Creating Policy Alerts for Azure
Create custom policies to generate alerts for actions on resources that are specific to your Azure environment.
Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.
Creating an Azure Policy
Follow these general steps for any policy you create to generate an alert for actions in Azure.
The following are general steps for creating an Azure policy. Once created, when the policy conditions are met, Oracle CASB Cloud Service displays an alert in Risk Events and optionally can send the alert through email.
Condition Parameters for Azure Alerts
Review the parameters and operators that are available in the Conditions page of the policy creation wizard for Azure.
These parameters and operators are available on the Conditions page of the New Policy wizard to fine tune your alerts for Azure.
Note:
The exact list of parameters that you see on the Conditions page depends on the resource details that you specify on the Resource page. Not all parameters are available with all resources.
Parameter | Operator | Value |
---|---|---|
IP address v4 | Include this list of addresses (In or Equal to) or exclude them (Not in or Not equal to). | A comma-separated list of IPv4 addresses. |
Device | Include or exclude the selected device type. | Select Desktop, Mobile, API Call, or Other. |
Timestamp | The drop-down list determines whether the time is exact, later than the time you entered, or earlier (given a 24-hour time frame). Oracle CASB Cloud Service evaluates the timestamp using Greenwich Mean Time (GMT). | A value as a time in 24-hour HH:MM:SS format. |
CASB threat intelligence IP reputation | Equal to is the only option. | To flag events from IP addresses with bad or good reputations, select: |
City, State, or Country | | The name of the city, or the state or province, in the physical address that’s associated with the IP address. |
Creating Alerts for Virtual Networks
Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Virtual Networks.
Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.
Specifying Resources and Actions to Trigger the Alert
- Specify Resource details, using the information in the table below:
  Field | Value |
  ---|---|
  Resource | Virtual Networks |
  Resource name | You must provide a name for the selected resource type. If you select Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial rule name. If you select Regular expression, enter .* to match all email retention rules. |
- Specify an Action on the resource using the table below:
  Action on this Resource | Description |
  ---|---|
  Any | Any action taken on this resource, as identified in the Criteria field of the Resource page. |
  Delete | The virtual network has been deleted. |
  Delete virtual network subnet | A subnet for the virtual network has been deleted. |
  Delete virtual network peering | Peering for the virtual network has been deleted. |
  Join | The virtual network has been joined. |
  Join subnet via service tunnel | A subnet for the virtual network has been joined through a service tunnel. |
  Peer | The virtual network has been peered. |
  Write | The virtual network has been written to. |
  Write virtual network peering | Peering for the virtual network has been written to. |
  Write virtual network subnet | A subnet for the virtual network has been written to. |
- (Optional) Add more Resource name-Action pairs to refine your policy.
  You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.
  - Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.
  - Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.
- Click Next when you have finished specifying resource name-action pairs.
  You are now on the Username page.
- Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.
Creating Alerts for Virtual Machines
Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Virtual Machines.
Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.
Specifying Resources and Actions to Trigger the Alert
- Specify Resource details, using the information in the table below:
  Field | Value |
  ---|---|
  Resource | Virtual Machines |
  Resource name | You must provide a name for the selected resource type. If you select Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial rule name. If you select Regular expression, enter .* to match all email retention rules. |
- Specify an Action on the resource using the table below:
  Action on this Resource | Description |
  ---|---|
  Any | Any action taken on this resource, as identified in the Criteria field of the Resource page. |
  Capture | The virtual machine has been captured. |
  Convert to managed disks | The virtual machine has been converted to managed disks. |
  Deallocate | The virtual machine has been deallocated. |
  Delete | The virtual machine has been deleted. |
  Delete extensions | One or more extensions for the virtual machine have been deleted. |
  Power off | The virtual machine was powered off. |
  Redeploy | The virtual machine has been redeployed. |
  Restart | The virtual machine has been restarted. |
  Start | The virtual machine has been started. |
  Write | The virtual machine has been written to. |
  Write extensions | One or more extensions for the virtual machine have been written to. |
- (Optional) Add more Resource name-Action pairs to refine your policy.
  You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.
  - Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.
  - Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.
- Click Next when you have finished specifying resource name-action pairs.
  You are now on the Username page.
- Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.
Creating Alerts for Storage Account Disks
Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Storage Account Disks.
Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.
Specifying Resources and Actions to Trigger the Alert
- Specify Resource details, using the information in the table below:
  Field | Value |
  ---|---|
  Resource | Storage Account Disks |
  Resource name | You must provide a name for the selected resource type. If you select Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial rule name. If you select Regular expression, enter .* to match all email retention rules. |
- Specify an Action on the resource using the table below:
  Action on this Resource | Description |
  ---|---|
  Any | Any action taken on this resource, as identified in the Criteria field of the Resource page. |
  Delete | The storage account disk has been deleted. |
  Write | The storage account disk has been written to. |
- (Optional) Add more Resource name-Action pairs to refine your policy.
  You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.
  - Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.
  - Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.
- Click Next when you have finished specifying resource name-action pairs.
  You are now on the Username page.
- Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.
Creating Alerts for Storage Accounts
Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Storage Account.
Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.
Specifying Resources and Actions to Trigger the Alert
- Specify Resource details, using the information in the table below:
  Field | Value |
  ---|---|
  Resource | Storage Account |
  Resource name | You must provide a name for the selected resource type. If you select Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial rule name. If you select Regular expression, enter .* to match all email retention rules. |
- Specify an Action on the resource using the table below:
  Action on this Resource | Description |
  ---|---|
  Any | Any action taken on this resource, as identified in the Criteria field of the Resource page. |
  Delete storage | The storage account has been deleted. |
  List keys | Keys have been listed for the storage account. |
  List SAS accounts | SAS accounts for the storage account have been listed. |
  List Service SAS | The service SAS for the storage account has been listed. |
  Regenerate key | A key has been regenerated for the storage account. |
  Register | The storage account has been registered. |
  Write diagnostic settings | Diagnostic settings have been written for the storage account. |
  Write storage | Storage has been written for the storage account. |
- (Optional) Add more Resource name-Action pairs to refine your policy.
  You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.
  - Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.
  - Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.
- Click Next when you have finished specifying resource name-action pairs.
  You are now on the Username page.
- Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.
Creating Alerts for Storage
Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Storage.
Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.
Specifying Resources and Actions to Trigger the Alert
- Specify Resource details, using the information in the table below:
  Field | Value |
  ---|---|
  Resource | Storage |
  Resource name | You must provide a name for the selected resource type. If you select Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial rule name. If you select Regular expression, enter .* to match all email retention rules. |
- Specify an Action on the resource using the table below:
  Action on this Resource | Description |
  ---|---|
  Any | Any action taken on this resource, as identified in the Criteria field of the Resource page. |
  Delete virtual network or subnets | One or more virtual networks or subnets for storage have been deleted. |
- (Optional) Add more Resource name-Action pairs to refine your policy.
  You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.
  - Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.
  - Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.
- Click Next when you have finished specifying resource name-action pairs.
  You are now on the Username page.
- Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.
Creating Alerts for Key Vault
Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Key Vault.
Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.
Specifying Resources and Actions to Trigger the Alert
- Specify Resource details, using the information in the table below:
  Field | Value |
  ---|---|
  Resource | Key Vault |
  Resource name | You must provide a name for the selected resource type. If you select Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial rule name. If you select Regular expression, enter .* to match all email retention rules. |
- Specify an Action on the resource using the table below:
  Action on this Resource | Description |
  ---|---|
  Any | Any action taken on this resource, as identified in the Criteria field of the Resource page. |
  Delete | The key vault has been deleted. |
  Read secrets | One or more secrets from the key vault have been read. |
  Regenerate key | A key from the key vault has been regenerated. |
  Write | The key vault has been written to. |
  Write access policy | An access policy from the key vault has been written to. |
  Write secrets | One or more secrets from the key vault have been written to. |
- (Optional) Add more Resource name-Action pairs to refine your policy.
  You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.
  - Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.
  - Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.
- Click Next when you have finished specifying resource name-action pairs.
  You are now on the Username page.
- Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.
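The resource name-action pair matching described in the steps above, combined with the IP address v4 condition from the Conditions table, can be modeled offline to check which events a planned policy would flag before you enter it in the wizard. The following Python model is an added example, not Oracle CASB Cloud Service code. Assumptions: the event field names, the sample vault names and IP addresses, whole-name regular expression matching, and that the IP condition must hold in addition to a pair match.

```python
import ipaddress
import re
from typing import NamedTuple

# Text operators offered for "Resource name" on the Resource page.
TEXT_OPERATORS = {
    "Equal to": lambda name, value: name == value,
    "Contains": lambda name, value: value in name,
    "Begins with": lambda name, value: name.startswith(value),
    "Ends with": lambda name, value: name.endswith(value),
}


class Pair(NamedTuple):
    """One resource name-action pair as entered on the Resource page."""
    operator: str  # a text operator, or "Regular expression"
    value: str     # full or partial name, or a regex pattern
    action: str    # an action from the Key Vault table, or "Any"

    def matches(self, event):
        name = event["resource_name"]  # hypothetical event field name
        if self.operator == "Regular expression":
            # Assumption: the pattern has to match the whole resource name.
            name_ok = re.fullmatch(self.value, name) is not None
        else:
            name_ok = TEXT_OPERATORS[self.operator](name, self.value)
        return name_ok and self.action in ("Any", event["action"])


class Policy(NamedTuple):
    resource: str
    pairs: list
    ip_operator: str = ""  # "In" or "Not in"; empty means no IP condition
    ip_list: str = ""      # comma-separated IPv4 addresses, as typed in the wizard

    def ip_condition(self, event):
        if not self.ip_operator:
            return True
        if self.ip_operator not in ("In", "Not in"):
            raise ValueError("unsupported IP operator: " + self.ip_operator)
        listed = {ipaddress.IPv4Address(a.strip()) for a in self.ip_list.split(",")}
        inside = ipaddress.IPv4Address(event["ip"]) in listed
        return inside if self.ip_operator == "In" else not inside

    def alerts(self, event):
        if event["resource"] != self.resource:
            return False
        # Any one matching pair is enough. Assumption: the condition must also hold.
        return any(p.matches(event) for p in self.pairs) and self.ip_condition(event)


# Constructed policy: secret reads on prod-* vaults, or an access policy write on
# any vault, from an address outside a two-entry allowlist (documentation ranges).
POLICY = Policy(
    resource="Key Vault",
    pairs=[
        Pair("Begins with", "prod-", "Read secrets"),
        Pair("Regular expression", ".*", "Write access policy"),
    ],
    ip_operator="Not in",
    ip_list="198.51.100.10, 198.51.100.11",
)

# Constructed sample events; field names are hypothetical.
EVENTS = [
    {"resource": "Key Vault", "resource_name": "prod-payments", "action": "Read secrets", "ip": "203.0.113.7"},
    {"resource": "Key Vault", "resource_name": "prod-payments", "action": "Read secrets", "ip": "198.51.100.10"},
    {"resource": "Key Vault", "resource_name": "dev-sandbox", "action": "Read secrets", "ip": "203.0.113.7"},
    {"resource": "Key Vault", "resource_name": "dev-sandbox", "action": "Write access policy", "ip": "203.0.113.7"},
    {"resource": "Disks", "resource_name": "prod-disk", "action": "Delete", "ip": "203.0.113.7"},
]


def triage(policy, events):
    """Return one boolean per event: would this policy raise an alert?"""
    return [policy.alerts(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(EVENTS, triage(POLICY, EVENTS)):
        print("ALERT" if hit else "     ", event["resource_name"], event["action"], event["ip"])
```

The third event shows the effect of pairing: the `.*` pattern matches every vault name, but only for the action it is paired with, so a secret read on a non-production vault raises no alert.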
Creating Alerts for Disks
Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Disks.
Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.
Specifying Resources and Actions to Trigger the Alert
- Specify Resource details, using the information in the table below:
  Field | Value |
  ---|---|
  Resource | Disks |
  Resource name | You must provide a name for the selected resource type. If you select Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial rule name. If you select Regular expression, enter .* to match all email retention rules. |
- Specify an Action on the resource using the table below:
  Action on this Resource | Description |
  ---|---|
  Any | Any action taken on this resource, as identified in the Criteria field of the Resource page. |
  Delete | The disk has been deleted. |
  Get SAS URI | An SAS URI for the disk has been obtained. |
  Revoke SAS URI | An SAS URI for the disk has been revoked. |
  Write | The disk has been written to. |
- (Optional) Add more Resource name-Action pairs to refine your policy.
  You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.
  - Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.
  - Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.
- Click Next when you have finished specifying resource name-action pairs.
  You are now on the Username page.
- Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.
Creating Alerts for Classic Virtual Networks
Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Classic Storage Accounts.
Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.
Specifying Resources and Actions to Trigger the Alert
- Specify Resource details, using the information in the table below:
  Field | Value |
  ---|---|
  Resource | Classic Storage Accounts |
  Resource name | You must provide a name for the selected resource type. If you select Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial rule name. If you select Regular expression, enter .* to match all email retention rules. |
- Specify an Action on the resource using the table below:
  Action on this Resource | Description |
  ---|---|
  Any | Any action taken on this resource, as identified in the Criteria field of the Resource page. |
  Delete | The classic virtual network has been deleted. |
  Join | The classic virtual network has been joined. |
  Peer | The classic virtual network has been peered. |
  Write | The classic virtual network has been written. |
- (Optional) Add more Resource name-Action pairs to refine your policy.
  You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.
  - Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.
  - Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.
- Click Next when you have finished specifying resource name-action pairs.
  You are now on the Username page.
- Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.
Creating Alerts for Classic Virtual Machines
Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Classic Virtual Machines.
Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.
Specifying Resources and Actions to Trigger the Alert
- Specify Resource details, using the information in the table below:
  Field | Value |
  ---|---|
  Resource | Classic Virtual Machines |
  Resource name | You must provide a name for the selected resource type. If you select Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial rule name. If you select Regular expression, enter .* to match all email retention rules. |
- Specify an Action on the resource using the table below:
  Action on this Resource | Description |
  ---|---|
  Any | Any action taken on this resource, as identified in the Criteria field of the Resource page. |
  Attach disk | A disk has been attached to the classic virtual machine. |
  Associate NSG to a network interface | A network security group for the classic virtual machine has been associated to a network interface. |
  Delete | The classic virtual machine has been deleted. |
  Delete network security group | A network security group for the classic virtual machine has been deleted. |
  Delete NSG from network interface | A network security group for the classic virtual machine has been deleted from a network interface. |
  Detach disk | A disk has been detached from the classic virtual machine. |
  Download RemoteDesktopConnectionFile | A remote desktop connection file for the classic virtual machine has been downloaded. |
  Redeploy | The classic virtual machine has been redeployed. |
  Restart | The classic virtual machine has been restarted. |
  Start | The classic virtual machine has been started. |
  Write extensions | One or more extensions for the classic virtual machine have been written. |
- (Optional) Add more Resource name-Action pairs to refine your policy.
  You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.
  - Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.
  - Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.
- Click Next when you have finished specifying resource name-action pairs.
  You are now on the Username page.
- Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.
Creating Alerts for Classic Storage Accounts
Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Classic Storage Accounts.
Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.
Specifying Resources and Actions to Trigger the Alert
- Specify Resource details, using the information in the table below:
  Field | Value |
  ---|---|
  Resource | Classic Storage Accounts |
  Resource name | You must provide a name for the selected resource type. If you select Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial rule name. If you select Regular expression, enter .* to match all email retention rules. |
- Specify an Action on the resource using the table below:
  Action on this Resource | Description |
  ---|---|
  Any | Any action taken on this resource, as identified in the Criteria field of the Resource page. |
  Delete | The classic storage account has been deleted. |
  List keys | Keys have been listed for the classic storage account. |
  Regenerate key | Keys have been regenerated for the classic storage account. |
  Register | The classic storage account has been registered. |
  Write storage | Storage has been written for the classic storage account. |
  Write diagnostic settings | Diagnostic settings have been written for the classic storage account. |
- (Optional) Add more Resource name-Action pairs to refine your policy.
  You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.
  - Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.
  - Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.
- Click Next when you have finished specifying resource name-action pairs.
  You are now on the Username page.
- Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.
Creating Alerts for Azure Users
Review the actions that are available in the Resources page of the policy creation wizard when the Resource is Azure AD User.
Prerequisite: You must start creating your new policy in Creating an Azure Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.
Specifying Resources and Actions to Trigger the Alert
- Specify Resource details, using the information in the table below:
  Field | Value |
  ---|---|
  Resource | Azure AD User |
  Resource name | You must provide a name for the selected resource type. If you select Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial rule name. If you select Regular expression, enter .* to match all email retention rules. |
- Specify an Action on the resource using the table below:
  Action on this Resource | Description |
  ---|---|
  Any | Any action taken on this resource, as identified in the Criteria field of the Resource page. |
  Failed login | The Azure AD User has attempted to log in and failed. |
  Login | The Azure AD User has successfully logged in. |
- (Optional) Add more Resource name-Action pairs to refine your policy.
  You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.
  - Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.
  - Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.
- Click Next when you have finished specifying resource name-action pairs.
  You are now on the Username page.
- Return to Creating an Azure Policy and finish the steps to complete your policy alert, resuming at step 6.