Azure Platformlogs Falco rules
Rule categories: DATABASE SERVICES (2 rules), FUNCTION APPS (5 rules), LOGGING AND MONITORING (1 rule), NETWORKING (2 rules), SQL SERVER (2 rules), STORAGE ACCOUNTS (11 rules).
Total 21 rules.
DATABASE SERVICES
Azure Auditing on SQL Server Has Been Disabled
The Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. Auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted. Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.
Tags: cloud azure azure_database_services azure_sql_server cis_azure_4.1.1 cis_controls_6.3
Azure Server Vulnerability Assessment on SQL Server Has Been Removed
The Vulnerability Assessment setting 'Periodic recurring scans' schedules periodic (weekly) vulnerability scanning for the SQL server and its databases. Periodic and regular vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.
Tags: cloud azure azure_database_services azure_sql_server cis_azure_4.2.2 cis_azure_4.2.3 cis_controls_3.1
FUNCTION APPS
Azure Function App Deleted
A function app has been deleted.
Tags: cloud azure azure_function_apps
Azure Function App Deployment Slot Deleted
A function app deployment slot has been deleted.
Tags: cloud azure azure_function_apps
Azure Function App Host Key Deleted
A function app host key has been deleted.
Tags: cloud azure azure_function_apps
Azure Function App Host Master Key Modified
A function app host master key has been renewed.
Tags: cloud azure azure_function_apps
Azure Function Key Deleted
A function key has been deleted.
Tags: cloud azure azure_function_apps
LOGGING AND MONITORING
Azure Diagnostic Setting Has Been Disabled
A diagnostic setting controls how a diagnostic log is exported. By default, logs are retained only for 90 days. Diagnostic settings should be defined so that logs can be exported and stored for a longer duration in order to analyze security activities within an Azure subscription.
Tags: cloud azure azure_logging_and_monitoring cis_azure_5.1.1 cis_controls_6.5
NETWORKING
Azure RDP Access Is Allowed from The Internet
The potential security problem with using RDP over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on an Azure Virtual Network or even attack networked devices outside of Azure.
Tags: cloud azure azure_networking cis_azure_6.1 cis_controls_9.2
Azure SSH Access Is Allowed from The Internet
The potential security problem with using SSH over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure.
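As an added example (not Falco's or Sysdig's rule code), the following Python evaluates the condition the RDP and SSH rules in this section describe over constructed Azure Activity Log-style records: an inbound Allow rule for TCP (or any protocol) whose destination port range covers 3389 or 22 and whose source prefix means the whole Internet. The record layout (operationName, resultType, and the ARM request body as a JSON string under properties.requestbody) is an assumption for illustration, as are the sample records; the port-range parsing handles both the singular and list forms and ranges such as 3000-4000, which a naive equality check against "3389" would miss.

```python
import json

# ARM operation name an NSG security rule create/update produces (compared lower-cased).
NSG_RULE_WRITE = "microsoft.network/networksecuritygroups/securityrules/write"

# Ports the two rules on this page watch, mapped to the rule that fires.
WATCHED_PORTS = {
    3389: "Azure RDP Access Is Allowed from The Internet",
    22: "Azure SSH Access Is Allowed from The Internet",
}


def request_body(event):
    """Assumed layout: the ARM request body is a JSON string under properties.requestbody."""
    raw = event.get("properties", {}).get("requestbody")
    return json.loads(raw) if raw else {}


def parse_port_range(text):
    """'*' -> whole range, '3000-4000' -> (3000, 4000), '22' -> (22, 22)."""
    text = str(text).strip()
    if text == "*":
        return (0, 65535)
    if "-" in text:
        lo, hi = text.split("-", 1)
        return (int(lo), int(hi))
    return (int(text), int(text))


def destination_ranges(props):
    # ARM accepts either the singular field or the plural list; handle both.
    ranges = [props["destinationPortRange"]] if props.get("destinationPortRange") else []
    ranges += props.get("destinationPortRanges") or []
    return [parse_port_range(r) for r in ranges]


def source_prefixes(props):
    prefixes = [props["sourceAddressPrefix"]] if props.get("sourceAddressPrefix") else []
    prefixes += props.get("sourceAddressPrefixes") or []
    return [str(p).strip().lower() for p in prefixes]


def is_internet(prefix):
    """Prefixes that mean 'anyone': the wildcard, the Internet service tag, 0.0.0.0 or any /0."""
    return prefix in ("*", "internet", "any", "0.0.0.0") or prefix.endswith("/0")


def exposed_watched_ports(props):
    """Watched ports this security rule lets in from the Internet (empty set if none)."""
    if str(props.get("direction", "")).lower() != "inbound":
        return set()
    if str(props.get("access", "")).lower() != "allow":
        return set()
    if str(props.get("protocol", "")).lower() not in ("tcp", "*"):
        return set()
    if not any(is_internet(p) for p in source_prefixes(props)):
        return set()
    return {port for lo, hi in destination_ranges(props)
            for port in WATCHED_PORTS if lo <= port <= hi}


def evaluate(event):
    """Rule names that fire for one activity-log record (assumed layout, successful writes only)."""
    if event.get("operationName", "").lower() != NSG_RULE_WRITE:
        return []
    if event.get("resultType", "").lower() != "success":
        return []
    props = request_body(event).get("properties", {})
    return sorted(WATCHED_PORTS[p] for p in exposed_watched_ports(props))


def _rule(props):
    """Build a constructed (not real) activity-log record for one NSG rule write."""
    return {"operationName": "Microsoft.Network/networkSecurityGroups/securityRules/write",
            "resultType": "Success",
            "properties": {"requestbody": json.dumps({"properties": props})}}


BASE = {"direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourcePortRange": "*", "destinationAddressPrefix": "*"}

# Constructed sample records: the first four should fire, the last three should not.
EVENTS = [
    _rule({**BASE, "sourceAddressPrefix": "*", "destinationPortRange": "3389"}),
    _rule({**BASE, "protocol": "*", "sourceAddressPrefix": "Internet",
           "destinationPortRanges": ["22", "8000-9000"]}),
    _rule({**BASE, "sourceAddressPrefixes": ["10.0.0.0/8", "0.0.0.0/0"],
           "destinationPortRange": "3000-4000"}),          # 3389 hides inside the range
    _rule({**BASE, "sourceAddressPrefix": "*", "destinationPortRange": "*"}),
    _rule({**BASE, "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "22"}),
    _rule({**BASE, "access": "Deny", "sourceAddressPrefix": "*", "destinationPortRange": "*"}),
    _rule({**BASE, "protocol": "Udp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"}),
]

if __name__ == "__main__":
    for e in EVENTS:
        print(evaluate(e) or ["clean"])
```

Run it directly to see each sample record's verdict. What it deliberately does not do: it ignores records without a successful result, and it recognises no source other than the wildcard forms and the Internet service tag, so application security groups or other service tags would need their own handling in a real deployment.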
Tags: cloud azure azure_networking cis_azure_6.2 cis_controls_9.2
SQL SERVER
Azure Auditing on SQL Server Has Been Disabled
Same rule as listed under DATABASE SERVICES above; it carries both category tags.
Tags: cloud azure azure_database_services azure_sql_server cis_azure_4.1.1 cis_controls_6.3
Azure Server Vulnerability Assessment on SQL Server Has Been Removed
Same rule as listed under DATABASE SERVICES above; it carries both category tags.
Tags: cloud azure azure_database_services azure_sql_server cis_azure_4.2.2 cis_azure_4.2.3 cis_controls_3.1
STORAGE ACCOUNTS
Azure Access Level creation attempt for Blob Container Set to Public
Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. It grants read-only access to these resources without sharing the account key, and without requiring a shared access signature. It is recommended not to provide anonymous access to blob containers until, and unless, it is strongly desired. A shared access signature token should be used for providing controlled and timed access to blob containers. If no anonymous access is needed on the storage account, it's recommended to set allowBlobPublicAccess false.
Tags: cloud azure azure_storage_accounts cis_azure_3.5 cis_controls_16
Creation attempt Azure Secure Transfer Required Set to Disabled
The secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn't support HTTPS for custom domain names, this option is not applied when using a custom domain name.
Tags: cloud azure azure_storage_accounts cis_azure_3.1 cis_controls_14.4
Creation attempt Azure Default Network Access Rule for Storage Account Set to Allow
Storage accounts should be configured to deny access to traffic from all networks (including internet traffic). Access can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges, to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.
Tags: cloud azure azure_storage_accounts cis_azure_3.6 cis_controls_16
Azure Access Level for Blob Container Set to Public
Same rationale as 'Azure Access Level creation attempt for Blob Container Set to Public' above: anonymous, public read access to a container and its blobs grants read-only access without the account key or a shared access signature, and allowBlobPublicAccess should be false unless anonymous access is strongly desired. This rule is not limited to creation attempts.
Tags: cloud azure azure_storage_accounts cis_azure_3.5 cis_controls_16
Azure Default Network Access Rule for Storage Account Set to Allow
Same rationale as 'Creation attempt Azure Default Network Access Rule for Storage Account Set to Allow' above: the default rule should deny traffic from all networks, with access granted only to specific virtual networks or public IP ranges, and callers from allowed networks still need a valid access key or SAS token. This rule is not limited to creation attempts.
Tags: cloud azure azure_storage_accounts cis_azure_3.6 cis_controls_16
Azure Secure Transfer Required Set to Disabled
Same rationale as 'Creation attempt Azure Secure Transfer Required Set to Disabled' above: with 'secure transfer required' enabled, HTTP requests are rejected and unencrypted SMB connections to Azure Files fail; the option is not applied to custom domain names, which Azure storage does not serve over HTTPS. This rule is not limited to creation attempts.
Tags: cloud azure azure_storage_accounts cis_azure_3.1 cis_controls_14.4
Azure Blob Created
A blob has been created in a storage container.
Tags: cloud azure azure_storage_accounts
Azure Blob Deleted
A blob has been deleted from a storage container.
Tags: cloud azure azure_storage_accounts
Azure Container Created
A container has been created.
Tags: cloud azure azure_storage_accounts
Azure Container Deleted
A container has been deleted.
Tags: cloud azure azure_storage_accounts
Azure Container ACL Modified
A container ACL has been modified.
Tags: cloud azure azure_storage_accounts
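As an added example (not Falco's or Sysdig's rule code), the following Python applies the three storage-account configuration checks in this section (public blob access, secure transfer, default network rule) and the container access-level check to constructed Azure Activity Log-style records, and includes a harden() helper that produces the corrected account settings those rules expect. The record layout (operationName, resultType, the ARM request body as a JSON string under properties.requestbody) and the sample records are assumptions for illustration; the operation names are the ARM operation names these writes produce. It does not distinguish a creation attempt from an update, and an omitted property does not fire, because the platform default that then applies is not modelled here.

```python
import copy
import json

# ARM operation names (compared lower-cased) for the writes these rules watch.
STORAGE_WRITE = "microsoft.storage/storageaccounts/write"
CONTAINER_WRITE = "microsoft.storage/storageaccounts/blobservices/containers/write"

PUBLIC_BLOB = "Azure Access Level for Blob Container Set to Public"
NO_HTTPS = "Azure Secure Transfer Required Set to Disabled"
NET_ALLOW = "Azure Default Network Access Rule for Storage Account Set to Allow"


def request_body(event):
    """Assumed layout: the ARM request body is a JSON string under properties.requestbody."""
    raw = event.get("properties", {}).get("requestbody")
    return json.loads(raw) if raw else {}


def account_findings(body):
    """Rules that fire for one storage-account PUT body. Only explicit weak values
    fire; an omitted property falls back to a platform default not modelled here."""
    props = body.get("properties", {})
    hits = []
    if props.get("allowBlobPublicAccess") is True:
        hits.append(PUBLIC_BLOB)
    if props.get("supportsHttpsTrafficOnly") is False:
        hits.append(NO_HTTPS)
    if str(props.get("networkAcls", {}).get("defaultAction", "")).lower() == "allow":
        hits.append(NET_ALLOW)
    return hits


def container_findings(body):
    """A container whose publicAccess is 'Blob' or 'Container' is anonymously readable."""
    level = str(body.get("properties", {}).get("publicAccess", "None"))
    return [PUBLIC_BLOB] if level.lower() in ("blob", "container") else []


def evaluate(event):
    """Rule names that fire for one activity-log record (assumed layout, successful writes only)."""
    if event.get("resultType", "").lower() != "success":
        return []
    op = event.get("operationName", "").lower()
    body = request_body(event)
    if op == STORAGE_WRITE:
        return account_findings(body)
    if op == CONTAINER_WRITE:
        return container_findings(body)
    return []


def harden(body):
    """Copy of a storage-account body with the three settings at the values the rules expect."""
    fixed = copy.deepcopy(body)
    props = fixed.setdefault("properties", {})
    props["allowBlobPublicAccess"] = False
    props["supportsHttpsTrafficOnly"] = True
    props.setdefault("networkAcls", {})["defaultAction"] = "Deny"
    return fixed


def _record(op, body):
    """Build a constructed (not real) activity-log record for one ARM write."""
    return {"operationName": op, "resultType": "Success",
            "properties": {"requestbody": json.dumps(body)}}


# Weak configuration: every one of the three account checks fires on it.
WEAK_ACCOUNT = {"location": "westeurope", "properties": {
    "allowBlobPublicAccess": True, "supportsHttpsTrafficOnly": False,
    "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices"}}}

# Constructed sample records (not real log data).
EVENTS = [
    _record(STORAGE_WRITE, WEAK_ACCOUNT),
    _record(STORAGE_WRITE, harden(WEAK_ACCOUNT)),           # corrected configuration
    _record(CONTAINER_WRITE, {"properties": {"publicAccess": "Container"}}),
    _record(CONTAINER_WRITE, {"properties": {"publicAccess": "None"}}),
    _record(STORAGE_WRITE, {"properties": {"minimumTlsVersion": "TLS1_2"}}),  # partial update
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["operationName"], "->", evaluate(e) or ["clean"])
```

The partial-update record is the case to think about when tuning such rules: a PUT that omits allowBlobPublicAccess neither enables nor disables anything by itself, so firing on absence would be noise, while a creation that omits it inherits whatever default the platform applies.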