e:["$","$L15",null,{"pluginData":{"readme":"$16","sourceInfo":"$17","engines":["steampipe","sqlite","postgres","export"],"organization":"Turbot","category":["public cloud"],"iconUrl":"/images/plugins/turbot/azure.svg","brandColor":"#0089D6","displayName":"Azure","name":"azure","description":"Steampipe plugin for querying resource groups, virtual machines, storage accounts and more from Azure.","ogDescription":"Query Azure with SQL! Open source CLI. No DB required.","ogImage":"/images/plugins/turbot/azure-social-graphic.png","org":"turbot","version":"1.3.0","latestImageId":"sha256:6bf5d065611bdd1512a01e3b1e42184621e056de60125c9dd58087e541a02033","latestVersion":"1.3.0","mods":[{"path":"/mods/turbot/steampipe-mod-azure-compliance","org":"turbot","name":"steampipe-mod-azure-compliance","title":"Azure Compliance","version":"v1.2.1","iconUrl":"/images/mods/turbot/azure-compliance.svg","brandColor":"#0089D6","description":"Run individual configuration, compliance and security controls or full compliance benchmarks for CIS, HIPAA HITRUST, NIST, PCI DSS across all your Azure subscriptions using Powerpipe and Steampipe."},{"path":"/mods/turbot/steampipe-mod-azure-insights","org":"turbot","name":"steampipe-mod-azure-insights","title":"Azure Insights","version":"v1.0.0","iconUrl":"/images/mods/turbot/azure-insights.svg","brandColor":"#0089D6","description":"Create dashboards and reports for your Azure resources using Powerpipe and Steampipe."},{"path":"/mods/turbot/steampipe-mod-azure-tags","org":"turbot","name":"steampipe-mod-azure-tags","title":"Azure Tags","version":"v1.1.0","iconUrl":"/images/mods/turbot/azure-tags.svg","brandColor":"#0089D6","description":"Run tagging controls across all your Azure subscriptions using Powerpipe and Steampipe."},{"path":"/mods/turbot/steampipe-mod-azure-thrifty","org":"turbot","name":"steampipe-mod-azure-thrifty","title":"Azure Thrifty","version":"v1.0.1","iconUrl":"/images/mods/turbot/azure-thrifty.svg","brandColor":"#0089D6","description":"Are you a Thrifty Azure developer? This mod checks your Azure subscription(s) to check for unused and under utilized resources using Powerpipe and Steampipe."}],"tables":[{"name":"azure_alert_management","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"alert_rule","type":"text","description":"Rule(monitor) which fired alert instance. Depending on the monitor service, this would be ARM ID or name of the rule.","operators":["="]},{"name":"alert_state","type":"text","description":"Alert object state, which can be modified by the user. Possible values include: 'AlertStateNew', 'AlertStateAcknowledged', 'AlertStateClosed'.","operators":["="]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"context","type":"text","description":"The context of the alert management.","operators":[]},{"name":"custom_time_range","type":"text","description":"Filter by custom time range in the format / where time is in (ISO-8601 format).","operators":["="]},{"name":"egress_config","type":"text","description":"The egress config for the context management.","operators":[]},{"name":"id","type":"text","description":"Azure resource ID.","operators":["="]},{"name":"last_modified_date_time","type":"timestamp with time zone","description":"Last modification time(ISO-8601 format) of alert instance.","operators":[]},{"name":"last_modified_user_name","type":"text","description":"User who last modified the alert, in case of monitor service updates user would be 'system', otherwise name of the user.","operators":[]},{"name":"monitor_condition","type":"text","description":"Can be 'Fired' or 'Resolved', which represents whether the underlying conditions have crossed the defined alert rule thresholds. Possible values include: 'Fired', 'Resolved'.","operators":["="]},{"name":"monitor_condition_resolved_date_time","type":"timestamp with time zone","description":"Resolved time(ISO-8601 format) of alert instance. This will be updated when monitor service resolves the alert instance because the rule condition is no longer met.","operators":[]},{"name":"monitor_service","type":"text","description":"Monitor service on which the rule(monitor) is set. Possible values include: 'ApplicationInsights', 'ActivityLogAdministrative', 'ActivityLogSecurity', 'ActivityLogRecommendation', 'ActivityLogPolicy', 'ActivityLogAutoscale', 'LogAnalytics', 'Nagios', 'Platform', 'SCOM', 'ServiceHealth', 'SmartDetector', 'VMInsights', 'Zabbix', 'ResourceHealth'.","operators":["="]},{"name":"name","type":"text","description":"A friendly name that identifies an Alert management service.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"severity","type":"text","description":"Severity of alert Sev0 being highest and Sev4 being lowest. Possible values include: 'Sev0', 'Sev1', 'Sev2', 'Sev3', 'Sev4'.","operators":["="]},{"name":"signal_type","type":"text","description":"The type of signal the alert is based on, which could be metrics, logs or activity logs. Possible values include: 'Metric', 'Log', 'Unknown'.","operators":[]},{"name":"smart_group_id","type":"text","description":"Unique ID of the smart group.","operators":["="]},{"name":"smart_grouping_reason","type":"text","description":"Verbose reason describing the reason why this alert instance is added to a smart group.","operators":[]},{"name":"sort_by","type":"text","description":"Sort the query results by input field, default value is 'lastModifiedDateTime'.","operators":["="]},{"name":"sort_order","type":"text","description":"Sort order of the alert management.","operators":["="]},{"name":"source_created_id","type":"text","description":"Unique ID created by monitor service for each alert instance. This could be used to track the issue at the monitor service, in case of Nagios, Zabbix, SCOM, etc.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"start_date_time","type":"timestamp with time zone","description":"Creation time(ISO-8601 format) of alert instance.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"target_resource","type":"text","description":"Target ARM resource, on which alert got created.","operators":["="]},{"name":"target_resource_name","type":"text","description":"Name of the target ARM resource, on which alert got created.","operators":[]},{"name":"target_resource_type","type":"text","description":"Resource type of target ARM resource, on which alert got created.","operators":["="]},{"name":"time_range","type":"text","description":"Filter by time range. Possible values are '1h', '1d', '7d' or '30d'.","operators":["="]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource.","operators":[]}],"description":"Azure Alert Management Service","queriesCount":0,"examplesCount":4,"readme":"$19"},{"name":"azure_api_management","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"additional_locations","type":"jsonb","description":"Additional datacenter locations of the API management service.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"api_version_constraint","type":"jsonb","description":"Control plane APIs version constraint for the API management service.","operators":[]},{"name":"certificates","type":"jsonb","description":"List of certificates that need to be installed in the API management service.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"created_at_utc","type":"timestamp with time zone","description":"Creation UTC date of the API management service.","operators":[]},{"name":"custom_properties","type":"jsonb","description":"Custom properties of the API management service.","operators":[]},{"name":"developer_portal_url","type":"text","description":"Developer Portal endpoint URL of the API management service.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the API management service.","operators":[]},{"name":"disable_gateway","type":"boolean","description":"Property only valid for an API management service deployed in multiple locations. This can be used to disable the gateway in master region.","operators":[]},{"name":"enable_client_certificate","type":"boolean","description":"Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway.","operators":[]},{"name":"etag","type":"text","description":"An unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"gateway_regional_url","type":"text","description":"Gateway URL of the API management service in the default region.","operators":[]},{"name":"gateway_url","type":"text","description":"Gateway URL of the API management service.","operators":[]},{"name":"host_name_configurations","type":"jsonb","description":"Custom hostname configuration of the API management service.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify an API management service uniquely.","operators":[]},{"name":"identity_principal_id","type":"text","description":"The principal id of the identity.","operators":[]},{"name":"identity_tenant_id","type":"text","description":"The client tenant id of the identity.","operators":[]},{"name":"identity_type","type":"text","description":"The type of identity used for the resource.","operators":[]},{"name":"identity_user_assigned_identities","type":"jsonb","description":"The list of user identities associated with the resource.","operators":[]},{"name":"management_api_url","type":"text","description":"Management API endpoint URL of the API management service.","operators":[]},{"name":"name","type":"text","description":"A friendly name that identifies an API management service.","operators":["="]},{"name":"notification_sender_email","type":"text","description":"Email address from which the notification will be sent.","operators":[]},{"name":"portal_url","type":"text","description":"Publisher portal endpoint URL of the API management service.","operators":[]},{"name":"private_ip_addresses","type":"jsonb","description":"Private static load balanced IP addresses of the API management service in primary region which is deployed in an internal virtual network. Available only for 'Basic', 'Standard', 'Premium' and 'Isolated' SKU.","operators":[]},{"name":"provisioning_state","type":"text","description":"The current provisioning state of the API management service. Possible values include: 'Created', 'Activating', 'Succeeded', 'Updating', 'Failed', 'Stopped', 'Terminating', 'TerminationFailed', 'Deleted'.","operators":[]},{"name":"public_ip_addresses","type":"jsonb","description":"Public static load balanced IP addresses of the API management service in primary region. Available only for 'Basic', 'Standard', 'Premium' and 'Isolated' SKU.","operators":[]},{"name":"publisher_email","type":"text","description":"Publisher email of the API management service.","operators":[]},{"name":"publisher_name","type":"text","description":"Publisher name of the API management service.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"restore","type":"boolean","description":"Undelete API management service if it was previously soft-deleted.","operators":[]},{"name":"scm_url","type":"text","description":"SCM endpoint URL of the API management service.","operators":[]},{"name":"sku_capacity","type":"bigint","description":"Capacity of the SKU (number of deployed units of the SKU)","operators":[]},{"name":"sku_name","type":"text","description":"Name of the Sku","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"target_provisioning_state","type":"text","description":"The provisioning state of the API management service, which is targeted by the long running operation started on the service.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource.","operators":[]},{"name":"virtual_network_configuration_id","type":"text","description":"The virtual network ID.","operators":[]},{"name":"virtual_network_configuration_subnet_name","type":"text","description":"The name of the subnet.","operators":[]},{"name":"virtual_network_configuration_subnet_resource_id","type":"text","description":"The full resource ID of a subnet in a virtual network to deploy the API Management service in.","operators":[]},{"name":"virtual_network_type","type":"text","description":"The type of VPN in which API management service needs to be configured in. None (Default Value) means the API management service is not part of any Virtual Network, External means the API management deployment is set up inside a Virtual Network having an Internet Facing Endpoint, and Internal means that API management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only. Possible values include: 'None', 'External', 'Internal'","operators":[]},{"name":"zones","type":"jsonb","description":"A list of availability zones denoting where the resource needs to come from.","operators":[]}],"description":"Azure API Management Service","queriesCount":2,"examplesCount":4,"readme":"$1a"},{"name":"azure_api_management_backend","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"backend_id","type":"text","description":"The API management backend ID.","operators":["="]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"credentials","type":"jsonb","description":"The API management backend credentials contract properties.","operators":[]},{"name":"description","type":"text","description":"The API management backend Description.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify an API management backend uniquely.","operators":[]},{"name":"name","type":"text","description":"A friendly name that identifies an API management backend.","operators":["=","!="]},{"name":"properties","type":"jsonb","description":"The API management backend Properties contract.","operators":[]},{"name":"protocol","type":"text","description":"API management backend communication protocol. Possible values include: 'BackendProtocolHTTP', 'BackendProtocolSoap'.","operators":[]},{"name":"proxy","type":"jsonb","description":"The API management backend proxy contract properties.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"resource_id","type":"text","description":"Management Uri of the Resource in External System. This url can be the Arm Resource Id of Logic Apps, Function Apps or Api Apps.","operators":[]},{"name":"service_name","type":"text","description":"Name of the API management service.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"tls","type":"jsonb","description":"The API management backend TLS properties.","operators":[]},{"name":"type","type":"text","description":"Resource type for API Management resource.","operators":[]},{"name":"url","type":"text","description":"Runtime Url of the API management backend.","operators":["=","!="]}],"description":"Azure API Management Backend","queriesCount":0,"examplesCount":3,"readme":"$1b"},{"name":"azure_app_configuration","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"creation_date","type":"timestamp with time zone","description":"The creation date of configuration store.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the configuration store.","operators":[]},{"name":"encryption","type":"jsonb","description":"The encryption settings of the configuration store.","operators":[]},{"name":"endpoint","type":"text","description":"The DNS endpoint where the configuration store API will be available.","operators":[]},{"name":"id","type":"text","description":"The resource ID.","operators":[]},{"name":"identity","type":"jsonb","description":"The managed identity information, if configured.","operators":[]},{"name":"name","type":"text","description":"The name of the resource.","operators":["="]},{"name":"private_endpoint_connections","type":"jsonb","description":"The list of private endpoint connections that are set up for this resource.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the configuration store. Possible values include: 'Creating', 'Updating', 'Deleting', 'Succeeded', 'Failed', 'Canceled'.","operators":[]},{"name":"public_network_access","type":"text","description":"Control permission for data plane traffic coming from public networks while private endpoint is enabled. Possible values include: 'Enabled', 'Disabled'.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sku_name","type":"text","description":"The SKU name of the configuration store.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource.","operators":[]}],"description":"Azure App Configuration","queriesCount":3,"examplesCount":4,"readme":"$1c"},{"name":"azure_app_service_environment","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"cluster_settings","type":"jsonb","description":"Custom settings for changing the behavior of the App Service Environment.","operators":[]},{"name":"default_front_end_scale_factor","type":"bigint","description":"Default Scale Factor for FrontEnds","operators":[]},{"name":"dynamic_cache_enabled","type":"boolean","description":"Indicates whether the dynamic cache is enabled or not","operators":[]},{"name":"front_end_scale_factor","type":"bigint","description":"Scale factor for front-ends","operators":[]},{"name":"has_linux_workers","type":"boolean","description":"Indicates whether an ASE has linux workers or not","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify an app service environment uniquely","operators":[]},{"name":"internal_load_balancing_mode","type":"text","description":"Specifies which endpoints to serve internally in the Virtual Network for the App Service Environment","operators":[]},{"name":"is_healthy_environment","type":"boolean","description":"Indicates whether the App Service Environment is healthy","operators":[]},{"name":"kind","type":"text","description":"Contains the kind of the resource","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the app service environment","operators":["="]},{"name":"provisioning_state","type":"text","description":"Provisioning state of the App Service Environment","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"status","type":"text","description":"Current status of the App Service Environment","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"suspended","type":"boolean","description":"Indicates whether the App Service Environment is suspended or not","operators":[]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type of the app service environment","operators":[]},{"name":"vnet_name","type":"text","description":"Name of the Virtual Network for the App Service Environment","operators":[]},{"name":"vnet_resource_group_name","type":"text","description":"Name of the resource group where the virtual network is created","operators":[]},{"name":"vnet_subnet_name","type":"text","description":"Name of the subnet of the virtual network","operators":[]}],"description":"Azure App Service Environment","queriesCount":1,"examplesCount":3,"readme":"$1d"},{"name":"azure_app_service_function_app","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"auth_settings","type":"jsonb","description":"Describes the Authentication/Authorization settings of an app.","operators":[]},{"name":"client_affinity_enabled","type":"boolean","description":"Specify whether client affinity is enabled.","operators":[]},{"name":"client_cert_enabled","type":"boolean","description":"Specify whether client certificate authentication is enabled.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"configuration","type":"jsonb","description":"Describes the configuration of an app.","operators":[]},{"name":"default_site_hostname","type":"text","description":"Default hostname of the app.","operators":[]},{"name":"enabled","type":"boolean","description":"Specify whether the app is enabled.","operators":[]},{"name":"host_name_disabled","type":"boolean","description":"Specify whether the public hostnames of the app is disabled.","operators":[]},{"name":"host_names","type":"jsonb","description":"A list of hostnames associated with the app.","operators":[]},{"name":"https_only","type":"boolean","description":"Specify whether configuring a web site to accept only https requests.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify an app service function app uniquely.","operators":[]},{"name":"kind","type":"text","description":"Contains the kind of the resource.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the app service function app.","operators":["="]},{"name":"outbound_ip_addresses","type":"text","description":"List of IP addresses that the app uses for outbound connections (e.g. database access).","operators":[]},{"name":"possible_outbound_ip_addresses","type":"text","description":"List of possible IP addresses that the app uses for outbound connections (e.g. database access).","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"reserved","type":"boolean","description":"Specify whether the app is reserved.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"site_config","type":"jsonb","description":"A map of all configuration for the app","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"state","type":"text","description":"Current state of the app.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type of the app service function app.","operators":[]}],"description":"Azure App Service Function App","queriesCount":13,"examplesCount":4,"readme":"$1e"},{"name":"azure_app_service_plan","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"apps","type":"jsonb","description":"Site a web app, a mobile app backend, or an API app.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"elastic_scale_enabled","type":"boolean","description":"Specifies if ElasticScale is enabled for the App Service plan","operators":[]},{"name":"geo_region","type":"text","description":"Geographical location for the App Service plan","operators":[]},{"name":"hyper_v","type":"boolean","description":"Specify whether resource is Hyper-V container app service plan","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify an app service plan uniquely","operators":[]},{"name":"is_spot","type":"boolean","description":"Specify whether this App Service Plan owns spot instances, or not","operators":[]},{"name":"is_xenon","type":"boolean","description":"Specify whether resource is Hyper-V container app service plan","operators":[]},{"name":"kind","type":"text","description":"Contains the kind of the resource","operators":[]},{"name":"maximum_elastic_worker_count","type":"bigint","description":"Maximum number of total workers allowed for this ElasticScaleEnabled App Service Plan","operators":[]},{"name":"maximum_number_of_workers","type":"bigint","description":"Maximum number of instances that can be assigned to this App Service plan","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the app service plan","operators":["="]},{"name":"per_site_scaling","type":"boolean","description":"Specify whether apps assigned to this App Service plan can be scaled independently","operators":[]},{"name":"provisioning_state","type":"text","description":"Provisioning state of the App Service Plan","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"reserved","type":"boolean","description":"Specify whether the resource is Linux app service plan, or not","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sku_capacity","type":"bigint","description":"Current number of instances assigned to the resource.","operators":[]},{"name":"sku_family","type":"text","description":"Family code of the resource SKU","operators":[]},{"name":"sku_name","type":"text","description":"Name of the resource SKU","operators":[]},{"name":"sku_size","type":"text","description":"Size specifier of the resource SKU","operators":[]},{"name":"sku_tier","type":"text","description":"Service tier of the resource SKU","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"status","type":"text","description":"App Service plan status","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"target_worker_count","type":"bigint","description":"Scaling worker count","operators":[]},{"name":"target_worker_size_id","type":"bigint","description":"Scaling worker size ID","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type of the app service plan","operators":[]},{"name":"worker_tier_name","type":"text","description":"Target worker tier assigned to the App Service plan","operators":[]},{"name":"zone_redundant","type":"boolean","description":"If true, this App Service Plan will perform availability zone balancing.","operators":[]}],"description":"Azure App Service Plan","queriesCount":2,"examplesCount":3,"readme":"$1f"},{"name":"azure_app_service_web_app","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"auth_settings","type":"jsonb","description":"Describes the Authentication/Authorization settings of an app.","operators":[]},{"name":"client_affinity_enabled","type":"boolean","description":"Specify whether client affinity is enabled.","operators":[]},{"name":"client_cert_enabled","type":"boolean","description":"Specify whether client certificate authentication is enabled.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"configuration","type":"jsonb","description":"Describes the configuration of an app.","operators":[]},{"name":"default_site_hostname","type":"text","description":"Default hostname of the app.","operators":[]},{"name":"diagnostic_logs_configuration","type":"jsonb","description":"Describes the logging configuration of an app.","operators":[]},{"name":"enabled","type":"boolean","description":"Specify whether the app is enabled.","operators":[]},{"name":"host_name_disabled","type":"boolean","description":"Specify whether the public hostnames of the app is disabled.","operators":[]},{"name":"host_names","type":"jsonb","description":"A list of hostnames associated with the app.","operators":[]},{"name":"https_only","type":"boolean","description":"Specify whether configuring a web site to accept only https requests.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify an app service web app uniquely.","operators":[]},{"name":"identity","type":"jsonb","description":"Managed service identity for the resource.","operators":[]},{"name":"kind","type":"text","description":"Contains the kind of the resource.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the app service web app.","operators":["="]},{"name":"outbound_ip_addresses","type":"text","description":"List of IP addresses that the app uses for outbound connections (e.g. database access).","operators":[]},{"name":"possible_outbound_ip_addresses","type":"text","description":"List of possible IP addresses that the app uses for outbound connections (e.g. database access).","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"reserved","type":"boolean","description":"Specify whether the app is reserved.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"site_config","type":"jsonb","description":"A map of all configuration for the app.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"state","type":"text","description":"Current state of the app.","operators":[]},{"name":"storage_info_value","type":"jsonb","description":"AzureStorageInfoValue azure Files or Blob Storage access information value for dictionary storage.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type of the app service web app.","operators":[]},{"name":"vnet_connection","type":"jsonb","description":"Describes the virtual network connection for the app.","operators":[]}],"description":"Azure App Service Web App","queriesCount":29,"examplesCount":8,"readme":"$20"},{"name":"azure_app_service_web_app_slot","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"app_name","type":"text","description":"The name of the application.","operators":["="]},{"name":"availability_state","type":"text","description":"Management information availability state for the app. Possible values include: 'Normal', 'Limited', 'DisasterRecoveryMode'.","operators":[]},{"name":"client_affinity_enabled","type":"boolean","description":"True to enable client affinity; false to stop sending session affinity cookies, which route client requests in the same session to the same instance. Default is true.","operators":[]},{"name":"client_cert_exclusion_paths","type":"text","description":"Client certificate authentication comma-separated exclusion paths.","operators":[]},{"name":"client_cert_mode","type":"text","description":"This composes with ClientCertEnabled setting. ClientCertEnabled: false means ClientCert is ignored. ClientCertEnabled: true and ClientCertMode: Required means ClientCert is required.ClientCertEnabled: true and ClientCertMode: Optional means ClientCert is optional or accepted. Possible values include: 'Required', 'Optional'.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"container_size","type":"bigint","description":"Size of the function container.","operators":[]},{"name":"custom_domain_verification_id","type":"text","description":"Unique identifier that verifies the custom domains assigned to the app. The customer will add this ID to a text record for verification.","operators":[]},{"name":"default_host_name","type":"text","description":"Default hostname of the app.","operators":[]},{"name":"enabled","type":"boolean","description":"Indicates wheather the app is enabled.","operators":[]},{"name":"enabled_host_names","type":"jsonb","description":"Enabled hostnames for the app. Hostnames need to be assigned (see HostNames) AND enabled. Otherwise, the app is not served on those hostnames.","operators":[]},{"name":"host_name_ssl_states","type":"jsonb","description":"Hostname SSL states are used to manage the SSL bindings for app's hostnames.","operators":[]},{"name":"host_names","type":"jsonb","description":"Hostnames associated with the app.","operators":[]},{"name":"host_names_disabled","type":"boolean","description":"True to disable the public hostnames of the app; otherwise, false. If true, the app is only accessible via API management process.","operators":[]},{"name":"hosting_environment_profile","type":"jsonb","description":"App Service Environment to use for the app.","operators":[]},{"name":"https_only","type":"boolean","description":"Configures a web site to accept only https requests.","operators":[]},{"name":"hyper_v","type":"boolean","description":"Hyper-V sandbox.","operators":[]},{"name":"id","type":"text","description":"Resource ID of the app slot.","operators":[]},{"name":"identity","type":"jsonb","description":"Managed service identity.","operators":[]},{"name":"is_default_container","type":"boolean","description":"True if the app is a default container; otherwise, false.","operators":[]},{"name":"is_xenon","type":"boolean","description":"Obsolete: Hyper-V sandbox.","operators":[]},{"name":"kind","type":"text","description":"Contains the kind of the resource.","operators":[]},{"name":"last_modified_time_utc","type":"timestamp with time zone","description":"Last time the app was modified, in UTC.","operators":[]},{"name":"name","type":"text","description":"Resource Name.","operators":["="]},{"name":"outbound_ip_addresses","type":"text","description":"List of IP addresses that the app uses for outbound connections (e.g. database access). Includes VIPs from tenants that site can be hosted with current settings.","operators":[]},{"name":"possible_outbound_ip_addresses","type":"text","description":"List of IP addresses that the app uses for outbound connections (e.g. database access). Includes VIPs from all tenants except dataComponent.","operators":[]},{"name":"redundancy_mode","type":"text","description":"Site redundancy mode. Possible values include: 'RedundancyModeNone', 'RedundancyModeManual', 'RedundancyModeFailover', 'RedundancyModeActiveActive', 'RedundancyModeGeoRedundant'.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"repository_site_name","type":"text","description":"Name of the repository site.","operators":[]},{"name":"reserved","type":"boolean","description":"True if reserved; otherwise, false.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"scm_site_also_stopped","type":"boolean","description":"True to stop SCM (KUDU) site when the app is stopped; otherwise, false. The default is false.","operators":[]},{"name":"server_farm_id","type":"text","description":"Resource ID of the associated App Service plan, formatted as: '/subscriptions/{subscriptionID}/resourceGroups/{groupName}/providers/Microsoft.Web/serverfarms/{appServicePlanName}'.","operators":[]},{"name":"site_config","type":"jsonb","description":"Configuration of the app.","operators":[]},{"name":"site_config_resource","type":"jsonb","description":"Configuration of an app, such as platform version and bitness, default documents, virtual applications, Always On, etc.","operators":[]},{"name":"slot_swap_status","type":"jsonb","description":"Status of the last deployment slot swap operation.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"state","type":"text","description":"Current state of the app.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"suspended_till","type":"timestamp with time zone","description":"App suspended till in case memory-time quota is exceeded.","operators":[]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"target_swap_slot","type":"text","description":"Specifies which deployment slot this app will swap into.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"traffic_manager_host_names","type":"jsonb","description":"Azure Traffic Manager hostnames associated with the app.","operators":[]},{"name":"type","type":"text","description":"Resource type.","operators":[]},{"name":"usage_state","type":"text","description":"State indicating whether the app has exceeded its quota usage. Read-only. Possible values include: 'UsageStateNormal', 'UsageStateExceeded'.","operators":[]}],"description":"Azure App Service Web App Slot","queriesCount":1,"examplesCount":6,"readme":"$21"},{"name":"azure_application_gateway","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"authentication_certificates","type":"jsonb","description":"Authentication certificates of the application gateway.","operators":[]},{"name":"autoscale_configuration","type":"jsonb","description":"Autoscale Configuration of the application gateway.","operators":[]},{"name":"backend_address_pools","type":"jsonb","description":"Backend address pool of the application gateway.","operators":[]},{"name":"backend_http_settings_collection","type":"jsonb","description":"Backend http settings of the application gateway.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"custom_error_configurations","type":"jsonb","description":"Custom error configurations of the application gateway.