Azure alerts
Azure resources created by Sophos Cloud Optix can cause alerts for non-compliance with CIS rules.
This table shows the relevant Center for Internet Security (CIS) rules for Azure, which alerts they raise, and why the alerts happen. See CIS Benchmarks - Securing Azure.
You can suppress the alert for a rule. In many cases you can change your Azure configuration to prevent the alert from occurring.
To change your configuration, follow the instructions in the relevant Sophos Cloud Optix alert.
CIS rule AZ-2108
Label | Description |
Rule description | Ensure default network access rule for Storage Accounts is set to deny. |
Severity | Low |
Resource type | Storage account |
Affected Azure resources | subscriptions/<subscriptionId>/resourceGroups/avidflowlogsgroup/providers/Microsoft.Storage/storageAccounts/avidact<uniqueId> |
Reason for non-compliance | Microsoft's approach means that if functions belong to a consumption plan, you need to turn off your firewall to access storage accounts. |
CIS rule AZ-2904
Label | Description |
Rule description | Scan all Azure storage accounts to check they are accessible from all networks. |
Severity | Low |
Resource type | Storage account |
Affected Azure resources | subscriptions/<subscriptionId>/resourceGroups/avidflowlogsgroup/providers/Microsoft.Storage/storageAccounts/avidact<uniqueId> |
Reason for non-compliance | Microsoft's approach means that if functions belong to a consumption plan, you need to turn off your firewall to access storage accounts. |
CIS rule AZ-2267
Label | Description |
Rule description | Ensure that you have encrypted the storage account that has the container with your activity logs with Bring Your Own Key (BYOK). |
Severity | Low |
Resource type | Storage account |
Affected Azure resources | subscriptions/<subscriptionId>/resourceGroups/avidflowlogsgroup/providers/Microsoft.Storage/storageAccounts/avidact<uniqueId> |
Reason for non-compliance | You must use your own keys to comply with this rule. |
CIS rule AZ-2252
Label | Description |
Rule description | Ensure that Activity Log Retention is set to 365 days or more. |
Severity | High |
Resource type | Activity log |
Affected Azure resources | /subscriptions/<subscriptionId> |
Reason for non-compliance | Sophos retains logs for one day to avoid extra charges. |
CIS rule AZ-2304
Label | Description |
Rule description | Ensure that Network Security Group Flow Log retention period is more than 90 days. |
Severity | Medium |
Resource type | NSG flow logs |
Affected Azure resources | subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/networkSecurityGroups/<networkSecurityGroup> |
Reason for non-compliance | Sophos retains logs for one day to avoid extra charges. |
CIS rule AZ-2101
Label | Description |
Rule description | Ensure that Secure transfer required is set to Enabled. |
Severity | High |
Resource type | Storage account |
Affected Azure resources | subscriptions/<subscriptionId>/resourceGroups/avidflowlogsgroup/providers/Microsoft.Storage/storageAccounts/avidact<uniqueId> |
Reason for non-compliance | This is a legacy error which has been fixed. Adding the environment to Sophos Cloud Optix again resolves the alert. |
CIS rule AZ-3208
Label | Description |
Rule description | Ensure the web app has Client Certificates (Incoming client certificates) set to On |
Severity | Medium |
Resource type | Web app |
Affected Azure resources | subscriptions/<subscriptionId>/resourceGroups/avidflowlogsgroup/providers/Microsoft.Web/sites/AvidActivityLogs<uniqueId>, subscriptions/<subscriptionId>/resourceGroups/avidflowlogsgroup/providers/Microsoft.Web/sites/AvidFlowLogs<uniqueId> |
Reason for non-compliance | This is a legacy error which has been fixed. Adding the environment to Sophos Cloud Optix again resolves the alert. |
CIS rule AZ-3029
Label | Description |
Rule description | Ensure that Register with Azure Active Directory is turned on in App Service. |
Severity | Medium |
Resource type | Web app |
Affected Azure resources | subscriptions/<subscriptionId>/resourceGroups/avidflowlogsgroup/providers/Microsoft.Web/sites/AvidActivityLogs<uniqueId>, subscriptions/<subscriptionId>/resourceGroups/avidflowlogsgroup/providers/Microsoft.Web/sites/AvidFlowLogs<uniqueId> |
Reason for non-compliance | This is a legacy error which has been fixed. Adding the environment to Sophos Cloud Optix again resolves the alert. |