Azure Platformlogs Falco rules

Scroll Top DATABASE SERVICES 2rules FUNCTION APPS 5rules LOGGING AND MONITORING 1rules NETWORKING 2rules SQL SERVER 2rules STORAGE ACCOUNTS 11rules

Total 21 rules.

DATABASE SERVICES

Azure Auditing on SQL Server Has Been Disabled

The Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. Auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted. Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.

cloud azure azure_database_services azure_sql_server cis_azure_4.1.1 cis_controls_6.3
Azure Server Vulnerability Assessment on SQL Server Has Been Removed

Vulnerability Assessment setting 'Periodic recurring scans' schedules periodic (weekly) vulnerability scanning for the SQL server and corresponding Databases. Periodic and regular vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.

cloud azure azure_database_services azure_sql_server cis_azure_4.2.2 cis_azure_4.2.3 cis_controls_3.1

FUNCTION APPS

Azure Function App Deleted

A function app has been deleted.

cloud azure azure_function_apps
Azure Function App Deployment Slot Deleted

A function app deployment slot has been deleted.

cloud azure azure_function_apps
Azure Function App Host Key Deleted

A function app host key has been deleted.

cloud azure azure_function_apps
Azure Function App Host Master Key Modified

A function app host master key has been renewed.

cloud azure azure_function_apps
Azure Function Key Deleted

A function key has been deleted.

cloud azure azure_function_apps

LOGGING AND MONITORING

Azure Diagnostic Setting Has Been Disabled

A diagnostic setting controls how a diagnostic log is exported. By default, logs are retained only for 90 days. Diagnostic settings should be defined so that logs can be exported and stored for a longer duration in order to analyze security activities within an Azure subscription.

cloud azure azure_logging_and_monitoring cis_azure_5.1.1 cis_controls_6.5

NETWORKING

Azure RDP Access Is Allowed from The Internet

The potential security problem with using RDP over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on an Azure Virtual Network or even attack networked devices outside of Azure.

cloud azure azure_networking cis_azure_6.1 cis_controls_9.2
Azure SSH Access Is Allowed from The Internet

The potential security problem with using SSH over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure.

cloud azure azure_networking cis_azure_6.2 cis_controls_9.2

SQL SERVER

Azure Auditing on SQL Server Has Been Disabled

The Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. Auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted. Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.

cloud azure azure_database_services azure_sql_server cis_azure_4.1.1 cis_controls_6.3
Azure Server Vulnerability Assessment on SQL Server Has Been Removed

Vulnerability Assessment setting 'Periodic recurring scans' schedules periodic (weekly) vulnerability scanning for the SQL server and corresponding Databases. Periodic and regular vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.

cloud azure azure_database_services azure_sql_server cis_azure_4.2.2 cis_azure_4.2.3 cis_controls_3.1

STORAGE ACCOUNTS

Azure Access Level creation attempt for Blob Container Set to Public

Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. It grants read-only access to these resources without sharing the account key, and without requiring a shared access signature. It is recommended not to provide anonymous access to blob containers until, and unless, it is strongly desired. A shared access signature token should be used for providing controlled and timed access to blob containers. If no anonymous access is needed on the storage account, it’s recommended to set allowBlobPublicAccess false.

cloud azure azure_storage_accounts cis_azure_3.5 cis_controls_16
Creation attempt Azure Secure Transfer Required Set to Disabled

The secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn’t support HTTPS for custom domain names, this option is not applied when using a custom domain name.

cloud azure azure_storage_accounts cis_azure_3.5 cis_controls_16
Creation attempt Azure Default Network Access Rule for Storage Account Set to Allow

Storage accounts should be configured to deny access to traffic from all networks (including internet traffic). Access can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges, to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.

cloud azure azure_storage_accounts cis_azure_3.6 cis_controls_16
Azure Access Level for Blob Container Set to Public

Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. It grants read-only access to these resources without sharing the account key, and without requiring a shared access signature. It is recommended not to provide anonymous access to blob containers until, and unless, it is strongly desired. A shared access signature token should be used for providing controlled and timed access to blob containers. If no anonymous access is needed on the storage account, it’s recommended to set allowBlobPublicAccess false.

cloud azure azure_storage_accounts cis_azure_3.5 cis_controls_16
Azure Default Network Access Rule for Storage Account Set to Allow

Storage accounts should be configured to deny access to traffic from all networks (including internet traffic). Access can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges, to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.

cloud azure azure_storage_accounts cis_azure_3.6 cis_controls_16
Azure Secure Transfer Required Set to Disabled

The secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn’t support HTTPS for custom domain names, this option is not applied when using a custom domain name.

cloud azure azure_storage_accounts cis_azure_3.1 cis_controls_14.4
Azure Blob Created

A blob has been created in a storage container.

cloud azure azure_storage_accounts
Azure Blob Deleted

A blob has been deleted from a storage container.

cloud azure azure_storage_accounts
Azure Container Created

A Container has been created.

cloud azure azure_storage_accounts
Azure Container Deleted

A Container has been deleted.

cloud azure azure_storage_accounts
Azure Container ACL Modified

A container ACL has been modified.

cloud azure azure_storage_accounts


Last modified November 4, 2021