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the application gateway.","operators":[]},{"name":"enable_fips","type":"boolean","description":"Whether FIPS is enabled on the application gateway.","operators":[]},{"name":"enable_http2","type":"boolean","description":"Whether HTTP2 is enabled on the application gateway.","operators":[]},{"name":"etag","type":"text","description":"A unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"firewall_policy","type":"jsonb","description":"Reference to the FirewallPolicy resource.","operators":[]},{"name":"force_firewall_policy_association","type":"boolean","description":"If true, associates a firewall policy with an application gateway regardless whether the policy differs from the WAF configuration.","operators":[]},{"name":"frontend_ip_configurations","type":"jsonb","description":"Frontend IP addresses of the application gateway.","operators":[]},{"name":"frontend_ports","type":"jsonb","description":"Frontend ports of the application gateway.","operators":[]},{"name":"gateway_ip_configurations","type":"jsonb","description":"Subnets of the application gateway.","operators":[]},{"name":"http_listeners","type":"jsonb","description":"Http listeners of the application gateway.","operators":[]},{"name":"id","type":"text","description":"The resource ID.","operators":[]},{"name":"identity","type":"jsonb","description":"The identity of the application gateway, if configured.","operators":[]},{"name":"name","type":"text","description":"The resource name.","operators":["="]},{"name":"operational_state","type":"text","description":"Operational state of the application gateway. Possible values include: 'Stopped', 'Starting', 'Running', 'Stopping'.","operators":[]},{"name":"private_endpoint_connections","type":"jsonb","description":"Private endpoint connections on application gateway.","operators":[]},{"name":"private_link_configurations","type":"jsonb","description":"PrivateLink configurations on application gateway.","operators":[]},{"name":"probes","type":"jsonb","description":"Probes of the application gateway.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the application gateway. Possible values include: 'Succeeded', 'Updating', 'Deleting', 'Failed'.","operators":[]},{"name":"redirect_configurations","type":"jsonb","description":"Redirect configurations of the application gateway.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"request_routing_rules","type":"jsonb","description":"Request routing rules of the application gateway.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"resource_guid","type":"text","description":"The resource GUID property of the application gateway.","operators":[]},{"name":"rewrite_rule_sets","type":"jsonb","description":"Rewrite rules for the application gateway.","operators":[]},{"name":"sku","type":"jsonb","description":"SKU of the application gateway.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"ssl_certificates","type":"jsonb","description":"SSL certificates of the application gateway.","operators":[]},{"name":"ssl_policy","type":"jsonb","description":"SSL policy of the application gateway.","operators":[]},{"name":"ssl_profiles","type":"jsonb","description":"SSL profiles of the application gateway.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"trusted_client_certificates","type":"jsonb","description":"Trusted client certificates of the application gateway.","operators":[]},{"name":"trusted_root_certificates","type":"jsonb","description":"Trusted root certificates of the application gateway.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]},{"name":"url_path_maps","type":"jsonb","description":"URL path map of the application gateway.","operators":[]},{"name":"web_application_firewall_configuration","type":"jsonb","description":"Web application firewall configuration of the application gateway.","operators":[]},{"name":"zones","type":"jsonb","description":"A list of availability zones denoting where the resource needs to come from.","operators":[]}],"description":"Azure Application Gateway","queriesCount":3,"examplesCount":4,"readme":"$22"},{"name":"azure_application_insight","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"app_id","type":"text","description":"Application insights unique id for your Application.","operators":[]},{"name":"application_type","type":"jsonb","description":"Type of application being monitored.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"connection_string","type":"text","description":"Application Insights component connection string.","operators":[]},{"name":"creation_date","type":"timestamp with time zone","description":"Creation date for the Application Insights component.","operators":[]},{"name":"disable_ip_masking","type":"boolean","description":"Disable IP masking.","operators":[]},{"name":"disable_local_auth","type":"boolean","description":"Disable Non-AAD based Auth.","operators":[]},{"name":"etag","type":"text","description":"A unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"flow_type","type":"jsonb","description":"Determines what kind of flow this component was created by.","operators":[]},{"name":"force_customer_storage_for_profiler","type":"boolean","description":"Force users to create their own storage account for profiler and debugger.","operators":[]},{"name":"id","type":"text","description":"Contains id to identify the application insight uniquely.","operators":[]},{"name":"immediate_purge_data_on_30_days","type":"boolean","description":"Purge data immediately after 30 days.","operators":[]},{"name":"ingestion_mode","type":"jsonb","description":"Indicates the flow of the ingestion.","operators":[]},{"name":"instrumentation_key","type":"text","description":"Application Insights Instrumentation key.","operators":[]},{"name":"kind","type":"text","description":"The kind of application that this component refers to, used to customize UI.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the application insight.","operators":["="]},{"name":"private_link_scoped_resources","type":"jsonb","description":"List of linked private link scope resources.","operators":[]},{"name":"provisioning_state","type":"text","description":"Current state of this component.","operators":[]},{"name":"public_network_access_for_ingestion","type":"text","description":"The network access type for accessing Application Insights ingestion.","operators":[]},{"name":"public_network_access_for_query","type":"text","description":"The network access type for accessing Application Insights query.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"request_source","type":"text","description":"Describes what tool created this Application Insights component.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"retention_in_days","type":"bigint","description":"Retention period in days.","operators":[]},{"name":"sampling_percentage","type":"double precision","description":"Percentage of the data produced by the application being monitored that is being sampled for Application Insights telemetry.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"tenant_id","type":"text","description":"Azure Tenant ID.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type of the application insight.","operators":[]},{"name":"workspace_resource_id","type":"text","description":"Resource Id of the log analytics workspace to which the data will be ingested.","operators":[]}],"description":"Azure Application Insight","queriesCount":3,"examplesCount":3,"readme":"$23"},{"name":"azure_application_security_group","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"etag","type":"text","description":"An unique read-only string that changes whenever the resource is updated","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a application security group uniquely","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the application security group","operators":["="]},{"name":"provisioning_state","type":"text","description":"The resource type of the application security group","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"resource_guid","type":"text","description":"The resource GUID property of the application security group resource","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type of the application security group","operators":[]}],"description":"Azure Application Security Group","queriesCount":0,"examplesCount":1,"readme":"$24"},{"name":"azure_automation_account","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"creation_time","type":"timestamp with time zone","description":"The creation time of the account.","operators":[]},{"name":"description","type":"text","description":"The description for the account.","operators":[]},{"name":"etag","type":"text","description":"Gets the etag of the resource.","operators":[]},{"name":"id","type":"text","description":"Fully qualified resource ID.","operators":[]},{"name":"last_modified_by","type":"text","description":"The account last modified by.","operators":[]},{"name":"last_modified_time","type":"timestamp with time zone","description":"The last modified time of the account.","operators":[]},{"name":"name","type":"text","description":"The name of the resource.","operators":["="]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sku_capacity","type":"text","description":"The SKU capacity of the account.","operators":[]},{"name":"sku_family","type":"text","description":"The SKU family of the account.","operators":[]},{"name":"sku_name","type":"text","description":"The SKU name of the account. Possible values include: 'SkuNameEnumFree', 'SkuNameEnumBasic'.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"state","type":"text","description":"The status of account. Possible values include: 'AccountStateOk', 'AccountStateUnavailable', 'AccountStateSuspended'.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource.","operators":[]}],"description":"Azure Automation Account","queriesCount":0,"examplesCount":2,"readme":"$25"},{"name":"azure_automation_variable","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"account_name","type":"text","description":"The name of the account.","operators":["="]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"creation_time","type":"timestamp with time zone","description":"The creation time of the variable.","operators":[]},{"name":"description","type":"text","description":"The description for the variable.","operators":[]},{"name":"id","type":"text","description":"Fully qualified resource ID.","operators":[]},{"name":"is_encrypted","type":"boolean","description":"The encrypted flag of the variable.","operators":[]},{"name":"last_modified_time","type":"timestamp with time zone","description":"The last modified time of the variable.","operators":[]},{"name":"name","type":"text","description":"The name of the resource.","operators":["="]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource.","operators":[]},{"name":"value","type":"text","description":"The value of the variable.","operators":[]}],"description":"Azure Automation Variable","queriesCount":1,"examplesCount":3,"readme":"$26"},{"name":"azure_backup_policy","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"azure_file_share_protection_policy_property","type":"jsonb","description":"The Azure File Share Protection Policy associated with the backup policy.","operators":[]},{"name":"azure_iaas_vm_protection_policy_property","type":"jsonb","description":"The Azure IaaS VM Protection Policy associated with the backup policy.","operators":[]},{"name":"azure_sql_protection_policy_property","type":"jsonb","description":"The Azure SQL Protection Policy associated with the backup policy.","operators":[]},{"name":"azure_vm_workload_protection_policy_property","type":"jsonb","description":"The Azure VM Workload Protection Policy associated with the backup policy.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"etag","type":"text","description":"An unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"generic_protection_policy_property","type":"jsonb","description":"The Generic Protection Policy associated with the backup policy.","operators":[]},{"name":"id","type":"text","description":"The resource identifier representing the complete path to the resource.","operators":[]},{"name":"location","type":"text","description":"The location of the resource.","operators":[]},{"name":"mab_protection_policy_property","type":"jsonb","description":"The MAB Protection Policy associated with the backup policy.","operators":[]},{"name":"name","type":"text","description":"The resource name associated with the resource.","operators":[]},{"name":"protection_policy_property","type":"jsonb","description":"The protection policy associated with the backup policy.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"The resource tags.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type representing the complete path of the form Namespace/ResourceType/ResourceType/...","operators":[]},{"name":"vault_name","type":"text","description":"The name of the vault associated with the backup policy.","operators":["="]}],"description":"Azure Backup Policy","queriesCount":0,"examplesCount":4,"readme":"$27"},{"name":"azure_bastion_host","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"dns_name","type":"text","description":"FQDN for the endpoint on which bastion host is accessible.","operators":[]},{"name":"etag","type":"text","description":"A unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a bastion host uniquely.","operators":[]},{"name":"ip_configurations","type":"jsonb","description":"IP configuration of the bastion host resource.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the bastion host.","operators":["="]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the bastion host resource.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type of the bastion host.","operators":[]}],"description":"Azure Bastion Host","queriesCount":1,"examplesCount":3,"readme":"$28"},{"name":"azure_batch_account","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"account_endpoint","type":"text","description":"The account endpoint used to interact with the batch service.","operators":[]},{"name":"active_job_and_job_schedule_quota","type":"text","description":"Active job and job schedule quota of the batch account.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"auto_storage","type":"jsonb","description":"The auto storage properties of the batch account.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"dedicated_core_quota","type":"bigint","description":"The dedicated core quota of the batch account.","operators":[]},{"name":"dedicated_core_quota_per_vm_family","type":"jsonb","description":"A list of the dedicated core quota per virtual machine family for the batch account.","operators":[]},{"name":"dedicated_core_quota_per_vm_family_enforced","type":"boolean","description":"Batch is transitioning its core quota system for dedicated cores to be enforced per Virtual Machine family. During this transitional phase, the dedicated core quota per Virtual Machine family may not yet be enforced.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the batch account.","operators":[]},{"name":"encryption","type":"jsonb","description":"Properties to enable customer managed key for the batch account.","operators":[]},{"name":"id","type":"text","description":"The resource identifier.","operators":[]},{"name":"identity","type":"jsonb","description":"The identity of the batch account.","operators":[]},{"name":"key_vault_reference","type":"jsonb","description":"Key vault reference of the batch account.","operators":[]},{"name":"low_priority_core_quota","type":"bigint","description":"The low priority core quota of the batch account.","operators":[]},{"name":"name","type":"text","description":"The resource name.","operators":["="]},{"name":"pool_allocation_mode","type":"text","description":"The pool allocation mode of the batch account.","operators":[]},{"name":"pool_quota","type":"bigint","description":"The pool quota of the batch account.","operators":[]},{"name":"private_endpoint_connections","type":"jsonb","description":"The properties associated with the private endpoint connection.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioned state of the batch account.","operators":[]},{"name":"public_network_access","type":"text","description":"Indicates whether or not public network access is allowed for the batch account.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]}],"description":"Azure Batch Account","queriesCount":3,"examplesCount":1,"readme":"$29"},{"name":"azure_cdn_frontdoor_profile","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"front_door_id","type":"text","description":"The ID of the front door.","operators":[]},{"name":"id","type":"text","description":"The resource identifier.","operators":[]},{"name":"kind","type":"text","description":"Kind of the profile. Used by portal to differentiate traditional CDN profile and new AFD profile.","operators":[]},{"name":"location","type":"text","description":"The location of the CDN front door profile.","operators":[]},{"name":"name","type":"text","description":"The name of the CDN front door profile.","operators":["="]},{"name":"origin_response_timeout_seconds","type":"bigint","description":"Send and receive timeout on forwarding request to the origin. When timeout is reached, the request fails and returns.","operators":[]},{"name":"provisioning_state","type":"text","description":"Provisioning status of the CDN front door profile.","operators":[]},{"name":"region","type":"text","description":"The Azure region where the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group in which the resource is located.","operators":["="]},{"name":"resource_state","type":"text","description":"Resource status of the CDN front door profile.","operators":[]},{"name":"sku_name","type":"text","description":"Name of the pricing tier.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"Tags associated with the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]}],"description":"Azure CDN Front Door Profile","queriesCount":0,"examplesCount":4,"readme":"$2a"},{"name":"azure_cognitive_account","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"allowed_fqdn_list","type":"jsonb","description":"The allowed FQDN list for the resource.","operators":[]},{"name":"api_properties","type":"jsonb","description":"The api properties for special APIs.","operators":[]},{"name":"call_rate_limit","type":"jsonb","description":"The call rate limit of the resource.","operators":[]},{"name":"capabilities","type":"jsonb","description":"The capabilities of the cognitive services account. Each item indicates the capability of a specific feature. The values are read-only and for reference only.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"custom_sub_domain_name","type":"text","description":"The subdomain name used for token-based authentication.","operators":[]},{"name":"date_created","type":"text","description":"The date of cognitive services account creation.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the cognitive service account.","operators":[]},{"name":"disable_local_auth","type":"boolean","description":"Checks if local auth is disabled for the resource.","operators":[]},{"name":"encryption","type":"jsonb","description":"The encryption properties for the resource.","operators":[]},{"name":"endpoint","type":"text","description":"The endpoint of the created account.","operators":[]},{"name":"endpoints","type":"jsonb","description":"All endpoints of the cognitive services account.","operators":[]},{"name":"etag","type":"text","description":"The resource etag.","operators":[]},{"name":"id","type":"text","description":"Fully qualified resource ID for the resource.","operators":[]},{"name":"identity","type":"jsonb","description":"The identity for the resource.","operators":[]},{"name":"is_migrated","type":"boolean","description":"Checks if the resource is migrated from an existing key.","operators":[]},{"name":"kind","type":"text","description":"The kind of the resource.","operators":[]},{"name":"migration_token","type":"text","description":"The resource migration token.","operators":[]},{"name":"name","type":"text","description":"The name of the resource.","operators":["="]},{"name":"network_acls","type":"jsonb","description":"A collection of rules governing the accessibility from specific network locations.","operators":[]},{"name":"private_endpoint_connections","type":"jsonb","description":"The private endpoint connection associated with the cognitive services account.","operators":[]},{"name":"provisioning_state","type":"text","description":"The status of the cognitive services account at the time the operation was called. Possible values include: 'Accepted', 'Creating', 'Deleting', 'Moving', 'Failed', 'Succeeded', 'ResolvingDNS'.","operators":[]},{"name":"public_network_access","type":"text","description":"Whether or not public endpoint access is allowed for this account. Value is optional but if passed in, must be 'Enabled' or 'Disabled'. Possible values include: 'Enabled', 'Disabled'.","operators":[]},{"name":"quota_limit","type":"jsonb","description":"The quota limit of the resource.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"restore","type":"boolean","description":"Checks if restore is enabled for the resource.","operators":[]},{"name":"restrict_outbound_network_access","type":"boolean","description":"Checks if outbound network access is restricted for the resource.","operators":[]},{"name":"sku","type":"jsonb","description":"The resource model definition representing SKU.","operators":[]},{"name":"sku_change_info","type":"jsonb","description":"Sku change info of the resource.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"system_data","type":"jsonb","description":"The metadata pertaining to creation and last modification of the resource.","operators":[]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource. E.g. 'Microsoft.Compute/virtualMachines' or 'Microsoft.Storage/storageAccounts'.","operators":[]},{"name":"user_owned_storage","type":"jsonb","description":"The storage accounts for the resource.","operators":[]}],"description":"Azure Cognitive Account","queriesCount":5,"examplesCount":3,"readme":"$2b"},{"name":"azure_compute_availability_set","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"id","type":"text","description":"The unique id identifying the resource in subscription","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the availability set","operators":["="]},{"name":"platform_fault_domain_count","type":"bigint","description":"Contains the fault domain count","operators":[]},{"name":"platform_update_domain_count","type":"bigint","description":"Contains the update domain count","operators":[]},{"name":"proximity_placement_group_id","type":"text","description":"Specifies information about the proximity placement group that the availability set should be assigned to","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sku_capacity","type":"bigint","description":"Specifies the number of virtual machines in the scale set","operators":[]},{"name":"sku_name","type":"text","description":"The availability sets sku name","operators":[]},{"name":"sku_tier","type":"text","description":"Specifies the tier of virtual machines in a scale set","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"status","type":"jsonb","description":"The resource status information","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource in Azure","operators":[]},{"name":"virtual_machines","type":"jsonb","description":"A list of references to all virtual machines in the availability set","operators":[]}],"description":"Azure Compute Availability Set","queriesCount":0,"examplesCount":2,"readme":"$2c"},{"name":"azure_compute_disk","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"creation_data_gallery_image_reference_id","type":"text","description":"The ARM id of the shared galley image version from which disk was created","operators":[]},{"name":"creation_data_gallery_image_reference_lun","type":"bigint","description":"An index that indicates which of the data disks in the image to use, if the disk is created from an image's data disk","operators":[]},{"name":"creation_data_image_reference_id","type":"text","description":"A relative uri containing either a Platform Image Repository or user image reference","operators":[]},{"name":"creation_data_image_reference_lun","type":"bigint","description":"If the disk is created from an image's data disk, this is an index that indicates which of the data disks in the image to use. For OS disks, this field is null","operators":[]},{"name":"creation_data_option","type":"text","description":"This enumerates the possible sources of a disk's creation","operators":[]},{"name":"creation_data_source_resource_id","type":"text","description":"The ARM id of the source snapshot or disk","operators":[]},{"name":"creation_data_source_unique_id","type":"text","description":"An unique id identifying the source of this resource","operators":[]},{"name":"creation_data_source_uri","type":"text","description":"The URI of a blob to be imported into a managed disk","operators":[]},{"name":"creation_data_storage_account_id","type":"text","description":"The Azure Resource Manager identifier of the storage account containing the blob to import as a disk","operators":[]},{"name":"creation_data_upload_size_bytes","type":"bigint","description":"This is the size of the contents of the upload including the VHD footer. This value should be between 20972032 (20 MiB + 512 bytes for the VHD footer) and 35183298347520 bytes (32 TiB + 512 bytes for the VHD footer)","operators":[]},{"name":"data_access_auth_mode","type":"text","description":"The mode to use for data access to the disk","operators":[]},{"name":"disk_access_id","type":"text","description":"ARM id of the DiskAccess resource for using private endpoints on disks","operators":[]},{"name":"disk_iops_mbps_read_only","type":"bigint","description":"The total throughput (MBps) that will be allowed across all VMs mounting the shared disk as ReadOnly. MBps means millions of bytes per second - MB here uses the ISO notation, of powers of 10","operators":[]},{"name":"disk_iops_mbps_read_write","type":"bigint","description":"The bandwidth allowed for this disk; only settable for UltraSSD disks. MBps means millions of bytes per second - MB here uses the ISO notation, of powers of 10","operators":[]},{"name":"disk_iops_read_only","type":"double precision","description":"The total number of IOPS that will be allowed across all VMs mounting the shared disk as ReadOnly. One operation can transfer between 4k and 256k bytes","operators":[]},{"name":"disk_iops_read_write","type":"double precision","description":"The number of IOPS allowed for this disk; only settable for UltraSSD disks. One operation can transfer between 4k and 256k bytes","operators":[]},{"name":"disk_size_bytes","type":"double precision","description":"The size of the disk in bytes","operators":[]},{"name":"disk_size_gb","type":"bigint","description":"If this field is present for updates or creation with other options, it indicates a resize. Resizes are only allowed if the disk is not attached to a running VM, and can only increase the disk's size","operators":[]},{"name":"disk_state","type":"text","description":"This enumerates the possible state of the disk","operators":[]},{"name":"encryption_disk_encryption_set_id","type":"text","description":"ResourceId of the disk encryption set to use for enabling encryption at rest","operators":[]},{"name":"encryption_settings_collection_enabled","type":"boolean","description":"Shows the status of the encryption settings for the disk","operators":[]},{"name":"encryption_settings_collection_settings","type":"jsonb","description":"A collection of encryption settings, one for each disk volume","operators":[]},{"name":"encryption_settings_collection_version","type":"text","description":"Describes the type of encryption is used for the disks. '1.0' corresponds to Azure Disk Encryption with AAD app. '1.1' corresponds to Azure Disk Encryption","operators":[]},{"name":"encryption_type","type":"text","description":"The type of key used to encrypt the data of the disk","operators":[]},{"name":"hyper_v_generation","type":"text","description":"The hypervisor generation of the Virtual Machine. Applicable to OS disks only","operators":[]},{"name":"id","type":"text","description":"The unique id identifying the resource in subscription","operators":[]},{"name":"managed_by","type":"text","description":"A relative URI containing the ID of the VM that has the disk attached","operators":[]},{"name":"managed_by_extended","type":"jsonb","description":"List of relative URIs containing the IDs of the VMs that have the disk attached","operators":[]},{"name":"max_shares","type":"bigint","description":"The maximum number of VMs that can attach to the disk at the same time. Value greater than one indicates a disk that can be mounted on multiple VMs at the same time","operators":[]},{"name":"name","type":"text","description":"Name of the disk","operators":["="]},{"name":"network_access_policy","type":"text","description":"Policy for accessing the disk via network","operators":[]},{"name":"os_type","type":"text","description":"The Operating System type","operators":[]},{"name":"provisioning_state","type":"text","description":"The disk provisioning state","operators":[]},{"name":"public_network_access","type":"text","description":"Public network access for the disk can be enabled or disabled","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"share_info","type":"jsonb","description":"Details of the list of all VMs that have the disk attached","operators":[]},{"name":"sku_name","type":"text","description":"The disks sku name. Can be Standard_LRS, Premium_LRS, StandardSSD_LRS, or UltraSSD_LRS","operators":[]},{"name":"sku_tier","type":"text","description":"The sku tier","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"time_created","type":"timestamp with time zone","description":"The time when the disk was created","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource in Azure","operators":[]},{"name":"unique_id","type":"text","description":"Unique Guid identifying the resource","operators":[]},{"name":"zones","type":"jsonb","description":"The Logical zone list for Disk","operators":[]}],"description":"Azure Compute Disk","queriesCount":6,"examplesCount":5,"readme":"$2d"},{"name":"azure_compute_disk_access","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"id","type":"text","description":"The resource identifier.","operators":[]},{"name":"name","type":"text","description":"The resource name.","operators":["="]},{"name":"private_endpoint_connections","type":"jsonb","description":"The private endpoint connections details.","operators":[]},{"name":"provisioning_state","type":"text","description":"The disk access resource provisioning state.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"time_created","type":"timestamp with time zone","description":"The time when the disk access was created.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]}],"description":"Azure Compute Disk Access","queriesCount":1,"examplesCount":1,"readme":"$2e"},{"name":"azure_compute_disk_encryption_set","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"active_key_source_vault_id","type":"text","description":"Resource id of the KeyVault containing the key or secret","operators":[]},{"name":"active_key_url","type":"text","description":"Url pointing to a key or secret in KeyVault","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"encryption_type","type":"text","description":"Contains the type of the encryption","operators":[]},{"name":"id","type":"text","description":"The unique id identifying the resource in subscription","operators":[]},{"name":"identity_principal_id","type":"text","description":"The object id of the Managed Identity Resource","operators":[]},{"name":"identity_tenant_id","type":"text","description":"The tenant id of the Managed Identity Resource","operators":[]},{"name":"identity_type","type":"text","description":"The type of Managed Identity used by the DiskEncryptionSet","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the disk encryption set","operators":["="]},{"name":"previous_keys","type":"jsonb","description":"A list of key vault keys previously used by this disk encryption set while a key rotation is in progress","operators":[]},{"name":"provisioning_state","type":"text","description":"The disk encryption set provisioning state","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource in Azure","operators":[]}],"description":"Azure Compute Disk Encryption Set","queriesCount":0,"examplesCount":3,"readme":"$2f"},{"name":"azure_compute_disk_metric_read_ops","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"average","type":"double precision","description":"The average of the metric values that correspond to the data point.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"maximum","type":"double precision","description":"The maximum metric value for the data point.","operators":[]},{"name":"minimum","type":"double precision","description":"The minimum metric value for the data point.","operators":[]},{"name":"name","type":"text","description":"The name of the disk.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":[]},{"name":"sample_count","type":"double precision","description":"The number of metric values that contributed to the aggregate value of this data point.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sum","type":"double precision","description":"The sum of the metric values for the data point.","operators":[]},{"name":"timestamp","type":"timestamp with time zone","description":"The time stamp used for the data point.","operators":[]},{"name":"unit","type":"text","description":"The units in which the metric value is reported.","operators":[]}],"description":"Azure Compute Disk Metrics - Read Ops","queriesCount":0,"examplesCount":1,"readme":"$30"},{"name":"azure_compute_disk_metric_read_ops_daily","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"average","type":"double precision","description":"The average of the metric values that correspond to the data point.