Creating Policy Alerts for Azure

Create custom policies to generate alerts for actions on resources that are specific to your Azure environment.

Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.

Creating an Azure Policy

Follow these general steps for any policy you create to generate an alert for actions in Azure.

The following are general steps for creating an Azure policy. Once created, when the policy conditions are met, Oracle CASB Cloud Service displays an alert in Risk Events and optionally can send the alert through email.

1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
2. Click New Policy.
3. In the Name page:

   1. Enter a name for the policy.

   2. (Optional) Enter a description.

   3. Select a Priority.

   4. If you want policy violations to be included in user risk score computations, select Include in user risk score.

   5. Click Next.

4. On the Resource page, make these selections.

   Field	Value(s)
   Application type	Select Azure.
   Application instance	The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

5. To complete the selections on the Resource page, follow a link below to locate the topic for the particular resource type on which you want to trigger this alert.

   • Creating Alerts for Virtual Networks

   • Creating Alerts for Virtual Machines

   • Creating Alerts for Storage Account Disks

   • Creating Alerts for Storage Accounts

   • Creating Alerts for Storage

   • Creating Alerts for Key Vault

   • Creating Alerts for Disks

   • Creating Alerts for Classic Virtual Networks

   • Creating Alerts for Classic Virtual Machines

   • Creating Alerts for Classic Storage Accounts

   • Creating Alerts for Azure Users

   When you finish making the rest of the selections on the Resource page, follow the link at the end of that topic to return to this page and continue with the next step below.

6. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set on the Resource page.
   1. In the drop-down list, select Username contains or Username does not contain.
   2. In the text box to the right, enter one or more text strings that the user name must contain, or not contain, in order to trigger the alert.

      Separate multiple entries with commas. With multiple entries, if any one entry is contained, or not contained, in the name of the user who took the action, the alert is triggered.

   3. Click Next to go on to the next page.
7. (Optional) On the Conditions page, set conditions so that an alert is triggered only if the specified conditions are met.

   For information on condition parameters available for use in policy alerts for Azure, see Condition Parameters for Azure Alerts. For information on free-form conditions, see Examples of Parameters in Free-Form Conditions.

   1. Click Add condition or Add Free-From Condition.
   2. Select a Parameter, an Operator, and a Value from the drop-down lists.

      In free-form conditions, you enter values for Parameter and Value.

   3. To add another condition or free-form condition, repeat the 3 steps above.

      Note:

      When you specify multiple conditions, the conditions are ANDed. The alert is triggered only if all of the conditions are met. If you need to OR multiple conditions, create a separate policy for each condition.
   4. Click Next to go on to the next page.
8. On the Action page, set your  notifications:

   • Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.

   • Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

9. When you are done, click Next, review your settings, then click Submit.

Condition Parameters for Azure Alerts

Review the parameters and operators that are available in the Conditions page of the policy creation wizard for Azure.

These parameters and operators are available on the Conditions page of the New Policy wizard to fine tune your alerts for Azure.

Note:

The exact list of parameters that you see on the Conditions page depends on the resource details that you specify on the Resource page. Not all parameters are available with all resources.

Parameter	Operator	Value
IP address v4	Include this list of addresses (In or Equal to) or exclude them (Not in or Not equal to).	A comma-separated list of IPv4 addresses.
Device	Include or exclude the selected device type.	Select Desktop, Mobile, API Call, or Other.
Timestamp	The drop-down list determines whether the time is exact, later than the time you entered, or earlier (given a 24-hour time frame). Oracle CASB Cloud Service evaluates the timestamp using Greenwich Mean Time (GMT).	A value as a time in 24-hour HH:MM:SS format.
CASB threat intelligence IP reputation	Equal to is the only option.	To flag events from IP addresses with bad or good reputations, select: Suspicious for bad reputations. Regular for good reputations.
City, State, or Country	Equal to requires matching the name you enter in Value. Not Equal to requires not matching the name you enter in Value. In requires matching any one of several names you enter in Value. Not in requires matching none of several names you enter in Value.	The name of the city, or the state or province, in the physical address that’s associated with the IP address.

Creating Alerts for Virtual Networks

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Virtual Networks.

Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

   Field	Value
   Resource	Virtual Networks
   Resource name	You must provide a name for the selected resource type. If you select: Text, select an operator from the drop-down list (Equal to, Contains), Begins with or Ends with and enter type a full or partial rule name. Regular expression, enter .* to match all email retention rules.

