module/ConfigurationProvider/ControlConfigurations/Services/DataLakeAnalytics.json
|
{
"FeatureName": "DataLakeAnalytics", "Reference": "aka.ms/azsktcp/datalakeanalytics", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_DataLakeAnalytics_Audit_Enable_Diagnostics_Log", "Description": "Diagnostics logs must be enabled for Azure Data Lake Analytics", "Id": "DataLakeAnalytics180", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDiagnosticsSettings", "DisplayName": "Diagnostics logs must be enabled for Azure Data Lake Analytics", "Category": "Monitoring must be correctly configured", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Rationale": "Logs should be retained for a long enough period so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is typical for several compliance requirements as well.", "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings.", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Diagnostics", "DataLakeAnalytics", "Baseline" ], "ControlEvaluationDetails": { "RequiredProperties": [ "DiagnosticSettings" ] }, "Enabled": false, "ControlSettings": { "DiagnosticForeverRetentionValue": "0", "DiagnosticMinRetentionPeriod": "365", "DiagnosticLogs": [ "Audit", "Requests" ] }, "CustomTags": [] }, { "ControlID": "Azure_DataLakeAnalytics_DP_Encrypt_At_Rest", "Description": "Sensitive data must be encrypted at rest", "Id": "DataLakeAnalytics190", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckEncryptionAtRest", "DisplayName": "Data Lake Analytics sensitive data must be encrypted at rest", "Category": "Encrypt data at rest", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "Using this feature ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements.", "Recommendation": "Default Data Lake Store Account must have encryption enabled. Refer: https://docs.microsoft.com/en-us/azure/data-lake-store/data-lake-store-security-overview#data-protection", "Tags": [ "SDL", "TCP", "Automated", "DP", "DataLakeAnalytics", "Baseline", "Weekly", "ExcludedControl" ], "Enabled": true, "PolicyDefinitionGuid": "DataLakeAnalytics190", "ControlEvaluationDetails": { "RequiredProperties": [ "EncryptionState" ] }, "CustomTags": [] }, { "ControlID": "Azure_DataLakeAnalytics_Audit_Resource_Logs_MCSB", "Description": "[MCSB] Resource logs in Data Lake Analytics should be enabled", "Id": "DataLakeAnalytics200", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] Resource logs in Data Lake Analytics should be enabled", "Category": "Monitoring must be correctly configured", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Rationale": "Logs should be retained for a long enough period so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.", "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/data-lake-analytics/data-lake-analytics-diagnostic-logs", "Tags": [ "Automated", "Audit", "Baseline", "DataLakeAnalytics" ], "AssessmentProperties": { "AssessmentNames": [ "c6dad669-efd7-cd72-61c5-289935607791" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." } ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] } ] } |