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"maximum","type":"double precision","description":"The maximum metric value for the data point.","operators":[]},{"name":"minimum","type":"double precision","description":"The minimum metric value for the data point.","operators":[]},{"name":"name","type":"text","description":"The name of the disk.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":[]},{"name":"sample_count","type":"double precision","description":"The number of metric values that contributed to the aggregate value of this data point.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sum","type":"double precision","description":"The sum of the metric values for the data point.","operators":[]},{"name":"timestamp","type":"timestamp with time zone","description":"The time stamp used for the data point.","operators":[]},{"name":"unit","type":"text","description":"The units in which the metric value is reported.","operators":[]}],"description":"Azure Compute Disk Metrics - Read Ops (Daily)","queriesCount":0,"examplesCount":1,"readme":"$31"},{"name":"azure_compute_disk_metric_read_ops_hourly","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"average","type":"double precision","description":"The average of the metric values that correspond to the data point.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"maximum","type":"double precision","description":"The maximum metric value for the data point.","operators":[]},{"name":"minimum","type":"double precision","description":"The minimum metric value for the data point.","operators":[]},{"name":"name","type":"text","description":"The name of the disk.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":[]},{"name":"sample_count","type":"double precision","description":"The number of metric values that contributed to the aggregate value of this data point.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sum","type":"double precision","description":"The sum of the metric values for the data point.","operators":[]},{"name":"timestamp","type":"timestamp with time zone","description":"The time stamp used for the data point.","operators":[]},{"name":"unit","type":"text","description":"The units in which the metric value is reported.","operators":[]}],"description":"Azure Compute Disk Metrics - Read Ops (Hourly)","queriesCount":0,"examplesCount":1,"readme":"$32"},{"name":"azure_compute_disk_metric_write_ops","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"average","type":"double precision","description":"The average of the metric values that correspond to the data point.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"maximum","type":"double precision","description":"The maximum metric value for the data point.","operators":[]},{"name":"minimum","type":"double precision","description":"The minimum metric value for the data point.","operators":[]},{"name":"name","type":"text","description":"The name of the disk.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":[]},{"name":"sample_count","type":"double precision","description":"The number of metric values that contributed to the aggregate value of this data point.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sum","type":"double precision","description":"The sum of the metric values for the data point.","operators":[]},{"name":"timestamp","type":"timestamp with time zone","description":"The time stamp used for the data point.","operators":[]},{"name":"unit","type":"text","description":"The units in which the metric value is reported.","operators":[]}],"description":"Azure Compute Disk Metrics - Write Ops","queriesCount":0,"examplesCount":1,"readme":"$33"},{"name":"azure_compute_disk_metric_write_ops_daily","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"average","type":"double precision","description":"The average of the metric values that correspond to the data point.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"maximum","type":"double precision","description":"The maximum metric value for the data point.","operators":[]},{"name":"minimum","type":"double precision","description":"The minimum metric value for the data point.","operators":[]},{"name":"name","type":"text","description":"The name of the disk.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":[]},{"name":"sample_count","type":"double precision","description":"The number of metric values that contributed to the aggregate value of this data point.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sum","type":"double precision","description":"The sum of the metric values for the data point.","operators":[]},{"name":"timestamp","type":"timestamp with time zone","description":"The time stamp used for the data point.","operators":[]},{"name":"unit","type":"text","description":"The units in which the metric value is reported.","operators":[]}],"description":"Azure Compute Disk Metrics - Write Ops (Daily)","queriesCount":0,"examplesCount":1,"readme":"$34"},{"name":"azure_compute_disk_metric_write_ops_hourly","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"average","type":"double precision","description":"The average of the metric values that correspond to the data point.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"maximum","type":"double precision","description":"The maximum metric value for the data point.","operators":[]},{"name":"minimum","type":"double precision","description":"The minimum metric value for the data point.","operators":[]},{"name":"name","type":"text","description":"The name of the disk.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":[]},{"name":"sample_count","type":"double precision","description":"The number of metric values that contributed to the aggregate value of this data point.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sum","type":"double precision","description":"The sum of the metric values for the data point.","operators":[]},{"name":"timestamp","type":"timestamp with time zone","description":"The time stamp used for the data point.","operators":[]},{"name":"unit","type":"text","description":"The units in which the metric value is reported.","operators":[]}],"description":"Azure Compute Disk Metrics - Write Ops (Hourly)","queriesCount":0,"examplesCount":1,"readme":"$35"},{"name":"azure_compute_image","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"hyper_v_generation","type":"text","description":"Gets the HyperVGenerationType of the VirtualMachine created from the image","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a image uniquely","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the image","operators":["="]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the image resource","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"source_virtual_machine_id","type":"text","description":"Contains the id of the virtual machine","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"storage_profile_data_disks","type":"jsonb","description":"A list of parameters that are used to add a data disk to a virtual machine","operators":[]},{"name":"storage_profile_os_disk_blob_uri","type":"text","description":"Contains uri of the virtual hard disk","operators":[]},{"name":"storage_profile_os_disk_caching","type":"text","description":"Specifies the caching requirements","operators":[]},{"name":"storage_profile_os_disk_encryption_set","type":"text","description":"Specifies the customer managed disk encryption set resource id for the managed image disk","operators":[]},{"name":"storage_profile_os_disk_managed_disk_id","type":"text","description":"Contains the id of the managed disk","operators":[]},{"name":"storage_profile_os_disk_size_gb","type":"bigint","description":"Specifies the size of empty data disks in gigabytes","operators":[]},{"name":"storage_profile_os_disk_snapshot_id","type":"text","description":"Contains the id of the snapshot","operators":[]},{"name":"storage_profile_os_disk_state","type":"text","description":"Contains state of the OS","operators":[]},{"name":"storage_profile_os_disk_storage_account_type","type":"text","description":"Specifies the storage account type for the managed disk","operators":[]},{"name":"storage_profile_os_disk_type","type":"text","description":"Specifies the type of the OS that is included in the disk if creating a VM from a custom image","operators":[]},{"name":"storage_profile_zone_resilient","type":"boolean","description":"Specifies whether an image is zone resilient or not","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource","operators":[]}],"description":"Azure Compute Image","queriesCount":0,"examplesCount":4,"readme":"$36"},{"name":"azure_compute_resource_sku","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"api_versions","type":"jsonb","description":"The api versions that support this SKU","operators":[]},{"name":"capabilities","type":"jsonb","description":"A name value pair to describe the capability","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"costs","type":"jsonb","description":"A list of metadata for retrieving price info","operators":[]},{"name":"default_capacity","type":"bigint","description":"Contains the default capacity","operators":[]},{"name":"family","type":"text","description":"The Family of this particular SKU","operators":[]},{"name":"kind","type":"text","description":"The Kind of resources that are supported in this SKU","operators":[]},{"name":"location_info","type":"jsonb","description":"A list of locations and availability zones in those locations where the SKU is available","operators":[]},{"name":"locations","type":"jsonb","description":"The set of locations that the SKU is available","operators":[]},{"name":"maximum_capacity","type":"bigint","description":"The maximum capacity that can be set","operators":[]},{"name":"minimum_capacity","type":"bigint","description":"The minimum capacity that can be set","operators":[]},{"name":"name","type":"text","description":"The name of SKU","operators":[]},{"name":"resource_type","type":"text","description":"The type of resource the SKU applies to","operators":[]},{"name":"restrictions","type":"jsonb","description":"The restrictions because of which SKU cannot be used","operators":[]},{"name":"scale_type","type":"text","description":"The scale type applicable to the sku","operators":[]},{"name":"size","type":"text","description":"The Size of the SKU","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tier","type":"text","description":"Specifies the tier of virtual machines in a scale set","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]}],"description":"Azure Compute Resource SKU","queriesCount":0,"examplesCount":3,"readme":"$37"},{"name":"azure_compute_snapshot","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"create_option","type":"text","description":"Specifies the possible sources of a disk's creation","operators":[]},{"name":"disk_access_id","type":"text","description":"ARM id of the DiskAccess resource for using private endpoints on disks","operators":[]},{"name":"disk_encryption_set_id","type":"text","description":"ResourceId of the disk encryption set to use for enabling encryption at rest","operators":[]},{"name":"disk_size_bytes","type":"bigint","description":"The size of the disk in bytes","operators":[]},{"name":"disk_size_gb","type":"bigint","description":"The size of the disk to create","operators":[]},{"name":"encryption_setting_collection_enabled","type":"boolean","description":"Specifies whether the encryption is enables, or not","operators":[]},{"name":"encryption_setting_version","type":"text","description":"Describes what type of encryption is used for the disks","operators":[]},{"name":"encryption_settings","type":"jsonb","description":"A list of encryption settings, one for each disk volume","operators":[]},{"name":"encryption_type","type":"text","description":"The type of the encryption","operators":[]},{"name":"gallery_image_reference_id","type":"text","description":"A relative uri containing either a Platform Image Repository or user image reference","operators":[]},{"name":"gallery_reference_lun","type":"bigint","description":"Specifies the index that indicates which of the data disks in the image to use","operators":[]},{"name":"hyperv_generation","type":"text","description":"Specifies the hypervisor generation of the Virtual Machine","operators":[]},{"name":"id","type":"text","description":"The unique id identifying the resource in subscription","operators":[]},{"name":"image_reference_id","type":"text","description":"A relative uri containing either a Platform Image Repository or user image reference","operators":[]},{"name":"image_reference_lun","type":"bigint","description":"Specifies the index that indicates which of the data disks in the image to use","operators":[]},{"name":"incremental","type":"boolean","description":"Specifies whether a snapshot is incremental, or not","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the snapshot","operators":["="]},{"name":"network_access_policy","type":"text","description":"Contains the type of access","operators":[]},{"name":"os_type","type":"text","description":"Contains the type of operating system","operators":[]},{"name":"provisioning_state","type":"text","description":"The disk provisioning state","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sku_name","type":"text","description":"The snapshot sku name","operators":[]},{"name":"sku_tier","type":"text","description":"The sku tier","operators":[]},{"name":"source_resource_id","type":"text","description":"ARM id of the source snapshot or disk","operators":[]},{"name":"source_unique_id","type":"text","description":"An unique id identifying the source of this resource","operators":[]},{"name":"source_uri","type":"text","description":"An URI of a blob to be imported into a managed disk","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"storage_account_id","type":"text","description":"The Azure Resource Manager identifier of the storage account containing the blob to import as a disk","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"time_created","type":"timestamp with time zone","description":"The time when the snapshot was created","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource in Azure","operators":[]},{"name":"unique_id","type":"text","description":"An unique Guid identifying the resource","operators":[]},{"name":"upload_size_bytes","type":"bigint","description":"The size of the contents of the upload including the VHD footer","operators":[]},{"name":"virtual_machines","type":"jsonb","description":"A list of references to all virtual machines in the availability set","operators":[]}],"description":"Azure Compute Snapshot","queriesCount":0,"examplesCount":3,"readme":"$38"},{"name":"azure_compute_ssh_key","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"id","type":"text","description":"The unique ID identifying the resource in subscription.","operators":[]},{"name":"name","type":"text","description":"Name of the SSH key.","operators":["="]},{"name":"public_key","type":"text","description":"SSH public key.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource in Azure.","operators":[]}],"description":"Azure Compute SSH Key","queriesCount":0,"examplesCount":2,"readme":"$39"},{"name":"azure_compute_virtual_machine","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"additional_unattend_content","type":"jsonb","description":"Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by windows setup.","operators":[]},{"name":"admin_user_name","type":"text","description":"Specifies the name of the administrator account.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"allow_extension_operations","type":"boolean","description":"Specifies whether extension operations should be allowed on the virtual machine.","operators":[]},{"name":"availability_set_id","type":"text","description":"Specifies the ID of the availability set.","operators":[]},{"name":"billing_profile_max_price","type":"double precision","description":"Specifies the maximum price you are willing to pay for a Azure Spot VM/VMSS.","operators":[]},{"name":"boot_diagnostics_enabled","type":"boolean","description":"Specifies whether boot diagnostics should be enabled on the Virtual Machine, or not.","operators":[]},{"name":"boot_diagnostics_storage_uri","type":"text","description":"Contains the Uri of the storage account to use for placing the console output and screenshot.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"computer_name","type":"text","description":"Specifies the host OS name of the virtual machine.","operators":[]},{"name":"data_disks","type":"jsonb","description":"A list of parameters that are used to add a data disk to a virtual machine.","operators":[]},{"name":"disable_password_authentication","type":"boolean","description":"Specifies whether password authentication should be disabled.","operators":[]},{"name":"enable_automatic_updates","type":"boolean","description":"Indicates whether automatic updates is enabled for the windows virtual machine.","operators":[]},{"name":"eviction_policy","type":"text","description":"Specifies the eviction policy for the Azure Spot virtual machine and Azure Spot scale set.","operators":[]},{"name":"extensions","type":"jsonb","description":"Specifies the details of VM Extensions.","operators":[]},{"name":"guest_configuration_assignments","type":"jsonb","description":"Guest configuration assignments for a virtual machine.","operators":[]},{"name":"id","type":"text","description":"The unique id identifying the resource in subscription.","operators":[]},{"name":"identity","type":"jsonb","description":"The identity of the virtual machine, if configured.","operators":[]},{"name":"image_exact_version","type":"text","description":"Specifies in decimal numbers, the version of platform image or marketplace image used to create the virtual machine.","operators":[]},{"name":"image_id","type":"text","description":"Specifies the ID of the image to use.","operators":[]},{"name":"image_offer","type":"text","description":"Specifies the offer of the platform image or marketplace image used to create the virtual machine.","operators":[]},{"name":"image_publisher","type":"text","description":"Specifies the publisher of the image to use.","operators":[]},{"name":"image_sku","type":"text","description":"Specifies the sku of the image to use.","operators":[]},{"name":"image_version","type":"text","description":"Specifies the version of the platform image or marketplace image used to create the virtual machine.","operators":[]},{"name":"linux_configuration_ssh_public_keys","type":"jsonb","description":"A list of ssh key configuration for a Linux OS","operators":[]},{"name":"managed_disk_id","type":"text","description":"Specifies the ID of the managed disk used by the virtual machine.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the virtual machine.","operators":["="]},{"name":"network_interfaces","type":"jsonb","description":"A list of resource Ids for the network interfaces associated with the virtual machine.","operators":[]},{"name":"os_disk_caching","type":"text","description":"Specifies the caching requirements of the operating system disk used by the virtual machine.","operators":[]},{"name":"os_disk_create_option","type":"text","description":"Specifies how the virtual machine should be created.","operators":[]},{"name":"os_disk_name","type":"text","description":"Specifies the name of the operating system disk used by the virtual machine.","operators":[]},{"name":"os_disk_vhd_uri","type":"text","description":"Specifies the virtual hard disk's uri.","operators":[]},{"name":"os_name","type":"text","description":"The Operating System running on the virtual machine.","operators":[]},{"name":"os_type","type":"text","description":"Specifies the type of the OS that is included in the disk if creating a VM from user-image or a specialized VHD.","operators":[]},{"name":"os_version","type":"text","description":"The version of Operating System running on the virtual machine.","operators":[]},{"name":"patch_settings","type":"jsonb","description":"Specifies settings related to in-guest patching (KBs).","operators":[]},{"name":"power_state","type":"text","description":"Specifies the power state of the VM.","operators":[]},{"name":"priority","type":"text","description":"Specifies the priority for the virtual machine.","operators":[]},{"name":"private_ips","type":"jsonb","description":"An array of private ip addesses associated with the vm.","operators":[]},{"name":"provision_vm_agent","type":"boolean","description":"Specifies whether virtual machine agent should be provisioned on the virtual machine for linux configuration.","operators":[]},{"name":"provision_vm_agent_windows","type":"boolean","description":"Specifies whether virtual machine agent should be provisioned on the virtual machine for windows configuration.","operators":[]},{"name":"provisioning_state","type":"text","description":"The virtual machine provisioning state.","operators":[]},{"name":"public_ips","type":"jsonb","description":"An array of public ip addesses associated with the vm.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"require_guest_provision_signal","type":"boolean","description":"Specifies whether the guest provision signal is required to infer provision success of the virtual machine.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"secrets","type":"jsonb","description":"A list of certificates that should be installed onto the virtual machine.","operators":[]},{"name":"security_profile","type":"jsonb","description":"Specifies the security related profile settings for the virtual machine.","operators":[]},{"name":"size","type":"text","description":"Specifies the size of the virtual machine.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"statuses","type":"jsonb","description":"Specifies the resource status information.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"time_created","type":"timestamp with time zone","description":"Specifies the time at which the virtual machine resource was created.","operators":[]},{"name":"time_zone","type":"text","description":"Specifies the time zone of the virtual machine.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource in Azure.","operators":[]},{"name":"ultra_ssd_enabled","type":"boolean","description":"Specifies whether managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set, or not.","operators":[]},{"name":"virtual_machine_scale_set","type":"jsonb","description":"Scale set details for virtual machines managed in flexible orchestration mode.","operators":[]},{"name":"vm_id","type":"text","description":"Specifies an unique ID for VM, which is a 128-bits identifier that is encoded and stored in all Azure IaaS VMs SMBIOS and can be read using platform BIOS commands.","operators":[]},{"name":"win_rm","type":"jsonb","description":"Specifies the windows remote management listeners. This enables remote windows powershell.","operators":[]},{"name":"zones","type":"jsonb","description":"A list of virtual machine zones.","operators":[]}],"description":"Azure Compute Virtual Machine","queriesCount":40,"examplesCount":10,"readme":"$3a"},{"name":"azure_compute_virtual_machine_metric_available_memory","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"average","type":"double precision","description":"The average of the metric values that correspond to the data point.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"maximum","type":"double precision","description":"The maximum metric value for the data point.","operators":[]},{"name":"minimum","type":"double precision","description":"The minimum metric value for the data point.","operators":[]},{"name":"name","type":"text","description":"The name of the virtual machine.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":[]},{"name":"sample_count","type":"double precision","description":"The number of metric values that contributed to the aggregate value of this data point.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sum","type":"double precision","description":"The sum of the metric values for the data point.","operators":[]},{"name":"timestamp","type":"timestamp with time zone","description":"The time stamp used for the data point.","operators":[]},{"name":"unit","type":"text","description":"The units in which the metric value is reported.","operators":[]}],"description":"Azure Compute Virtual Machine Metrics - Memory Available Utilization","queriesCount":0,"examplesCount":0},{"name":"azure_compute_virtual_machine_metric_available_memory_daily","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"average","type":"double precision","description":"The average of the metric values that correspond to the data point.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"maximum","type":"double precision","description":"The maximum metric value for the data point.","operators":[]},{"name":"minimum","type":"double precision","description":"The minimum metric value for the data point.","operators":[]},{"name":"name","type":"text","description":"The name of the virtual machine.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":[]},{"name":"sample_count","type":"double precision","description":"The number of metric values that contributed to the aggregate value of this data point.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sum","type":"double precision","description":"The sum of the metric values for the data point.","operators":[]},{"name":"timestamp","type":"timestamp with time zone","description":"The time stamp used for the data point.","operators":[]},{"name":"unit","type":"text","description":"The units in which the metric value is reported.","operators":[]}],"description":"Azure Compute Virtual Machine Metrics - Memory Available Utilization (Daily)","queriesCount":0,"examplesCount":0},{"name":"azure_compute_virtual_machine_metric_available_memory_hourly","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"average","type":"double precision","description":"The average of the metric values that correspond to the data point.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"maximum","type":"double precision","description":"The maximum metric value for the data point.","operators":[]},{"name":"minimum","type":"double precision","description":"The minimum metric value for the data point.","operators":[]},{"name":"name","type":"text","description":"The name of the virtual machine.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":[]},{"name":"sample_count","type":"double precision","description":"The number of metric values that contributed to the aggregate value of this data point.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sum","type":"double precision","description":"The sum of the metric values for the data point.","operators":[]},{"name":"timestamp","type":"timestamp with time zone","description":"The time stamp used for the data point.","operators":[]},{"name":"unit","type":"text","description":"The units in which the metric value is reported.","operators":[]}],"description":"Azure Compute Virtual Machine Metrics - Memory Available Utilization (Hourly)","queriesCount":0,"examplesCount":0},{"name":"azure_compute_virtual_machine_metric_cpu_utilization","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"average","type":"double precision","description":"The average of the metric values that correspond to the data point.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"maximum","type":"double precision","description":"The maximum metric value for the data point.","operators":[]},{"name":"minimum","type":"double precision","description":"The minimum metric value for the data point.","operators":[]},{"name":"name","type":"text","description":"The name of the virtual machine.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":[]},{"name":"sample_count","type":"double precision","description":"The number of metric values that contributed to the aggregate value of this data point.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sum","type":"double precision","description":"The sum of the metric values for the data point.","operators":[]},{"name":"timestamp","type":"timestamp with time zone","description":"The time stamp used for the data point.","operators":[]},{"name":"unit","type":"text","description":"The units in which the metric value is reported.","operators":[]}],"description":"Azure Compute Virtual Machine Metrics - CPU Utilization","queriesCount":0,"examplesCount":1,"readme":"$3b"},{"name":"azure_compute_virtual_machine_metric_cpu_utilization_daily","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"average","type":"double precision","description":"The average of the metric values that correspond to the data point.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"maximum","type":"double precision","description":"The maximum metric value for the data point.","operators":[]},{"name":"minimum","type":"double precision","description":"The minimum metric value for the data point.","operators":[]},{"name":"name","type":"text","description":"The name of the virtual machine.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":[]},{"name":"sample_count","type":"double precision","description":"The number of metric values that contributed to the aggregate value of this data point.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sum","type":"double precision","description":"The sum of the metric values for the data point.","operators":[]},{"name":"timestamp","type":"timestamp with time zone","description":"The time stamp used for the data point.","operators":[]},{"name":"unit","type":"text","description":"The units in which the metric value is reported.","operators":[]}],"description":"Azure Compute Virtual Machine Metrics - CPU Utilization (Daily)","queriesCount":0,"examplesCount":1,"readme":"$3c"},{"name":"azure_compute_virtual_machine_metric_cpu_utilization_hourly","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"average","type":"double precision","description":"The average of the metric values that correspond to the data point.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"maximum","type":"double precision","description":"The maximum metric value for the data point.","operators":[]},{"name":"minimum","type":"double precision","description":"The minimum metric value for the data point.","operators":[]},{"name":"name","type":"text","description":"The name of the virtual machine.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":[]},{"name":"sample_count","type":"double precision","description":"The number of metric values that contributed to the aggregate value of this data point.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sum","type":"double precision","description":"The sum of the metric values for the data point.","operators":[]},{"name":"timestamp","type":"timestamp with time zone","description":"The time stamp used for the data point.","operators":[]},{"name":"unit","type":"text","description":"The units in which the metric value is reported.","operators":[]}],"description":"Azure Compute Virtual Machine Metrics - CPU Utilization (Hourly)","queriesCount":0,"examplesCount":1,"readme":"$3d"},{"name":"azure_compute_virtual_machine_scale_set","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"do_not_run_extensions_on_overprovisioned_vms","type":"boolean","description":"When Overprovision is enabled, extensions are launched only on the requested number of VMs which are finally kept.","operators":[]},{"name":"extensions","type":"jsonb","description":"Specifies the details of VM Scale Set Extensions.","operators":[]},{"name":"id","type":"text","description":"The unique id identifying the resource in subscription.","operators":[]},{"name":"identity","type":"jsonb","description":"The identity of the virtual machine scale set, if configured.","operators":[]},{"name":"location","type":"text","description":"The location of the resource.","operators":[]},{"name":"name","type":"text","description":"Name of the scale set.","operators":["="]},{"name":"orchestration_mode","type":"text","description":"The orchestration mode of the Virtual Machine Scale Set.","operators":[]},{"name":"overprovision","type":"boolean","description":"Specifies whether the Virtual Machine Scale Set should be overprovisioned.","operators":[]},{"name":"plan","type":"jsonb","description":"Specifies information about the marketplace image used to create the virtual machine.","operators":[]},{"name":"platform_fault_domain_count","type":"bigint","description":"Fault Domain count for each placement group.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"scale_in_policy","type":"jsonb","description":"Specifies the scale-in policy that decides which virtual machines are chosen for removal when a Virtual Machine Scale Set is scaled-in.","operators":[]},{"name":"single_placement_group","type":"boolean","description":"When true this limits the scale set to a single placement group, of max size 100 virtual machines.","operators":[]},{"name":"sku_capacity","type":"bigint","description":"Specifies the tier of virtual machines in a scale set.","operators":[]},{"name":"sku_name","type":"text","description":"The sku name.","operators":[]},{"name":"sku_tier","type":"text","description":"Specifies the tier of virtual machines in a scale set.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"tags_src","type":"jsonb","description":"Resource tags.