2. Specify an Action on the resource using the table below:

   Action on this Resource	Description
   Any	Any action taken on this resource, as identified in the Criteria field of the Resource page.
   Delete	The virtual network has been deleted.
   Delete virtual network subnet	A subnet for the virtual network has been deleted.
   Delete virtual network peering	Peering for the virtual network has been deleted.
   Join	The virtual network has been joined.
   Join subnet via service tunnel	A subnet for the virtual network has been joined through a service tunnel.
   Peer	The virtual network has been peered.
   Write	The virtual network has been written to.
   Write virtual network peering	Peering for the virtual network has been written to.
   Write virtual network subnet	A subnet for the virtual network has been written to.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

   You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

   • Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

   • Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

   You are now on the Username page.

5. Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Virtual Machines

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Virtual Machines.

Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

   Field	Value
   Resource	Virtual Machines
   Resource name	You must provide a name for the selected resource type. If you select: Text, select an operator from the drop-down list (Equal to, Contains), Begins with or Ends with and enter type a full or partial rule name. Regular expression, enter .* to match all email retention rules.

2. Specify an Action on the resource using the table below:

   Action on this Resource	Description
   Any	Any action taken on this resource, as identified in the Criteria field of the Resource page.
   Capture	The virtual machine has been captured.
   Convert to managed disks	The virtual machine has been converted to managed disks.
   Deallocate	The virtual machine has been deallocated.
   Delete	The virtual machine has been deleted.
   Delete extensions	One or more extensions for the virtual machine have been deleted.
   Power off	The virtual machine was powered off.
   Redeploy	The virtual machine has been redeployed.
   Restart	The virtual machine has been restarted.
   Start	The virtual machine has been started.
   Write	The virtual machine has been written to.
   Write extensions	One or more extensions for the virtual machine have been written to.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

   You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

   • Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

   • Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

   You are now on the Username page.

5. Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Storage Account Disks

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Storage Account Disks.

Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

   Field	Value
   Resource	Storage Account Disks
   Resource name	You must provide a name for the selected resource type. If you select: Text, select an operator from the drop-down list (Equal to, Contains), Begins with or Ends with and enter type a full or partial rule name. Regular expression, enter .* to match all email retention rules.

2. Specify an Action on the resource using the table below:

   Action on this Resource	Description
   Any	Any action taken on this resource, as identified in the Criteria field of the Resource page.
   Delete	The storage account disk has been deleted.
   Write	The storage account disk has been written to.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

   You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

   • Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

   • Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

   You are now on the Username page.

5. Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Storage Accounts

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Storage Account.

Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

   Field	Value
   Resource	Storage Account
   Resource name	You must provide a name for the selected resource type. If you select: Text, select an operator from the drop-down list (Equal to, Contains), Begins with or Ends with and enter type a full or partial rule name. Regular expression, enter .* to match all email retention rules.

2. Specify an Action on the resource using the table below:

   Action on this Resource	Description
   Any	Any action taken on this resource, as identified in the Criteria field of the Resource page.
   Delete storage	The storage account has been deleted.
   List keys	Keys have been listed for the storage account.
   List SAS accounts	SAS accounts for the storage account have been listed.
   List Service SAS	The service SAS for the storage account has been listed.
   Regenerate key	A key has been regenerated for the storage account.
   Register	The storage account has been registered.
   Write diagnostic settings	Diagnostic settings have been written for the storage account.
   Write storage	Storage has been written for the storage account.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

   You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

   • Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

   • Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

   You are now on the Username page.

5. Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Storage

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Storage.

Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

   Field	Value
   Resource	Storage
   Resource name	You must provide a name for the selected resource type. If you select: Text, select an operator from the drop-down list (Equal to, Contains), Begins with or Ends with and enter type a full or partial rule name. Regular expression, enter .* to match all email retention rules.

2. Specify an Action on the resource using the table below:

   Action on this Resource	Description
   Any	Any action taken on this resource, as identified in the Criteria field of the Resource page.
   Delete virtual network or subnets	One or more virtual networks or subnets for storage have been deleted.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

   You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

   • Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

   • Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

   You are now on the Username page.

5. Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Key Vault

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Key Vault.

Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

   Field	Value
   Resource	Key Vault
   Resource name	You must provide a name for the selected resource type. If you select: Text, select an operator from the drop-down list (Equal to, Contains), Begins with or Ends with and enter type a full or partial rule name. Regular expression, enter .* to match all email retention rules.

2. Specify an Action on the resource using the table below:

   Action on this Resource	Description
   Any	Any action taken on this resource, as identified in the Criteria field of the Resource page.
   Delete	The key vault has been deleted.
   Read secrets	One or more secrets from the key vault have been read.
   Regenerate key	A key from the key vault has been regenerated.
   Write	The key vault has been written to.
   Write access policy	An access policy from the key vault has been written to.
   Write secrets	One or more secrets from the key vault has been written to.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

   You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

   • Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

   • Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

   You are now on the Username page.

5. Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Disks

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Disks.

Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

   Field	Value
   Resource	Disks
   Resource name	You must provide a name for the selected resource type. If you select: Text, select an operator from the drop-down list (Equal to, Contains), Begins with or Ends with and enter type a full or partial rule name. Regular expression, enter .* to match all email retention rules.

2. Specify an Action on the resource using the table below:

   Action on this Resource	Description
   Any	Any action taken on this resource, as identified in the Criteria field of the Resource page.
   Delete	The disk has been deleted.
   Get SAS URI	An SAS URI for the disk has been obtained.
   Revoke SAS URI	An SAS URI for the disk has been revoked.
   Write	The disk has been written to.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

   You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

   • Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

   • Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

   You are now on the Username page.

5. Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Classic Virtual Networks

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Classic Storage Accounts.

Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

   Field	Value
   Resource	Classic Storage Accounts
   Resource name	You must provide a name for the selected resource type. If you select: Text, select an operator from the drop-down list (Equal to, Contains), Begins with or Ends with and enter type a full or partial rule name. Regular expression, enter .* to match all email retention rules.

2. Specify an Action on the resource using the table below:

   Action on this Resource	Description
   Any	Any action taken on this resource, as identified in the Criteria field of the Resource page.
   Delete	The classic virtual network has been deleted.
   Join	The classic virtual network has been joined.
   Peer	The classic virtual network has been peered.
   Write	The classic virtual network has been written.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

   You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

   • Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

   • Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

   You are now on the Username page.

5. Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Classic Virtual Machines

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Classic Virtual Machines.

Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

   Field	Value
   Resource	Classic Virtual Machines
   Resource name	You must provide a name for the selected resource type. If you select: Text, select an operator from the drop-down list (Equal to, Contains), Begins with or Ends with and enter type a full or partial rule name. Regular expression, enter .* to match all email retention rules.

2. Specify an Action on the resource using the table below:

   Action on this Resource	Description
   Any	Any action taken on this resource, as identified in the Criteria field of the Resource page.
   Attach disk	A disk has been attached to the classic virtual machine.
   Associate NSG to a network interface	A network security group for the classic virtual machine has been associated to a network interface.
   Delete	The classic virtual machine has been deleted.
   Delete network security group	A network security group for the classic virtual machine has been deleted.
   Delete NSG from network interface	A network security group for the classic virtual machine has been deleted from a network interface.
   Detach disk	A disk has been detached from the classic virtual machine.
   Download RemoteDesktopConnectionFile	A remote desktop connection file for the classic virtual machine has been downloaded.
   Redeploy	The classic virtual machine has been redeployed.
   Restart	The classic virtual machine has been restarted.
   Start	The classic virtual machine has been started.
   Write extensions	One or more extensions for the classic virtual machine have been written.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

   You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

   • Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

   • Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

   You are now on the Username page.

5. Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Classic Storage Accounts

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Classic Storage Accounts.

Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

   Field	Value
   Resource	Classic Storage Accounts
   Resource name	You must provide a name for the selected resource type. If you select: Text, select an operator from the drop-down list (Equal to, Contains), Begins with or Ends with and enter type a full or partial rule name. Regular expression, enter .* to match all email retention rules.

2. Specify an Action on the resource using the table below:

   Action on this Resource	Description
   Any	Any action taken on this resource, as identified in the Criteria field of the Resource page.
   Delete	The classic storage account has been deleted.
   List keys	Keys have been listed for the classic storage account.
   Regenerate key	Keys have been regenerated for the classic storage account.
   Register	The classic storage account has been registered.
   Write storage	Storage has been written for the classic storage account.
   Write diagnostic settings	Diagnostic settings have been written for the classic storage account.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

   You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

   • Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

   • Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

   You are now on the Username page.

5. Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Azure Users

Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Azure AD User.

Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

1. Specify Resource details, using the information in the table below:

   Field	Value
   Resource	Azure AD User
   Resource name	You must provide a name for the selected resource type. If you select: Text, select an operator from the drop-down list (Equal to, Contains), Begins with or Ends with and enter type a full or partial rule name. Regular expression, enter .* to match all email retention rules.

2. Specify an Action on the resource using the table below:

   Action on this Resource	Description
   Any	Any action taken on this resource, as identified in the Criteria field of the Resource page.
   Failed login	The Azure AD User has attempted to log in and failed.
   Login	The Azure AD User has successfully logged in.

3. (Optional) Add more Resource name-Action pairs to refine your policy.

   You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

   • Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

   • Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

4. Click Next when you have finished specifying resource name-action pairs.

   You are now on the Username page.

5. Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.