module/ConfigurationProvider/ControlConfigurations/Services/BatchAccounts.json
{
"FeatureName": "BatchAccounts", "Reference": "", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_BatchAccounts_Audit_Enable_Resource_Logs_MCSB", "Description": "[MCSB] Resource logs in Batch accounts must be enabled", "Id": "BatchAccounts100", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] Resource logs in Batch accounts must be enabled", "Category": "Monitoring must be correctly configured", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Rationale": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.", "Recommendation": "To enable resource logs in Batch accounts, please refer to: https://learn.microsoft.com/en-us/azure/batch/batch-diagnostics#enable-collection-of-batch-diagnostic-logs", "Tags": [ "SDL", "Automated", "Baseline", "Audit", "BatchAccounts" ], "AssessmentProperties": { "AssessmentNames": [ "32771b45-220c-1a8b-584e-fdd5a2584a66" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling the policy or exempting it from evaluation is not recommended. The control will be marked as Failed."
} ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_BatchAccounts_Audit_Enable_Diagnostic_Settings", "Description": "Enable Security Logging in Azure Batch Accounts", "Id": "BatchAccounts110", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDiagnosticsSettings", "DisplayName": "Enable Security Logging in Azure Batch Accounts", "Category": "Monitoring must be correctly configured", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Rationale": "Diagnostic logs must be enabled because they provide details for investigating threats in case of a security breach.", "Recommendation": "To configure 'Diagnostic settings' for a Batch Account, go to Azure Portal --> Your Batch Account --> Diagnostic settings --> Enable Service Logs and Audit Logs with a minimum retention period of 90 days.", "Tags": [ "Automated", "Audit", "Diagnostics", "BatchAccounts", "Baseline" ], "ControlEvaluationDetails": { "RequiredProperties": [ "DiagnosticSettings" ] }, "Enabled": true, "ControlSettings": { "DiagnosticForeverRetentionValue": "0", "DiagnosticMinRetentionPeriod": "90", "DiagnosticLogs": [ "ServiceLogs", "ServiceLog", "AuditLog" ] }, "CustomTags": [ "Daily", "TenantBaseline", "MSD", "TBv12", "SN:BatchAccounts_Logging" ] } ] }