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource in Azure.","operators":[]},{"name":"unique_id","type":"text","description":"Specifies the ID which uniquely identifies a Virtual Machine Scale Set.","operators":[]},{"name":"upgrade_policy","type":"jsonb","description":"The upgrade policy for the scale set.","operators":[]},{"name":"virtual_machine_diagnostics_profile","type":"jsonb","description":"Specifies the boot diagnostic settings state.","operators":[]},{"name":"virtual_machine_extension_profile","type":"jsonb","description":"Specifies a collection of settings for extensions installed on virtual machines in the scale set.","operators":[]},{"name":"virtual_machine_network_profile","type":"jsonb","description":"Specifies properties of the network interfaces of the virtual machines in the scale set.","operators":[]},{"name":"virtual_machine_os_profile","type":"jsonb","description":"Specifies the operating system settings for the virtual machines in the scale set.","operators":[]},{"name":"virtual_machine_security_profile","type":"jsonb","description":"Specifies the Security related profile settings for the virtual machines in the scale set.","operators":[]},{"name":"virtual_machine_storage_profile","type":"jsonb","description":"Specifies the storage settings for the virtual machine disks.","operators":[]},{"name":"zones","type":"jsonb","description":"The Logical zone list for scale set.","operators":[]}],"description":"Azure Compute Virtual Machine Scale Set","queriesCount":6,"examplesCount":1,"readme":"$3e"},{"name":"azure_compute_virtual_machine_scale_set_network_interface","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"dns_settings","type":"jsonb","description":"The DNS settings in network interface.","operators":[]},{"name":"enable_accelerated_networking","type":"boolean","description":"If the network interface has accelerated networking enabled.","operators":[]},{"name":"enable_ip_forwarding","type":"boolean","description":"Indicates whether IP forwarding is enabled on this network interface.","operators":[]},{"name":"hosted_workloads","type":"jsonb","description":"A list of references to linked BareMetal resources.","operators":[]},{"name":"id","type":"text","description":"The unique ID identifying the resource in a subscription.","operators":[]},{"name":"ip_configurations","type":"jsonb","description":"A list of IP configurations of the network interface.","operators":[]},{"name":"mac_address","type":"text","description":"The MAC address of the network interface.","operators":[]},{"name":"name","type":"text","description":"Name of the scale set network interface.","operators":[]},{"name":"network_security_group","type":"jsonb","description":"The reference to the NetworkSecurityGroup resource.","operators":[]},{"name":"primary","type":"boolean","description":"Whether this is a primary network interface on a virtual machine.","operators":[]},{"name":"private_endpoint","type":"jsonb","description":"A reference to the private endpoint to which the network interface is linked.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the network interface resource. Possible values include: 'Succeeded', 'Updating', 'Deleting', 'Failed'.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":[]},{"name":"resource_guid","type":"text","description":"The resource GUID property of the network interface resource.","operators":[]},{"name":"scale_set_name","type":"text","description":"Name of the scale set.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource in Azure.","operators":[]},{"name":"virtual_machine","type":"jsonb","description":"The reference to a virtual machine.","operators":[]}],"description":"Azure Compute Virtual Machine Scale Set Network Interface","queriesCount":0,"examplesCount":3,"readme":"$3f"},{"name":"azure_compute_virtual_machine_scale_set_vm","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"additional_capabilities","type":"jsonb","description":"Specifies additional capabilities enabled or disabled on the virtual machine in the scale set. For instance: whether the virtual machine has the capability to support attaching managed data disks with UltraSSD_LRS storage account type.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"availability_set","type":"jsonb","description":"Specifies information about the availability set that the virtual machine should be assigned to. Virtual machines specified in the same availability set are allocated to different nodes to maximize availability.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"id","type":"text","description":"The unique id identifying the resource in subscription.","operators":[]},{"name":"instance_id","type":"text","description":"The virtual machine instance ID.","operators":["="]},{"name":"latest_model_applied","type":"boolean","description":"Specifies whether the latest model has been applied to the virtual machine.","operators":[]},{"name":"license_type","type":"text","description":"Specifies that the image or disk that is being used was licensed on-premises.","operators":[]},{"name":"location","type":"text","description":"The location of the resource.","operators":[]},{"name":"model_definition_applied","type":"text","description":"Specifies whether the model applied to the virtual machine is the model of the virtual machine scale set or the customized model for the virtual machine.","operators":[]},{"name":"name","type":"text","description":"Name of the scale set VM.","operators":[]},{"name":"plan","type":"jsonb","description":"Specifies information about the marketplace image used to create the virtual machine.","operators":[]},{"name":"power_state","type":"text","description":"Specifies the power state of the VM.","operators":[]},{"name":"protection_policy","type":"jsonb","description":"Specifies the protection policy of the virtual machine.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"resources","type":"jsonb","description":"The virtual machine child extension resources.","operators":[]},{"name":"scale_set_name","type":"text","description":"Name of the scale set.","operators":["="]},{"name":"sku_capacity","type":"bigint","description":"Specifies the capacity of virtual machines in a scale set virtual machine.","operators":[]},{"name":"sku_name","type":"text","description":"The sku name.","operators":[]},{"name":"sku_tier","type":"text","description":"Specifies the tier of virtual machines in a scale set virtual machine.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"tags_src","type":"jsonb","description":"Resource tags.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource in Azure.","operators":[]},{"name":"upgrade_policy","type":"jsonb","description":"The upgrade policy for the scale set.","operators":[]},{"name":"virtual_machine_diagnostics_profile","type":"jsonb","description":"Specifies the boot diagnostic settings state.","operators":[]},{"name":"virtual_machine_hardware_profile","type":"jsonb","description":"Specifies the hardware settings for the virtual machine.","operators":[]},{"name":"virtual_machine_network_profile","type":"jsonb","description":"Specifies properties of the network interfaces of the virtual machines.","operators":[]},{"name":"virtual_machine_network_profile_configuration","type":"jsonb","description":"Specifies the network profile configuration of the virtual machine.","operators":[]},{"name":"virtual_machine_os_profile","type":"jsonb","description":"Specifies the operating system settings for the virtual machines.","operators":[]},{"name":"virtual_machine_security_profile","type":"jsonb","description":"Specifies the Security related profile settings for the virtual machine.","operators":[]},{"name":"virtual_machine_storage_profile","type":"jsonb","description":"SSpecifies the storage settings for the virtual machine disks.","operators":[]},{"name":"vm_id","type":"text","description":"Azure virtual machine unique ID.","operators":[]},{"name":"zones","type":"jsonb","description":"The Logical zone list for scale set.","operators":[]}],"description":"Azure Compute Virtual Machine Scale Set VM","queriesCount":0,"examplesCount":4,"readme":"$40"},{"name":"azure_compute_virtual_machine_size","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"max_data_disk_count","type":"bigint","description":"The maximum number of data disks that can be attached to the virtual machine size.","operators":[]},{"name":"memory_in_mb","type":"bigint","description":"The amount of memory, in MB, supported by the virtual machine size.","operators":[]},{"name":"name","type":"text","description":"The name of the virtual machine size.","operators":[]},{"name":"number_of_cores","type":"bigint","description":"The number of cores supported by the virtual machine size.","operators":[]},{"name":"os_disk_size_in_mb","type":"bigint","description":"The OS disk size, in MB, allowed by the virtual machine size.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_disk_size_in_mb","type":"bigint","description":"The resource disk size, in MB, allowed by the virtual machine size.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]}],"description":"Azure Compute Virtual Machine Size","queriesCount":0,"examplesCount":5,"readme":"$41"},{"name":"azure_consumption_usage","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"etag","type":"text","description":"The etag for the resource.","operators":[]},{"name":"expand","type":"text","description":"May be used to expand the 'properties/additionalInfo' or 'properties/meterDetails' within a list of usage details. By default, these fields are not included when listing usage details.","operators":["="]},{"name":"filter","type":"text","description":"May be used to filter usageDetails by properties/resourceGroup, properties/instanceName, properties/resourceId, properties/chargeType, properties/reservationId, properties/publisherType or tags. The filter supports 'eq', 'lt', 'gt', 'le', 'ge', and 'and'. It does not currently support 'ne', 'or', or 'not'. Tag filter is a key value pair string where key and value is separated by a colon (:). PublisherType Filter accepts two values azure and marketplace and it is currently supported for Web Direct Offer Type.","operators":["="]},{"name":"id","type":"text","description":"The full qualified ARM ID of an event.","operators":[]},{"name":"kind","type":"text","description":"Specifies the kind of usage details.","operators":[]},{"name":"legacy_usage_detail","type":"jsonb","description":"The legacy usage detail.","operators":[]},{"name":"metric","type":"text","description":"Allows to select different type of cost/usage records. Possible values are 'actualcost', 'amortizedcost' or 'usage'.","operators":["="]},{"name":"modern_usage_detail","type":"jsonb","description":"The modern usage detail.","operators":[]},{"name":"name","type":"text","description":"The ID that uniquely identifies an event.","operators":[]},{"name":"scope","type":"text","description":"The scope associated with usage details operations.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource.","operators":[]}],"description":"Azure Consumption Usage","queriesCount":0,"examplesCount":4,"readme":"$42"},{"name":"azure_container_group","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"containers","type":"jsonb","description":"The containers within the container group.","operators":[]},{"name":"diagnostics","type":"jsonb","description":"The diagnostic information for a container group.","operators":[]},{"name":"dns_config","type":"jsonb","description":"The DNS config information for a container group.","operators":[]},{"name":"encryption_properties","type":"jsonb","description":"The encryption settings of container registry.","operators":[]},{"name":"id","type":"text","description":"The resource ID.","operators":[]},{"name":"identity","type":"jsonb","description":"The identity of the container group.","operators":[]},{"name":"image_registry_credentials","type":"jsonb","description":"The image registry credentials by which the container group is created from.","operators":[]},{"name":"init_containers","type":"jsonb","description":"The init containers for a container group.","operators":[]},{"name":"instance_view","type":"jsonb","description":"The instance view of the container group. Only valid in response.","operators":[]},{"name":"ip_address","type":"jsonb","description":"The IP address type of the container group.","operators":[]},{"name":"name","type":"text","description":"The name of the resource.","operators":["="]},{"name":"os_type","type":"text","description":"The operating system type required by the containers in the container group. Possible values include: 'OperatingSystemTypesWindows', 'OperatingSystemTypesLinux'.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the container group. This only appears in the response.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"restart_policy","type":"text","description":"Restart policy for all containers within the container group. Possible values include: 'ContainerGroupRestartPolicyAlways', 'ContainerGroupRestartPolicyOnFailure', 'ContainerGroupRestartPolicyNever'.","operators":[]},{"name":"sku","type":"text","description":"The SKU for a container group. Possible values include: 'ContainerGroupSkuStandard', 'ContainerGroupSkuDedicated'.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subnet_ids","type":"jsonb","description":"The subnet resource IDs for a container group.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource.","operators":[]},{"name":"volumes","type":"jsonb","description":"The instance view of the container group. Only valid in response.","operators":[]}],"description":"Azure Container Group","queriesCount":4,"examplesCount":6,"readme":"$43"},{"name":"azure_container_registry","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"admin_user_enabled","type":"boolean","description":"Indicates whether the admin user is enabled, or not.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"creation_date","type":"timestamp with time zone","description":"The creation date of the container registry.","operators":[]},{"name":"data_endpoint_enabled","type":"boolean","description":"Enable a single data endpoint per region for serving data.","operators":[]},{"name":"data_endpoint_host_names","type":"jsonb","description":"A list of host names that will serve data when dataEndpointEnabled is true.","operators":[]},{"name":"encryption","type":"jsonb","description":"The encryption settings of container registry.","operators":[]},{"name":"id","type":"text","description":"The unique id identifying the resource in subscription.","operators":[]},{"name":"identity","type":"jsonb","description":"The identity of the container registry.","operators":[]},{"name":"login_credentials","type":"jsonb","description":"The login credentials for the specified container registry.","operators":[]},{"name":"login_server","type":"text","description":"The URL that can be used to log into the container registry.","operators":[]},{"name":"name","type":"text","description":"The name of the resource.","operators":["="]},{"name":"network_rule_bypass_options","type":"text","description":"Indicates whether to allow trusted Azure services to access a network restricted registry. Valid values are: 'AzureServices', 'None'.","operators":[]},{"name":"network_rule_set","type":"jsonb","description":"The network rule set for a container registry.","operators":[]},{"name":"policies","type":"jsonb","description":"The policies for a container registry.","operators":[]},{"name":"private_endpoint_connections","type":"jsonb","description":"A list of private endpoint connections for a container registry.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the container registry at the time the operation was called. Valid values are: 'Creating', 'Updating', 'Deleting', 'Succeeded', 'Failed', 'Canceled'.","operators":[]},{"name":"public_network_access","type":"text","description":"Indicates whether or not public network access is allowed for the container registry. Valid values are: 'Enabled', 'Disabled'.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sku_name","type":"text","description":"The SKU name of the container registry. Required for registry creation. Valid values are: 'Classic', 'Basic', 'Standard', 'Premium'.","operators":[]},{"name":"sku_tier","type":"text","description":"The SKU tier based on the SKU name. Valid values are: 'Classic', 'Basic', 'Standard', 'Premium'.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"status","type":"text","description":"The current status of the resource.","operators":[]},{"name":"status_message","type":"text","description":"The detailed message for the status, including alerts and error messages.","operators":[]},{"name":"status_timestamp","type":"timestamp with time zone","description":"The timestamp when the status was changed to the current value.","operators":[]},{"name":"storage_account_id","type":"text","description":"The resource ID of the storage account. Only applicable to Classic SKU.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"system_data","type":"jsonb","description":"Metadata pertaining to creation and last modification of the resource.","operators":[]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource.","operators":[]},{"name":"usages","type":"jsonb","description":"Specifies the quota usages for the specified container registry.","operators":[]},{"name":"webhooks","type":"jsonb","description":"Webhooks in Azure Container Registry provide a way to trigger custom actions in response to events happening within the registry.","operators":[]},{"name":"zone_redundancy","type":"text","description":"Indicates whether or not zone redundancy is enabled for this container registry. Valid values are: 'Enabled', 'Disabled'.","operators":[]}],"description":"Azure Container Registry","queriesCount":10,"examplesCount":4,"readme":"$44"},{"name":"azure_cosmosdb_account","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"backup_policy","type":"jsonb","description":"The object representing the policy for taking backups on an account.","operators":[]},{"name":"capabilities","type":"jsonb","description":"A list of Cosmos DB capabilities for the account.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"connector_offer","type":"text","description":"The cassandra connector offer type for the Cosmos DB database C* account.","operators":[]},{"name":"consistency_policy_max_interval","type":"bigint","description":"The time amount of staleness (in seconds) tolerated, when used with the Bounded Staleness consistency level.","operators":[]},{"name":"consistency_policy_max_staleness_prefix","type":"bigint","description":"The number of stale requests tolerated, when used with the Bounded Staleness consistency level.","operators":[]},{"name":"cors","type":"jsonb","description":"A list of CORS policy for the Cosmos DB database account.","operators":[]},{"name":"database_account_offer_type","type":"text","description":"The offer type for the Cosmos DB database account.","operators":[]},{"name":"default_consistency_level","type":"text","description":"The default consistency level and configuration settings of the Cosmos DB account.","operators":[]},{"name":"disable_key_based_metadata_write_access","type":"boolean","description":"Disable write operations on metadata resources (databases, containers, throughput) via account keys.","operators":[]},{"name":"disable_local_auth","type":"boolean","description":"Disable local authentication and ensure only MSI and AAD can be used exclusively for authentication. Defaults to false.","operators":[]},{"name":"document_endpoint","type":"text","description":"The connection endpoint for the Cosmos DB database account.","operators":[]},{"name":"enable_analytical_storage","type":"boolean","description":"Specifies whether to enable storage analytics, or not.","operators":[]},{"name":"enable_automatic_failover","type":"boolean","description":"Enables automatic failover of the write region in the rare event that the region is unavailable due to an outage.","operators":[]},{"name":"enable_cassandra_connector","type":"boolean","description":"Enables the cassandra connector on the Cosmos DB C* account.","operators":[]},{"name":"enable_free_tier","type":"boolean","description":"Specifies whether free Tier is enabled for Cosmos DB database account, or not.","operators":[]},{"name":"enable_multiple_write_locations","type":"boolean","description":"Enables the account to write in multiple locations.","operators":[]},{"name":"failover_policies","type":"jsonb","description":"A list of regions ordered by their failover priorities.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a database account uniquely.","operators":[]},{"name":"ip_rules","type":"jsonb","description":"A list of IP rules.","operators":[]},{"name":"is_virtual_network_filter_enabled","type":"boolean","description":"Specifies whether to enable/disable Virtual Network ACL rules.","operators":[]},{"name":"key_vault_key_uri","type":"text","description":"The URI of the key vault, used to encrypt the Cosmos DB database account.","operators":[]},{"name":"kind","type":"text","description":"Indicates the type of database account.","operators":[]},{"name":"locations","type":"jsonb","description":"A list of all locations that are enabled for the Cosmos DB account.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the database account.","operators":["="]},{"name":"private_endpoint_connections","type":"jsonb","description":"A list of Private Endpoint Connections configured for the Cosmos DB account.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the database account resource.","operators":[]},{"name":"public_network_access","type":"text","description":"Indicates whether requests from Public Network are allowed.","operators":[]},{"name":"read_locations","type":"jsonb","description":"A list of read locations enabled for the Cosmos DB account.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"restore_parameters","type":"jsonb","description":"Parameters to indicate the information about the restore.","operators":[]},{"name":"server_version","type":"text","description":"Describes the ServerVersion of an a MongoDB account.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource.","operators":[]},{"name":"virtual_network_rules","type":"jsonb","description":"A list of Virtual Network ACL rules configured for the Cosmos DB account.","operators":[]},{"name":"write_locations","type":"jsonb","description":"A list of write locations enabled for the Cosmos DB account.","operators":[]}],"description":"Azure Cosmos DB Account","queriesCount":7,"examplesCount":8,"readme":"$45"},{"name":"azure_cosmosdb_mongo_collection","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"account_name","type":"text","description":"The friendly name that identifies the cosmosdb account in which the collection is created.","operators":["="]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"analytical_storage_ttl","type":"bigint","description":"Analytical TTL.","operators":[]},{"name":"autoscale_settings_max_throughput","type":"bigint","description":"Contains maximum throughput, the resource can scale up to.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"collection_etag","type":"text","description":"A system generated property representing the resource etag required for optimistic concurrency control.","operators":[]},{"name":"collection_id","type":"text","description":"Name of the Cosmos DB MongoDB collection.","operators":[]},{"name":"collection_rid","type":"text","description":"A system generated unique identifier for collection.","operators":[]},{"name":"collection_ts","type":"bigint","description":"A system generated property that denotes the last updated timestamp of the resource.","operators":[]},{"name":"database_name","type":"text","description":"The friendly name that identifies the database in which the collection is created.","operators":["="]},{"name":"id","type":"text","description":"Contains ID to identify a Mongo DB collection uniquely.","operators":[]},{"name":"indexes","type":"jsonb","description":"List of index keys.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the Mongo DB collection.","operators":["="]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"shard_key","type":"jsonb","description":"A key-value pair of shard keys to be applied for the request.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"throughput","type":"bigint","description":"Contains the value of the Cosmos DB resource throughput.","operators":[]},{"name":"throughput_settings","type":"jsonb","description":"Contains the Cosmos DB resource throughput or autoscaleSettings.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource.","operators":[]}],"description":"Azure Cosmos DB Mongo Collection","queriesCount":0,"examplesCount":3,"readme":"$46"},{"name":"azure_cosmosdb_mongo_database","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"account_name","type":"text","description":"The friendly name that identifies the database account in which the database is created.","operators":["="]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"autoscale_settings_max_throughput","type":"bigint","description":"Contains maximum throughput, the resource can scale up to.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"database_etag","type":"text","description":"A system generated property representing the resource etag required for optimistic concurrency control.","operators":[]},{"name":"database_id","type":"text","description":"Name of the Cosmos DB MongoDB database.","operators":[]},{"name":"database_rid","type":"text","description":"A system generated unique identifier for database.","operators":[]},{"name":"database_ts","type":"bigint","description":"A system generated property that denotes the last updated timestamp of the resource.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a Mongo DB database uniquely.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the Mongo DB database.","operators":["="]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"throughput","type":"bigint","description":"Contains the value of the Cosmos DB resource throughput or autoscaleSettings.","operators":[]},{"name":"throughput_settings","type":"jsonb","description":"Contains the value of the Cosmos DB resource throughput or autoscaleSettings.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource.","operators":[]}],"description":"Azure Cosmos DB Mongo Database","queriesCount":0,"examplesCount":2,"readme":"$47"},{"name":"azure_cosmosdb_restorable_database_account","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"account_name","type":"text","description":"The name of the global database account.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"api_type","type":"text","description":"The API type of the restorable database account.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"creation_time","type":"timestamp with time zone","description":"The creation time of the restorable database account.","operators":[]},{"name":"deletion_time","type":"timestamp with time zone","description":"The time at which the restorable database account has been deleted.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a restorable database account uniquely.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the restorable database account.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":[]},{"name":"restorable_locations","type":"jsonb","description":"List of regions where the database account can be restored from.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource.","operators":[]}],"description":"Azure Cosmos DB Restorable Database Account","queriesCount":0,"examplesCount":3,"readme":"$48"},{"name":"azure_cosmosdb_sql_database","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"account_name","type":"text","description":"The friendly name that identifies the database account in which the database is created.","operators":["="]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"autoscale_settings_max_throughput","type":"bigint","description":"Contains maximum throughput, the resource can scale up to.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"database_colls","type":"text","description":"A system generated property that specified the addressable path of the collections resource.","operators":[]},{"name":"database_etag","type":"text","description":"A system generated property representing the resource etag required for optimistic concurrency control.","operators":[]},{"name":"database_id","type":"text","description":"Name of the Cosmos DB SQL database.","operators":[]},{"name":"database_rid","type":"text","description":"A system generated unique identifier for database.","operators":[]},{"name":"database_ts","type":"bigint","description":"A system generated property that denotes the last updated timestamp of the resource.","operators":[]},{"name":"database_users","type":"text","description":"A system generated property that specifies the addressable path of the users resource.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a sql database uniquely.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the sql database.","operators":["="]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"throughput","type":"bigint","description":"Contains the value of the Cosmos DB resource throughput or autoscaleSettings.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource.","operators":[]}],"description":"Azure Cosmos DB SQL Database","queriesCount":0,"examplesCount":2,"readme":"$49"},{"name":"azure_data_factory","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"additional_properties","type":"jsonb","description":"Unmatched properties from the message are deserialized this collection.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"create_time","type":"timestamp with time zone","description":"Specifies the time, the factory was created.","operators":[]},{"name":"encryption","type":"jsonb","description":"Properties to enable Customer Managed Key for the factory.","operators":[]},{"name":"etag","type":"text","description":"An unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"global_parameters","type":"jsonb","description":"List of parameters for factory.","operators":[]},{"name":"id","type":"text","description":"The resource identifier.","operators":[]},{"name":"identity","type":"jsonb","description":"Managed service identity of the factory.","operators":[]},{"name":"name","type":"text","description":"The resource name.","operators":["="]},{"name":"private_endpoint_connections","type":"jsonb","description":"List of private endpoint connections for data factory.","operators":[]},{"name":"provisioning_state","type":"text","description":"Factory provisioning state, example Succeeded.","operators":[]},{"name":"public_network_access","type":"text","description":"Whether or not public network access is allowed for the data factory.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"repo_configuration","type":"jsonb","description":"Git repo information of the factory.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]},{"name":"version","type":"text","description":"Version of the factory.","operators":[]}],"description":"Azure Data Factory","queriesCount":4,"examplesCount":2,"readme":"$4a"},{"name":"azure_data_factory_dataset","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"etag","type":"text","description":"An unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"factory_name","type":"text","description":"Name of the factory the dataset belongs.","operators":["="]},{"name":"id","type":"text","description":"The resource identifier.","operators":[]},{"name":"name","type":"text","description":"The resource name.","operators":["="]},{"name":"properties","type":"jsonb","description":"Dataset properties.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]}],"description":"Azure Data Factory Dataset","queriesCount":0,"examplesCount":1,"readme":"$4b"},{"name":"azure_data_factory_pipeline","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"activities","type":"jsonb","description":"A list of activities in pipeline.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"annotations","type":"jsonb","description":"A list of tags that can be used for describing the Pipeline.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"concurrency","type":"bigint","description":"The max number of concurrent runs for the pipeline.","operators":[]},{"name":"description","type":"text","description":"The description of the pipeline.","operators":[]},{"name":"etag","type":"text","description":"An unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"factory_name","type":"text","description":"Name of the factory the pipeline belongs.","operators":["="]},{"name":"id","type":"text","description":"The resource identifier.","operators":[]},{"name":"name","type":"text","description":"The resource name.","operators":["="]},{"name":"parameters","type":"jsonb","description":"A list of parameters for pipeline.","operators":[]},{"name":"pipeline_folder","type":"text","description":"The folder that this Pipeline is in. If not specified, Pipeline will appear at the root level.","operators":[]},{"name":"pipeline_policy","type":"jsonb","description":"Pipeline ElapsedTime Metric Policy.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"run_dimensions","type":"jsonb","description":"Dimensions emitted by Pipeline.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]},{"name":"variables","type":"jsonb","description":"A list of variables for pipeline.","operators":[]}],"description":"Azure Data Factory Pipeline","queriesCount":0,"examplesCount":0,"readme":"$4c"},{"name":"azure_data_lake_analytics_account","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"account_id","type":"text","description":"The unique identifier associated with this data lake analytics account.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"compute_policies","type":"jsonb","description":"The list of compute policies associated with this data lake analytics account.","operators":[]},{"name":"creation_time","type":"timestamp with time zone","description":"The data lake analytics account creation time.","operators":[]},{"name":"current_tier","type":"text","description":"The commitment tier in use for current month.","operators":[]},{"name":"data_lake_store_accounts","type":"jsonb","description":"The list of data lake store accounts associated with this data lake analytics account.","operators":[]},{"name":"default_data_lake_store_account","type":"text","description":"The default data lake store account associated with this data lake analytics account.