Feedback: Some ASC policies do not work

Hi,

I want to flag this specific issue that I have encountered, but I was not sure if this was very good for User Voice. In ASC we have both recommendations and security policies in Azure Policy. We can see that some of the recommendations are also available as policies. I do not know if the idea is for policies to replace recommendations or to complement them, but I've noticed this strange behavior. In ASC I have this recommendation:

[screenshot: the ASC recommendation] but when I go to Azure Policy, the policy that corresponds to the recommendation shows as compliant.

[screenshot: the Azure Policy compliance view]

I think this issue is probably caused by the API the policy uses:

"then": {
    "effect": "[parameters('effect')]",
    "details": {
      "type": "Microsoft.Security/complianceResults",
      "name": "EnforceHttps",
      "existenceCondition": {
        "field": "Microsoft.Security/complianceResults/resourceStatus",
        "in": [
          "Monitored",
          "NotApplicable",
          "OffByPolicy",
          "Healthy"
        ]
      }
    }
  }
}

I am not sure what the acceptable values for this API are, but the resource in question is shown as Monitored by this API. There are a lot of policies built that way, so maybe if the API does not work for one recommendation it does not work for all, and all these policies might give wrong results.

6 Replies

Adding @Ben Kliger and @Meital Taran- Gutman. Can either of you speak to this?

In the last few months, ASC moved to Azure Policy as the main platform for running its security assessments. This means that since then, all ASC recommendations are manifested as policy definitions in Azure Policy.

Unfortunately we had an issue of inconsistency between the compliance results shown in Policy vs. those shown in ASC. This has been fixed already. Can you confirm whether this issue still reproduces in your environment?

Hi Meital,

There is no change in the behavior of the example I have posted. ASC still shows the HTTPS recommendation for the function app, while the ASC policy marks it as compliant. The ASC recommendation is correct, as my function is enabled for both HTTPS and HTTP.

@Meital Taran- Gutman This policy still does not work and I never got a reply on why this is. Are you looking into this problem?

@Stanislav Zhelyazkov It should show the correct result; however, there might be data freshness issues. Has the resource been live for more than 12 hours? Also, we'd like to take a closer look and make sure. Can you send me the resource name and subscription ID to metaran@microsoft.com

@Stanislav Zhelyazkov 

Another one that does not work is:

[Preview]: Audit maximum number of owners for a subscription

"if": {
  "field": "type",
  "equals": "Microsoft.Resources/subscriptions"
},
"then": {
  "effect": "[parameters('effect')]",
  "details": {
    "type": "Microsoft.Security/complianceResults",
    "name": "DesignateLessThanXOwners",
    "existenceCondition": {
      "field": "Microsoft.Security/complianceResults/resourceStatus",
      "in": [
        "Monitored",
        "NotApplicable",
        "OffByPolicy",
        "Healty"   <-------- Spelling mistake: if you change it to "Healthy" it reports correctly
      ]
    }
  }
}
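To make the two behaviours reported in this thread concrete, here is an added example (not code from the thread, from Azure Policy, or from ASC) that models how an AuditIfNotExists rule over Microsoft.Security/complianceResults reaches its verdict and lints the existenceCondition status list for misspellings. The two rules are reconstructed from the definitions quoted in the original post and in the last reply; the `if` block of the HTTPS rule (Microsoft.Web/sites), the sample resources with their compliance results, and the KNOWN_STATUSES set are assumptions made for the example.

```python
"""Model how an Azure Policy AuditIfNotExists rule that keys off
Microsoft.Security/complianceResults reaches its verdict, and lint the
existenceCondition status list for misspellings such as "Healty".
Added example; not code from the thread or from Azure Policy itself."""
import copy
import json

# Status values used by the built-in definitions quoted in the thread.
# Assumption: this is the intended set, so anything else in an "in" list is a typo.
KNOWN_STATUSES = {"Monitored", "NotApplicable", "OffByPolicy", "Healthy"}

# Constructed rules modelled on the two definitions quoted above. The "if" block
# of the HTTPS rule is not shown in the thread; Microsoft.Web/sites is assumed.
ENFORCE_HTTPS_RULE = json.loads("""{
  "if": { "field": "type", "equals": "Microsoft.Web/sites" },
  "then": {
    "effect": "AuditIfNotExists",
    "details": {
      "type": "Microsoft.Security/complianceResults",
      "name": "EnforceHttps",
      "existenceCondition": {
        "field": "Microsoft.Security/complianceResults/resourceStatus",
        "in": [ "Monitored", "NotApplicable", "OffByPolicy", "Healthy" ]
      }
    }
  }
}""")

OWNERS_RULE_WITH_TYPO = json.loads("""{
  "if": { "field": "type", "equals": "Microsoft.Resources/subscriptions" },
  "then": {
    "effect": "AuditIfNotExists",
    "details": {
      "type": "Microsoft.Security/complianceResults",
      "name": "DesignateLessThanXOwners",
      "existenceCondition": {
        "field": "Microsoft.Security/complianceResults/resourceStatus",
        "in": [ "Monitored", "NotApplicable", "OffByPolicy", "Healty" ]
      }
    }
  }
}""")

# Constructed sample resources and their ASC compliance results (names assumed).
FUNCTION_APP = {"type": "Microsoft.Web/sites", "name": "func-demo"}
FUNCTION_APP_RESULTS = [
    {"name": "EnforceHttps", "properties": {"resourceStatus": "Monitored"}},
]
SUBSCRIPTION = {"type": "Microsoft.Resources/subscriptions", "name": "sub-demo"}
SUBSCRIPTION_RESULTS = [
    {"name": "DesignateLessThanXOwners", "properties": {"resourceStatus": "Healthy"}},
]


def status_list(rule):
    """Return the resourceStatus values the rule's existenceCondition accepts."""
    cond = rule["then"]["details"]["existenceCondition"]
    if cond["field"] != "Microsoft.Security/complianceResults/resourceStatus":
        raise ValueError("rule does not test complianceResults/resourceStatus")
    return list(cond["in"])


def lint_statuses(rule):
    """Return status values in the existenceCondition that are not known spellings."""
    known = {s.lower() for s in KNOWN_STATUSES}
    return [s for s in status_list(rule) if s.lower() not in known]


def with_statuses(rule, statuses):
    """Return a copy of rule whose existenceCondition accepts exactly `statuses`."""
    fixed = copy.deepcopy(rule)
    fixed["then"]["details"]["existenceCondition"]["in"] = list(statuses)
    return fixed


def evaluate(rule, resource, compliance_results):
    """Simplified AuditIfNotExists evaluation for a single resource.

    A resource that matches the "if" block is Compliant when a related
    complianceResults entry with the expected name satisfies the
    existenceCondition, and NonCompliant otherwise. String comparison is
    case-insensitive, as Azure Policy's "equals" and "in" conditions are.
    """
    cond_if = rule["if"]
    if str(resource.get(cond_if["field"], "")).lower() != cond_if["equals"].lower():
        return "NotApplicable"
    details = rule["then"]["details"]
    accepted = {s.lower() for s in details["existenceCondition"]["in"]}
    for result in compliance_results:
        if result["name"].lower() != details["name"].lower():
            continue
        if result["properties"]["resourceStatus"].lower() in accepted:
            return "Compliant"
    return "NonCompliant"


if __name__ == "__main__":
    # "Monitored" is an accepted status, so the policy is satisfied even though
    # ASC still raises the HTTPS recommendation for this function app.
    print(evaluate(ENFORCE_HTTPS_RULE, FUNCTION_APP, FUNCTION_APP_RESULTS))
    # The typo means a Healthy subscription can never satisfy the condition.
    print(lint_statuses(OWNERS_RULE_WITH_TYPO))
    print(evaluate(OWNERS_RULE_WITH_TYPO, SUBSCRIPTION, SUBSCRIPTION_RESULTS))
    print(evaluate(with_statuses(OWNERS_RULE_WITH_TYPO, KNOWN_STATUSES),
                   SUBSCRIPTION, SUBSCRIPTION_RESULTS))
```

Running it shows two distinct failure modes. For the HTTPS rule, "Monitored" sits in the accepted list, so a function app whose compliance result is Monitored rather than Healthy is reported compliant by the policy while ASC itself still raises the recommendation, which is the mismatch in the original post. For the owners rule, the "Healty" typo means a Healthy subscription never satisfies the existence condition and is reported non-compliant until the value is corrected, as the last reply observes. The same lint can be pointed at the full set of built-in definitions retrieved with `az policy definition list` to catch any other misspelled status values.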