Policy types for @turbot/azure-activedirectory
- Azure > Active Directory > Application > CMDB
- Azure > Active Directory > Client Secret > Active
- Azure > Active Directory > Client Secret > Active > Age
- Azure > Active Directory > Client Secret > Approved
- Azure > Active Directory > Client Secret > Approved > Custom
- Azure > Active Directory > Client Secret > Approved > Usage
- Azure > Active Directory > Client Secret > CMDB
- Azure > Active Directory > Custom Domain > Approved
- Azure > Active Directory > Custom Domain > Approved > Usage
- Azure > Active Directory > Custom Domain > CMDB
- Azure > Active Directory > Directory > CMDB
- Azure > Active Directory > Group > CMDB
- Azure > Active Directory > Service Principal > CMDB
- Azure > Active Directory > User > Approved
- Azure > Active Directory > User > Approved > Usage
- Azure > Active Directory > User > Approved > User Types
- Azure > Active Directory > User > CMDB
- Azure > Turbot > Directory Event Poller
- Azure > Turbot > Directory Event Poller > Interval
- Azure > Turbot > Directory Event Poller > Window
Azure > Active Directory > Application > CMDB
Configure whether to record and synchronize details for the Azure Active Directory application into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
Azure > Active Directory > Client Secret > Active
The Active control determines whether the resource is in active use. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (Azure > Active Directory > Client Secret > Active > *) and raises an alarm. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
See Active for more information.
[ "Skip", "Check: Active"]
{ "type": "string", "enum": [ "Skip", "Check: Active" ], "example": [ "Check: Active" ], "default": "Skip"}
Azure > Active Directory > Client Secret > Active > Age
The age after which the Azure Active Directory client secret is no longer considered active. If a create time is unavailable, the time Turbot discovered the resource is used.
The Active control determines whether the resource is in active use. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time-consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (Azure > Active Directory > Client Secret > Active > *) and raises an alarm. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
See Active for more information.
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
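The following is an added example, not Turbot's own code, showing how the Active > Age sub-policy and the Active control described above can be evaluated: the policy string is one of the enum values listed for this policy, the create time falls back to the discovery time when Azure provides none, and the sub-policy statuses are combined so that an "active" result from any sub-policy wins. Timestamps are ISO-8601 strings; the secrets and dates are constructed sample data.

```python
import re
from datetime import datetime, timedelta
from typing import Optional

# Matches the page's enum values such as "Force inactive if age > 90 days".
AGE_POLICY_RE = re.compile(r"^Force inactive if age > (\d+) days?$")


def parse_age_policy(policy: str) -> Optional[timedelta]:
    """Return the age threshold for an Age policy value, or None for "Skip"."""
    if policy == "Skip":
        return None
    match = AGE_POLICY_RE.match(policy)
    if not match:
        raise ValueError(f"unknown Age policy value: {policy!r}")
    return timedelta(days=int(match.group(1)))


def secret_age_status(policy: str, create_time: Optional[str],
                      discovered_time: str, now: str) -> str:
    """Status of the Age sub-policy for one client secret: skipped, active or inactive.

    create_time may be None; the page states that the time Turbot discovered the
    resource is used in that case. All times are ISO-8601 strings with an offset.
    """
    threshold = parse_age_policy(policy)
    if threshold is None:
        return "skipped"
    reference = create_time if create_time is not None else discovered_time
    age = datetime.fromisoformat(now) - datetime.fromisoformat(reference)
    return "inactive" if age > threshold else "active"


def active_control_status(sub_policy_statuses) -> str:
    """Combine Active sub-policy statuses as the page describes.

    A resource that appears active for any reason is considered active; if every
    sub-policy was skipped the control has nothing to say; otherwise it is inactive
    and the Active control would raise an alarm.
    """
    statuses = list(sub_policy_statuses)
    if "active" in statuses:
        return "active"
    if all(s == "skipped" for s in statuses):
        return "skipped"
    return "inactive"


if __name__ == "__main__":
    # Constructed sample: two secrets, one with no create time reported by Azure.
    now = "2024-05-01T00:00:00+00:00"
    secrets = [
        {"id": "secret-a", "created": "2024-01-01T00:00:00+00:00",
         "discovered": "2024-01-02T00:00:00+00:00"},
        {"id": "secret-b", "created": None,
         "discovered": "2024-03-01T00:00:00+00:00"},
    ]
    for s in secrets:
        status = secret_age_status("Force inactive if age > 90 days",
                                   s["created"], s["discovered"], now)
        print(s["id"], status, active_control_status([status]))
```

The comparison is strict ("age > N days"), matching the wording of the enum values, and the fallback to discovery time means a secret whose create time Azure does not expose looks younger than it really is; a practitioner reviewing alarms should keep that in mind when choosing the threshold.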
Azure > Active Directory > Client Secret > Approved
Determine the action to take when an Azure Active Directory client secret is not approved based on Azure > Active Directory > Client Secret > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm.
See Approved for more information.
[ "Skip", "Check: Approved"]
{ "type": "string", "enum": [ "Skip", "Check: Approved" ], "example": [ "Check: Approved" ], "default": "Skip"}
Azure > Active Directory > Client Secret > Approved > Custom
Determine whether the Azure Active Directory client secret is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Active Directory client secret is not approved, it will be subject to the action specified in the Azure > Active Directory > Client Secret > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
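As an added example (not Turbot's code), the validator below checks a Custom policy value against the schema shown above, accepting a bare string, a single object, or a list of objects, enforcing the required result key, the title and message length patterns and additionalProperties: false, and then reduces the value to one result. The reduction follows the Approved control's rule stated earlier on this page (not approved according to any policy raises an alarm); treating an all-Skip list as Skip is an assumption. The value is taken as already parsed from YAML, so no YAML library is needed.

```python
import re

# Patterns copied from the schema on this page.
TITLE_RE = re.compile(r"^[\W\w]{1,32}$")
MESSAGE_RE = re.compile(r"^[\W\w]{1,128}$")
RESULT_RE = re.compile(r"^(Approved|Not approved|Skip)$")
ALLOWED_KEYS = {"title", "message", "result"}


def _validate_object(obj):
    """Validate one YAML object form of the policy and return it unchanged."""
    if not isinstance(obj, dict):
        raise ValueError("each custom policy item must be a mapping")
    extra = set(obj) - ALLOWED_KEYS
    if extra:  # additionalProperties: false
        raise ValueError(f"unexpected keys: {sorted(extra)}")
    if "result" not in obj:  # required: [result]
        raise ValueError("'result' is required")
    if not isinstance(obj["result"], str) or not RESULT_RE.match(obj["result"]):
        raise ValueError(f"invalid result: {obj['result']!r}")
    if "title" in obj and (not isinstance(obj["title"], str) or not TITLE_RE.match(obj["title"])):
        raise ValueError("title must be a string of 1 to 32 characters")
    if "message" in obj and (not isinstance(obj["message"], str)
                             or not MESSAGE_RE.match(obj["message"])):
        raise ValueError("message must be a string of 1 to 128 characters")
    return obj


def validate_custom_policy(value):
    """Normalise a Custom policy value to a list of objects, or raise ValueError.

    Accepts the three shapes from the schema's anyOf: a plain string, one object,
    or an array of objects.
    """
    if isinstance(value, str):
        if not RESULT_RE.match(value):
            raise ValueError(f"invalid policy string: {value!r}")
        return [{"result": value}]
    if isinstance(value, dict):
        return [_validate_object(value)]
    if isinstance(value, list):
        return [_validate_object(item) for item in value]
    raise ValueError(f"unsupported policy value type: {type(value).__name__}")


def is_valid_custom_policy(value) -> bool:
    """True when the value satisfies the schema, False otherwise."""
    try:
        validate_custom_policy(value)
        return True
    except ValueError:
        return False


def custom_policy_result(value) -> str:
    """Reduce a valid Custom policy value to Approved, Not approved or Skip.

    Any 'Not approved' entry makes the resource not approved, which is what the
    Approved control alarms on. An all-Skip (or empty) value is treated as Skip;
    that choice is an assumption, not something the page states.
    """
    results = [entry["result"] for entry in validate_custom_policy(value)]
    if "Not approved" in results:
        return "Not approved"
    if all(r == "Skip" for r in results):
        return "Skip"
    return "Approved"


if __name__ == "__main__":
    # Constructed sample value in the array-of-objects form.
    sample = [
        {"title": "Rotation schedule", "result": "Approved"},
        {"title": "Owner on record", "result": "Not approved",
         "message": "No owner tag found for this client secret"},
    ]
    print(custom_policy_result(sample))  # Not approved
```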
Azure > Active Directory > Client Secret > Approved > Usage
Determine whether the Azure Active Directory client secret is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Active Directory client secret is not approved, it will be subject to the action specified in the Azure > Active Directory > Client Secret > Approved policy.
See Approved for more information.
[ "Not approved", "Approved"]
{ "type": "string", "enum": [ "Not approved", "Approved" ], "example": [ "Not approved" ], "default": "Approved"}
Azure > Active Directory > Client Secret > CMDB
Configure whether to record and synchronize details for the Azure Active Directory client secret into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
Azure > Active Directory > Custom Domain > Approved
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm.
See Approved for more information.
[ "Skip", "Check: Approved"]
{ "type": "string", "enum": [ "Skip", "Check: Approved" ], "example": [ "Check: Approved" ], "default": "Skip"}
Azure > Active Directory > Custom Domain > Approved > Usage
Determine whether the Azure Active Directory custom domain is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Active Directory custom domain is not approved, it will be subject to the action specified in the Azure > Active Directory > Custom Domain > Approved policy.
See Approved for more information.
[ "Not approved", "Approved"]
{ "type": "string", "enum": [ "Not approved", "Approved" ], "example": [ "Not approved" ], "default": "Approved"}
Azure > Active Directory > Custom Domain > CMDB
Configure whether to record and synchronize details for the Azure Active Directory custom domain into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
Azure > Active Directory > Directory > CMDB
Configure whether to record and synchronize details for Azure AD into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB.
Note that if CMDB is set to Skip for a resource, then it will not be added to the CMDB, and no controls that target it will run.
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
Azure > Active Directory > Group > CMDB
Configure whether to record and synchronize details for the Azure Active Directory group into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
Azure > Active Directory > Service Principal > CMDB
Configure whether to record and synchronize details for the Azure Active Directory service principal into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
Azure > Active Directory > User > Approved
Determine the action to take when an Azure Active Directory user is not approved based on Azure > Active Directory > User > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
See Approved for more information.
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
Azure > Active Directory > User > Approved > Usage
Determine whether the Azure Active Directory user is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Active Directory user is not approved, it will be subject to the action specified in the Azure > Active Directory > User > Approved policy.
See Approved for more information.
[ "Not approved", "Approved"]
{ "type": "string", "enum": [ "Not approved", "Approved" ], "example": [ "Not approved" ], "default": "Approved"}
Azure > Active Directory > User > Approved > User Types
Determine whether the Azure Active Directory user type is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Active Directory user is not approved, it will be subject to the action specified in the Azure > Active Directory > User > Approved policy.
See Approved for more information.
{ "type": "array", "items": { "type": "string", "enum": [ "Guest", "Member" ] }, "default": [ "Guest", "Member" ]}
Azure > Active Directory > User > CMDB
Configure whether to record and synchronize details for the Azure Active Directory user into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Turbot CMDB. All policies and controls in Turbot are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
[ "Skip", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled"}
Azure > Turbot > Directory Event Poller
Configure the Azure Directory Event Poller. When set to Enabled, the poller will run at the interval specified to retrieve the latest events and forward them to the Turbot Router.
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "default": "Enabled"}
Azure > Turbot > Directory Event Poller > Interval
The polling interval. This policy determines how often the event poller will run.
[ "Every 1 minute", "Every 2 minutes", "Every 3 minutes", "Every 4 minutes", "Every 5 minutes", "Every 6 minutes", "Every 7 minutes", "Every 8 minutes", "Every 9 minutes", "Every 10 minutes"]
{ "type": "string", "enum": [ "Every 1 minute", "Every 2 minutes", "Every 3 minutes", "Every 4 minutes", "Every 5 minutes", "Every 6 minutes", "Every 7 minutes", "Every 8 minutes", "Every 9 minutes", "Every 10 minutes" ], "default": "Every 2 minutes"}
Azure > Turbot > Directory Event Poller > Window
The polling window, in minutes. This policy determines the oldest events the event poller will retrieve. For example, setting the window to '5 minutes' will cause the poller to retrieve all events from the previous 5 minutes every time it runs.
The Window must be greater than the Interval, and it is recommended to be at least twice the Interval. For example, if the Interval is 'Every 5 minutes', the Window should be at least '10 minutes'.
[ "5 minutes", "6 minutes", "7 minutes", "8 minutes", "9 minutes", "10 minutes", "11 minutes", "12 minutes", "13 minutes", "14 minutes", "15 minutes", "16 minutes", "17 minutes", "18 minutes", "19 minutes", "20 minutes", "30 minutes", "40 minutes"]
{ "type": "string", "enum": [ "5 minutes", "6 minutes", "7 minutes", "8 minutes", "9 minutes", "10 minutes", "11 minutes", "12 minutes", "13 minutes", "14 minutes", "15 minutes", "16 minutes", "17 minutes", "18 minutes", "19 minutes", "20 minutes", "30 minutes", "40 minutes" ], "default": "10 minutes"}