Security Center.csv
"DisplayName";"Description";"Path"
"[Preview]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent";"Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_AMA_DefaultPipeline_Arc_Deploy.json"
"[Preview]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule";"Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this Arc machine. Target Arc machines must be in a supported location.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_AMA_DefaultPipeline_DCRA_Arc_Deploy.json"
"[Preview]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule";"Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this virtual machine. Target virtual machines must be in a supported location.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_AMA_DefaultPipeline_DCRA_Deploy.json"
"[Preview]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent";"Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_AMA_DefaultPipeline_Deploy.json"
"[Preview]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent";"Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Use the user-provided Log Analytics workspace to store audit records. Create a resource group and a Data Collection Rule in the same region as the user-provided Log Analytics workspace. Target Arc machines must be in a supported location.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_AMA_UserWorkspacePipeline_Arc_Deploy.json"
"[Preview]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule";"Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this Arc machine. Target Arc machines must be in a supported location.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_AMA_UserWorkspacePipeline_DCRA_Arc_Deploy.json"
"[Preview]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule";"Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this virtual machine. Target virtual machines must be in a supported location.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_AMA_UserWorkspacePipeline_DCRA_Deploy.json"
"[Preview]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent";"Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Microsoft Defender for Cloud collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Use the user-provided Log Analytics workspace to store audit records. Creates a resource group and a Data Collection Rule in the same region as the user-provided Log Analytics workspace. Target virtual machines must be in a supported location.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_AMA_UserWorkspacePipeline_Deploy.json"
"Auto provisioning of the Log Analytics agent should be enabled on your subscription";"To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_Automatic_provisioning_log_analytics_monitoring_agent.json"
"Configure Azure Defender for App Service to be enabled";"Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_Azure_Defender_AppService_Deploy.json"
"Configure Azure Defender for Resource Manager to be enabled";"Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center .";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_Azure_Defender_ARM_deploy.json"
"Configure Microsoft Defender for Containers to be enabled";"Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_Azure_Defender_Containers_Deploy.json"
"Configure Microsoft Defender CSPM to be enabled";"Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_Azure_Defender_CSPM_Deploy.json"
"Configure Azure Defender for DNS to be enabled";"Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center .";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_Azure_Defender_DNS_Deploy.json"
"Configure Azure Defender for Key Vaults to be enabled";"Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_Azure_Defender_KeyVault_Deploy.json"
"Configure Azure Defender for open-source relational databases to be enabled";"Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_Azure_Defender_OpenSourceRelationalDatabases_Deploy.json"
"Configure Azure Defender for servers to be enabled";"Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_Azure_Defender_Servers_Deploy.json"
"Configure Azure Defender for Azure SQL database to be enabled";"Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_Azure_Defender_SQLDatabase_Deploy.json"
"Configure Azure Defender for SQL servers on machines to be enabled";"Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_Azure_Defender_SQLServers_Deploy.json"
"Configure Azure Defender for Storage to be enabled";"Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_Azure_Defender_Storage_Deploy.json"
"[Preview]: Configure Azure Defender for SQL agent on virtual machine";"Configure Windows machines to automatically install the Azure Defender for SQL agent where the Azure Monitor Agent is installed. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and Log Analytics workspace in the same region as the machine. Target virtual machines must be in a supported location.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_AzureDefenderForSql_Deploy.json"
"[Preview]: Configure supported Linux Arc machines to automatically install the Azure Security agent";"Configure supported Linux Arc machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Linux Arc machines must be in a supported location.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_AzureSecurityLinuxAgent_Arc_Deploy.json"
"[Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent";"Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_AzureSecurityLinuxAgent_Deploy.json"
"[Preview]: Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent";"Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_AzureSecurityLinuxAgent_VMSS_Deploy.json"
"[Preview]: Configure supported Windows Arc machines to automatically install the Azure Security agent";"Configure supported Windows Arc machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Windows Arc machines must be in a supported location.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_AzureSecurityWindowsAgent_Arc_Deploy.json"
"[Preview]: Configure supported Windows machines to automatically install the Azure Security agent";"Configure supported Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_AzureSecurityWindowsAgent_Deploy.json"
"[Preview]: Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent";"Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Windows virtual machine scale sets must be in a supported location.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_AzureSecurityWindowsAgent_VMSS_Deploy.json"
"[Preview]: Configure ChangeTracking Extension for Linux Arc machines";"Configure Linux Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_ChangeTrackingLinuxAgent_Arc_DeployIfNotExists.json"
"[Preview]: Configure ChangeTracking Extension for Linux virtual machines";"Configure Linux virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_ChangeTrackingLinuxAgent_DeployIfNotExists.json"
"[Preview]: Configure ChangeTracking Extension for Linux virtual machine scale sets";"Configure Linux virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_ChangeTrackingLinuxAgent_VMSS_DeployIfNotExists.json"
"[Preview]: Configure ChangeTracking Extension for Windows Arc machines";"Configure Windows Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_ChangeTrackingWindowsAgent_Arc_DeployIfNotExists.json"
"[Preview]: Configure ChangeTracking Extension for Windows virtual machines";"Configure Windows virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_ChangeTrackingWindowsAgent_DeployIfNotExists.json"
"[Preview]: Configure ChangeTracking Extension for Windows virtual machine scale sets";"Configure Windows virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_ChangeTrackingWindowsAgent_VMSS_DeployIfNotExists.json"
"Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace.";"Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using a custom workspace.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_Deploy_auto_provisioning_log_analytics_monitoring_agent_custom_workspace.json"
"Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace.";"Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using ASC default workspace.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_Deploy_auto_provisioning_log_analytics_monitoring_agent_default_workspace.json"
"Email notification to subscription owner for high severity alerts should be enabled";"To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_Email_notification_to_subscription_owner.json"
"Email notification for high severity alerts should be enabled";"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_Email_notification.json"
"Configure Microsoft Defender for APIs should be enabled";"Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_EnableDefenderForAPIM_Deploy.json"
"[Preview]: Configure supported Linux virtual machines to automatically enable Secure Boot";"Configure supported Linux virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_EnableLinuxSB_Deploy.json"
"[Preview]: Configure supported virtual machines to automatically enable vTPM";"Configure supported virtual machines to automatically enable vTPM to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_EnableVTPM_Deploy.json"
"[Preview]: Configure supported Windows virtual machines to automatically enable Secure Boot";"Configure supported Windows virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_EnableWindowsSB_Deploy.json"
"Deploy export to Event Hub for Microsoft Defender for Cloud data";"Enable export to Event Hub of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_ExportToEventHubAzureSecurityCenterAlertsAndRecommendations_Deploy.json"
"Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data";"Enable export to Log Analytics workspace of Microsoft Defender for Cloud data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_ExportToLogAnalyticsWorkspaceAzureSecurityCenterAlertsAndRecommendations_Deploy.json"
"Guest Configuration extension should be installed on your machines";"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_GCExtOnVm.json"
"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity";"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_GCExtOnVmWithNoSAMI.json"
"[Preview]: Configure VMs created with Shared Image Gallery images to install the Guest Attestation extension";"Configure virtual machines created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_InstallGAExtOnSigVM_Deploy.json"
"[Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension";"Configure VMSS created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_InstallGAExtOnSigVMSS_Deploy.json"
"Log Analytics agent should be installed on your Cloud Services (extended support) role instances";"Security Center collects data from your Cloud Services (extended support) role instances to monitor for security vulnerabilities and threats.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_InstallLaAgentOnCSES.json"
"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring";"This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_InstallLaAgentOnVm.json"
"Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring";"Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_InstallLaAgentOnVmss.json"
"[Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension";"Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_InstallLinuxGAExtOnVM_Deploy.json"
"[Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension";"Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_InstallLinuxGAExtOnVmss_Deploy.json"
"[Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension";"Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_InstallWindowsGAExtOnVM_Deploy.json"
"[Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension";"Configure supported Windows virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_InstallWindowsGAExtOnVmss_Deploy.json"
"[Preview]: Deploy Microsoft Defender for Endpoint agent on Linux hybrid machines";"Deploys Microsoft Defender for Endpoint agent on Linux hybrid machines";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_MicrosoftDefenderForEndpoint_LinuxAgent_ARC_Deploy.json"
"[Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines";"Deploys Microsoft Defender for Endpoint agent on applicable Linux VM images.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_MicrosoftDefenderForEndpoint_LinuxAgent_VM_Deploy.json"
"[Preview]: Deploy Microsoft Defender for Endpoint agent on Windows Azure Arc machines";"Deploys Microsoft Defender for Endpoint on Windows Azure Arc machines.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_MicrosoftDefenderForEndpoint_WindowsAgent_ARC_Deploy.json"
"[Preview]: Deploy Microsoft Defender for Endpoint agent on Windows virtual machines";"Deploys Microsoft Defender for Endpoint on applicable Windows VM images.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_MicrosoftDefenderForEndpoint_WindowsAgent_VM_Deploy.json"
"Enable Microsoft Defender for Cloud on your subscription";"Identifies existing subscriptions that aren't monitored by Microsoft Defender for Cloud and protects them with Defender for Cloud's free features.
Subscriptions already monitored will be considered compliant.
To register newly created subscriptions, open the compliance tab, select the relevant non-compliant assignment, and create a remediation task.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_Register_To_Azure_Security_Center_Deploy.json"
"Subscriptions should have a contact email address for security issues";"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_Security_contact_email.json"
"Security Center standard pricing tier should be selected";"The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_Standard_pricing_tier.json"
"Deploy - Configure suppression rules for Azure Security Center alerts";"Suppress Azure Security Center alerts to reduce alert fatigue by deploying suppression rules on your management group or subscription.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_SuppressionRulesForAlerts_Deploy.json"
"Configure machines to receive a vulnerability assessment provider";"Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_VulnerabilityAssessment_ProvisionQualysAgent_Deploy.json"
"Deploy Workflow Automation for Microsoft Defender for Cloud alerts";"Enable automation of Microsoft Defender for Cloud alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_WorkflowAutomationAzureSecurityCenterAlerts_Deploy.json"
"Deploy Workflow Automation for Microsoft Defender for Cloud recommendations";"Enable automation of Microsoft Defender for Cloud recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_WorkflowAutomationAzureSecurityCenterRecommendations_Deploy.json"
"Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance";"Enable automation of Microsoft Defender for Cloud regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/ASC_WorkflowAutomationAzureSecurityCenterRegulatoryCompliance_Deploy.json"
"Configure Microsoft Defender for Azure Cosmos DB to be enabled";"Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts.
Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitations of your database through compromised identities or malicious insiders.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/MDC_Microsoft_Defender_Azure_Cosmos_DB_Deploy.json"
"Configure Microsoft Defender for SQL to be enabled on Synapse workspaces";"Enable Microsoft Defender for SQL on your Azure Synapse workspaces to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit SQL databases.";"https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Security Center/TdOnSynapseWorkspaces_Deploy.json"