Azure alerts
Azure resources created by Sophos Cloud Optix can cause alerts for non-compliance with CIS rules.
The tables below show the relevant Center for Internet Security (CIS) rules for Azure, which alerts they raise, and why the alerts happen. See CIS Benchmarks - Securing Azure.
You can suppress the alert for a rule. In many cases you can change your Azure configuration to prevent the alert from occurring.
To change your configuration, follow the instructions in the relevant Sophos Cloud Optix alert.
CIS rule AZ-2108
| Label | Description |
| Rule description | Ensure default network access rule for Storage Accounts is set to deny. |
| Severity | Low |
| Resource type | Storage account |
| Affected Azure resources | subscriptions/<subscriptionId>/resourceGroups/avidflowlogsgroup/providers/Microsoft.Storage/storageAccounts/avidact<uniqueId> |
| Reason for non-compliance | Microsoft's approach means that if functions belong to a consumption plan, you need to turn off your firewall to access storage accounts. |
CIS rule AZ-2904
| Label | Description |
| Rule description | Scan all Azure storage accounts to check they are accessible from all networks. |
| Severity | Low |
| Resource type | Storage account |
| Affected Azure resources | subscriptions/<subscriptionId>/resourceGroups/avidflowlogsgroup/providers/Microsoft.Storage/storageAccounts/avidact<uniqueId> |
| Reason for non-compliance | Microsoft's approach means that if functions belong to a consumption plan, you need to turn off your firewall to access storage accounts. |
CIS rule AZ-2267
| Label | Description |
| Rule description | Ensure that you have encrypted the storage account that has the container with your activity logs with Bring Your Own Key (BYOK). |
| Severity | Low |
| Resource type | Storage account |
| Affected Azure resources | subscriptions/<subscriptionId>/resourceGroups/avidflowlogsgroup/providers/Microsoft.Storage/storageAccounts/avidact<uniqueId> |
| Reason for non-compliance | You must use your own keys to comply with this rule. |
CIS rule AZ-2252
| Label | Description |
| Rule description | Ensure that Activity Log Retention is set to 365 days or more. |
| Severity | High |
| Resource type | Activity log |
| Affected Azure resources | /subscriptions/<subscriptionId> |
| Reason for non-compliance | Sophos retains logs for one day to avoid extra charges. |
CIS rule AZ-2304
| Label | Description |
| Rule description | Ensure that Network Security Group Flow Log retention period is more than 90 days. |
| Severity | Medium |
| Resource type | NSG flow logs |
| Affected Azure resources | subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/networkSecurityGroups/<networkSecurityGroup> |
| Reason for non-compliance | Sophos retains logs for one day to avoid extra charges. |
CIS rule AZ-2101
| Label | Description |
| Rule description | Ensure that Secure transfer required is set to Enabled. |
| Severity | High |
| Resource type | Storage account |
| Affected Azure resources | subscriptions/<subscriptionId>/resourceGroups/avidflowlogsgroup/providers/Microsoft.Storage/storageAccounts/avidact<uniqueId> |
| Reason for non-compliance | This is a legacy error which has been fixed. Adding the environment to Sophos Cloud Optix again resolves the alert. |
CIS rule AZ-3208
| Label | Description |
| Rule description | Ensure the web app has Client Certificates (Incoming client certificates) set to On. |
| Severity | Medium |
| Resource type | Web app |
| Affected Azure resources | subscriptions/<subscriptionId>/resourceGroups/avidflowlogsgroup/providers/Microsoft.Web/sites/AvidActivityLogs<uniqueId>, subscriptions/<subscriptionId>/resourceGroups/avidflowlogsgroup/providers/Microsoft.Web/sites/AvidFlowLogs<uniqueId> |
| Reason for non-compliance | This is a legacy error which has been fixed. Adding the environment to Sophos Cloud Optix again resolves the alert. |
CIS rule AZ-3029
| Label | Description |
| Rule description | Ensure that Register with Azure Active Directory is turned on in App Service. |
| Severity | Medium |
| Resource type | Web app |
| Affected Azure resources | subscriptions/<subscriptionId>/resourceGroups/avidflowlogsgroup/providers/Microsoft.Web/sites/AvidActivityLogs<uniqueId>, subscriptions/<subscriptionId>/resourceGroups/avidflowlogsgroup/providers/Microsoft.Web/sites/AvidFlowLogs<uniqueId> |
| Reason for non-compliance | This is a legacy error which has been fixed. Adding the environment to Sophos Cloud Optix again resolves the alert. |