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the data lake analytics account.","operators":[]},{"name":"endpoint","type":"text","description":"The full cname endpoint for this data lake analytics account.","operators":[]},{"name":"firewall_allow_azure_ips","type":"jsonb","description":"The current state of allowing or disallowing IPs originating within azure through the firewall. If the firewall is disabled, this is not enforced.","operators":[]},{"name":"firewall_rules","type":"jsonb","description":"The list of firewall rules associated with this data lake analytics account.","operators":[]},{"name":"firewall_state","type":"text","description":"The current state of the IP address firewall for this data lake analytics account.","operators":[]},{"name":"id","type":"text","description":"The resource identifier.","operators":[]},{"name":"last_modified_time","type":"timestamp with time zone","description":"The data lake analytics account last modified time.","operators":[]},{"name":"max_degree_of_parallelism","type":"bigint","description":"The maximum supported degree of parallelism for this data lake analytics account.","operators":[]},{"name":"max_degree_of_parallelism_per_job","type":"bigint","description":"The maximum supported degree of parallelism per job for this data lake analytics account.","operators":[]},{"name":"max_job_count","type":"bigint","description":"The maximum supported jobs running under the data lake analytics account at the same time.","operators":[]},{"name":"min_priority_per_job","type":"bigint","description":"The minimum supported priority per job for this data lake analytics account.","operators":[]},{"name":"name","type":"text","description":"The resource name.","operators":["="]},{"name":"new_tier","type":"text","description":"The commitment tier to use for next month.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning status of the data lake analytics account.","operators":[]},{"name":"query_store_retention","type":"bigint","description":"The number of days that job metadata is retained.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"state","type":"text","description":"The state of the data lake analytics account.","operators":[]},{"name":"storage_accounts","type":"jsonb","description":"The list of azure blob storage accounts associated with this data lake analytics account.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"system_max_degree_of_parallelism","type":"bigint","description":"The system defined maximum supported degree of parallelism for this account, which restricts the maximum value of parallelism the user can set for the data lake analytics account.","operators":[]},{"name":"system_max_job_count","type":"bigint","description":"The system defined maximum supported jobs running under the account at the same time, which restricts the maximum number of running jobs the user can set for the data lake analytics account.","operators":[]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]}],"description":"Azure Data Lake Analytics account","queriesCount":1,"examplesCount":2,"readme":"$4d"},{"name":"azure_data_lake_store","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"account_id","type":"text","description":"The unique identifier associated with this data lake store account.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"creation_time","type":"timestamp with time zone","description":"The account creation time.","operators":[]},{"name":"current_tier","type":"text","description":"The commitment tier in use for current month.","operators":[]},{"name":"default_group","type":"text","description":"The default owner group for all new folders and files created in the data lake store account.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the data lake store.","operators":[]},{"name":"encryption_config","type":"jsonb","description":"The key vault encryption configuration.","operators":[]},{"name":"encryption_provisioning_state","type":"text","description":"The current state of encryption provisioning for this data lake store account.","operators":[]},{"name":"encryption_state","type":"text","description":"The current state of encryption for this data lake store account.","operators":[]},{"name":"endpoint","type":"text","description":"The full cname endpoint for this account.","operators":[]},{"name":"firewall_allow_azure_ips","type":"jsonb","description":"The current state of allowing or disallowing IPs originating within azure through the firewall. If the firewall is disabled, this is not enforced.","operators":[]},{"name":"firewall_rules","type":"jsonb","description":"The list of firewall rules associated with this data lake store account.","operators":[]},{"name":"firewall_state","type":"text","description":"The current state of the IP address firewall for this data lake store account.","operators":[]},{"name":"id","type":"text","description":"The resource identifier.","operators":[]},{"name":"identity","type":"jsonb","description":"The key vault encryption identity, if any.","operators":[]},{"name":"last_modified_time","type":"timestamp with time zone","description":"The account last modified time.","operators":[]},{"name":"name","type":"text","description":"The resource name.","operators":["="]},{"name":"new_tier","type":"text","description":"The commitment tier to use for next month.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning status of the data lake store account.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"state","type":"text","description":"The state of the data lake store account.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"trusted_id_provider_state","type":"text","description":"The current state of the trusted identity provider feature for this data lake store account.","operators":[]},{"name":"trusted_id_providers","type":"jsonb","description":"The list of trusted identity providers associated with this data lake store account.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]},{"name":"virtual_network_rules","type":"jsonb","description":"The list of virtual network rules associated with this data lake store account.","operators":[]}],"description":"Azure Data Lake Store","queriesCount":2,"examplesCount":2,"readme":"$4e"},{"name":"azure_data_protection_backup_job","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"activity_id","type":"text","description":"Job Activity Id.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"backup_instance_friendly_name","type":"text","description":"Name of the Backup Instance.","operators":[]},{"name":"backup_instance_id","type":"text","description":"ARM ID of the Backup Instance.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"data_source_id","type":"text","description":"ARM ID of the DataSource.","operators":[]},{"name":"data_source_location","type":"text","description":"Location of the DataSource.","operators":[]},{"name":"data_source_name","type":"text","description":"User Friendly Name of the DataSource.","operators":[]},{"name":"data_source_set_name","type":"text","description":"Data Source Set Name of the DataSource.","operators":[]},{"name":"data_source_type","type":"text","description":"Type of DataSource.","operators":[]},{"name":"destination_data_store_name","type":"text","description":"Destination Data Store Name.","operators":[]},{"name":"duration","type":"text","description":"Total run time of the job. ISO 8601 format.","operators":[]},{"name":"end_time","type":"timestamp with time zone","description":"EndTime of the job (in UTC).","operators":[]},{"name":"error_details","type":"jsonb","description":"A List, detailing the errors related to the job.","operators":[]},{"name":"etag","type":"text","description":"An unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"extended_info","type":"jsonb","description":"Extended Information about the job.","operators":[]},{"name":"id","type":"text","description":"Resource ID represents the complete path to the resource.","operators":[]},{"name":"is_user_triggered","type":"boolean","description":"Indicates whether the job is adhoc(true) or scheduled(false).","operators":[]},{"name":"name","type":"text","description":"Resource name associated with the resource.","operators":[]},{"name":"operation","type":"text","description":"Type of Job i.e. Backup:full/log/diff ;Restore:ALR/OLR; Tiering:Backup/Archive ; Management:ConfigureProtection/UnConfigure.","operators":[]},{"name":"operation_category","type":"text","description":"Indicates the type of Job i.e. Backup/Restore/Tiering/Management.","operators":[]},{"name":"policy_id","type":"text","description":"ARM ID of the policy.","operators":[]},{"name":"policy_name","type":"text","description":"Name of the policy.","operators":[]},{"name":"progress_enabled","type":"boolean","description":"Indicates whether progress is enabled for the job.","operators":[]},{"name":"progress_url","type":"text","description":"Url which contains job's progress.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"restore_type","type":"text","description":"Indicates the sub type of operation i.e. in case of Restore it can be ALR/OLR.","operators":[]},{"name":"source_data_store_name","type":"text","description":"Source Data Store Name.","operators":[]},{"name":"source_resource_group","type":"text","description":"Resource Group Name of the Datasource.","operators":[]},{"name":"source_subscription_id","type":"text","description":"SubscriptionId corresponding to the DataSource.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"start_time","type":"timestamp with time zone","description":"StartTime of the job (in UTC).","operators":[]},{"name":"status","type":"text","description":"Status of the job like InProgress/Success/Failed/Cancelled/SuccessWithWarning.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"supported_actions","type":"jsonb","description":"List of supported actions.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Resource type represents the complete path of the form Namespace/ResourceType/ResourceType/...","operators":[]},{"name":"vault_name","type":"text","description":"The data protection vault name.","operators":["="]}],"description":"Azure Data Protection Backup Job","queriesCount":0,"examplesCount":7,"readme":"$4f"},{"name":"azure_data_protection_backup_vault","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"id","type":"text","description":"The resource identifier.","operators":[]},{"name":"identity","type":"jsonb","description":"Input Managed Identity Details.","operators":[]},{"name":"location","type":"text","description":"The location of the backup vault.","operators":[]},{"name":"monitoring_settings","type":"jsonb","description":"The Monitoring Settings.","operators":[]},{"name":"name","type":"text","description":"The name of the backup vault.","operators":["="]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the backup vault resource.","operators":[]},{"name":"region","type":"text","description":"The Azure region where the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group in which the resource is located.","operators":["="]},{"name":"resource_move_details","type":"jsonb","description":"Details of the resource move for the backup vault.","operators":[]},{"name":"resource_move_state","type":"text","description":"The resource move state for the backup vault.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"storage_settings","type":"jsonb","description":"The storage settings of the backup vault.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"system_data","type":"jsonb","description":"Metadata pertaining to creation and last modification of the resource.","operators":[]},{"name":"tags","type":"jsonb","description":"Tags associated with the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]}],"description":"Azure Data Protection Backup Vault","queriesCount":0,"examplesCount":5,"readme":"$50"},{"name":"azure_databox_edge_device","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"configured_role_types","type":"jsonb","description":"Type of compute roles configured.","operators":[]},{"name":"culture","type":"text","description":"The Data Box Edge/Gateway device culture.","operators":[]},{"name":"data_box_edge_device_status","type":"text","description":"The status of the Data Box Edge/Gateway device. Possible values include: 'ReadyToSetup', 'Online', 'Offline', 'NeedsAttention', 'Disconnected', 'PartiallyDisconnected', 'Maintenance'.","operators":[]},{"name":"description","type":"text","description":"he Description of the Data Box Edge/Gateway device.","operators":[]},{"name":"device_hcs_version","type":"text","description":"The device software version number of the device (eg: 1.2.18105.6).","operators":[]},{"name":"device_local_capacity","type":"bigint","description":"The Data Box Edge/Gateway device local capacity in MB.","operators":[]},{"name":"device_model","type":"text","description":"The Data Box Edge/Gateway device model.","operators":[]},{"name":"device_software_version","type":"text","description":"The Data Box Edge/Gateway device software version.","operators":[]},{"name":"device_type","type":"text","description":"The type of the Data Box Edge/Gateway device. Possible values include: 'DataBoxEdgeDevice'.","operators":[]},{"name":"etag","type":"text","description":"The etag for the devices.","operators":[]},{"name":"friendly_name","type":"text","description":"The Data Box Edge/Gateway device name.","operators":[]},{"name":"id","type":"text","description":"The resource identifier.","operators":[]},{"name":"location","type":"text","description":"The location of the device. This is a supported and registered Azure geographical region (for example, West US, East US, or Southeast Asia). The geographical region of a device cannot be changed once it is created, but if an identical geographical region is specified on update, the request will succeed.","operators":[]},{"name":"model_description","type":"text","description":"The description of the Data Box Edge/Gateway device model.","operators":[]},{"name":"name","type":"text","description":"The resource name.","operators":["="]},{"name":"node_count","type":"bigint","description":"The number of nodes in the cluster.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"serial_number","type":"text","description":"The Serial Number of Data Box Edge/Gateway device.","operators":[]},{"name":"sku_name","type":"text","description":"SKU name of the resource. Possible values include: 'Gateway', 'Edge'.","operators":[]},{"name":"sku_tier","type":"text","description":"The SKU tier. This is based on the SKU name. Possible values include: 'Standard'.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"time_zone","type":"text","description":"The Data Box Edge/Gateway device timezone.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]}],"description":"Azure Data Box Edge Device","queriesCount":1,"examplesCount":1,"readme":"$51"},{"name":"azure_databricks_workspace","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"authorizations","type":"jsonb","description":"The workspace provider authorizations.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"created_by","type":"jsonb","description":"Indicates the Object ID, PUID and Application ID of entity that created the workspace.","operators":[]},{"name":"created_date_time","type":"timestamp with time zone","description":"Specifies the date and time when the workspace is created.","operators":[]},{"name":"id","type":"text","description":"Fully qualified resource ID for the resource.","operators":[]},{"name":"location","type":"text","description":"The geo-location where the resource lives.","operators":[]},{"name":"managed_resource_group_id","type":"text","description":"The managed resource group ID.","operators":[]},{"name":"name","type":"text","description":"The resource name.","operators":["="]},{"name":"parameters","type":"jsonb","description":"The workspace's custom parameters.","operators":[]},{"name":"provisioning_state","type":"text","description":"The workspace provisioning state.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sku","type":"jsonb","description":"The SKU of the resource.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"storage_account_identity","type":"jsonb","description":"The details of Managed Identity of Storage Account","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource.","operators":[]},{"name":"ui_definition_uri","type":"text","description":"The blob URI where the UI definition file is located.","operators":[]},{"name":"updated_by","type":"jsonb","description":"Indicates the Object ID, PUID and Application ID of entity that last updated the workspace.","operators":[]},{"name":"workspace_id","type":"text","description":"The unique identifier of the databricks workspace in databricks control plane.","operators":[]},{"name":"workspace_url","type":"text","description":"The workspace URL which is of the format 'adb-{workspaceId}.{random}.azuredatabricks.net'.","operators":[]}],"description":"Azure Databricks Workspace","queriesCount":0,"examplesCount":4,"readme":"$52"},{"name":"azure_diagnostic_setting","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"event_hub_authorization_rule_id","type":"text","description":"The resource Id for the event hub authorization rule.","operators":[]},{"name":"event_hub_name","type":"text","description":"The name of the event hub.","operators":[]},{"name":"id","type":"text","description":"The resource Id.","operators":[]},{"name":"log_analytics_destination_type","type":"text","description":"A string indicating whether the export to Log Analytics should use the default destinatio type.","operators":[]},{"name":"logs","type":"jsonb","description":"The list of logs settings.","operators":[]},{"name":"metrics","type":"jsonb","description":"The list of metric settings.","operators":[]},{"name":"name","type":"text","description":"The name of the resource.","operators":["="]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":[]},{"name":"service_bus_rule_id","type":"text","description":"The service bus rule Id of the diagnostic setting.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"storage_account_id","type":"text","description":"The resource ID of the storage account to which you would like to send Diagnostic Logs.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource.","operators":[]},{"name":"workspace_id","type":"text","description":"The full ARM resource ID of the Log Analytics workspace to which you would like to send Diagnostic Logs.","operators":[]}],"description":"Azure Diagnostic Setting","queriesCount":1,"examplesCount":4,"readme":"$53"},{"name":"azure_dns_zone","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"etag","type":"text","description":"An unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a DNS zone uniquely.","operators":[]},{"name":"max_number_of_record_sets","type":"bigint","description":"The maximum number of record sets that can be created in this DNS zone.","operators":[]},{"name":"max_number_of_records_per_record_set","type":"bigint","description":"The maximum number of records per record set that can be created in this DNS zone.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the DNS zone.","operators":["="]},{"name":"name_servers","type":"jsonb","description":"The name servers for this DNS zone.","operators":[]},{"name":"number_of_record_sets","type":"bigint","description":"The current number of record sets in this DNS zone.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"registration_virtual_networks","type":"jsonb","description":"A list of references to virtual networks that register hostnames in this DNS zone.","operators":[]},{"name":"resolution_virtual_networks","type":"jsonb","description":"A list of references to virtual networks that resolve records in this DNS zone.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type of the DNS zone.","operators":[]},{"name":"zone_type","type":"text","description":"The type of this DNS zone (always `Public`, see `azure_private_dns_zone` table for private DNS zones).","operators":[]}],"description":"Azure DNS Zone","queriesCount":0,"examplesCount":2,"readme":"$54"},{"name":"azure_eventgrid_domain","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"auto_create_topic_with_first_subscription","type":"boolean","description":"This Boolean is used to specify the creation mechanism for 'all' the event grid domain topics associated with this event grid domain resource.","operators":[]},{"name":"auto_delete_topic_with_last_subscription","type":"boolean","description":"This Boolean is used to specify the deletion mechanism for 'all' the Event Grid Domain Topics associated with this Event Grid Domain resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"created_at","type":"timestamp with time zone","description":"The timestamp of resource creation (UTC).","operators":[]},{"name":"created_by","type":"text","description":"The identity that created the resource.","operators":[]},{"name":"created_by_type","type":"text","description":"The type of identity that created the resource.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the eventgrid domain.","operators":[]},{"name":"disable_local_auth","type":"boolean","description":"This boolean is used to enable or disable local auth. Default value is false. When the property is set to true, only AAD token will be used to authenticate if user is allowed to publish to the domain.","operators":[]},{"name":"endpoint","type":"text","description":"Endpoint for the Event Grid Domain Resource which is used for publishing the events.","operators":[]},{"name":"id","type":"text","description":"Fully qualified identifier of the resource.","operators":[]},{"name":"identity_type","type":"text","description":"The type of managed identity used. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user-assigned identities. The type 'None' will remove any identity. Possible values include: 'None', 'SystemAssigned', 'UserAssigned', 'SystemAssignedUserAssigned'.","operators":[]},{"name":"inbound_ip_rules","type":"jsonb","description":"This can be used to restrict traffic from specific IPs instead of all IPs. Note: These are considered only if PublicNetworkAccess is enabled.","operators":[]},{"name":"input_schema","type":"text","description":"This determines the format that Event Grid should expect for incoming events published to the Event Grid Domain Resource. Possible values include: 'EventGridSchema', 'CustomEventSchema', 'CloudEventSchemaV10'.","operators":[]},{"name":"input_schema_mapping","type":"jsonb","description":"Information about the InputSchemaMapping which specified the info about mapping event payload.","operators":[]},{"name":"last_modified_at","type":"timestamp with time zone","description":"The timestamp of resource last modification (UTC).","operators":[]},{"name":"last_modified_by","type":"text","description":"The identity that last modified the resource.","operators":[]},{"name":"last_modified_by_type","type":"text","description":"The type of identity that last modified the resource.","operators":[]},{"name":"location","type":"text","description":"Location of the resource.","operators":[]},{"name":"name","type":"text","description":"The name of the resource.","operators":["="]},{"name":"principal_id","type":"text","description":"The principal ID of resource identity.","operators":[]},{"name":"private_endpoint_connections","type":"jsonb","description":"List of private endpoint connections.","operators":[]},{"name":"provisioning_state","type":"text","description":"Provisioning state of the event grid domain resource. Possible values include: 'Creating', 'Updating', 'Deleting', 'Succeeded', 'Canceled', 'Failed'.","operators":[]},{"name":"public_network_access","type":"text","description":"This determines if traffic is allowed over public network. By default it is enabled.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sku_name","type":"text","description":"Name of this SKU. Possible values include: 'Basic', 'Standard'.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]},{"name":"user_assigned_identities","type":"jsonb","description":"The list of user identities associated with the resource. The user identity dictionary key references will be ARM resource ids.","operators":[]}],"description":"Azure Event Grid Domain","queriesCount":4,"examplesCount":2,"readme":"$55"},{"name":"azure_eventgrid_topic","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"created_at","type":"timestamp with time zone","description":"The timestamp of resource creation (UTC).","operators":[]},{"name":"created_by","type":"text","description":"The identity that created the resource.","operators":[]},{"name":"created_by_type","type":"text","description":"The type of identity that created the resource.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the eventgrid topic.","operators":[]},{"name":"disable_local_auth","type":"boolean","description":"This boolean is used to enable or disable local auth. Default value is false. When the property is set to true, only AAD token will be used to authenticate if user is allowed to publish to the topic.","operators":[]},{"name":"endpoint","type":"text","description":"Endpoint for the event grid topic resource which is used for publishing the events.","operators":[]},{"name":"extended_location","type":"jsonb","description":"Extended location of the resource.","operators":[]},{"name":"id","type":"text","description":"Fully qualified identifier of the resource.","operators":[]},{"name":"identity","type":"jsonb","description":"Identity information for the resource.","operators":[]},{"name":"inbound_ip_rules","type":"jsonb","description":"This can be used to restrict traffic from specific IPs instead of all IPs. Note: These are considered only if PublicNetworkAccess is enabled.","operators":[]},{"name":"input_schema","type":"text","description":"This determines the format that event grid should expect for incoming events published to the event grid topic resource. Possible values include: 'EventGridSchema', 'CustomEventSchema', 'CloudEventSchemaV10'.","operators":[]},{"name":"input_schema_mapping","type":"jsonb","description":"Information about the InputSchemaMapping which specified the info about mapping event payload.","operators":[]},{"name":"kind","type":"text","description":"Kind of the resource.","operators":[]},{"name":"last_modified_at","type":"timestamp with time zone","description":"The timestamp of resource last modification (UTC).","operators":[]},{"name":"last_modified_by","type":"text","description":"The identity that last modified the resource.","operators":[]},{"name":"last_modified_by_type","type":"text","description":"The type of identity that last modified the resource.","operators":[]},{"name":"location","type":"text","description":"Location of the resource.","operators":[]},{"name":"name","type":"text","description":"The name of the resource.","operators":["="]},{"name":"private_endpoint_connections","type":"jsonb","description":"List of private endpoint connections for the event grid topic.","operators":[]},{"name":"provisioning_state","type":"text","description":"Provisioning state of the event grid topic resource. Possible values include: 'Creating', 'Updating', 'Deleting', 'Succeeded', 'Canceled', 'Failed'.","operators":[]},{"name":"public_network_access","type":"text","description":"This determines if traffic is allowed over public network. By default it is enabled.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sku_name","type":"text","description":"Name of this SKU. Possible values include: 'Basic', 'Standard'.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]}],"description":"Azure Event Grid Topic","queriesCount":2,"examplesCount":2,"readme":"$56"},{"name":"azure_eventhub_namespace","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"cluster_arm_id","type":"text","description":"Cluster ARM ID of the namespace.","operators":[]},{"name":"created_at","type":"timestamp with time zone","description":"The time the namespace was created.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the eventhub namespace.","operators":[]},{"name":"encryption","type":"jsonb","description":"Properties of BYOK encryption description.","operators":[]},{"name":"id","type":"text","description":"The ID of the resource.","operators":[]},{"name":"identity","type":"jsonb","description":"Describes the properties of BYOK encryption description.","operators":[]},{"name":"is_auto_inflate_enabled","type":"boolean","description":"Indicates whether auto-inflate is enabled for eventhub namespace.","operators":[]},{"name":"kafka_enabled","type":"boolean","description":"Indicates whether kafka is enabled for eventhub namespace, or not.","operators":[]},{"name":"maximum_throughput_units","type":"bigint","description":"Upper limit of throughput units when auto-inflate is enabled, value should be within 0 to 20 throughput units.","operators":[]},{"name":"metric_id","type":"text","description":"Identifier for azure insights metrics.","operators":[]},{"name":"name","type":"text","description":"The name of the resource.","operators":["="]},{"name":"network_rule_set","type":"jsonb","description":"Describes the network rule set for specified namespace. The EventHub Namespace must be Premium in order to attach a EventHub Namespace Network Rule Set.","operators":[]},{"name":"private_endpoint_connections","type":"jsonb","description":"The private endpoint connections of the namespace.","operators":[]},{"name":"provisioning_state","type":"text","description":"Provisioning state of the namespace.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"service_bus_endpoint","type":"text","description":"Endpoint you can use to perform service bus operations.","operators":[]},{"name":"sku_capacity","type":"bigint","description":"The Event Hubs throughput units, value should be 0 to 20 throughput units.","operators":[]},{"name":"sku_name","type":"text","description":"Name of this SKU. Possible values include: 'Basic', 'Standard'.","operators":[]},{"name":"sku_tier","type":"text","description":"The billing tier of this particular SKU. Valid values are: 'Basic', 'Standard', 'Premium'.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]},{"name":"updated_at","type":"timestamp with time zone","description":"The time the namespace was updated.","operators":[]},{"name":"zone_redundant","type":"boolean","description":"Enabling this property creates a standard event hubs namespace in regions supported availability zones.","operators":[]}],"description":"Azure Event Hub Namespace","queriesCount":4,"examplesCount":4,"readme":"$57"},{"name":"azure_express_route_circuit","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"allow_classic_operations","type":"boolean","description":"Allow classic operations.","operators":[]},{"name":"authorizations","type":"jsonb","description":"The list of authorizations.","operators":[]},{"name":"bandwidth_in_gbps","type":"double precision","description":"The bandwidth of the circuit when the circuit is provisioned on an ExpressRoutePort resource.","operators":[]},{"name":"circuit_provisioning_state","type":"text","description":"The CircuitProvisioningState state of the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"etag","type":"text","description":"An unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"express_route_port","type":"jsonb","description":"The reference to the ExpressRoutePort resource when the circuit is provisioned on an ExpressRoutePort resource.","operators":[]},{"name":"global_reach_enabled","type":"boolean","description":"Flag denoting global reach status.","operators":[]},{"name":"id","type":"text","description":"Resource ID.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the circuit.","operators":["="]},{"name":"peerings","type":"jsonb","description":"The list of peerings.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the express route circuit resource. Possible values include: 'Succeeded', 'Updating', 'Deleting', 'Failed'.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"service_key","type":"text","description":"The ServiceKey.","operators":[]},{"name":"service_provider_notes","type":"text","description":"The ServiceProviderNotes.","operators":[]},{"name":"service_provider_properties","type":"jsonb","description":"The ServiceProviderProperties.","operators":[]},{"name":"service_provider_provisioning_state","type":"text","description":"The ServiceProviderProvisioningState state of the resource. Possible values include: 'NotProvisioned', 'Provisioning', 'Provisioned', 'Deprovisioning'.","operators":[]},{"name":"sku_family","type":"text","description":"The family of the SKU. Possible values include: 'UnlimitedData', 'MeteredData'.","operators":[]},{"name":"sku_name","type":"text","description":"The name of the SKU.","operators":[]},{"name":"sku_tier","type":"text","description":"The tier of the SKU. Possible values include: 'Standard', 'Premium', 'Basic', 'Local'.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]}],"description":"Azure Express Route Circuit","queriesCount":0,"examplesCount":2,"readme":"$58"},{"name":"azure_firewall","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"additional_properties","type":"jsonb","description":"A collection of additional properties used to further config this azure firewall","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"application_rule_collections","type":"jsonb","description":"A collection of application rule collections used by Azure Firewall","operators":[]},{"name":"availability_zones","type":"jsonb","description":"A collection of availability zones denoting where the resource needs to come from","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"etag","type":"text","description":"An unique read-only string that changes whenever the resource is updated","operators":[]},{"name":"firewall_policy_id","type":"text","description":"The firewallPolicy associated with this azure firewall","operators":[]},{"name":"hub_private_ip_address","type":"inet","description":"Private IP Address associated with azure firewall","operators":[]},{"name":"hub_public_ip_address_count","type":"bigint","description":"The number of Public IP addresses associated with azure firewall","operators":[]},{"name":"hub_public_ip_addresses","type":"jsonb","description":"A collection of Public IP addresses associated with azure firewall or IP addresses to be retained","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a firewall uniquely","operators":[]},{"name":"ip_configurations","type":"jsonb","description":"A collection of IP configuration of the Azure Firewall resource","operators":[]},{"name":"ip_groups","type":"jsonb","description":"A collection of IpGroups associated with AzureFirewall","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the firewall","operators":["="]},{"name":"nat_rule_collections","type":"jsonb","description":"A collection of NAT rule collections used by Azure Firewall","operators":[]},{"name":"network_rule_collections","type":"jsonb","description":"A collection of network rule collections used by Azure Firewall","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the firewall resource","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sku_name","type":"text","description":"Name of an Azure Firewall SKU","operators":[]},{"name":"sku_tier","type":"text","description":"Tier of an Azure Firewall","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"threat_intel_mode","type":"text","description":"The operation mode for Threat Intelligence","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type of the firewall","operators":[]},{"name":"virtual_hub_id","type":"text","description":"The virtualHub to which the firewall belongs","operators":[]}],"description":"Azure Firewall","queriesCount":0,"examplesCount":4,"readme":"$59"},{"name":"azure_firewall_policy","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"base_policy","type":"jsonb","description":"The parent firewall policy from which rules are inherited.","operators":[]},{"name":"child_policies","type":"jsonb","description":"List of references to Child Firewall Policies.