Search for Alerting Rule: Microsoft Azure Tokens

Use the search tokens below, which we provide in the rule creation wizard.

subscriptionName

Use a text value ##### to find Azure connectors based on the subscription name associated with the connector at the time of creation.

Example

Show connectors with this subscription name

subscriptionName: Sample Cloud Subscription

subscriptionId

Use a text value ##### to find Azure connectors based on the unique subscription ID associated with the connector at the time of creation.

Example

Show connectors with this subscription ID

subscriptionId: fbb9ea64-abda-452e-adfa-83442409

region

Select the region code from the drop-down menu. The drop-down menu options contain region codes. For example, the region code for Singapore is ap-southeast-1. For the complete mapping of region codes to regions, view Azure Region Mapping.

Example

Find resources in the ap-southeast-1 (Singapore) region

region: ap-southeast-1

service.type

Select the type of service you're interested in from the names in the drop-down menu. The drop-down menu options contain service type codes. For example, the service code for Azure Active Directory is AZURE_AD. For the complete mapping of service type codes to service types, view Azure Service Type Mapping.

Example

Show service type Azure Active Directory

service.type: AZURE_AD

resource.type

Select the type of resource you're interested in from the names in the drop-down menu. The drop-down menu options contain resource type codes. For example, the resource type code for Network Security Group is NETWORK_SECURITY_GROUP. For the complete mapping of resource type codes to resource types, view Azure Resource Type Mapping.

Example

Show resources of type Network Security Group

resource.type: NETWORK_SECURITY_GROUP

resource.id

Use a text value ##### to find resources by the unique ID assigned to the resource.

Example

Show resources with ID acl-8e5198f5

resource.id: acl-8e5198f5

cid

Use a text value ##### to show controls based on the unique control ID associated with the control at the time of creation.

Example

Show controls with this ID

cid: 205767712438

control.criticality

Select the control criticality (HIGH, MEDIUM, LOW) you're interested in.

Example

Show controls with High criticality

control.criticality: HIGH

control.result

Use the control result value (FAIL) to view controls with a specific result.

Example

Show controls that failed

control.result: FAIL

evaluatedOn

Use a date range or a specific date to define when the resource was evaluated.

Examples

Show resources discovered within certain dates

evaluatedOn: [2018-01-01 ... 2018-03-01]

Show resources updated starting 2018-10-01, ending 1 month ago

evaluatedOn: [2018-01-01 ... now-1m]

Show resources updated starting 2 weeks ago, ending 1 second ago

evaluatedOn: [now-2w ... now-1s]

Show resources discovered on specific date

evaluatedOn: 2018-01-08

lastEvaluated

Use a date range or a specific date to define when the resource was last evaluated.

Examples

Show resources last evaluated within certain dates

lastEvaluated: [2018-01-01 ... 2018-03-01]

Show resources last evaluated starting 2018-10-01, ending 1 month ago

lastEvaluated: [2018-01-01 ... now-1m]

Show resources last evaluated starting 2 weeks ago, ending 1 second ago

lastEvaluated: [now-2w ... now-1s]

Show resources last evaluated on specific date

lastEvaluated: 2018-01-08

firstEvaluated

Use a date range or specific date to define when the resource was first discovered and evaluated.

Examples

Show resources first evaluated within certain dates

firstEvaluated: [2018-01-01 ... 2018-03-01]

Show resources first evaluated starting 2018-10-01, ending 1 month ago

firstEvaluated: [2018-01-01 ... now-1m]

Show resources first evaluated starting 2 weeks ago, ending 1 second ago

firstEvaluated: [now-2w ... now-1s]

Show resources first evaluated on specific date

firstEvaluated: 2018-01-08

policy.name

Use values within quotes to find a CIS or AWS policy by name.

