Azure resources with non-compliant policy rules
Azure Policy helps to enforce organizational standards and assess compliance at scale. Azure Policy is commonly used to implement governance for resource consistency, regulatory compliance, security, cost, and management purposes. This search allows you to identify configuration issues within Azure that do not comply with the default policies, or with custom policies you might have implemented in your Azure environment.
Data required
Microsoft: Azure data
Procedure
- Configure the Microsoft Azure Add-on for Splunk.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
```
sourcetype="azure:securityCenter:task"
| rex field=properties.securityTaskParameters.resourceId "\/\S+\/(?<resource>\S+)"
| search resource="*"
| stats latest(_time) AS _time by properties.securityTaskParameters.severity, properties.securityTaskParameters.resourceType, properties.securityTaskParameters.policyName, properties.securityTaskParameters.category, resource
| rename properties.securityTaskParameters.severity AS Severity, properties.securityTaskParameters.resourceType AS "Resource Type", properties.securityTaskParameters.policyName AS Policy, properties.securityTaskParameters.category AS "Alert Category", resource AS "Affected Resource"
| search Policy=*
| sort + Severity, "Alert Category"
| fields _time Severity "Alert Category" "Affected Resource" "Resource Type" Policy
```
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| `sourcetype="azure:securityCenter:task"` | Search Azure data and filter to the Security Center task sourcetype. |
| `\| rex field=properties.securityTaskParameters.resourceId "\/\S+\/(?<resource>\S+)"` | Extract the resource name (the last segment of the resource ID path) into a new `resource` field. |
| `\| search resource="*"` | Filter to events where a `resource` value was extracted. |
| `\| stats latest(_time) AS _time by properties.securityTaskParameters.severity, properties.securityTaskParameters.resourceType, properties.securityTaskParameters.policyName, properties.securityTaskParameters.category, resource` | Keep the most recent event time for each combination of severity, resource type, policy name, category, and resource, so repeated tasks for the same finding collapse into one row. |
| `\| rename properties.securityTaskParameters.severity AS Severity, properties.securityTaskParameters.resourceType AS "Resource Type", properties.securityTaskParameters.policyName AS Policy, properties.securityTaskParameters.category AS "Alert Category", resource AS "Affected Resource"` | Rename the fields to readable column names. |
| `\| search Policy=*` | Filter to events that contain the Policy field. |
| `\| sort + Severity, "Alert Category"` | Sort in ascending order by the Severity and Alert Category fields. |
| `\| fields _time Severity "Alert Category" "Affected Resource" "Resource Type" Policy` | Specify which fields are displayed in the result. |
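To see what this pipeline does to raw task events before running it against a live index, the following Python mirrors each SPL stage (rex, stats latest, rename, search Policy=*, sort) over constructed azure:securityCenter:task events. It is an added example, not code from the page or from Splunk; the field values and resource IDs are hypothetical samples.

```python
import re

# Same regex as the page's rex stage. The greedy \S+ consumes everything up to
# the last "/", so the capture group is the final path segment: the resource name.
RESOURCE_RE = re.compile(r"/\S+/(?P<resource>\S+)")
P = "properties.securityTaskParameters."  # Splunk's flattened JSON field prefix

def make_event(t, resource_id, severity, rtype, policy, category):
    """Build one flattened azure:securityCenter:task event (constructed sample)."""
    return {"_time": t, P + "resourceId": resource_id, P + "severity": severity,
            P + "resourceType": rtype, P + "policyName": policy, P + "category": category}

# Constructed sample data: two tasks for the same VM and policy (should collapse
# to one row carrying the latest time), one storage task, one with no resourceId.
VM = "/subscriptions/<sub-id>/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web01"
SA = "/subscriptions/<sub-id>/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprodlogs"
EVENTS = [
    make_event(1700000000, VM, "High", "VirtualMachine", "Disk encryption should be applied on virtual machines", "Compute"),
    make_event(1700003600, VM, "High", "VirtualMachine", "Disk encryption should be applied on virtual machines", "Compute"),
    make_event(1700001800, SA, "Medium", "StorageAccount", "Secure transfer to storage accounts should be enabled", "Data"),
    make_event(1700002000, "", "Low", "Subscription", "", "Identity"),
]

def extract_resource(resource_id):
    """rex stage: returns the resource name or None when the pattern does not match."""
    m = RESOURCE_RE.search(resource_id)
    return m.group("resource") if m else None

def run_search(events):
    """Mirror of the SPL: rex | search resource=* | stats latest(_time) by ... | rename | search Policy=* | sort."""
    latest = {}
    for e in events:
        resource = extract_resource(e[P + "resourceId"])
        if not resource:  # search resource="*": drop events with no extracted resource
            continue
        key = (e[P + "severity"], e[P + "resourceType"], e[P + "policyName"], e[P + "category"], resource)
        latest[key] = max(latest.get(key, 0), e["_time"])  # stats latest(_time) by <key>
    rows = [{"_time": t, "Severity": k[0], "Alert Category": k[3], "Affected Resource": k[4],
             "Resource Type": k[1], "Policy": k[2]} for k, t in latest.items()]  # rename
    rows = [r for r in rows if r["Policy"]]  # search Policy=*
    # sort + Severity, "Alert Category" is an ascending string sort, so "High" < "Low" < "Medium"
    # alphabetically; map severities to numeric ranks first if you need true priority order.
    rows.sort(key=lambda r: (r["Severity"], r["Alert Category"]))
    return rows

if __name__ == "__main__":
    for row in run_search(EVENTS):
        print(row)
```

The two VM events produce a single row with the later timestamp, which is the deduplication the stats stage provides; the note on lexical severity ordering applies equally to the real search.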
Next steps
You can use the results of this search to identify configuration issues within Azure that do not comply with the default policies and need to be remediated, or to audit compliance with custom policies you might have implemented in your Azure environment.
You might also be interested in other processes associated with the Managing Azure cloud infrastructure use case.