Search for Alerting Rule: Microsoft Azure Tokens
Use the search tokens below, which are available in the rule creation wizard.
azure.subscriptionName
Use a text value ##### to find Azure connectors based on the subscription name associated with the connector at the time of creation.
Example
Show connectors with this subscription name
azure.subscriptionName: Sample Cloud Subscription
azure.subscriptionId
Use a text value ##### to find Azure connectors based on the unique subscription ID associated with the connector at the time of creation.
Example
Show connectors with this subscription ID
azure.subscriptionId: fbb9ea64-abda-452e-adfa-83442409
Select the region code from the drop-down menu. The drop-down menu options contain region codes. For example, the region code for Singapore is ap-southeast-1. For the complete mapping of region code to region, view Azure Region Mapping.
Example
Find resources in the ap-southeast-1 (Singapore) region
cloud.region: ap-southeast-1
Select the type of service you're interested in. Select from names in the drop-down menu. The drop-down menu options contain service type codes. For example, the service code for Azure Active Directory is AZURE_AD. For the complete mapping of service type code to service type, view Azure Service Type Mapping.
Example
Show service type Azure Active Directory
service.type: AZURE_AD
cloud.resource.type
Select the type of resource you're interested in. Select from names in the drop-down menu. The drop-down menu options contain resource type codes. For example, the resource type code for Network Security Group is NETWORK_SECURITY_GROUP. For the complete mapping of resource type code to resource type, view Azure Resource Type Mapping.
Example
Show resources of type Network Security Group
cloud.resource.type: NETWORK_SECURITY_GROUP
cloud.resource.id
Use a text value ##### to find resources by the unique ID assigned to the resource.
Example
Show resources with ID acl-8e5198f5
cloud.resource.id: acl-8e5198f5
Use a text value ##### to show controls based on the unique control ID associated with the control at the time of creation.
Example
Show controls with this ID
control.id: 205767712438
Use values within quotes to help you find controls with a certain name.
Examples
Show findings with this name
control.name: Avoid the use of the root account
Show any findings that contain parts of the name
control.name: "Avoid the use of the root account"
control.criticality
Select the control criticality (HIGH, MEDIUM, LOW) you're interested in.
Example
Show controls with High criticality
control.criticality: HIGH
Select the control result you're interested in: PASS or FAIL.
Examples
Show controls that passed
control.result: PASS
Show controls that failed
control.result: FAIL
cloud.resource.evaluatedDate
Use a date range or specific date to define when the resource was evaluated.
Examples
Show resources discovered within certain dates
cloud.resource.evaluatedDate: [2018-01-01 ... 2018-03-01]
Show resources updated starting 2018-10-01, ending 1 month ago
cloud.resource.evaluatedDate: [2018-01-01 ... now-1m]
Show resources updated starting 2 weeks ago, ending 1 second ago
cloud.resource.evaluatedDate: [now-2w ... now-1s]
Show resources discovered on a specific date
cloud.resource.evaluatedDate: 2018-01-08
cloud.resource.lastEvaluatedDate
Use a date range or specific date to define when the resource was last evaluated.
Examples
Show resources last evaluated within certain dates
cloud.resource.lastEvaluatedDate: [2018-01-01 ... 2018-03-01]
Show resources last evaluated starting 2018-10-01, ending 1 month ago
cloud.resource.lastEvaluatedDate: [2018-01-01 ... now-1m]
Show resources last evaluated starting 2 weeks ago, ending 1 second ago
cloud.resource.lastEvaluatedDate: [now-2w ... now-1s]
Show resources last evaluated on a specific date
cloud.resource.lastEvaluatedDate: 2018-01-08
Filter results by the unique identifier (UUID) of a connector.
Example
Show results associated with the connector having UUID 123e4567-e89b-12d3-a456-426614174000
connector.uuid: 123e4567-e89b-12d3-a456-426614174000
cloud.resource.firstEvaluatedDate
Use a date range or specific date to define when the resource was first discovered and evaluated.