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"dns_settings","type":"jsonb","description":"DNS Proxy Settings definition.","operators":[]},{"name":"etag","type":"text","description":"A unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"firewalls","type":"jsonb","description":"List of references to Azure Firewalls that this Firewall Policy is associated with.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a firewall policy uniquely.","operators":[]},{"name":"identity","type":"jsonb","description":"The identity of the firewall policy.","operators":[]},{"name":"intrusion_detection_configuration","type":"jsonb","description":"Intrusion detection configuration properties.","operators":[]},{"name":"intrusion_detection_mode","type":"text","description":"Intrusion detection general state. Possible values include: 'FirewallPolicyIntrusionDetectionStateTypeOff', 'FirewallPolicyIntrusionDetectionStateTypeAlert', 'FirewallPolicyIntrusionDetectionStateTypeDeny'.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the firewall policy.","operators":["="]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the firewall policy resource. Possible values include: 'Succeeded', 'Updating', 'Deleting', 'Failed'.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"rule_collection_groups","type":"jsonb","description":"List of references to FirewallPolicyRuleCollectionGroups.","operators":[]},{"name":"sku_tier","type":"text","description":"Tier of Firewall Policy. Possible values include: 'FirewallPolicySkuTierStandard', 'FirewallPolicySkuTierPremium'.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"threat_intel_mode","type":"text","description":"The operation mode for Threat Intelligence. Possible values include: 'AzureFirewallThreatIntelModeAlert', 'AzureFirewallThreatIntelModeDeny', 'AzureFirewallThreatIntelModeOff'.","operators":[]},{"name":"threat_intel_whitelist_fqdns","type":"jsonb","description":"List of FQDNs for the ThreatIntel Whitelist.","operators":[]},{"name":"threat_intel_whitelist_ip_addresses","type":"jsonb","description":"List of IP addresses for the ThreatIntel Whitelist.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"transport_security_certificate_authority","type":"jsonb","description":"The CA used for intermediate CA generation.","operators":[]},{"name":"type","type":"text","description":"The resource type of the firewall policy.","operators":[]}],"description":"Azure Firewall Policy","queriesCount":0,"examplesCount":5,"readme":"$5a"},{"name":"azure_frontdoor","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"backend_pools","type":"jsonb","description":"Backend pools available to routing rules.","operators":[]},{"name":"backend_pools_settings","type":"jsonb","description":"Settings for all backend pools","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"cname","type":"text","description":"The host that each frontendEndpoint must CNAME to.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the resource.","operators":[]},{"name":"enabled_state","type":"text","description":"Operational status of the front door load balancer. Possible values include: 'Enabled', 'Disabled'.","operators":[]},{"name":"friendly_name","type":"text","description":"A friendly name for the front door.","operators":[]},{"name":"front_door_id","type":"text","description":"The ID of the front door.","operators":[]},{"name":"frontend_endpoints","type":"jsonb","description":"Frontend endpoints available to routing rules.","operators":[]},{"name":"health_probe_settings","type":"jsonb","description":"Health probe settings associated with this Front Door instance.","operators":[]},{"name":"id","type":"text","description":"Fully qualified resource ID for the resource.","operators":[]},{"name":"load_balancing_settings","type":"jsonb","description":"Load balancing settings associated with this front door instance.","operators":[]},{"name":"name","type":"text","description":"The name of the resource.","operators":["="]},{"name":"provisioning_state","type":"text","description":"Provisioning state of the front door.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"resource_state","type":"text","description":"Resource status of the front door. Possible values include: 'Creating', 'Enabling', 'Enabled', 'Disabling', 'Disabled', 'Deleting'.","operators":[]},{"name":"routing_rules","type":"jsonb","description":"Routing rules associated with this front door.","operators":[]},{"name":"rules_engines","type":"jsonb","description":"Rules engine configurations available to routing rules.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource.","operators":[]}],"description":"Azure Front Door","queriesCount":1,"examplesCount":5,"readme":"$5b"},{"name":"azure_hdinsight_cluster","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"cluster_definition","type":"jsonb","description":"The cluster definition.","operators":[]},{"name":"cluster_hdp_version","type":"text","description":"The hdp version of the cluster.","operators":[]},{"name":"cluster_id","type":"text","description":"The cluster id.","operators":[]},{"name":"cluster_state","type":"text","description":"The state of the cluster.","operators":[]},{"name":"cluster_version","type":"text","description":"The version of the cluster.","operators":[]},{"name":"compute_isolation_properties","type":"jsonb","description":"The compute isolation properties of the cluster.","operators":[]},{"name":"compute_profile","type":"jsonb","description":"The complete profile of the cluster.","operators":[]},{"name":"connectivity_endpoints","type":"jsonb","description":"The list of connectivity endpoints.","operators":[]},{"name":"created_date","type":"text","description":"The date on which the cluster was created.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the cluster.","operators":[]},{"name":"disk_encryption_properties","type":"jsonb","description":"The disk encryption properties of the cluster.","operators":[]},{"name":"encryption_in_transit_properties","type":"jsonb","description":"The encryption-in-transit properties of the cluster.","operators":[]},{"name":"errors","type":"jsonb","description":"The list of errors.","operators":[]},{"name":"etag","type":"text","description":"The ETag for the resource.","operators":[]},{"name":"excluded_services_config","type":"jsonb","description":"The excluded services config of the cluster.","operators":[]},{"name":"id","type":"text","description":"Fully qualified resource Id for the resource.","operators":[]},{"name":"identity","type":"jsonb","description":"The identity of the cluster, if configured.","operators":[]},{"name":"kafka_rest_properties","type":"jsonb","description":"The cluster kafka rest proxy configuration.","operators":[]},{"name":"min_supported_tls_version","type":"text","description":"The minimal supported tls version of the cluster.","operators":[]},{"name":"name","type":"text","description":"The name of the resource.","operators":["="]},{"name":"network_properties","type":"jsonb","description":"The network properties of the cluster.","operators":[]},{"name":"os_type","type":"text","description":"The type of operating system. Possible values include: 'Windows', 'Linux'.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state, which only appears in the response. Possible values include: 'InProgress', 'Failed', 'Succeeded', 'Canceled', 'Deleting'.","operators":[]},{"name":"quota_info","type":"jsonb","description":"The quota information of the cluster.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"security_profile","type":"jsonb","description":"The security profile of the cluster.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"storage_profile","type":"jsonb","description":"The storage profile of the cluster.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"tier","type":"text","description":"The cluster tier. Possible values include: 'Standard', 'Premium'.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource.","operators":[]}],"description":"Azure HDInsight Cluster","queriesCount":3,"examplesCount":3,"readme":"$5c"},{"name":"azure_healthcare_service","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"access_policies","type":"jsonb","description":"The access policies of the healthcare service.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"allow_credentials","type":"boolean","description":"If credentials are allowed via CORS.","operators":[]},{"name":"audience","type":"text","description":"The audience url for the service.","operators":[]},{"name":"authority","type":"text","description":"The authority url for the service.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"cosmos_db_configuration","type":"jsonb","description":"The settings for the Cosmos DB database backing the service.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the healthcare serive.","operators":[]},{"name":"etag","type":"text","description":"An etag associated with the resource, used for optimistic concurrency when editing it.","operators":[]},{"name":"headers","type":"jsonb","description":"The headers to be allowed via CORS.","operators":[]},{"name":"id","type":"text","description":"The resource identifier.","operators":[]},{"name":"kind","type":"text","description":"The kind of the service. Possible values include: 'Fhir', 'FhirStu3', 'FhirR4'.","operators":[]},{"name":"location","type":"text","description":"The resource location.","operators":[]},{"name":"max_age","type":"bigint","description":"The max age to be allowed via CORS.","operators":[]},{"name":"methods","type":"jsonb","description":"The methods to be allowed via CORS.","operators":[]},{"name":"name","type":"text","description":"The resource name.","operators":["="]},{"name":"origins","type":"jsonb","description":"The origins to be allowed via CORS.","operators":[]},{"name":"private_endpoint_connections","type":"jsonb","description":"List of private endpoint connections for healthcare service.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the healthcare service resource.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"smart_proxy_enabled","type":"boolean","description":"If the SMART on FHIR proxy is enabled.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]}],"description":"Azure Healthcare Service","queriesCount":2,"examplesCount":4,"readme":"$5d"},{"name":"azure_hpc_cache","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cache_size_gb","type":"bigint","description":"The size of the cache, in GB.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"directory_services_settings","type":"jsonb","description":"Specifies directory services settings of the cache.","operators":[]},{"name":"encryption_settings","type":"jsonb","description":"Specifies encryption settings of the cache.","operators":[]},{"name":"health","type":"jsonb","description":"The health of the cache.","operators":[]},{"name":"id","type":"text","description":"The resource ID of the cache.","operators":[]},{"name":"identity","type":"jsonb","description":"The identity of the cache, if configured.","operators":[]},{"name":"mount_addresses","type":"jsonb","description":"Array of IP addresses that can be used by clients mounting the cache.","operators":[]},{"name":"name","type":"text","description":"The name of the cache.","operators":["="]},{"name":"network_settings","type":"jsonb","description":"Specifies network settings of the cache.","operators":[]},{"name":"provisioning_state","type":"text","description":"ARM provisioning state. Possible values include: 'Succeeded', 'Failed', 'Cancelled', 'Creating', 'Deleting', 'Updating'.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"security_settings","type":"jsonb","description":"Specifies security settings of the cache.","operators":[]},{"name":"sku_name","type":"text","description":"The SKU for the cache.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subnet","type":"text","description":"Subnet used for the cache.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"system_data","type":"jsonb","description":"The system meta data relating to the resource.","operators":[]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the cache.","operators":[]},{"name":"upgrade_status","type":"jsonb","description":"Upgrade status of the cache.","operators":[]}],"description":"Azure HPC Cache","queriesCount":1,"examplesCount":2,"readme":"$5e"},{"name":"azure_hybrid_compute_machine","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"ad_fqdn","type":"text","description":"Specifies the AD fully qualified display name.","operators":[]},{"name":"agent_version","type":"text","description":"The hybrid machine agent full version.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"client_public_key","type":"text","description":"Public Key that the client provides to be used during initial resource onboarding.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"display_name","type":"text","description":"Specifies the hybrid machine display name.","operators":[]},{"name":"dns_fqdn","type":"text","description":"Specifies the DNS fully qualified display name.","operators":[]},{"name":"domain_name","type":"text","description":"Specifies the Windows domain name.","operators":[]},{"name":"error_details","type":"jsonb","description":"Details about the error state.","operators":[]},{"name":"extensions","type":"jsonb","description":"The extensions of the compute machine.","operators":[]},{"name":"id","type":"text","description":"The resource ID.","operators":[]},{"name":"identity","type":"jsonb","description":"The identity of the compute machine.","operators":[]},{"name":"last_status_change","type":"timestamp with time zone","description":"The time of the last status change.","operators":[]},{"name":"location_data","type":"jsonb","description":"The metadata pertaining to the geographic location of the resource.","operators":[]},{"name":"machine_fqdn","type":"text","description":"Specifies the hybrid machine FQDN.","operators":[]},{"name":"machine_properties_extensions","type":"jsonb","description":"The machine properties extensions of the compute machine.","operators":[]},{"name":"name","type":"text","description":"The name of the resource.","operators":["="]},{"name":"os_name","type":"text","description":"The Operating System running on the hybrid machine.","operators":[]},{"name":"os_profile","type":"jsonb","description":"Specifies the operating system settings for the hybrid machine.","operators":[]},{"name":"os_sku","type":"text","description":"Specifies the Operating System product SKU.","operators":[]},{"name":"os_version","type":"text","description":"The version of Operating System running on the hybrid machine.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the hybrid machine.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"status","type":"text","description":"The status of the hybrid machine agent.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource.","operators":[]},{"name":"vm_id","type":"text","description":"Specifies the hybrid machine unique ID.","operators":[]},{"name":"vm_uuid","type":"text","description":"Specifies the Arc Machine's unique SMBIOS ID.","operators":[]}],"description":"Azure Hybrid Compute Machine","queriesCount":2,"examplesCount":1,"readme":"$5f"},{"name":"azure_hybrid_kubernetes_connected_cluster","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"agent_public_key_certificate","type":"text","description":"Base64 encoded public certificate used by the agent to do the initial handshake to the backend services in Azure.","operators":[]},{"name":"agent_version","type":"text","description":"Version of the agent running on the connected cluster resource.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"connectivity_status","type":"text","description":"Represents the connectivity status of the connected cluster.","operators":[]},{"name":"created_at","type":"timestamp with time zone","description":"The timestamp of resource creation (UTC).","operators":[]},{"name":"created_by","type":"text","description":"The identity that created the resource.","operators":[]},{"name":"created_by_type","type":"text","description":"The type of identity that created the resource.","operators":[]},{"name":"distribution","type":"text","description":"The Kubernetes distribution running on this connected cluster.","operators":[]},{"name":"extensions","type":"jsonb","description":"The extensions of the connected cluster.","operators":[]},{"name":"id","type":"text","description":"The resource ID.","operators":[]},{"name":"identity","type":"jsonb","description":"The identity of the connected cluster.","operators":[]},{"name":"infrastructure","type":"text","description":"The infrastructure on which the Kubernetes cluster represented by this connected cluster is running on.","operators":[]},{"name":"kubernetes_version","type":"text","description":"The Kubernetes version of the connected cluster resource.","operators":[]},{"name":"last_connectivity_time","type":"timestamp with time zone","description":"Time representing the last instance when heart beat was received from the cluster.","operators":[]},{"name":"last_modified_at","type":"timestamp with time zone","description":"The timestamp of resource last modification (UTC).","operators":[]},{"name":"last_modified_by","type":"text","description":"The identity that last modified the resource.","operators":[]},{"name":"last_modified_by_type","type":"text","description":"The type of identity that last modified the resource.","operators":[]},{"name":"location","type":"text","description":"Location of the resource.","operators":[]},{"name":"managed_identity_certificate_expiration_time","type":"timestamp with time zone","description":"Expiration time of the managed identity certificate.","operators":[]},{"name":"name","type":"text","description":"The name of the resource.","operators":["="]},{"name":"offering","type":"text","description":"Connected cluster offering.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the connected cluster resource.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"total_core_count","type":"bigint","description":"Number of CPU cores present in the connected cluster resource.","operators":[]},{"name":"total_node_count","type":"bigint","description":"Number of nodes present in the connected cluster resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource.","operators":[]}],"description":"Azure Hybrid Kubernetes Connected Cluster","queriesCount":0,"examplesCount":1,"readme":"$60"},{"name":"azure_iothub","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"authorization_policies","type":"jsonb","description":"The shared access policies you can use to secure a connection to the iot hub.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"cloud_to_device","type":"jsonb","description":"CloudToDevice properties of the iot hub.","operators":[]},{"name":"comments","type":"text","description":"Iot hub comments.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the iot hub.","operators":[]},{"name":"enable_file_upload_notifications","type":"boolean","description":"Indicates if file upload notifications are enabled for the iot hub.","operators":[]},{"name":"etag","type":"text","description":"An unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"event_hub_endpoints","type":"jsonb","description":"The event hub-compatible endpoint properties.","operators":[]},{"name":"features","type":"text","description":"The capabilities and features enabled for the iot hub. Possible values include: 'None', 'DeviceManagement'.","operators":[]},{"name":"host_name","type":"text","description":"The name of the host.","operators":[]},{"name":"id","type":"text","description":"The resource identifier.","operators":[]},{"name":"ip_filter_rules","type":"jsonb","description":"The IP filter rules of the iot hub.","operators":[]},{"name":"locations","type":"jsonb","description":"Primary and secondary location for iot hub.","operators":[]},{"name":"messaging_endpoints","type":"jsonb","description":"The messaging endpoint properties for the file upload notification queue.","operators":[]},{"name":"min_tls_version","type":"text","description":"Specifies the minimum TLS version to support for this iot hub.","operators":[]},{"name":"name","type":"text","description":"The resource name.","operators":["="]},{"name":"private_endpoint_connections","type":"jsonb","description":"Private endpoint connections created on this iot hub.","operators":[]},{"name":"provisioning_state","type":"text","description":"The iot hub provisioning state.","operators":[]},{"name":"public_network_access","type":"text","description":"Indicates whether requests from public network are allowed.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"routing","type":"jsonb","description":"Routing properties of the iot hub.","operators":[]},{"name":"sku_capacity","type":"text","description":"Iot hub SKU capacity.","operators":[]},{"name":"sku_name","type":"text","description":"Iot hub SKU name.","operators":[]},{"name":"sku_tier","type":"text","description":"Iot hub SKU tier.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"state","type":"text","description":"The iot hub state.","operators":[]},{"name":"storage_endpoints","type":"jsonb","description":"The list of azure storage endpoints where you can upload files.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]}],"description":"Azure Iot Hub","queriesCount":2,"examplesCount":1,"readme":"$61"},{"name":"azure_iothub_dps","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"allocation_policy","type":"text","description":"Allocation policy to be used by this provisioning service.","operators":[]},{"name":"authorization_policies","type":"jsonb","description":"List of authorization keys for a provisioning service.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"device_provisioning_host_name","type":"text","description":"Device endpoint for this provisioning service.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the iot dps.","operators":[]},{"name":"etag","type":"text","description":"An unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"id","type":"text","description":"The resource identifier.","operators":[]},{"name":"id_scope","type":"text","description":"Unique identifier of this provisioning service..","operators":[]},{"name":"iot_hubs","type":"jsonb","description":"List of IoT hubs associated with this provisioning service.","operators":[]},{"name":"name","type":"text","description":"The resource name.","operators":["="]},{"name":"provisioning_state","type":"text","description":"The ARM provisioning state of the provisioning service.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"service_operations_host_name","type":"text","description":"Service endpoint for provisioning service.","operators":[]},{"name":"sku_capacity","type":"text","description":"Iot dps SKU capacity.","operators":[]},{"name":"sku_name","type":"text","description":"Iot dps SKU name.","operators":[]},{"name":"sku_tier","type":"text","description":"Iot dps SKU tier.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"state","type":"text","description":"Current state of the provisioning service.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]}],"description":"Azure Iot Hub Dps","queriesCount":0,"examplesCount":1,"readme":"$62"},{"name":"azure_key_vault","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"access_policies","type":"jsonb","description":"A list of 0 to 1024 identities that have access to the key vault.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"create_mode","type":"text","description":"The vault's create mode to indicate whether the vault need to be recovered or not. Possible values include: 'default', 'recover'.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the vault.","operators":[]},{"name":"enable_rbac_authorization","type":"boolean","description":"Property that controls how data actions are authorized.","operators":[]},{"name":"enabled_for_deployment","type":"boolean","description":"Indicates whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.","operators":[]},{"name":"enabled_for_disk_encryption","type":"boolean","description":"Indicates whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.","operators":[]},{"name":"enabled_for_template_deployment","type":"boolean","description":"Indicates whether Azure Resource Manager is permitted to retrieve secrets from the key vault.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a vault uniquely.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the vault.","operators":["="]},{"name":"network_acls","type":"jsonb","description":"Rules governing the accessibility of the key vault from specific network locations.","operators":[]},{"name":"private_endpoint_connections","type":"jsonb","description":"List of private endpoint connections associated with the key vault.","operators":[]},{"name":"purge_protection_enabled","type":"boolean","description":"Indicates whether protection against purge is enabled for this vault.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sku_family","type":"text","description":"Contains SKU family name.","operators":[]},{"name":"sku_name","type":"text","description":"SKU name to specify whether the key vault is a standard vault or a premium vault.","operators":[]},{"name":"soft_delete_enabled","type":"boolean","description":"Indicates whether the 'soft delete' functionality is enabled for this key vault.","operators":[]},{"name":"soft_delete_retention_in_days","type":"bigint","description":"Contains softDelete data retention days.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"tenant_id","type":"text","description":"The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource.","operators":[]},{"name":"vault_uri","type":"text","description":"Contains URI of the vault for performing operations on keys and secrets.","operators":[]}],"description":"Azure Key Vault","queriesCount":13,"examplesCount":6,"readme":"$63"},{"name":"azure_key_vault_certificate","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cer","type":"jsonb","description":"CER contents of x509 certificate.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"content_type","type":"text","description":"The content type of the secret.","operators":[]},{"name":"created","type":"timestamp with time zone","description":"Creation time in UTC.","operators":[]},{"name":"enabled","type":"boolean","description":"Determines whether the object is enabled.","operators":[]},{"name":"expires","type":"timestamp with time zone","description":"Expiry date in UTC.","operators":[]},{"name":"id","type":"text","description":"Certificate identifier.","operators":[]},{"name":"issuer_parameters","type":"jsonb","description":"Parameters for the issuer of the X509 component of a certificate.","operators":[]},{"name":"key_id","type":"text","description":"The key id.","operators":[]},{"name":"key_properties","type":"jsonb","description":"Properties of the key backing a certificate.","operators":[]},{"name":"lifetime_actions","type":"jsonb","description":"Actions that will be performed by Key Vault over the lifetime of a certificate.","operators":[]},{"name":"name","type":"text","description":"Name of the certificate.","operators":["="]},{"name":"not_before","type":"timestamp with time zone","description":"Not before date in UTC.","operators":[]},{"name":"recovery_level","type":"text","description":"Reflects the deletion recovery level currently in effect for certificates in the current vault. If it contains 'Purgeable', the certificate can be permanently deleted by a privileged user; otherwise, only the system can purge the certificate, at the end of the retention interval. Possible values include: 'Purgeable', 'RecoverablePurgeable', 'Recoverable', 'RecoverableProtectedSubscription'.","operators":[]},{"name":"secret_id","type":"text","description":"The secret id.","operators":[]},{"name":"secret_properties","type":"jsonb","description":"Properties of the secret backing a certificate.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"updated","type":"timestamp with time zone","description":"Last updated time in UTC.","operators":[]},{"name":"vault_name","type":"text","description":"The name of the vault.","operators":["="]},{"name":"x509_certificate_properties","type":"jsonb","description":"Properties of the X509 component of a certificate.","operators":[]},{"name":"x509_thumbprint","type":"text","description":"Thumbprint of the certificate. A URL-encoded base64 string.","operators":[]}],"description":"Azure Key Vault Certificate","queriesCount":0,"examplesCount":4,"readme":"$64"},{"name":"azure_key_vault_deleted_vault","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"deletion_date","type":"timestamp with time zone","description":"The deleted date of the vault.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a deleted vault uniquely.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the deleted vault.","operators":["="]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":["="]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":[]},{"name":"scheduled_purge_date","type":"timestamp with time zone","description":"The scheduled purged date of the vault.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource.","operators":[]},{"name":"vault_id","type":"text","description":"The resource id of the original vault.","operators":[]}],"description":"Azure Key Vault Deleted Vault","queriesCount":0,"examplesCount":1,"readme":"$65"},{"name":"azure_key_vault_key","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"created_at","type":"timestamp with time zone","description":"Specifies the time when the key is created.","operators":[]},{"name":"curve_name","type":"text","description":"The elliptic curve name. Possible values are: 'P256', 'P384', 'P521', 'P256K'.","operators":[]},{"name":"enabled","type":"boolean","description":"Indicates whether the key is enabled, or not.","operators":[]},{"name":"expires_at","type":"timestamp with time zone","description":"Specifies the time when the key wil expire.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a key uniquely.","operators":[]},{"name":"key_ops","type":"jsonb","description":"A list of key operations.","operators":[]},{"name":"key_size","type":"bigint","description":"The key size in bits.","operators":[]},{"name":"key_type","type":"text","description":"The type of the key. Possible values are: 'EC', 'ECHSM', 'RSA', 'RSAHSM'.","operators":[]},{"name":"key_uri","type":"text","description":"The URI to retrieve the current version of the key.","operators":[]},{"name":"key_uri_with_version","type":"text","description":"The URI to retrieve the specific version of the key.","operators":[]},{"name":"location","type":"text","description":"Azure location of the key vault resource.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the key.","operators":["="]},{"name":"not_before","type":"timestamp with time zone","description":"Specifies the time before which the key is not usable.","operators":[]},{"name":"recovery_level","type":"text","description":"The deletion recovery level currently in effect for the object. If it contains 'Purgeable', then the object can be permanently deleted by a privileged user; otherwise, only the system can purge the object at the end of the retention interval.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource","operators":[]},{"name":"updated_at","type":"timestamp with time zone","description":"Specifies the time when the key was last updated.","operators":[]},{"name":"vault_name","type":"text","description":"The friendly name that identifies the vault.","operators":["="]}],"description":"Azure Key Vault Key","queriesCount":3,"examplesCount":4,"readme":"$66"},{"name":"azure_key_vault_key_version","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"created_at","type":"timestamp with time zone","description":"Specifies the time when the key version is created.","operators":[]},{"name":"curve_name","type":"text","description":"The elliptic curve name. Possible values are: 'P256', 'P384', 'P521', 'P256K'.","operators":[]},{"name":"enabled","type":"boolean","description":"Indicates whether the key version is enabled, or not.","operators":[]},{"name":"expires_at","type":"timestamp with time zone","description":"Specifies the time when the key version wil expire.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a key version uniquely.","operators":[]},{"name":"key_id","type":"text","description":"Contains ID to identify a key uniquely.","operators":[]},{"name":"key_name","type":"text","description":"The friendly name that identifies the key.","operators":["="]},{"name":"key_ops","type":"jsonb","description":"A list of key operations.","operators":[]},{"name":"key_size","type":"bigint","description":"The key size in bits.","operators":[]},{"name":"key_type","type":"text","description":"The type of the key. Possible values are: 'EC', 'ECHSM', 'RSA', 'RSAHSM'.","operators":[]},{"name":"key_uri","type":"text","description":"The URI to retrieve the current version of the key.","operators":[]},{"name":"key_uri_with_version","type":"text","description":"The URI to retrieve the specific version of the key.","operators":[]},{"name":"location","type":"text","description":"Azure location of the key vault resource.