Skip to main content
Splunk Lantern

Azure resources with non-compliant policy rules

 

Azure Policy helps to enforce organizational standards and assess compliance at-scale. Azure Policy is commonly used for implementing governance for resource consistency, regulatory compliance, security, cost, and management purposes. This search allows you to identify any configuration issues within Azure that do not comply with the default, or custom policies you might have implemented in your Azure environment.

Data required 

Microsoft Azure data

Procedure

  1. Configure the Microsoft Azure Add-on for Splunk.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="azure:securityCenter:task"
| rex field=properties.securityTaskParameters.resourceId "\/\S+\/(?<resource>\S+)"
| search resource="*"
| stats latest(_time) AS _time by properties.securityTaskParameters.severity, properties.securityTaskParameters.resourceType, properties.securityTaskParameters.policyName, properties.securityTaskParameters.category, resource
| rename properties.securityTaskParameters.severity AS Severity, properties.securityTaskParameters.resourceType AS "Resource Type", properties.securityTaskParameters.policyName AS Policy properties.securityTaskParameters.category AS "Alert Category" resource AS "Affected Resource"
| search Policy=*
 | sort + Severity, "Alert Category"
 | fields _time Severity "Alert Category" "Affected Resource" "Resource Type"  Policy

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
sourcetype="azure:securityCenter:task" Search Azure data and filter to the Security Center sourcetype.
| rex field=properties.securityTaskParameters.resourceId "\/\S+\/(?<resource>\S+)" Extract the resource name from the field value contained within it.
| search resource="*" Filter to events that contain a resource field.
| stats latest(_time) AS _time by properties.securityTaskParameters.severity, properties.securityTaskParameters.resourceType, properties.securityTaskParameters.policyName, properties.securityTaskParameters.category, resource Count by interesting fields.
| search Policy=* Filter to events that contain the Policy field.
 | sort + Severity, "Alert Category" Sort by the Severity and Alert Category fields.
 | fields _time Severity "Alert Category" "Affected Resource" "Resource Type"  Policy Specify which fields are displayed in the result.

Next steps

You can use the results of this search to identify any configuration issues within Azure that do not comply with the default and that need to be amended, or to audit custom policies you might have implemented in your Azure environment.

You might also be interested in other processes associated with the Managing Azure cloud infrastructure use case.