Examples
Show resources first evaluated within certain dates
cloud.resource.firstEvaluatedDate: [2018-01-01 ... 2018-03-01]
Show resources first evaluated starting 2018-10-01, ending 1 month ago
cloud.resource.firstEvaluatedDate: [2018-01-01 ... now-1m]
Show resources first evaluated starting 2 weeks ago, ending 1 second ago
cloud.resource.firstEvaluatedDate: [now-2w ... now-1s]
Show resources first evaluated on a specific date
cloud.resource.firstEvaluatedDate: 2018-01-08
Filter results based on the specific evidence key associated with a finding.
Example
Show findings where the evidence key is "encryptionEnabled"
evidence.key: encryptionEnabled
Filter results based on the specific value captured in the evidence associated with a finding.
Example
Show findings where the evidence value is "false"
evidence.value: false
Use a text value ##### to show controls created from a QFlow with the specified QFlow ID.
Examples
Show controls with a specific QFlow ID
qflow.id: 80313390-aa04-11e9-9596-45e2d51410b1
Use values within quotes or back-ticks to find controls created from QFlow with the specified name.
Examples
Show controls that are created from QFlow with a name that partially matches the specified QFlow name.
qflow.name: "Publicly accessible S3 buckets"
Show controls that are created from QFlow with a name that exactly matches the specified QFlow name.
qflow.name: `S3 buckets`
cloud.resource.lastFixedDate
Use a date range or specific date to find when the misconfigured or vulnerable resources were last fixed.
Examples
Show the misconfigured or vulnerable resources last fixed within certain dates
cloud.resource.lastFixedDate: [2023-10-01 .. 2023-12-01]
Show the misconfigured or vulnerable resources last fixed starting 2023-01-01, ending 1 month ago
cloud.resource.lastFixedDate: [2023-01-01 .. now-1m]
Show the misconfigured or vulnerable resources last fixed starting 2 weeks ago, ending 1 second ago
cloud.resource.lastFixedDate: [now-2w .. now-1s]
Show the misconfigured or vulnerable resources last fixed on a specific date
cloud.resource.lastFixedDate: 2023-01-08
cloud.resource.lastReopenedDate
Use a date range or specific date to find when the misconfigured or vulnerable resources were last reopened.
Examples
Show the misconfigured or vulnerable resources last reopened within certain dates
cloud.resource.lastReopenedDate: [2023-10-01 .. 2023-12-01]
Show the misconfigured or vulnerable resources last reopened starting 2023-01-01, ending 1 month ago
cloud.resource.lastReopenedDate: [2023-01-01 .. now-1m]
Show the misconfigured or vulnerable resources last reopened starting 2 weeks ago, ending 1 second ago
cloud.resource.lastReopenedDate: [now-2w .. now-1s]
Show the misconfigured or vulnerable resources last reopened on a specific date
cloud.resource.lastReopenedDate: 2023-01-08
connector.tag.name
Search for connectors based on the applied tag name. Select the tag name from the drop-down.
Example
Show connectors tagged with Production
connector.tag.name: Production
Use values within quotes to find a CIS or AWS policy by name.