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the key version.","operators":[]},{"name":"not_before","type":"timestamp with time zone","description":"Specifies the time before which the key version is not usable.","operators":[]},{"name":"recovery_level","type":"text","description":"The deletion recovery level currently in effect for the object. If it contains 'Purgeable', then the object can be permanently deleted by a privileged user; otherwise, only the system can purge the object at the end of the retention interval.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource","operators":[]},{"name":"updated_at","type":"timestamp with time zone","description":"Specifies the time when the key was last updated.","operators":[]},{"name":"vault_name","type":"text","description":"The friendly name that identifies the vault.","operators":[]}],"description":"Azure Key Vault Key Version","queriesCount":0,"examplesCount":3,"readme":"$67"},{"name":"azure_key_vault_managed_hardware_security_module","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"create_mode","type":"text","description":"The create mode to indicate whether the resource is being created or is being recovered from a deleted resource. Possible values include: 'CreateModeRecover', 'CreateModeDefault'.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the managed HSM.","operators":[]},{"name":"enable_purge_protection","type":"boolean","description":"Property specifying whether protection against purge is enabled for this managed HSM pool. Setting this property to true activates protection against purge for this managed HSM pool and its content - only the Managed HSM service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible.","operators":[]},{"name":"enable_soft_delete","type":"boolean","description":"Property to specify whether the 'soft delete' functionality is enabled for this managed HSM pool. If it's not set to any value(true or false) when creating new managed HSM pool, it will be set to true by default. Once set to true, it cannot be reverted to false.","operators":[]},{"name":"hsm_uri","type":"text","description":"The URI of the managed hsm pool for performing operations on keys.","operators":[]},{"name":"id","type":"text","description":"The Azure Resource Manager resource ID for the managed HSM Pool.","operators":[]},{"name":"name","type":"text","description":"The name of the managed HSM Pool.","operators":["="]},{"name":"provisioning_state","type":"text","description":"Provisioning state. Possible values include: 'ProvisioningStateSucceeded', 'ProvisioningStateProvisioning', 'ProvisioningStateFailed', 'ProvisioningStateUpdating', 'ProvisioningStateDeleting', 'ProvisioningStateActivated', 'ProvisioningStateSecurityDomainRestore', 'ProvisioningStateRestoring'.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sku_family","type":"text","description":"Contains SKU family name.","operators":[]},{"name":"sku_name","type":"text","description":"SKU name to specify whether the key vault is a standard vault or a premium vault.","operators":[]},{"name":"soft_delete_retention_in_days","type":"bigint","description":"Indicates softDelete data retention days. It accepts >=7 and <=90.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"status_message","type":"text","description":"Resource Status Message.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"tenant_id","type":"text","description":"The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type of the managed HSM Pool.","operators":[]}],"description":"Azure Key Vault Managed Hardware Security Module","queriesCount":2,"examplesCount":1,"readme":"$68"},{"name":"azure_key_vault_secret","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"content_type","type":"text","description":"Specifies the type of the secret value such as a password.","operators":[]},{"name":"created_at","type":"timestamp with time zone","description":"Specifies the time when the secret is created.","operators":[]},{"name":"enabled","type":"boolean","description":"Indicates whether the secret is enabled, or not.","operators":[]},{"name":"expires_at","type":"timestamp with time zone","description":"Specifies the time when the secret will expire.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a secret uniquely.","operators":[]},{"name":"kid","type":"text","description":"If this is a secret backing a KV certificate, then this field specifies the corresponding key backing the KV certificate.","operators":[]},{"name":"managed","type":"boolean","description":"Indicates whether the secret's lifetime is managed by key vault, or not.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the secret.","operators":["="]},{"name":"not_before","type":"timestamp with time zone","description":"Specifies the time before which the secret is not usable.","operators":[]},{"name":"recoverable_days","type":"bigint","description":"Specifies the soft delete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0.","operators":[]},{"name":"recovery_level","type":"text","description":"The deletion recovery level currently in effect for the object. If it contains 'Purgeable', then the object can be permanently deleted by a privileged user; otherwise, only the system can purge the object at the end of the retention interval.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"updated_at","type":"timestamp with time zone","description":"Specifies the time when the secret was last updated.","operators":[]},{"name":"value","type":"text","description":"Specifies the secret value.","operators":[]},{"name":"vault_name","type":"text","description":"The friendly name that identifies the vault.","operators":["="]}],"description":"Azure Key Vault Secret","queriesCount":3,"examplesCount":4,"readme":"$69"},{"name":"azure_kubernetes_cluster","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"aad_profile","type":"jsonb","description":"Profile of Azure Active Directory configuration.","operators":[]},{"name":"addon_profiles","type":"jsonb","description":"Profile of managed cluster add-on.","operators":[]},{"name":"agent_pool_profiles","type":"jsonb","description":"Properties of the agent pool.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"api_server_access_profile","type":"jsonb","description":"Access profile for managed cluster API server.","operators":[]},{"name":"auto_scaler_profile","type":"jsonb","description":"Parameters to be applied to the cluster-autoscaler when enabled.","operators":[]},{"name":"auto_upgrade_profile","type":"jsonb","description":"Profile of auto upgrade configuration.","operators":[]},{"name":"azure_portal_fqdn","type":"text","description":"FQDN for the master pool which used by proxy config.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"disk_encryption_set_id","type":"text","description":"ResourceId of the disk encryption set to use for enabling encryption at rest.","operators":[]},{"name":"dns_prefix","type":"text","description":"DNS prefix specified when creating the managed cluster.","operators":[]},{"name":"enable_pod_security_policy","type":"boolean","description":"Whether to enable Kubernetes pod security policy (preview).","operators":[]},{"name":"enable_rbac","type":"boolean","description":"Whether to enable Kubernetes Role-Based Access Control.","operators":[]},{"name":"fqdn","type":"text","description":"FQDN for the master pool.","operators":[]},{"name":"fqdn_subdomain","type":"text","description":"FQDN subdomain specified when creating private cluster with custom private dns zone.","operators":[]},{"name":"id","type":"text","description":"The ID of the cluster.","operators":[]},{"name":"identity","type":"jsonb","description":"The identity of the managed cluster, if configured.","operators":[]},{"name":"identity_profile","type":"jsonb","description":"Identities associated with the cluster.","operators":[]},{"name":"kubernetes_version","type":"text","description":"Version of Kubernetes specified when creating the managed cluster.","operators":[]},{"name":"linux_profile","type":"jsonb","description":"Profile for Linux VMs in the container service cluster.","operators":[]},{"name":"location","type":"text","description":"The location where the cluster is created.","operators":[]},{"name":"max_agent_pools","type":"bigint","description":"The max number of agent pools for the managed cluster.","operators":[]},{"name":"name","type":"text","description":"The name of the cluster.","operators":["="]},{"name":"network_profile","type":"jsonb","description":"Profile of network configuration.","operators":[]},{"name":"node_resource_group","type":"text","description":"Name of the resource group containing agent pool nodes.","operators":[]},{"name":"pod_identity_profile","type":"jsonb","description":"Profile of managed cluster pod identity.","operators":[]},{"name":"power_state","type":"jsonb","description":"Represents the Power State of the cluster.","operators":[]},{"name":"private_fqdn","type":"text","description":"FQDN of private cluster.","operators":[]},{"name":"provisioning_state","type":"text","description":"The current deployment or provisioning state.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"service_principal_profile","type":"jsonb","description":"Information about a service principal identity for the cluster to use for manipulating Azure APIs.","operators":[]},{"name":"sku","type":"jsonb","description":"The managed cluster SKU.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the cluster.","operators":[]},{"name":"windows_profile","type":"jsonb","description":"Profile for Windows VMs in the container service cluster.","operators":[]}],"description":"Azure Kubernetes Cluster","queriesCount":17,"examplesCount":3,"readme":"$6a"},{"name":"azure_kubernetes_service_version","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"capabilities","type":"jsonb","description":"Capabilities on this Kubernetes version.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"is_preview","type":"boolean","description":"Whether Kubernetes version is currently in preview.","operators":[]},{"name":"location","type":"text","description":"The Azure region/location in which the resource is located.","operators":["="]},{"name":"patch_versions","type":"jsonb","description":"Patch versions of Kubernetes release.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"version","type":"text","description":"The major.minor version of Kubernetes release.","operators":[]}],"description":"Azure Kubernetes Service Version","queriesCount":0,"examplesCount":3,"readme":"$6b"},{"name":"azure_kusto_cluster","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"data_ingestion_uri","type":"text","description":"The cluster data ingestion URI.","operators":[]},{"name":"enable_disk_encryption","type":"boolean","description":"A boolean value that indicates if the cluster's disks are encrypted.","operators":[]},{"name":"enable_double_encryption","type":"boolean","description":"A boolean value that indicates if double encryption is enabled.","operators":[]},{"name":"enable_purge","type":"boolean","description":"A boolean value that indicates if the purge operations are enabled.","operators":[]},{"name":"enable_streaming_ingest","type":"boolean","description":"A boolean value that indicates if the streaming ingest is enabled.","operators":[]},{"name":"engine_type","type":"text","description":"The engine type. Possible values include: 'EngineTypeV2', 'EngineTypeV3'.","operators":[]},{"name":"etag","type":"text","description":"An ETag of the resource created.","operators":[]},{"name":"id","type":"text","description":"The resource Id.","operators":[]},{"name":"identity","type":"jsonb","description":"The identity of the cluster, if configured.","operators":[]},{"name":"key_vault_properties","type":"jsonb","description":"KeyVault properties for the cluster encryption.","operators":[]},{"name":"language_extensions","type":"jsonb","description":"List of the cluster's language extensions.","operators":[]},{"name":"location","type":"text","description":"Specifies the name of the region, the resource is created at.","operators":[]},{"name":"name","type":"text","description":"The name of the resource.","operators":["="]},{"name":"optimized_autoscale","type":"jsonb","description":"Optimized auto scale definition.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioned state of the resource. Possible values include: 'Running', 'Creating', 'Deleting', 'Succeeded', 'Failed'.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sku_capacity","type":"bigint","description":"SKU capacity of the resource.","operators":[]},{"name":"sku_name","type":"text","description":"SKU name of the resource. Possible values include: 'KC8', 'KC16', 'KS8', 'KS16', 'D13V2', 'D14V2', 'L8', 'L16'.","operators":[]},{"name":"sku_tier","type":"text","description":"SKU tier of the resource.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"state","type":"text","description":"The state of the resource. Possible values include: 'Creating', 'Deleted', 'Deleting', 'Running', 'Starting', 'Stopped', 'Stopping', 'Unavailable'.","operators":[]},{"name":"state_reason","type":"text","description":"SKU tier of the resource.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"trusted_external_tenants","type":"jsonb","description":"The cluster's external tenants.","operators":[]},{"name":"type","type":"text","description":"Type of the resource.","operators":[]},{"name":"uri","type":"text","description":"The cluster URI.","operators":[]},{"name":"virtual_network_configuration","type":"jsonb","description":"Virtual network definition of the resource.","operators":[]}],"description":"Azure Kusto Cluster","queriesCount":4,"examplesCount":3,"readme":"$6c"},{"name":"azure_lb","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"backend_address_pools","type":"jsonb","description":"Collection of backend address pools used by the load balancer.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the load balancer.","operators":[]},{"name":"etag","type":"text","description":"A unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"extended_location_name","type":"text","description":"The name of the extended location.","operators":[]},{"name":"extended_location_type","type":"text","description":"The type of the extended location. Possible values include: 'ExtendedLocationTypesEdgeZone'.","operators":[]},{"name":"frontend_ip_configurations","type":"jsonb","description":"Object representing the frontend IPs to be used for the load balancer.","operators":[]},{"name":"id","type":"text","description":"The resource ID.","operators":[]},{"name":"inbound_nat_pools","type":"jsonb","description":"Defines an external port range for inbound NAT to a single backend port on NICs associated with the load balancer. Inbound NAT rules are created automatically for each NIC associated with the Load Balancer using an external port from this range. Defining an Inbound NAT pool on the Load Balancer is mutually exclusive with defining inbound Nat rules. Inbound NAT pools are referenced from virtual machine scale sets. NICs that are associated with individual virtual machines cannot reference an inbound NAT pool. They have to reference individual inbound NAT rules.","operators":[]},{"name":"inbound_nat_rules","type":"jsonb","description":"Collection of inbound NAT Rules used by the load balancer. Defining inbound NAT rules on the load balancer is mutually exclusive with defining an inbound NAT pool. Inbound NAT pools are referenced from virtual machine scale sets. NICs that are associated with individual virtual machines cannot reference an Inbound NAT pool. They have to reference individual inbound NAT rules.","operators":[]},{"name":"load_balancing_rules","type":"jsonb","description":"Object collection representing the load balancing rules Gets the provisioning.","operators":[]},{"name":"name","type":"text","description":"The resource name.","operators":["="]},{"name":"outbound_rules","type":"jsonb","description":"The outbound rules.","operators":[]},{"name":"probes","type":"jsonb","description":"Collection of probe objects used in the load balancer.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the load balancer resource. Possible values include: 'Succeeded', 'Updating', 'Deleting', 'Failed'.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"resource_guid","type":"text","description":"The resource GUID property of the load balancer resource.","operators":[]},{"name":"sku_name","type":"text","description":"Name of the load balancer SKU. Possible values include: 'Basic', 'Standard', 'Gateway'.","operators":[]},{"name":"sku_tier","type":"text","description":"Tier of the load balancer SKU. Possible values include: 'Regional', 'Global'.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]}],"description":"Azure Load Balancer","queriesCount":1,"examplesCount":1,"readme":"$6d"},{"name":"azure_lb_backend_address_pool","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"backend_ip_configurations","type":"jsonb","description":"An array of references to IP addresses defined in network interfaces.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"etag","type":"text","description":"A unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"gateway_load_balancer_tunnel_interface","type":"jsonb","description":"An array of gateway load balancer tunnel interfaces.","operators":[]},{"name":"id","type":"text","description":"The resource ID.","operators":[]},{"name":"load_balancer_backend_addresses","type":"jsonb","description":"An array of backend addresses.","operators":[]},{"name":"load_balancer_name","type":"text","description":"The friendly name that identifies the load balancer.","operators":["="]},{"name":"load_balancing_rules","type":"jsonb","description":"An array of references to load balancing rules that use this backend address pool.","operators":[]},{"name":"name","type":"text","description":"The name of the resource that is unique within the set of backend address pools used by the load balancer. This name can be used to access the resource.","operators":["="]},{"name":"outbound_rule_id","type":"text","description":"A reference to an outbound rule that uses this backend address pool.","operators":[]},{"name":"outbound_rules","type":"jsonb","description":"An array of references to outbound rules that use this backend address pool.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the backend address pool resource. Possible values include: 'Succeeded', 'Updating', 'Deleting', 'Failed'.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource.","operators":[]}],"description":"Azure Load Balancer Backend Address Pool","queriesCount":0,"examplesCount":1,"readme":"$6e"},{"name":"azure_lb_nat_rule","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"backend_ip_configuration","type":"jsonb","description":"A reference to a private IP address defined on a network interface of a VM. Traffic sent to the frontend port of each of the frontend IP configurations is forwarded to the backend IP.","operators":[]},{"name":"backend_port","type":"bigint","description":"The port used for the internal endpoint. Acceptable values range from 1 to 65535.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"enable_floating_ip","type":"boolean","description":"Configures a virtual machine's endpoint for the floating IP capability required to configure a SQL AlwaysOn Availability Group. This setting is required when using the SQL AlwaysOn Availability Groups in SQL server. This setting can't be changed after you create the endpoint.","operators":[]},{"name":"enable_tcp_reset","type":"boolean","description":"Receive bidirectional TCP Reset on TCP flow idle timeout or unexpected connection termination. This element is only used when the protocol is set to TCP.","operators":[]},{"name":"etag","type":"text","description":"A unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"frontend_ip_configuration","type":"jsonb","description":"A reference to frontend IP addresses.","operators":[]},{"name":"frontend_port","type":"bigint","description":"The port for the external endpoint. Port numbers for each rule must be unique within the Load Balancer. Acceptable values range from 1 to 65534.","operators":[]},{"name":"id","type":"text","description":"The resource ID.","operators":[]},{"name":"idle_timeout_in_minutes","type":"bigint","description":"The timeout for the TCP idle connection. The value can be set between 4 and 30 minutes. The default value is 4 minutes. This element is only used when the protocol is set to TCP.","operators":[]},{"name":"load_balancer_name","type":"text","description":"The friendly name that identifies the load balancer.","operators":["="]},{"name":"name","type":"text","description":"The name of the resource that is unique within the set of inbound NAT rules used by the load balancer. This name can be used to access the resource.","operators":["="]},{"name":"protocol","type":"text","description":"The reference to the transport protocol used by the load balancing rule. Possible values include: 'TransportProtocolUDP', 'TransportProtocolTCP', 'TransportProtocolAll'.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the inbound NAT rule resource.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource.","operators":[]}],"description":"Azure Load Balancer Nat Rule","queriesCount":0,"examplesCount":2,"readme":"$6f"},{"name":"azure_lb_outbound_rule","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"allocated_outbound_ports","type":"bigint","description":"The number of outbound ports to be used for NAT.","operators":[]},{"name":"backend_address_pools","type":"jsonb","description":"A reference to a pool of DIPs. Outbound traffic is randomly load balanced across IPs in the backend IPs.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"enable_tcp_reset","type":"boolean","description":"Receive bidirectional TCP Reset on TCP flow idle timeout or unexpected connection termination. This element is only used when the protocol is set to TCP.","operators":[]},{"name":"etag","type":"text","description":"A unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"frontend_ip_configurations","type":"jsonb","description":"The Frontend IP addresses of the load balancer.","operators":[]},{"name":"id","type":"text","description":"The resource ID.","operators":[]},{"name":"idle_timeout_in_minutes","type":"bigint","description":"The timeout for the TCP idle connection. The value can be set between 4 and 30 minutes. The default value is 4 minutes. This element is only used when the protocol is set to TCP.","operators":[]},{"name":"load_balancer_name","type":"text","description":"The friendly name that identifies the load balancer.","operators":["="]},{"name":"name","type":"text","description":"The name of the resource that is unique within the set of outbound rules used by the load balancer. This name can be used to access the resource.","operators":["="]},{"name":"protocol","type":"text","description":"The protocol for the outbound rule in load balancer. Possible values include: 'LoadBalancerOutboundRuleProtocolTCP', 'LoadBalancerOutboundRuleProtocolUDP', 'LoadBalancerOutboundRuleProtocolAll'.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the outbound rule resource. Possible values include: 'ProvisioningStateSucceeded', 'ProvisioningStateUpdating', 'ProvisioningStateDeleting', 'ProvisioningStateFailed'.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource.","operators":[]}],"description":"Azure Load Balancer Outbound Rule","queriesCount":0,"examplesCount":2,"readme":"$70"},{"name":"azure_lb_probe","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"etag","type":"text","description":"A unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"id","type":"text","description":"The resource ID.","operators":[]},{"name":"interval_in_seconds","type":"bigint","description":"The interval, in seconds, for how frequently to probe the endpoint for health status. Typically, the interval is slightly less than half the allocated timeout period (in seconds) which allows two full probes before taking the instance out of rotation. The default value is 15, the minimum value is 5.","operators":[]},{"name":"load_balancer_name","type":"text","description":"The friendly name that identifies the load balancer.","operators":["="]},{"name":"load_balancing_rules","type":"jsonb","description":"The load balancer rules that use this probe.","operators":[]},{"name":"name","type":"text","description":"The name of the resource that is unique within the set of probes used by the load balancer. This name can be used to access the resource.","operators":["="]},{"name":"number_of_probes","type":"bigint","description":"The number of probes where if no response, will result in stopping further traffic from being delivered to the endpoint. This values allows endpoints to be taken out of rotation faster or slower than the typical times used in Azure.","operators":[]},{"name":"port","type":"bigint","description":"The port for communicating the probe. Possible values range from 1 to 65535, inclusive.","operators":[]},{"name":"protocol","type":"text","description":"The protocol of the end point. If 'Tcp' is specified, a received ACK is required for the probe to be successful. If 'Http' or 'Https' is specified, a 200 OK response from the specifies URI is required for the probe to be successful. Possible values include: 'HTTP', 'TCP', 'HTTPS'.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the probe resource. Possible values include: 'Succeeded', 'Updating', 'Deleting', 'Failed'.","operators":[]},{"name":"request_path","type":"text","description":"The URI used for requesting health status from the VM. Path is required if a protocol is set to http. Otherwise, it is not allowed. There is no default value.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource.","operators":[]}],"description":"Azure Load Balancer Probe","queriesCount":0,"examplesCount":2,"readme":"$71"},{"name":"azure_lb_rule","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"backend_address_pool_id","type":"text","description":"A reference to a pool of DIPs. Inbound traffic is randomly load balanced across IPs in the backend IPs.","operators":[]},{"name":"backend_address_pools","type":"jsonb","description":"An array of references to pool of DIPs.","operators":[]},{"name":"backend_port","type":"bigint","description":"The port used for internal connections on the endpoint. Acceptable values are between 0 and 65535. Note that value 0 enables 'Any Port'.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"disable_outbound_snat","type":"boolean","description":"Configures SNAT for the VMs in the backend pool to use the publicIP address specified in the frontend of the load balancing rule.","operators":[]},{"name":"enable_floating_ip","type":"boolean","description":"Configures a virtual machine's endpoint for the floating IP capability required to configure a SQL AlwaysOn Availability Group. This setting is required when using the SQL AlwaysOn Availability Groups in SQL server. This setting can't be changed after you create the endpoint.","operators":[]},{"name":"enable_tcp_reset","type":"boolean","description":"Receive bidirectional TCP Reset on TCP flow idle timeout or unexpected connection termination. This element is only used when the protocol is set to TCP.","operators":[]},{"name":"etag","type":"text","description":"A unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"frontend_ip_configuration_id","type":"text","description":"A reference to frontend IP addresses.","operators":[]},{"name":"frontend_port","type":"bigint","description":"The port for the external endpoint. Port numbers for each rule must be unique within the Load Balancer. Acceptable values are between 0 and 65534. Note that value 0 enables 'Any Port'.","operators":[]},{"name":"id","type":"text","description":"The resource ID.","operators":[]},{"name":"idle_timeout_in_minutes","type":"bigint","description":"The timeout for the TCP idle connection. The value can be set between 4 and 30 minutes. The default value is 4 minutes. This element is only used when the protocol is set to TCP.","operators":[]},{"name":"load_balancer_name","type":"text","description":"The friendly name that identifies the load balancer.","operators":["="]},{"name":"load_distribution","type":"text","description":"The load distribution policy for this rule. Possible values include: 'Default', 'SourceIP', 'SourceIPProtocol'.","operators":[]},{"name":"name","type":"text","description":"The name of the resource that is unique within the set of load balancing rules used by the load balancer. This name can be used to access the resource.","operators":["="]},{"name":"probe_id","type":"text","description":"The reference to the load balancer probe used by the load balancing rule.","operators":[]},{"name":"protocol","type":"text","description":"The reference to the transport protocol used by the load balancing rule. Possible values include: 'UDP', 'TCP', 'All'.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the load balancing rule resource. Possible values include: 'Succeeded', 'Updating', 'Deleting', 'Failed'.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource.","operators":[]}],"description":"Azure Load Balancer Rule","queriesCount":0,"examplesCount":2,"readme":"$72"},{"name":"azure_lighthouse_assignment","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"id","type":"text","description":"Fully qualified path of the registration assignment.","operators":[]},{"name":"name","type":"text","description":"Name of the registration assignment.","operators":[]},{"name":"provisioning_state","type":"text","description":"Provisioning state of the registration assignment.","operators":[]},{"name":"registration_assignment_id","type":"text","description":"The ID of the registration assignment.","operators":["="]},{"name":"registration_definition_id","type":"text","description":"ID of the associated registration definition.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":[]},{"name":"scope","type":"text","description":"The scope of the resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource.","operators":[]}],"description":"Azure Lighthouse Assignment","queriesCount":0,"examplesCount":4,"readme":"$73"},{"name":"azure_lighthouse_definition","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"authorizations","type":"jsonb","description":"Authorization details containing principal ID and role ID.","operators":[]},{"name":"description","type":"text","description":"Description of the registration definition.","operators":[]},{"name":"eligible_authorizations","type":"jsonb","description":"The collection of eligible authorization objects describing the just-in-time access Azure Active Directory principals in the managedBy tenant will receive on the delegated resource in the managed tenant.","operators":[]},{"name":"id","type":"text","description":"Fully qualified path of the registration definition.","operators":[]},{"name":"managed_by_tenant_id","type":"text","description":"ID of the managedBy tenant.","operators":[]},{"name":"managed_by_tenant_name","type":"text","description":"The name of the managedBy tenant.","operators":[]},{"name":"managed_tenant_name","type":"text","description":"The name of the managed tenant.","operators":[]},{"name":"name","type":"text","description":"Name of the registration definition.","operators":[]},{"name":"plan","type":"jsonb","description":"Plan details for the managed services.","operators":[]},{"name":"registration_definition_id","type":"text","description":"The ID of the registration definition.","operators":["="]},{"name":"registration_definition_name","type":"text","description":"Name of the registration definition.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":[]},{"name":"scope","type":"text","description":"The scope of the resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource.","operators":[]}],"description":"Azure Lighthouse Definition","queriesCount":0,"examplesCount":3,"readme":"$74"},{"name":"azure_location","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"display_name","type":"text","description":"The display name of the location.","operators":[]},{"name":"id","type":"text","description":"The fully qualified ID of the location.","operators":[]},{"name":"latitude","type":"text","description":"The latitude of the location.","operators":[]},{"name":"longitude","type":"jsonb","description":"The longitude of the location","operators":[]},{"name":"name","type":"text","description":"The location name","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]}],"description":"Azure Location","queriesCount":1,"examplesCount":2,"readme":"$75"},{"name":"azure_log_alert","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"actions","type":"text","description":"The actions that will activate when the condition is met.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"condition","type":"jsonb","description":"The condition that will cause this alert to activate.","operators":[]},{"name":"description","type":"text","description":"A description of this activity log alert.","operators":[]},{"name":"enabled","type":"boolean","description":"Indicates whether this activity log alert is enabled.","operators":[]},{"name":"id","type":"text","description":"The resource Id.","operators":[]},{"name":"location","type":"text","description":"The location of the resource. Since Azure Activity Log Alerts is a global service, the location of the rules should always be 'global'.","operators":[]},{"name":"name","type":"text","description":"The name of the resource.","operators":["="]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"scopes","type":"jsonb","description":"A list of resourceIds that will be used as prefixes.