Policy
Centralized logging policies
| Policy | Effect Type |
| --- | --- |
| Launchpad Centralized Logging Diagnostic logs: Azure Kubernetes Service | DeployIfNotExists |
| Launchpad Centralized Logging Diagnostic logs: App Services | DeployIfNotExists |
| Launchpad Centralized Logging Diagnostic logs: Azure API Management Service | DeployIfNotExists |
| Launchpad Centralized Logging Diagnostic logs: Application Gateway | DeployIfNotExists |
| Launchpad Centralized Logging Diagnostic logs: Automation Account | DeployIfNotExists |
| Launchpad Centralized Logging Diagnostic logs: Azure Firewall | DeployIfNotExists |
| Launchpad Centralized Logging Diagnostic logs: Azure Database for MySQL | DeployIfNotExists |
| Launchpad Centralized Logging Diagnostic logs: Azure Database for PostgreSQL | DeployIfNotExists |
| Launchpad Centralized Logging Diagnostic logs: Azure Database for PostgreSQL v2 | DeployIfNotExists |
| Launchpad Centralized Logging Diagnostic logs: Bastion | DeployIfNotExists |
| Launchpad Centralized Logging Diagnostic logs: Container Registry | DeployIfNotExists |
| Launchpad Centralized Logging Diagnostic logs: Cosmos DB | DeployIfNotExists |
| Launchpad Centralized Logging Diagnostic logs: Data Lake Analytics | DeployIfNotExists |
| Launchpad Centralized Logging Diagnostic logs: Data Lake Store | DeployIfNotExists |
| Launchpad Centralized Logging Diagnostic logs: Event Hub | DeployIfNotExists |
| Launchpad Centralized Logging Diagnostic logs: Key Vault | DeployIfNotExists |
| Launchpad Centralized Logging Diagnostic logs: Load Balancer | DeployIfNotExists |
| Launchpad Centralized Logging Diagnostic logs: Logic App | DeployIfNotExists |
| Launchpad Centralized Logging Diagnostic logs: Network Security Group | DeployIfNotExists |
| Launchpad Centralized Logging Diagnostic logs: Public IP | DeployIfNotExists |
| Launchpad Centralized Logging Diagnostic logs: Service Bus | DeployIfNotExists |
| Launchpad Centralized Logging Diagnostic logs: SQL DB | DeployIfNotExists |
| Launchpad Centralized Logging Diagnostic logs: Synapse DB | DeployIfNotExists |
| Launchpad Centralized Logging Diagnostic logs: Traffic Manager | DeployIfNotExists |
| Launchpad Centralized Logging Diagnostic logs: Virtual Network | DeployIfNotExists |
HCC policies
SGS HCC Attack Surface Policy Audit
| Policy | Effect Type |
| --- | --- |
| SGS HCC Policy Storage Account Access Should be Private | Audit |
| SGS HCC Policy Databases should have network restrictions in place | Audit |
SGS HCC Encryption Policy Audit
| Policy | Effect Type |
| --- | --- |
| SGS HCC Policy Object storage should be encrypted in transit | Audit |
| SGS HCC Policy App Services should only allow HTTPS traffic | Audit |
| SGS HCC Policy App Gateways should use minimum TLSv1.2 | Audit |
| SGS HCC Policy Databases should be encrypted at rest | AuditIfNotExists |
SGS HCC Virtual Machines
| Policy | Effect Type |
| --- | --- |
| SGS HCC Policy Virtual Machines should use a gateway of some kind rather than being open to public ip | Audit |
| SGS HCC VMs should use a gateway rather than open to public ip | Audit |
SGS HCC Network Policy Audit
| Policy | Effect Type |
| --- | --- |
| SGS HCC Policy Network Security Group Should Not Allow Port 22 | Audit |
| SGS HCC Policy Network Security Group Should Not Allow Port 21 | Audit |
| SGS HCC Policy Network Security Group Should Not Allow Port 5432 | Audit |
| SGS HCC Policy Network Security Group Should Not Allow Port 4333 | Audit |
| SGS HCC Policy Network Security Group Should Not Allow Port 3389 | Audit |
| SGS HCC Policy Network Security Group Should Not Allow Port 3306 | Audit |
| SGS HCC Policy Network Security Group Should Not Allow Port 1434 | Audit |
| SGS HCC Policy Network Security Group Should Not Allow Port 1433 | Audit |
| SGS HCC Policy Network Security Group Should Not Allow Port 445 | Audit |
| SGS HCC Policy Network Security Group Should Not Allow Port 139 | Audit |
| SGS HCC Policy Network Security Group Should Not Allow Port 138 | Audit |
| SGS HCC Policy Network Security Group Should Not Allow Port 137 | Audit |
| SGS HCC Policy Network Security Group Should Not Allow Port 135 | Audit |
| SGS HCC Policy Network Security Group Should Not Allow Port 53 | Audit |
| SGS HCC Policy Network Security Group Should Not Allow Port 25 | Audit |
| SGS HCC Policy Network Security Group Should Not Allow Port 23 | Audit |
| SGS HCC Policy Network Security Group Should Not Allow Port 20 | Audit |
SGS HCC Logging Policy Audit
| Policy | Effect Type |
| --- | --- |
| SGS HCC Policy NSG flow logs should be enabled | Audit |
| SGS HCC Policy SQL audit logging should be enabled | AuditIfNotExists |
SGS HCC VPN Policy Audit
| Policy | Effect Type |
| --- | --- |
| SGS HCC Policy VPN should use custom cryptography | Audit |
Launchpad policies
SGS Optum Policy Umbrella
| Policy | Effect Type |
| --- | --- |
| SGS LP Policy Audit VMs that do not use managed disks | Audit |
| SGS LP Policy Adaptive application controls for defining safe applications should be enabled on your machines | AuditIfNotExists |
| [Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution | Disabled |
| SGS LP Policy Require encryption on Data Lake Store accounts | Deny |
| SGS LP Policy Audit Storage Accounts without a Firewall | Audit |
| SGS LP Policy Audit unallowed resources | Audit |
| SGS LP Policy Audit security rules that allow port ranges inbound | Audit |
| SGS LP Policy Audit all non-gateway subnets require an attached NSG | Audit |
| SGS LP Policy Allowed Resource Types All types currently allowed | |
| SGS LP Policy Qualys Vulnerability Assessment Solution on VM | |
| SGS LP Policy RBAC Direct User Access | Audit |
| SGS LP Policy US Region Group Allowed Regions | Restricted to US Regions |
| SGS LP Ensures file encryption for storage accounts | |
| SGS HCC Policy Deploy Azure Defender on Storage Accounts | DeployIfNotExists |
| SGS HCC Policy Prevent Azure Defender on Storage Accounts from being disabled | Deny |