Examples

Show findings with this name

policy.name: CIS Amazon Web Services Foundations Benchmark

Show any findings that contain parts of name

policy.name: "CIS Amazon Web Services Foundations Benchmark"

Microsoft Azure Region Mapping

| Code | Region Name |
| --- | --- |
| eastasia | Hong Kong |
| southeastasia | Singapore |
| centralus | Iowa |
| eastus | Virginia |
| eastus2 | Virginia 2 |
| westus | California |
| northcentralus | Illinois |
| southcentralus | Texas |
| northeurope | Ireland |
| westeurope | Netherlands |
| japaneast | Tokyo Saitama |
| japanwest | Osaka |
| brazilsouth | Sao Paulo State |
| australiaeast | New South Wales |
| australiasoutheast | Victoria |
| southindia | Chennai |
| centralindia | Pune |
| westindia | Mumbai |
| canadacentral | Toronto |
| canadaeast | Quebec City |
| uksouth | London |
| ukwest | Cardiff |
| westcentralus | Wyoming |
| westus2 | Washington |
| koreacentral | Seoul |
| koreasouth | Busan |
| francecentral | Paris |
| francesouth | Marseille |
| australiacentral | Canberra |
| australiacentral2 | Canberra 2 |
| uaecentral | UAE Central |
| uaenorth | UAE North |
| southafricanorth | Johannesburg |
| southafricawest | Cape Town |
| switzerlandnorth | Switzerland North |
| switzerlandwest | Switzerland West |
| germanynorth | Germany North |
| germanywestcentral | Germany West Central |
| norwaywest | Norway West |
| norwayeast | Norway East |
| usgovvirginia | US Gov Virginia |
| usgoviowa | US Gov Iowa |
| usgovarizona | US Gov Arizona |
| usgovtexas | US Gov Texas |
| usdodeast | US DoD East |
| usdodcentral | US DoD Central |
| chinaeast | Shanghai |
| chinanorth | Beijing |
| germanycentral | Frankfurt |
| germanynortheast | Magdeburg |

Microsoft Azure Service Type Mapping

| Code | Service Type |
| --- | --- |
| VIRTUAL_MACHINE | Virtual Machines |
| VIRTUAL_NETWORK | Virtual Networks |
| RESOURCE_GROUP | Resource Groups |
| NETWORK_SECURITY_GROUP | Network Security Groups |
| SQL_SERVER_DATABASE | SQL Server Databases |
| SQL_SERVER | SQL Servers |
| SECURITY_CENTER | Security Center |
| STORAGE_ACCOUNT | Storage Account |
| MONITOR | Monitor |
| KEY_VAULT | Key Vault |
| PSQL_SERVER | PostgreSQL server |
| LOCKS | Locks |
| APP_SERVICE | App Service |
| AZURE_AD | Azure Active Directory |
| NETWORK_WATCHER | Network Watcher |
| MYSQL_SERVER | MySQL server |
| ACTIVITY_LOG | Activity Log |
| SNAPSHOT | Snapshot |
| KUBERNETES_SERVICE | Kubernetes Service |
| APPLICATION_GATEWAYS | Application Gateways |
| LOAD_BALANCER | Load Balancer |
| CONTAINER_REGISTRY | Container Registry |
| MARIADB_SERVER | MariaDB server |
| AZURE_SQL | Azure SQL |
| COSMOS_DB | Cosmos DB |
| DISK | Disk |

Microsoft Azure Resource Mapping

| Code | Resource Type |
| --- | --- |
| NETWORK_SECURITY_GROUP | Network Security Group |
| SQL_SERVER | SQL Server |
| SQL_SERVER_DATABASE | SQL Server Database |
| VIRTUAL_MACHINE | Virtual Machine |
| RESOURCE_GROUP | Resource Group |
| VIRTUAL_NETWORK | Virtual Network |
| SECURITY_POLICY | Security Policy |
| STORAGE_ACCOUNT | Storage Account |
| STORAGE_CONTAINER | Storage Container |
| ACTIVITY_LOG | Activity Log |
| DISK | Disk |
| KEY_VAULT | Key Vault |
| KEY | Key |
| SECRET | Secret |
| WEB_APP | Web App |
| FUNCTION_APP | Function App |
| APP_SERVICE_PLAN | App Service Plan |
| APPLICATION_GATEWAYS | Application Gateways |
| LOAD_BALANCER | Load Balancer |
| CONTAINER_REGISTRY | Container Registry |
| MARIADB_SERVER | MariaDB server |
| VIRTUAL_NETWORK_SUBNET | Virtual Network Subnet |
| VIRTUAL_NETWORK_PEERING | Virtual Network Peering |
| NETWORK_SECURITY_GROUP_FLOW_LOG | NSG Flow Log |
| COSMOS_DB | Cosmos DB |