Examples
Show findings with this name
policy.name: CIS Amazon Web Services Foundations Benchmark
Show any findings that contain parts of the name
policy.name: "CIS Amazon Web Services Foundations Benchmark"
Microsoft Azure Region Mapping
| Code | Region Name |
| --- | --- |
| eastasia | Hong Kong |
| southeastasia | Singapore |
| centralus | Iowa |
| eastus | Virginia |
| eastus2 | Virginia 2 |
| westus | California |
| northcentralus | Illinois |
| southcentralus | Texas |
| northeurope | Ireland |
| westeurope | Netherlands |
| japaneast | Tokyo Saitama |
| japanwest | Osaka |
| brazilsouth | Sao Paulo State |
| australiaeast | New South Wales |
| australiasoutheast | Victoria |
| southindia | Chennai |
| centralindia | Pune |
| westindia | Mumbai |
| canadacentral | Toronto |
| canadaeast | Quebec City |
| uksouth | London |
| ukwest | Cardiff |
| westcentralus | Wyoming |
| westus2 | Washington |
| koreacentral | Seoul |
| koreasouth | Busan |
| francecentral | Paris |
| francesouth | Marseille |
| australiacentral | Canberra |
| australiacentral2 | Canberra 2 |
| uaecentral | UAE Central |
| uaenorth | UAE North |
| southafricanorth | Johannesburg |
| southafricawest | Cape Town |
| switzerlandnorth | Switzerland North |
| switzerlandwest | Switzerland West |
| germanynorth | Germany North |
| germanywestcentral | Germany West Central |
| norwaywest | Norway West |
| norwayeast | Norway East |
| usgovvirginia | US Gov Virginia |
| usgoviowa | US Gov Iowa |
| usgovarizona | US Gov Arizona |
| usgovtexas | US Gov Texas |
| usdodeast | US DoD East |
| usdodcentral | US DoD Central |
| chinaeast | Shanghai |
| chinanorth | Beijing |
| germanycentral | Frankfurt |
| germanynortheast | Magdeburg |
Microsoft Azure Service Type Mapping
| Code | Service Type |
| --- | --- |
| VIRTUAL_MACHINE | Virtual Machines |
| VIRTUAL_NETWORK | Virtual Networks |
| RESOURCE_GROUP | Resource Groups |
| NETWORK_SECURITY_GROUP | Network Security Groups |
| SQL_SERVER_DATABASE | SQL Server Databases |
| SQL_SERVER | SQL Servers |
| SECURITY_CENTER | Security Center |
| STORAGE_ACCOUNT | Storage Account |
| MONITOR | Monitor |
| KEY_VAULT | Key Vault |
| PSQL_SERVER | PostgreSQL server |
| LOCKS | Locks |
| APP_SERVICE | App Service |
| AZURE_AD | Azure Active Directory |
| NETWORK_WATCHER | Network Watcher |
| MYSQL_SERVER | MySQL server |
| ACTIVITY_LOG | Activity Log |
| SNAPSHOT | Snapshot |
| KUBERNETES_SERVICE | Kubernetes Service |
| APPLICATION_GATEWAYS | Application Gateways |
| LOAD_BALANCER | Load Balancer |
| CONTAINER_REGISTRY | Container Registry |
| MARIADB_SERVER | MariaDB server |
| AZURE_SQL | Azure SQL |
| COSMOS_DB | Cosmos DB |
| DISK | Disk |
Microsoft Azure Resource Mapping
| Code | Resource Type |
| --- | --- |
| NETWORK_SECURITY_GROUP | Network Security Group |
| SQL_SERVER | SQL Server |
| SQL_SERVER_DATABASE | SQL Server Database |
| VIRTUAL_MACHINE | Virtual Machine |
| RESOURCE_GROUP | Resource Group |
| VIRTUAL_NETWORK | Virtual Network |
| SECURITY_POLICY | Security Policy |
| STORAGE_ACCOUNT | Storage Account |
| STORAGE_CONTAINER | Storage Container |
| ACTIVITY_LOG | Activity Log |
| DISK | Disk |
| KEY_VAULT | Key Vault |
| KEY | Key |
| SECRET | Secret |
| WEB_APP | Web App |
| FUNCTION_APP | Function App |
| APP_SERVICE_PLAN | App Service Plan |
| APPLICATION_GATEWAYS | Application Gateways |
| LOAD_BALANCER | Load Balancer |
| CONTAINER_REGISTRY | Container Registry |
| MARIADB_SERVER | MariaDB server |
| VIRTUAL_NETWORK_SUBNET | Virtual Network Subnet |
| VIRTUAL_NETWORK_PEERING | Virtual Network Peering |
| NETWORK_SECURITY_GROUP_FLOW_LOG | NSG Flow Log |
| COSMOS_DB | Cosmos DB |