Azure
Overview
Visualize and analyze Azure resources, including virtual machines, storage accounts, networks, databases, MySQL Flexible Servers, MariaDB servers, Azure Data Explorer (Kusto) clusters, and Purview accounts. Monitor resource visibility, governance, and security posture. Enforce security policies, manage configurations, track resource usage, and ensure compliance with organizational standards. Detect vulnerabilities and optimize performance to enhance the security and efficiency of Azure services.
Setup Guide
This guide walks you through setting up the Azure blueprint using ARM (Azure Resource Manager) templates. The setup involves deploying subscription-level resources, configuring Entra ID permissions, and deploying resource-level components.
Prerequisites
- An Azure subscription where you have Owner or User Access Administrator (or a custom role with permission to create role assignments) at the target subscription scope and any target management group scopes. Elevated access to the root management group/tenant may be required to create management-group/tenant-scope role assignments.
- Access to Microsoft Entra ID (Azure Active Directory) with sufficient directory permissions (for example, Global Administrator or Privileged Role Administrator) to assign the Cloud Application Administrator role to the managed identity.
- Access to the Azure Portal
Step 1: Deploy Subscription-Level Resources
This ARM template creates the foundational infrastructure required for Kscope:
- Resource Group for Kscope resources (default: kaleidoscope-blueprint-rg)
- User-Assigned Managed Identity used by the deployment scripts (default: kaleidoscope-deployment-identity)
- Role Assignments:
  - User Access Administrator at subscription scope
  - Management Group Reader at tenant scope
  - User Access Administrator at management group scope
Deployment Steps:
1. Click the link below to open the ARM template deployment in the Azure Portal:
2. Fill in the deployment parameters:

| Parameter | Default Value | Description |
|---|---|---|
| Resource Group Name | kaleidoscope-blueprint-rg | Name of the resource group to create (must be unique within the subscription) |
| Resource Group Location | eastus | Azure region for the resource group |
| User Assigned Identity Name | kaleidoscope-deployment-identity | Name of the managed identity (must be unique within the resource group) |
| Skip Role Assignment | false | See note below |

[!ATTENTION] Set Skip Role Assignment to:
- false for first-time deployments: this creates the necessary role assignments
- true for subsequent deployments: this prevents "role assignment already exists" errors when re-running the template

3. Click Review + Create, then Create to deploy.
4. Once deployment completes, navigate to the Outputs tab and save the following values:
   - resourceGroupName: Resource group for the Step 3 deployment
   - managedIdentityName: Required for Step 2 and Step 3
   - managedIdentityPrincipalId: Principal ID used to assign the Entra ID role
   - managedIdentityResourceId: Resource ID for the second ARM template
Step 2: Assign Cloud Application Administrator Role
The managed identity created in Step 1 needs the Cloud Application Administrator Entra ID role to create app registrations, configure API permissions, and grant admin consent.
[!NOTE] This is an Entra ID directory role, not an Azure RBAC role. It must be assigned in the Entra ID admin center.
Assignment Steps:
1. Open the Entra ID Roles and Administrators page:
2. Search for and click on Cloud Application Administrator in the roles list.
3. Click + Add assignments to open the Add role assignment panel.
4. In the Select members search field, enter the managed identity name from the Step 1 output (e.g., kaleidoscope-deployment-identity).
5. Select the managed identity from the search results and click Select.
6. Click Next, then click Assign to complete the role assignment.
[!ATTENTION] Role assignment propagation can take 15-30 minutes. Wait for propagation to complete before proceeding to Step 3.
Step 3: Deploy Resource-Level Components
This ARM template deploys the application infrastructure and configures Azure AD integration:
Resources Created:
- Storage Account with TLS 1.2 enforcement (default: k6scopemystorageaccount)
- Blob Container for activity logs (default: kaleidoscopeactivitylogscontainer)
- Storage Queue for event processing (default: kaleidoscopeactivitylogsqueue)
- Azure AD App Registration with service principal (default: kaleidoscope-blueprint)
Automatic Configuration:
- Microsoft Graph API permissions (User.Read.All, Group.Read.All, RoleManagement.Read.All)
- Reader role assignment at subscription scope
- Contributor role assignment at subscription scope (for ARM template deployments)
- Management Group Reader role assignment
- AcrPull role assignment on all existing ACR registries
- Client secret generation
Deployment Steps:
1. Click the link below to open the ARM template deployment:
2. Fill in the deployment parameters:

| Parameter | Default Value | Description |
|---|---|---|
| Managed Identity Name | kaleidoscope-deployment-identity | Use the managedIdentityName value from the Step 1 output |
| Storage Account Name | example: mystorageacct123456 | Globally unique storage account name. Choose a lowercase name (3–24 characters, letters and numbers only) that meets Azure Storage naming requirements. |
| Storage Container Name | kaleidoscopeactivitylogscontainer | Blob container name (unique within the storage account) |
| Storage Queue Name | kaleidoscopeactivitylogsqueue | Storage queue name (unique within the storage account) |
| Application Display Name | kaleidoscope-blueprint | Azure AD app registration name (should be unique within the tenant for clarity) |

3. Select the Resource Group from the Step 1 output (resourceGroupName, e.g., kaleidoscope-blueprint-rg).
4. Click Review + Create, then Create to deploy.
5. Once deployment completes, navigate to the Outputs tab and save the following values for Kscope blueprint configuration:

| Output | Description |
|---|---|
| clientId | Azure AD Application (Client) ID |
| clientSecret | Client secret for authentication |
| tenantId | Azure AD Tenant ID |
| subscriptionId | Azure Subscription ID |
| storageAccountName | Storage account name |
| storageAccountKey | Storage account access key |
| storageQueueName | Queue name for events |
| consentStatus | Admin consent status (see Step 4) |
Step 4: Grant Admin Consent (If Required)
Check the consentStatus output from Step 3:
- Granted: Admin consent was automatically granted. Skip to configuring your blueprint.
- PendingManualAction: Manual consent is required. Follow the steps below.
Manual Consent Steps:
1. Navigate to Microsoft Entra ID → App registrations in the Azure Portal.
2. Find and select the app registration created by the ARM template (e.g., kaleidoscope-blueprint).
3. Click API permissions in the left navigation.
4. Review the configured permissions:
   - User.Read.All (Application)
   - Group.Read.All (Application)
   - RoleManagement.Read.All (Application)
5. Click Grant admin consent for [Your Tenant] at the top of the permissions list.
6. Confirm by clicking Yes in the dialog.
[!NOTE] Admin consent grants the application permissions to access Microsoft Graph APIs on behalf of the organization. This is required for Active Directory user, group, and role crawling capabilities.
Configurations
After completing the setup steps above, configure your Azure blueprint in Kscope using the values from the ARM template outputs.
| Configuration | Description | ARM Output |
|---|---|---|
| Blueprint Account Name | A human-readable name for your account that will be used to identify this account across the application. | — |
| Azure Client ID | The Application (Client) ID of the Azure AD app registration. | clientId |
| Azure Client Secret | The client secret generated for the Azure AD app registration. | clientSecret |
| Azure Tenant ID | The Azure Active Directory tenant ID. | tenantId |
| Azure Subscription ID | The Azure subscription ID being monitored. | subscriptionId |
| Storage Account Name | Name of the Azure Storage Account for event processing. | storageAccountName |
| Storage Queue Name | Name of the Azure Storage Queue for event notifications. | storageQueueName |
| Storage Account Key | Access key for the Azure Storage Account. | storageAccountKey |
| Data Crawl Frequency | The frequency at which Kscope will crawl the account for resources. | — |
| Resource Selection | Selectively include or exclude certain resources. | — |
Permissions
The ARM templates automatically configure the required permissions for the Azure blueprint. The following roles are assigned during deployment:
Azure RBAC Roles (Automatically Assigned)
| Role | Scope | Purpose |
|---|---|---|
| Reader | Subscription | Read-only access to all Azure resources for comprehensive resource crawling |
| Contributor | Subscription | Required for ARM template deployments and remediation actions |
| Management Group Reader | Tenant (Root Management Group) | Read access to management group hierarchy |
| AcrPull | All existing ACR registries | Pull access for container image crawling and SBOM generation |
Microsoft Graph API Permissions (Automatically Configured)
These permissions are configured on the App Registration's API permissions and enable Active Directory crawling:
| Permission | Type | Purpose |
|---|---|---|
| User.Read.All | Application | Read all users in the directory |
| Group.Read.All | Application | Read all groups in the directory |
| RoleManagement.Read.All | Application | Read role definitions and assignments |
[!NOTE] Admin consent is required for these permissions. The ARM template attempts to grant consent automatically. If consentStatus shows PendingManualAction, follow Step 4 in the Setup Guide.
Additional Considerations
Container Registry
The AcrPull role is required for container registry crawling. The ARM template automatically assigns AcrPull to all ACR registries existing at deployment time.
[!NOTE] ACR registries created after deployment will not have AcrPull assigned automatically. For new registries, either re-run the resource ARM template or manually assign the AcrPull role. Subscription-level AcrPull assignment is recommended to cover all registries automatically.
For further documentation on Azure permissions, refer to the Azure Role-Based Access Control (RBAC) documentation.
SBOM Generation
The Azure blueprint includes SBOM (Software Bill of Materials) generation for container images stored in Azure Container Registry (ACR). This provides comprehensive vulnerability scanning and dependency analysis for containerized applications.
For information about supported languages and package managers for SBOM generation, see: SBOM
Schema Model
| Resources | Source Entity | Normalized Entity | Description |
|---|---|---|---|
| Storage Account | storage | Storage | An Azure storage account. |
| Azure Storage Account | azure.storage.Account | Account | An Azure storage account. |
| Storage Container | azure.storage.Container | Storage | A container within an Azure storage account. |
| Storage Blob | storage.Blob | Blob | A blob stored within an Azure storage account. |
| Subscription | subscription | Subscription | An Azure subscription. |
| Subscription Details | subscription.Subscription | Subscription | Detailed Azure subscription information. |
| Management Group | managementgroup | ManagementGroup | A management group in Azure. |
| Azure Management Group | azure.managementgroup.ManagementGroup | ManagementGroup | An Azure-specific management group. |
| Resource Group | resourcegroup | ResourceGroup | A resource group in Azure. |
| Azure Resource Group | azure.subscription.ResourceGroup | ResourceGroup | A resource group in an Azure subscription. |
| User | user.User | User | A user in Azure Active Directory. |
| Virtual Network | virtualnetwork | VirtualNetwork | A virtual network in Azure. |
| Azure Virtual Network | azure.network.VirtualNetwork | VirtualNetwork | A virtual network within an Azure subscription. |
| Network Interface | azure.subscription.Interface | Interface | A network interface in Azure. |
| Subnet | azure.network.Subnet | Subnet | A subnet within an Azure virtual network. |
| IP Configuration | azure.subscription.IPConfiguration | IPConfiguration | IP configuration for Azure resources. |
| Security Group | azure.network.SecurityGroup | SecurityGroup | A network security group in Azure. |
| Security Rule | azure.network.SecurityRule | SecurityRule | A security rule within a network security group. |
| Route Table | azure.subscription.RouteTable | RouteTable | A route table in Azure. |
| Function | functions.Function | Function | An Azure function. |
| Postgres Server | postgresserver.PostgresServer | DatabaseServer | A PostgreSQL server in Azure. |
| OS Disk | azure.subscription.OSDisk | Disk | An OS disk for Azure virtual machines. |
| Virtual Machine Scale Set VM Profile | azure.compute.VirtualMachineScaleSetVMProfile | VMProfile | A profile for virtual machine scale sets. |
| Availability Set | azure.compute.AvailabilitySet | AvailabilitySet | An availability set for Azure VMs. |
| Network Profile | azure.subscription.NetworkProfile | NetworkProfile | A network profile in Azure. |
| Storage Profile | azure.subscription.StorageProfile | StorageProfile | A storage profile in Azure. |
| Virtual Machine | azure.compute.VirtualMachine | VirtualMachine | A virtual machine in Azure. |
| SKU | azure.subscription.SKU | SKU | A specific SKU for Azure resources. |
| Linux Configuration | azure.subscription.LinuxConfiguration | Configuration | Linux-specific configurations for VMs. |
| Azure Active Directory Group | azure.activedirectory.Group | Group | A group in Azure Active Directory. |
| Azure Authorization Role Assignment | azure.authorization.RoleAssignment | RoleAssignment | A role assignment in Azure. |
| Billing Account | azure.billing.BillingAccount | BillingAccount | An Azure billing account. |
| Container Registry | azure.containerregistry.Registry | ContainerRegistry | An Azure container registry. |
| Container | azure.containerapps.Container | Container | A container in Azure Container Apps. |
| Container App | azure.containerapps.ContainerApp | ContainerApp | A container application in Azure. |
| Container Registry Network Rule Set | azure.containerregistry.NetworkRuleSet | NetworkRuleSet | A set of network rules for Azure Container Registry. |
| Container Registry IP Rule | azure.containerregistry.IPRule | IPRule | An IP rule for Azure Container Registry. |
| Container Registry Policies | azure.containerregistry.Policies | Policies | Policies for Azure Container Registry. |
| Container Registry Export Policy | azure.containerregistry.ExportPolicy | ExportPolicy | Export policy for Azure Container Registry. |
| Container Registry Retention Policy | azure.containerregistry.RetentionPolicy | RetentionPolicy | Retention policy for Azure Container Registry. |
| Container Registry Soft Delete Policy | azure.containerregistry.SoftDeletePolicy | SoftDeletePolicy | Soft delete policy for Azure Container Registry. |
| Container Registry Trust Policy | azure.containerregistry.TrustPolicy | TrustPolicy | Trust policy for Azure Container Registry. |
| Container Registry System Data | azure.containerregistry.SystemData | SystemData | System data for Azure Container Registry. |
| Container Apps System Data | azure.containerapps.SystemData | SystemData | System data for Azure Container Apps. |
| PostgreSQL Resource Identity | postgresserver.ResourceIdentity | ResourceIdentity | Resource identity for PostgreSQL servers. |
| PostgreSQL Server Private Endpoint Connection | postgresserver.ServerPrivateEndpointConnection | EndpointConnection | Private endpoint connection for PostgreSQL servers. |
| PostgreSQL Storage Profile | postgresserver.StorageProfile | StorageProfile | Storage profile for PostgreSQL servers. |
| Application Gateway Backend Address Pool | azure.subscription.ApplicationGatewayBackendAddressPool | BackendAddressPool | Backend address pool for an application gateway. |
| Application Gateway Backend Address | azure.subscription.ApplicationGatewayBackendAddress | BackendAddress | Backend address for an application gateway. |
| Application Gateway IP Configuration | azure.subscription.ApplicationGatewayIPConfiguration | IPConfiguration | IP configuration for an application gateway. |
| Application Security Group | azure.subscription.ApplicationSecurityGroup | SecurityGroup | Security group for applications. |
| Backend Address Pool | azure.subscription.BackendAddressPool | BackendAddressPool | Backend address pool in Azure subscriptions. |
| Gateway Load Balancer Tunnel Interface | azure.subscription.GatewayLoadBalancerTunnelInterface | TunnelInterface | Tunnel interface for gateway load balancers. |
| Frontend IP Configuration | azure.subscription.FrontendIPConfiguration | IPConfiguration | Frontend IP configuration in Azure subscriptions. |
| Inbound NAT Rule | azure.subscription.InboundNatRule | NatRule | Inbound NAT rule in Azure subscriptions. |
| Interface IP Configuration | azure.subscription.InterfaceIPConfiguration | IPConfiguration | Interface IP configuration in Azure subscriptions. |
| Interface IP Configuration Private Link Connection Props | azure.subscription.InterfaceIPConfigurationPrivateLinkConnectionProperties | PrivateLinkProps | Private link connection properties for interface IP configurations. |
| Interface Tap Configuration | azure.subscription.InterfaceTapConfiguration | TapConfiguration | Tap configuration for interfaces in Azure subscriptions. |
| IP Configuration Profile | azure.subscription.IPConfigurationProfile | IPProfile | IP configuration profile in Azure subscriptions. |
| Load Balancer Backend Address | azure.subscription.LoadBalancerBackendAddress | BackendAddress | Backend address for Azure load balancers. |
| NAT Rule Port Mapping | azure.subscription.NatRulePortMapping | PortMapping | Port mapping for NAT rules in Azure subscriptions. |
| NAT Gateway | azure.subscription.NatGateway | Gateway | NAT gateway in Azure subscriptions. |
| Private Endpoint IP Configuration | azure.subscription.PrivateEndpointIPConfiguration | EndpointConfiguration | Private endpoint IP configuration in Azure subscriptions. |
| Private Endpoint | azure.subscription.PrivateEndpoint | PrivateEndpoint | Private endpoint in Azure subscriptions. |
| Custom DNS Config Properties | azure.subscription.CustomDNSConfigPropertiesFormat | DNSProperties | Custom DNS configuration properties. |
| Private Link Service Connection | azure.subscription.PrivateLinkServiceConnection | LinkConnection | Connection for Azure private link services. |
| Private Link Service Connection State | azure.subscription.PrivateLinkServiceConnectionState | ConnectionState | State of private link service connection. |
| Private Link Service | azure.subscription.PrivateLinkService | PrivateLinkService | Private link service in Azure subscriptions. |
| Public IP Address | azure.network.PublicIPAddress | PublicIPAddress | Public IP address in Azure subscriptions. |
| Public IP Address SKU | azure.network.PublicIPAddressSKU | PublicIPAddressSKU | SKU details for public IP addresses in Azure. |
| Public IP Address DNS Settings | azure.network.PublicIPAddressDNSSettings | DNSSettings | DNS settings for public IP addresses in Azure. |
| DDoS Settings | azure.subscription.DdosSettings | DdosSettings | DDoS settings for Azure resources. |
| IP Tag | azure.subscription.IPTag | IPTag | IP tag for Azure subscriptions. |
| Resource Navigation Link | azure.subscription.ResourceNavigationLink | NavigationLink | Navigation link for Azure resources. |
| Route | azure.subscription.Route | Route | Route configuration for Azure subscriptions. |
| Service Association Link | azure.subscription.ServiceAssociationLink | AssociationLink | Association link for Azure services. |
| Service Endpoint Policy Definition | azure.subscription.ServiceEndpointPolicyDefinition | EndpointPolicyDefinition | Policy definition for Azure service endpoints. |
| Service Endpoint Policy | azure.subscription.ServiceEndpointPolicy | EndpointPolicy | Endpoint policy for Azure services. |
| Service Endpoint Properties Format | azure.subscription.ServiceEndpointPropertiesFormat | EndpointProperties | Properties for Azure service endpoints. |
| Virtual Network Peering | azure.network.VirtualNetworkPeering | NetworkPeering | Virtual network peering in Azure. |
| Virtual Network Tap | azure.network.VirtualNetworkTap | VirtualTap | Virtual tap for Azure virtual networks. |
| SQL Server | azure.sql.SqlServer | SqlServer | An Azure SQL Database server. |
| SQL Database | azure.sql.SqlDatabase | SqlDatabase | A database on an Azure SQL server. |
| SQL Firewall Rule | azure.sql.FirewallRule | FirewallRule | A firewall rule for an Azure SQL server. |
| DNS Zone | azure.dns.DnsZone | DnsZone | An Azure DNS zone. |
| DNS Record Set | azure.dns.DnsRecordSet | DnsRecordSet | A DNS record set in an Azure DNS zone. |
| Redis Cache | azure.redis.RedisCache | RedisCache | An Azure Cache for Redis instance. |
| Redis Firewall Rule | azure.redis.RedisFirewallRule | FirewallRule | A firewall rule for Azure Cache for Redis. |
| Monitor Metric Alert | azure.monitor.MetricAlert | MetricAlert | An Azure Monitor metric alert rule. |
| Monitor Activity Log Alert | azure.monitor.ActivityLogAlert | ActivityLogAlert | An Azure Monitor activity log alert. |
| Monitor Action Group | azure.monitor.ActionGroup | ActionGroup | An Azure Monitor action group. |
| Cosmos DB Account | azure.cosmos.CosmosAccount | CosmosAccount | An Azure Cosmos DB database account. |
| Cosmos DB Database | azure.cosmos.CosmosDatabase | CosmosDatabase | A database within an Azure Cosmos DB account. |
| WAF Policy | azure.waf.WafPolicy | WafPolicy | An Azure WAF policy for Application Gateway. |
| WAF Custom Rule | azure.waf.WafCustomRule | WafCustomRule | A custom rule within an Azure WAF policy. |
| API Management Service | azure.apimanagement.ApimService | ApimService | An Azure API Management service instance. |
| API Management API | azure.apimanagement.ApimAPI | ApimAPI | An API within Azure API Management. |
| CDN Profile | azure.cdn.CdnProfile | CdnProfile | An Azure CDN profile. |
| CDN Endpoint | azure.cdn.CdnEndpoint | CdnEndpoint | An endpoint within an Azure CDN profile. |
| Service Bus Namespace | azure.servicebus.ServiceBusNamespace | ServiceBusNamespace | An Azure Service Bus namespace. |
| Service Bus Queue | azure.servicebus.ServiceBusQueue | ServiceBusQueue | A queue within an Azure Service Bus namespace. |
| Service Bus Topic | azure.servicebus.ServiceBusTopic | ServiceBusTopic | A topic within an Azure Service Bus namespace. |
| Event Grid Topic | azure.eventgrid.EventGridTopic | EventGridTopic | An Azure Event Grid topic. |
| Event Grid Domain | azure.eventgrid.EventGridDomain | EventGridDomain | An Azure Event Grid domain. |
| Event Hub Namespace | azure.eventhub.EventHubNamespace | EventHubNamespace | An Azure Event Hubs namespace. |
| Event Hub | azure.eventhub.EventHub | EventHub | An event hub within an Azure Event Hubs namespace. |
| OpenAI Account | azure.openai.OpenAIAccount | OpenAIAccount | An Azure OpenAI cognitive services account. |
| OpenAI Deployment | azure.openai.OpenAIDeployment | OpenAIDeployment | A model deployment within an Azure OpenAI account. |
| Synapse Workspace | azure.synapse.SynapseWorkspace | SynapseWorkspace | An Azure Synapse Analytics workspace. |
| Synapse SQL Pool | azure.synapse.SynapseSQLPool | SynapseSQLPool | A dedicated SQL pool within a Synapse workspace. |
| Logic App Workflow | azure.logic.LogicWorkflow | LogicWorkflow | An Azure Logic Apps workflow. |
| Data Factory | azure.datafactory.DataFactoryFactory | DataFactoryFactory | An Azure Data Factory instance. |
| Data Factory Pipeline | azure.datafactory.DataFactoryPipeline | DataFactoryPipeline | A pipeline within an Azure Data Factory. |
| AI Search Service | azure.search.SearchService | SearchService | An Azure AI Search service. |
| ARM Deployment | azure.deployments.Deployment | Deployment | An Azure ARM template deployment. |
| ARM Deployment Operation | azure.deployments.DeploymentOperation | DeploymentOperation | An operation within an ARM deployment. |
| MySQL Flexible Server | azure.mysqlserver.MysqlServer | MysqlServer | An Azure Database for MySQL Flexible Server instance. |
| MariaDB Server | azure.mariadb.MariaDBServer | MariaDBServer | An Azure Database for MariaDB server instance. |
| MariaDB Storage Profile | azure.mariadb.StorageProfile | StorageProfile | Storage profile for an Azure MariaDB server. |
| Kusto Cluster | azure.kusto.KustoCluster | KustoCluster | An Azure Data Explorer (Kusto) cluster. |
| Purview Account | azure.purview.PurviewAccount | PurviewAccount | An Azure Purview data governance account. |
IaC Resource Relationships
The blueprint automatically correlates Infrastructure as Code (IaC) resources with the actual cloud resources they manage:
- iac.DeployedAs: Links IaC source code resources (ARM and Bicep templates scanned from repositories) to their deployed ARM deployment operations, matching by resource type.
- iac.ManagesResource: Links ARM deployment operations to the actual Azure cloud resources they provision (Virtual Machines, Key Vaults, Functions, etc.), matching by TargetResourceID.
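The two correlations above, worked through on constructed records as an added example (not Kscope's own implementation). The deployment-operation shape (properties.targetResource with id and resourceType) is an assumption modelled on the ARM deployment operations API, and the subscription id is a placeholder.

```python
"""iac.DeployedAs (match by resource type) and iac.ManagesResource (match by
TargetResourceID) over constructed IaC, deployment-operation and crawl records.
Added illustration, not Kscope's code; record shapes are assumptions."""
from __future__ import annotations

from collections import defaultdict

# Constructed: resources found by scanning ARM/Bicep templates in a repository.
IAC_RESOURCES = [
    {"id": "iac:repo/infra/main.bicep#vm", "type": "Microsoft.Compute/virtualMachines"},
    {"id": "iac:repo/infra/main.bicep#kv", "type": "Microsoft.KeyVault/vaults"},
    {"id": "iac:repo/infra/func.json#fn", "type": "Microsoft.Web/sites"},
]

_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/demo-rg/providers/"

# Constructed deployment operations (shape assumed from the ARM deployment operations API).
DEPLOYMENT_OPERATIONS = [
    {"operationId": "op-1", "properties": {"targetResource": {
        "id": _SUB + "Microsoft.Compute/virtualMachines/web01",
        "resourceType": "Microsoft.Compute/virtualMachines"}}},
    {"operationId": "op-2", "properties": {"targetResource": {
        "id": _SUB + "Microsoft.KeyVault/vaults/kv01",
        "resourceType": "Microsoft.KeyVault/vaults"}}},
    {"operationId": "op-3", "properties": {"targetResource": {
        "id": _SUB + "Microsoft.Storage/storageAccounts/stacct01",
        "resourceType": "Microsoft.Storage/storageAccounts"}}},
]

# Constructed crawled resources. kv01 is recorded with different casing: ARM
# resource ids are case-insensitive, so a naive string match would miss it.
CLOUD_RESOURCES = [
    {"id": _SUB + "Microsoft.Compute/virtualMachines/web01", "type": "Microsoft.Compute/virtualMachines"},
    {"id": _SUB + "Microsoft.KeyVault/vaults/KV01", "type": "Microsoft.KeyVault/vaults"},
    {"id": _SUB + "Microsoft.Storage/storageAccounts/stacct01", "type": "Microsoft.Storage/storageAccounts"},
    {"id": _SUB + "Microsoft.Compute/virtualMachines/adhoc01", "type": "Microsoft.Compute/virtualMachines"},
]


def deployed_as(iac_resources, operations) -> dict[str, list[str]]:
    """iac.DeployedAs: each IaC resource -> deployment operations of the same resource type.
    Type-only matching is coarse by design: one template resource may link to several operations."""
    ops_by_type: dict[str, list[str]] = defaultdict(list)
    for op in operations:
        target = op["properties"]["targetResource"]
        ops_by_type[target["resourceType"].lower()].append(op["operationId"])
    return {r["id"]: ops_by_type.get(r["type"].lower(), []) for r in iac_resources}


def manages_resource(operations, cloud_resources) -> dict[str, str]:
    """iac.ManagesResource: deployment operation -> cloud resource whose id equals its TargetResourceID."""
    by_id = {r["id"].lower(): r["id"] for r in cloud_resources}
    edges: dict[str, str] = {}
    for op in operations:
        match = by_id.get(op["properties"]["targetResource"]["id"].lower())
        if match is not None:
            edges[op["operationId"]] = match
    return edges


def unmanaged(cloud_resources, edges) -> list[str]:
    """Cloud resources no deployment operation points at: created outside IaC, worth a review."""
    managed = {rid.lower() for rid in edges.values()}
    return [r["id"] for r in cloud_resources if r["id"].lower() not in managed]


def undeployed(deployed) -> list[str]:
    """IaC resources with no matching deployment operation: template content never rolled out."""
    return [rid for rid, ops in deployed.items() if not ops]


if __name__ == "__main__":
    links = manages_resource(DEPLOYMENT_OPERATIONS, CLOUD_RESOURCES)
    print("DeployedAs:", deployed_as(IAC_RESOURCES, DEPLOYMENT_OPERATIONS))
    print("ManagesResource:", links)
    print("Unmanaged:", unmanaged(CLOUD_RESOURCES, links))
```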
Security Insights (CSPM)
| Insight | Severity | Description |
|---|---|---|
| SQL Servers With Public Network Access | High | Detects Azure SQL Servers with public network access enabled, exposing database endpoints to the internet. |
| SQL Servers With Low TLS Version | High | Detects Azure SQL Servers allowing TLS versions below 1.2, vulnerable to known protocol attacks. |
| Redis Cache With Non-SSL Port Enabled | High | Detects Azure Cache for Redis instances with non-SSL port enabled, allowing unencrypted connections. |
| Redis Cache With Public Network Access | Medium | Detects Azure Cache for Redis instances with public network access, reachable from the internet. |
| Cosmos DB With Public Network Access | High | Detects Azure Cosmos DB accounts with public network access, exposing database endpoints to the internet. |
| Cosmos DB Without Automatic Failover | Medium | Detects Azure Cosmos DB accounts without automatic failover, requiring manual intervention during regional outages. |
| API Management With Public Network Access | Medium | Detects Azure API Management services with public network access, exposing APIs and management plane. |
| WAF Policies in Detection Mode | High | Detects Azure WAF policies in Detection-only mode that log but do not block malicious requests. |
| Synapse Workspaces With Public Network Access | High | Detects Azure Synapse Analytics workspaces with public network access, exposing analytics data. |
| Data Factory With Public Network Access | Medium | Detects Azure Data Factory instances with public network access, exposing data integration pipelines. |
| Event Grid Topics With Public Network Access | Medium | Detects Azure Event Grid topics with public network access, allowing event publishing from any network. |
| OpenAI Accounts With Public Network Access | High | Detects Azure OpenAI accounts with public network access, exposing AI model endpoints to the internet. |
| AI Search With Public Network Access | Medium | Detects Azure AI Search services with public network access, exposing search indexes to the internet. |
| ARM Deployments With Failed Status | Medium | Detects Azure ARM template deployments with a Failed provisioning state, indicating infrastructure provisioning issues that may leave resources in an inconsistent state. |
| MySQL Flexible Servers With Public Network Access | High | Detects Azure MySQL Flexible Server instances with public network access enabled, exposing the database to the internet. |
| MySQL Flexible Servers With Low Backup Retention | Medium | Detects Azure MySQL Flexible Server instances with backup retention configured for fewer than 7 days, limiting the recovery window. |
| MySQL Flexible Servers Without Geo-Redundant Backup | Medium | Detects Azure MySQL Flexible Server instances without geo-redundant backup enabled, risking data loss during regional outages. |
| MariaDB Servers Without SSL Enforcement | High | Detects Azure Database for MariaDB server instances without SSL enforcement enabled, allowing unencrypted connections. |
| MariaDB Servers With Low Backup Retention | Medium | Detects Azure Database for MariaDB server instances with backup retention configured for fewer than 7 days, limiting the recovery window. |
| Kusto Clusters Without Disk Encryption | Medium | Detects Azure Data Explorer (Kusto) clusters with disk encryption disabled, leaving data at rest unprotected. |
| Kusto Clusters Without Customer-Managed Key Encryption | Medium | Detects Azure Data Explorer (Kusto) clusters without customer-managed key (CMK) encryption configured, limiting control over encryption key lifecycle. |
| Purview Accounts With Public Network Access | High | Detects Azure Purview accounts with public network access enabled, exposing the data governance endpoint to the internet. |
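An added example, not Kscope's detection code, of how a subset of the insights above can be evaluated as predicates over crawled ARM resource records. The resource property names (publicNetworkAccess, minimalTlsVersion, enableNonSslPort, policySettings.mode, backup.backupRetentionDays, sslEnforcement, enableDiskEncryption) follow the Azure resource provider schemas as I know them and are assumptions here; the sample inventory is constructed.

```python
"""Posture checks of the kind behind the Security Insights table above.
Constructed illustration, not Kscope's detection code; property names are
assumptions modelled on the Azure resource provider schemas."""
from __future__ import annotations

from typing import Callable


def tls_below_1_2(version) -> bool:
    """True when the enforced minimum TLS version is below 1.2; a missing or
    unparseable minimum means no floor is enforced, so it is also flagged."""
    if not isinstance(version, str):
        return True
    try:
        major, minor = (int(part) for part in version.split("."))
    except ValueError:
        return True
    return (major, minor) < (1, 2)


# (insight, severity, ARM resource type, predicate over the resource's properties)
CHECKS: list[tuple[str, str, str, Callable[[dict], bool]]] = [
    ("SQL Servers With Public Network Access", "High", "Microsoft.Sql/servers",
     # an absent flag is read as Enabled so an unset value is surfaced, not hidden
     lambda p: p.get("publicNetworkAccess", "Enabled") == "Enabled"),
    ("SQL Servers With Low TLS Version", "High", "Microsoft.Sql/servers",
     lambda p: tls_below_1_2(p.get("minimalTlsVersion"))),
    ("Redis Cache With Non-SSL Port Enabled", "High", "Microsoft.Cache/redis",
     lambda p: bool(p.get("enableNonSslPort", False))),
    ("WAF Policies in Detection Mode", "High",
     "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
     lambda p: p.get("policySettings", {}).get("mode") == "Detection"),
    ("MySQL Flexible Servers With Low Backup Retention", "Medium",
     "Microsoft.DBforMySQL/flexibleServers",
     lambda p: p.get("backup", {}).get("backupRetentionDays", 0) < 7),
    ("MariaDB Servers Without SSL Enforcement", "High",
     "Microsoft.DBforMariaDB/servers",
     lambda p: p.get("sslEnforcement") != "Enabled"),
    ("Kusto Clusters Without Disk Encryption", "Medium", "Microsoft.Kusto/clusters",
     lambda p: not p.get("enableDiskEncryption", False)),
]


def evaluate(resources: list[dict]) -> list[dict]:
    """Run every applicable check over each resource (ARM type names are case-insensitive)."""
    findings = []
    for resource in resources:
        rtype = resource.get("type", "").lower()
        props = resource.get("properties") or {}
        for insight, severity, check_type, predicate in CHECKS:
            if rtype == check_type.lower() and predicate(props):
                findings.append({"insight": insight, "severity": severity,
                                 "resource": resource["id"]})
    return findings


# Constructed sample inventory; the subscription id is a placeholder.
_RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/demo-rg/providers/"
SAMPLE_RESOURCES = [
    {"id": _RG + "Microsoft.Sql/servers/sql-weak", "type": "Microsoft.Sql/servers",
     "properties": {"publicNetworkAccess": "Enabled", "minimalTlsVersion": "1.0"}},
    {"id": _RG + "Microsoft.Sql/servers/sql-ok", "type": "Microsoft.Sql/servers",
     "properties": {"publicNetworkAccess": "Disabled", "minimalTlsVersion": "1.2"}},
    {"id": _RG + "Microsoft.Cache/Redis/cache01", "type": "Microsoft.Cache/Redis",
     "properties": {"enableNonSslPort": True}},
    {"id": _RG + "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/waf01",
     "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",
     "properties": {"policySettings": {"mode": "Detection"}}},
    {"id": _RG + "Microsoft.DBforMySQL/flexibleServers/mysql01",
     "type": "Microsoft.DBforMySQL/flexibleServers",
     "properties": {"backup": {"backupRetentionDays": 3}}},
    {"id": _RG + "Microsoft.DBforMariaDB/servers/maria01",
     "type": "Microsoft.DBforMariaDB/servers",
     "properties": {"sslEnforcement": "Disabled"}},
    {"id": _RG + "Microsoft.Kusto/clusters/adx01", "type": "Microsoft.Kusto/clusters",
     "properties": {"enableDiskEncryption": True}},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_RESOURCES):
        print(f"[{finding['severity']}] {finding['insight']}: {finding['resource']}")
```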
Events
| Event | Description |
|---|---|
| MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTACCOUNTSAS/ACTION | Retrieves a shared access signature (SAS) token for accessing resources in an Azure Storage account. |
| Sign-in Activity | Logs and retrieves information about user sign-ins for monitoring and auditing purposes. |
| MICROSOFT.CONTAINERREGISTRY/REGISTRIES/LISTCREDENTIALS/ACTION | Retrieves credentials for accessing an Azure Container Registry. |