Risk Level: High
Cloud Entity: Security Center - Policy
CloudGuard Rule ID: D9.AZU.MON.74
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

PolicyAssignment where properties.displayName like '%ASC Default%' should not have properties.parametersCollection with [ value contain-any ['Disabled']] and properties.enforcementMode='DoNotEnforce'

REMEDIATION

From Portal

Navigate to Azure Policy.
On Policy 'Overview' blade, Click on 'Policy ASC Default (Subscription:Subscription_ID)'.
On 'ASC Default' blade, Click on Edit Assignments.
In section 'Basics' tab, drag down to Policy Enforcement setting and mark it 'Enabled' if it is set to Disabled
In tab 'Parameters', configure the impacted setting to any other available value than Disabled or empty.
Click Save.

From Command Line
Ensure the output of the below command does not contains any setting which is set to Disabled or Empty

Run

az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X PUT -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01'

Note: policies that have not been modified will not be listed in this output

References

Security Center - Policy

Azure Security Center automatically assigns its built-in security policies on each subscription that is onboarded. You can configure them in Azure Policy, which also enables you to set policies across Management groups and across multiple subscriptions.

Compliance Frameworks

AZU PCI-DSS 4.0
Azure CIS Foundations v. 1.2.0
Azure CIS Foundations v. 1.3.0
Azure CIS Foundations v. 1.3.1
Azure CIS Foundations v. 1.4.0
Azure CIS Foundations v. 1.5.0
Azure CIS Foundations v.2.0
Azure CloudGuard Best Practices
Azure NIST 800-53 Rev 5
CloudGuard Azure All Rules Ruleset