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource","operators":[]}],"description":"Azure Log Alert","queriesCount":14,"examplesCount":1,"readme":"$76"},{"name":"azure_log_analytics_workspace","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"The list of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"cluster_resource_id","type":"text","description":"Dedicated LA cluster resourceId that is linked to the workspaces.","operators":[]},{"name":"created_date","type":"timestamp with time zone","description":"Workspace creation date.","operators":[]},{"name":"customer_id","type":"text","description":"Represents the ID associated with the workspace.","operators":[]},{"name":"disable_local_auth","type":"boolean","description":"Disable Non-AAD based Auth.","operators":[]},{"name":"enable_data_export","type":"boolean","description":"Flag that indicates if data should be exported.","operators":[]},{"name":"enable_log_access_using_only_resource_permissions","type":"boolean","description":"Flag that indicates which permission to use - resource or workspace or both.","operators":[]},{"name":"force_cmk_for_query","type":"boolean","description":"Indicates whether customer managed storage is mandatory for query management.","operators":[]},{"name":"id","type":"text","description":"Contains the unique ID to identify the Log Analytics workspace.","operators":[]},{"name":"immediate_purge_data_on_30_days","type":"boolean","description":"Flag that describes if we want to remove the data after 30 days.","operators":[]},{"name":"location","type":"text","description":"The location of the Log Analytics workspace.","operators":[]},{"name":"modified_date","type":"timestamp with time zone","description":"Workspace modification date.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the Log Analytics workspace.","operators":["="]},{"name":"private_link_scoped_resources","type":"jsonb","description":"List of linked private link scope resources.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the Log Analytics workspace.","operators":[]},{"name":"public_network_access_for_ingestion","type":"text","description":"The network access type for accessing Log Analytics ingestion.","operators":[]},{"name":"public_network_access_for_query","type":"text","description":"The network access type for accessing Log Analytics query.","operators":[]},{"name":"region","type":"text","description":"The region of the Log Analytics workspace.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group of the Log Analytics workspace.","operators":["="]},{"name":"retention_in_days","type":"bigint","description":"The retention period for the Log Analytics workspace data in days.","operators":[]},{"name":"sku","type":"jsonb","description":"The SKU (pricing level) of the Log Analytics workspace.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"The tags assigned to the Log Analytics workspace.","operators":[]},{"name":"title","type":"text","description":"The title of the Log Analytics workspace.","operators":[]},{"name":"type","type":"text","description":"The type of the Log Analytics workspace.","operators":[]},{"name":"workspace_capping","type":"jsonb","description":"The workspace capping properties.","operators":[]}],"description":"Azure Log Analytics Workspace","queriesCount":2,"examplesCount":5,"readme":"$77"},{"name":"azure_log_profile","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"categories","type":"jsonb","description":"The categories of the logs.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"id","type":"text","description":"The resource Id.","operators":[]},{"name":"location","type":"text","description":"Specifies the name of the region, the resource is created at.","operators":[]},{"name":"log_event_location","type":"jsonb","description":"List of regions for which Activity Log events should be stored or streamed.","operators":[]},{"name":"name","type":"text","description":"The name of the resource.","operators":["="]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":[]},{"name":"retention_policy","type":"jsonb","description":"The retention policy for the events in the log.","operators":[]},{"name":"service_bus_rule_id","type":"text","description":"The service bus rule ID of the service bus namespace in which you would like to have Event Hubs created for streaming the Activity Log.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"storage_account_id","type":"text","description":"The resource id of the storage account to which you would like to send the Activity Log.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource.","operators":[]}],"description":"Azure Log Profile","queriesCount":4,"examplesCount":0,"readme":"$78"},{"name":"azure_logic_app_workflow","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"access_control","type":"jsonb","description":"The access control configuration.","operators":[]},{"name":"access_endpoint","type":"text","description":"The access endpoint of the workflow.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"changed_time","type":"timestamp with time zone","description":"Specifies the time, the workflow was updated.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"created_time","type":"timestamp with time zone","description":"The time when workflow was created.","operators":[]},{"name":"definition","type":"jsonb","description":"The workflow defination.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the workflow.","operators":[]},{"name":"endpoints_configuration","type":"jsonb","description":"The endpoints configuration.","operators":[]},{"name":"id","type":"text","description":"The resource identifier.","operators":[]},{"name":"integration_account","type":"jsonb","description":"The integration account of the workflow.","operators":[]},{"name":"integration_service_environment","type":"jsonb","description":"The integration service environment of the workflow.","operators":[]},{"name":"name","type":"text","description":"The resource name.","operators":["="]},{"name":"parameters","type":"jsonb","description":"The workflow parameters.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the workflow.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sku_name","type":"text","description":"The sku name.","operators":[]},{"name":"sku_plan","type":"jsonb","description":"The sku Plan.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"state","type":"text","description":"The state of the workflow.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]},{"name":"version","type":"text","description":"Version of the workflow.","operators":[]}],"description":"Azure Logic App Workflow","queriesCount":1,"examplesCount":2,"readme":"$79"},{"name":"azure_machine_learning_workspace","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"application_insights","type":"text","description":"ARM id of the application insights associated with this workspace. This cannot be changed once the workspace has been created.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"container_registry","type":"text","description":"ARM id of the container registry associated with this workspace. This cannot be changed once the workspace has been created.","operators":[]},{"name":"creation_time","type":"timestamp with time zone","description":"The creation time for this workspace resource.","operators":[]},{"name":"description","type":"text","description":"The description of this workspace.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the azure ML workspace.","operators":[]},{"name":"discovery_url","type":"text","description":"ARM id of the container registry associated with this workspace. This cannot be changed once the workspace has been created.","operators":[]},{"name":"encryption","type":"jsonb","description":"The encryption settings of Azure ML workspace.","operators":[]},{"name":"friendly_name","type":"text","description":"The friendly name for this workspace. This name in mutable.","operators":[]},{"name":"hbi_workspace","type":"boolean","description":"The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service.","operators":[]},{"name":"id","type":"text","description":"The resource identifier.","operators":[]},{"name":"identity","type":"jsonb","description":"The identity of the resource.","operators":[]},{"name":"key_vault","type":"text","description":"ARM id of the key vault associated with this workspace, This cannot be changed once the workspace has been created.","operators":[]},{"name":"location","type":"text","description":"The location of the resource. This cannot be changed after the resource is created.","operators":[]},{"name":"name","type":"text","description":"The resource name.","operators":["="]},{"name":"provisioning_state","type":"text","description":"The current deployment state of workspace resource, The provisioningState is to indicate states for resource provisioning. Possible values include: 'Unknown', 'Updating', 'Creating', 'Deleting', 'Succeeded', 'Failed', 'Canceled'.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"service_provisioned_resource_group","type":"text","description":"The name of the managed resource group created by workspace RP in customer subscription if the workspace is CMK workspace.","operators":[]},{"name":"sku_name","type":"text","description":"Name of the sku.","operators":[]},{"name":"sku_tier","type":"text","description":"Tier of the sku like Basic or Enterprise.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"storage_account","type":"text","description":"ARM id of the storage account associated with this workspace. This cannot be changed once the workspace has been created.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]},{"name":"workspace_id","type":"text","description":"The immutable id associated with this workspace.","operators":[]}],"description":"Azure Machine Learning Workspace","queriesCount":1,"examplesCount":2,"readme":"$7a"},{"name":"azure_maintenance_configuration","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"created_at","type":"timestamp with time zone","description":"The timestamp of resource creation (UTC).","operators":[]},{"name":"created_by","type":"text","description":"The identity that created the resource.","operators":[]},{"name":"created_by_type","type":"text","description":"The type of identity that created the resource. Possible values include: 'CreatedByTypeUser', 'CreatedByTypeApplication', 'CreatedByTypeManagedIdentity', 'CreatedByTypeKey'.","operators":[]},{"name":"extension_properties","type":"jsonb","description":"Gets or sets extensionProperties of the maintenanceConfiguration.","operators":[]},{"name":"id","type":"text","description":"Fully qualified identifier of the resource.","operators":[]},{"name":"last_modified_at","type":"timestamp with time zone","description":"The timestamp of resource last modification (UTC).","operators":[]},{"name":"last_modified_by","type":"text","description":"The identity that last modified the resource.","operators":[]},{"name":"last_modified_by_type","type":"text","description":"The type of identity that last modified the resource. Possible values include: 'CreatedByTypeUser', 'CreatedByTypeApplication', 'CreatedByTypeManagedIdentity', 'CreatedByTypeKey'.","operators":[]},{"name":"maintenance_scope","type":"text","description":"The maintenanceScope of the configuration. Possible values include: 'ScopeHost', 'ScopeOSImage', 'ScopeExtension', 'ScopeInGuestPatch', 'ScopeSQLDB', 'ScopeSQLManagedInstance'.","operators":[]},{"name":"name","type":"text","description":"Name of the resource.","operators":["="]},{"name":"namespace","type":"text","description":"Gets or sets namespace of the resource.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"system_data","type":"jsonb","description":"Azure Resource Manager metadata containing createdBy and modifiedBy information.","operators":[]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource.","operators":[]},{"name":"visibility","type":"text","description":"The visibility of the configuration. The default value is 'Custom'. Possible values include: 'VisibilityCustom', 'VisibilityPublic'.","operators":[]},{"name":"window","type":"jsonb","description":"Definition of a MaintenanceWindow.","operators":[]}],"description":"Azure Maintenance Configuration.","queriesCount":0,"examplesCount":2,"readme":"$7b"},{"name":"azure_management_group","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"children","type":"jsonb","description":"The list of children of the management group.","operators":[]},{"name":"display_name","type":"text","description":"The friendly name of the management group.","operators":[]},{"name":"id","type":"text","description":"The fully qualified ID for the management group.","operators":[]},{"name":"name","type":"text","description":"The name of the management group.","operators":["="]},{"name":"parent","type":"jsonb","description":"The associated parent management group.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"tenant_id","type":"text","description":"The AAD Tenant ID associated with the management group.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the management group.","operators":[]},{"name":"updated_by","type":"text","description":"The identity of the principal or process that updated the management group.","operators":[]},{"name":"updated_time","type":"timestamp with time zone","description":"The date and time when this management group was last updated.","operators":[]},{"name":"version","type":"double precision","description":"The version number of the management group.","operators":[]}],"description":"Azure Management Group.","queriesCount":0,"examplesCount":2,"readme":"$7c"},{"name":"azure_management_lock","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a lock uniquely.","operators":[]},{"name":"lock_level","type":"text","description":"The level of the lock.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies management lock.","operators":["="]},{"name":"notes","type":"text","description":"Contains the notes about the lock.","operators":[]},{"name":"owners","type":"jsonb","description":"A list of owners of the lock.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"scope","type":"text","description":"Contains the scope of the lock.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type of the lock.","operators":[]}],"description":"Azure Management Lock","queriesCount":0,"examplesCount":2,"readme":"$7d"},{"name":"azure_mariadb_server","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"administrator_login","type":"text","description":"The administrator's login name of a server.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"auto_grow_enabled","type":"text","description":"Indicates whether storage auto grow is enabled for server, or not.","operators":[]},{"name":"backup_retention_days","type":"bigint","description":"Specifies the backup retention days for the server.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"earliest_restore_date","type":"timestamp with time zone","description":"Specifies the earliest restore point creation time.","operators":[]},{"name":"fully_qualified_domain_name","type":"text","description":"The fully qualified domain name of a server.","operators":[]},{"name":"geo_redundant_backup_enabled","type":"text","description":"Indicates whether geo-redundant backup is enabled for server backup, or not.","operators":[]},{"name":"id","type":"text","description":"A fully qualified resource ID for the resource.","operators":[]},{"name":"master_service_id","type":"text","description":"The master server id of a replica server.","operators":[]},{"name":"name","type":"text","description":"The name of the resource.","operators":["="]},{"name":"private_endpoint_connections","type":"jsonb","description":"A list of private endpoint connections on a server.","operators":[]},{"name":"public_network_access","type":"text","description":"Indicates whether or not public network access is allowed for this server. Valid values are: 'Enabled', 'Disabled'.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"replica_capacity","type":"bigint","description":"The maximum number of replicas that a master server can have.","operators":[]},{"name":"replication_role","type":"text","description":"The replication role of the server.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sku_capacity","type":"bigint","description":"The scale up/out capacity, representing server's compute units.","operators":[]},{"name":"sku_family","type":"text","description":"The family of hardware.","operators":[]},{"name":"sku_name","type":"text","description":"The name of the sku.","operators":[]},{"name":"sku_size","type":"text","description":"The size code, to be interpreted by resource as appropriate.","operators":[]},{"name":"sku_tier","type":"text","description":"The tier of the particular SKU. Valid values are: 'Basic', 'GeneralPurpose', 'MemoryOptimized'.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"ssl_enforcement","type":"text","description":"Indicates whether SSL enforcement is enabled, or not. Valid values are: 'Enabled', and 'Disabled'.","operators":[]},{"name":"storage_mb","type":"bigint","description":"Specifies the max storage allowed for a server.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource.","operators":[]},{"name":"user_visible_state","type":"text","description":"A state of a server that is visible to user. Valid values are: 'Ready', 'Dropping', 'Disabled'.","operators":[]},{"name":"version","type":"text","description":"Specifies the server version.","operators":[]}],"description":"Azure MariaDB Server","queriesCount":4,"examplesCount":3,"readme":"$7e"},{"name":"azure_monitor_activity_log_event","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"authorization_info","type":"jsonb","description":"The sender authorization information.","operators":[]},{"name":"caller","type":"text","description":"The email address of the user who has performed the operation, the UPN claim or SPN claim based on availability.","operators":[]},{"name":"category","type":"text","description":"The event category.","operators":[]},{"name":"claims","type":"jsonb","description":"Key value pairs to identify ARM permissions.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"correlation_id","type":"text","description":"The correlation ID, usually a GUID in the string format. The correlation ID is shared among the events that belong to the same Uber operation.","operators":["="]},{"name":"description","type":"text","description":"The description of the event.","operators":[]},{"name":"event_data_id","type":"text","description":"The event data ID. This is a unique identifier for an event.","operators":[]},{"name":"event_name","type":"text","description":"The event name. This value should not be confused with OperationName. For practical purposes, OperationName might be more appealing to end users.","operators":[]},{"name":"event_timestamp","type":"timestamp with time zone","description":"The timestamp of when the event was generated by the Azure service processing the request corresponding the event.","operators":["gt","lt","ge","le"]},{"name":"http_request","type":"jsonb","description":"The HTTP request info. Usually includes the 'clientRequestId', 'clientIpAddress' (IP address of the user who initiated the event) and 'method' (HTTP method e.g. PUT).","operators":[]},{"name":"id","type":"text","description":"The ID of this event as required by ARM for RBAC. It contains the EventDataID and a timestamp information.","operators":[]},{"name":"level","type":"text","description":"The event level. Possible values include: 'EventLevelCritical', 'EventLevelError', 'EventLevelWarning', 'EventLevelInformational', 'EventLevelVerbose'.","operators":[]},{"name":"operation_id","type":"text","description":"It is usually a GUID shared among the events corresponding to single operation. This value should not be confused with EventName.","operators":[]},{"name":"operation_name","type":"text","description":"The operation name.","operators":[]},{"name":"properties","type":"jsonb","description":"The set of pairs (usually a Dictionary) that includes details about the event.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"resource_id","type":"text","description":"The resource URI that uniquely identifies the resource that caused this event.","operators":["="]},{"name":"resource_provider_name","type":"text","description":"The resource provider name of the impacted resource.","operators":["="]},{"name":"resource_type","type":"text","description":"The resource type.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"status","type":"text","description":"A string describing the status of the operation. Some typical values are: Started, In progress, Succeeded, Failed, Resolved.","operators":[]},{"name":"sub_status","type":"text","description":"The event sub status. Most of the time, when included, this captures the HTTP status code of the REST call. Common values are: OK (HTTP Status Code: 200), Created (HTTP Status Code: 201), Accepted (HTTP Status Code: 202), No Content (HTTP Status Code: 204), Bad Request(HTTP Status Code: 400), Not Found (HTTP Status Code: 404), Conflict (HTTP Status Code: 409), Internal Server Error (HTTP Status Code: 500), Service Unavailable (HTTP Status Code:503), Gateway Timeout (HTTP Status Code: 504).","operators":[]},{"name":"submission_timestamp","type":"timestamp with time zone","description":"The timestamp of when the event became available for querying via this API.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]}],"description":"Azure Monitor Activity Log Event","queriesCount":0,"examplesCount":8,"readme":"$7f"},{"name":"azure_monitor_log_profile","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"text","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"categories","type":"jsonb","description":"The categories of the logs. These categories are created as is convenient to the user.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"id","type":"text","description":"Azure resource Id.","operators":[]},{"name":"location","type":"text","description":"The resource location.","operators":[]},{"name":"locations","type":"jsonb","description":"List of regions for which Activity Log events should be stored or streamed. It is a comma separated list of valid ARM locations including the 'global' location.","operators":[]},{"name":"name","type":"text","description":"Azure resource name.","operators":["="]},{"name":"retention_policy","type":"jsonb","description":"The retention policy for the events in the log.","operators":[]},{"name":"service_bus_rule_id","type":"text","description":"The service bus rule ID of the service bus namespace in which you would like to have Event Hubs created for streaming the Activity Log.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"storage_account_id","type":"text","description":"The resource id of the storage account to which you would like to send the Activity Log.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Azure resource type.","operators":[]}],"description":"Azure Monitor Log Profile","queriesCount":0,"examplesCount":4,"readme":"$80"},{"name":"azure_mssql_elasticpool","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"creation_date","type":"timestamp with time zone","description":"The creation date of the elastic pool.","operators":[]},{"name":"database_dtu_max","type":"bigint","description":"The maximum DTU any one database can consume.","operators":[]},{"name":"database_dtu_min","type":"bigint","description":"The minimum DTU all databases are guaranteed.","operators":[]},{"name":"dtu","type":"bigint","description":"The total shared DTU for the database elastic pool.","operators":[]},{"name":"edition","type":"text","description":"The edition of the elastic pool.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a elastic pool uniquely.","operators":[]},{"name":"kind","type":"text","description":"The kind of elastic pool.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the elastic pool.","operators":["="]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"server_name","type":"text","description":"The name of the parent server of the elastic pool.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"state","type":"text","description":"The state of the elastic pool.","operators":[]},{"name":"storage_mb","type":"bigint","description":"Storage limit for the database elastic pool in MB.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type of the elastic pool.","operators":[]},{"name":"zone_redundant","type":"boolean","description":"Whether or not this database elastic pool is zone redundant, which means the replicas of this database will be spread across multiple availability zones.","operators":[]}],"description":"Azure Microsoft SQL Elastic Pool","queriesCount":0,"examplesCount":1,"readme":"$81"},{"name":"azure_mssql_managed_instance","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"administrator_login","type":"text","description":"Administrator username for the managed instance.","operators":[]},{"name":"administrator_login_password","type":"text","description":"Administrator password for the managed instance.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"collation","type":"text","description":"Collation of the managed instance.","operators":[]},{"name":"dns_zone","type":"text","description":"The Dns zone that the managed instance is in.","operators":[]},{"name":"dns_zone_partner","type":"text","description":"The resource id of another managed instance whose DNS zone this managed instance will share after creation.","operators":[]},{"name":"encryption_protectors","type":"jsonb","description":"The managed instance encryption protectors.","operators":[]},{"name":"fully_qualified_domain_name","type":"text","description":"The fully qualified domain name of the managed instance.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a managed instance uniquely.","operators":[]},{"name":"identity","type":"jsonb","description":"The azure active directory identity of the managed instance.","operators":[]},{"name":"instance_pool_id","type":"text","description":"The Id of the instance pool this managed server belongs to.","operators":[]},{"name":"license_type","type":"text","description":"The license type of the managed instance.","operators":[]},{"name":"maintenance_configuration_id","type":"text","description":"Specifies maintenance configuration id to apply to this managed instance.","operators":[]},{"name":"managed_instance_create_mode","type":"text","description":"Specifies the mode of database creation.","operators":[]},{"name":"minimal_tls_version","type":"text","description":"Minimal TLS version of the managed instance.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the managed instance.","operators":["="]},{"name":"proxy_override","type":"text","description":"Connection type used for connecting to the instance.","operators":[]},{"name":"public_data_endpoint_enabled","type":"boolean","description":"Whether or not the public data endpoint is enabled.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"restore_point_in_time","type":"timestamp with time zone","description":"Specifies the point in time of the source database that will be restored to create the new database.","operators":[]},{"name":"security_alert_policies","type":"jsonb","description":"The security alert policies of the managed instance.","operators":[]},{"name":"sku","type":"jsonb","description":"Managed instance SKU.","operators":[]},{"name":"source_managed_instance_id","type":"text","description":"The resource identifier of the source managed instance associated with create operation of this instance.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"state","type":"text","description":"The state of the managed instance.","operators":[]},{"name":"storage_size_in_gb","type":"bigint","description":"The managed instance storage size in GB.","operators":[]},{"name":"subnet_id","type":"text","description":"Subnet resource ID for the managed instance.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"timezone_id","type":"text","description":"Id of the timezone.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type of the managed instance.","operators":[]},{"name":"v_cores","type":"bigint","description":"The number of vcores of the managed instance.","operators":[]},{"name":"vulnerability_assessments","type":"jsonb","description":"The managed instance vulnerability assessments.","operators":[]}],"description":"Azure Microsoft SQL Managed Instance","queriesCount":2,"examplesCount":2,"readme":"$82"},{"name":"azure_mssql_virtual_machine","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"auto_backup_settings","type":"jsonb","description":"Auto backup settings for SQL Server.","operators":[]},{"name":"auto_patching_settings","type":"jsonb","description":"Auto patching settings for applying critical security updates to SQL virtual machine.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"id","type":"text","description":"The resource ID.","operators":[]},{"name":"identity","type":"jsonb","description":"Azure Active Directory identity for the SQL virtual machine.","operators":[]},{"name":"key_vault_credential_settings","type":"jsonb","description":"Key vault credential settings for the SQL virtual machine.","operators":[]},{"name":"name","type":"text","description":"The resource name.","operators":["="]},{"name":"provisioning_state","type":"text","description":"Provisioning state to track the async operation status.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"server_configurations_management_settings","type":"jsonb","description":"SQL server configuration management settings for the SQL virtual machine.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"sql_image_offer","type":"text","description":"SQL image offer for the SQL virtual machine.","operators":[]},{"name":"sql_image_sku","type":"text","description":"SQL Server edition type. Possible values include: 'Developer', 'Express', 'Standard', 'Enterprise', 'Web'.","operators":[]},{"name":"sql_management","type":"text","description":"SQL Server Management type. Possible values include: 'Full', 'LightWeight', 'NoAgent'.","operators":[]},{"name":"sql_server_license_type","type":"text","description":"SQL server license type for the SQL virtual machine. Possible values include: 'PAYG', 'AHUB', 'DR'.","operators":[]},{"name":"sql_virtual_machine_group_resource_id","type":"text","description":"ARM resource id of the SQL virtual machine group this SQL virtual machine is or will be part of.","operators":[]},{"name":"storage_configuration_settings","type":"jsonb","description":"Storage configuration settings for the SQL virtual machine.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]},{"name":"virtual_machine_resource_id","type":"text","description":"ARM resource id of underlying virtual machine created from SQL marketplace image.","operators":[]},{"name":"wsfc_domain_credentials","type":"jsonb","description":"Domain credentials for setting up Windows Server Failover Cluster for SQL availability group.","operators":[]}],"description":"Azure MS SQL Virtual Machine","queriesCount":0,"examplesCount":1,"readme":"$83"},{"name":"azure_mysql_flexible_server","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"administrator_login","type":"text","description":"The administrator's login name of a server.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"availability_zone","type":"text","description":"Availability Zone information of the server.","operators":[]},{"name":"backup_retention_days","type":"bigint","description":"Backup retention days for the server.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"create_mode","type":"text","description":"The mode to create a new server.","operators":[]},{"name":"earliest_restore_date","type":"timestamp with time zone","description":"Specifies the earliest restore point creation time.","operators":[]},{"name":"flexible_server_configurations","type":"jsonb","description":"The server configurations(parameters) details of the server.","operators":[]},{"name":"fully_qualified_domain_name","type":"text","description":"The fully qualified domain name of the server.","operators":[]},{"name":"geo_redundant_backup","type":"text","description":"Indicates whether Geo-redundant is enabled, or not for server backup.","operators":[]},{"name":"high_availability","type":"jsonb","description":"High availability related properties of a server.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a server uniquely.","operators":[]},{"name":"location","type":"text","description":"The server location.","operators":[]},{"name":"maintenance_window","type":"jsonb","description":"Maintenance window of a server.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the server.","operators":["="]},{"name":"network","type":"jsonb","description":"Network related properties of a server.","operators":[]},{"name":"public_network_access","type":"text","description":"Whether or not public network access is allowed for this server.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"replica_capacity","type":"bigint","description":"The maximum number of replicas that a primary server can have.","operators":[]},{"name":"replication_role","type":"text","description":"The replication role of the server.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"restore_point_in_time","type":"timestamp with time zone","description":"Restore point creation time (ISO8601 format), specifying the time to restore from.","operators":[]},{"name":"sku_name","type":"text","description":"The name of the sku.","operators":[]},{"name":"sku_tier","type":"text","description":"The tier of the particular SKU.","operators":[]},{"name":"source_server_resource_id","type":"text","description":"The source MySQL server id.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"state","type":"text","description":"The state of the server.","operators":[]},{"name":"storage_auto_grow","type":"text","description":"Indicates whether storage auto grow is enabled, or not.","operators":[]},{"name":"storage_iops","type":"bigint","description":"Storage IOPS for a server.","operators":[]},{"name":"storage_size_gb","type":"bigint","description":"Indicates max storage allowed for a server.","operators":[]},{"name":"storage_sku","type":"text","description":"The sku name of the server storage.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"system_data","type":"jsonb","description":"The system metadata relating to this server.","operators":[]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type of the server.","operators":[]},{"name":"version","type":"text","description":"Specifies the version of the server.","operators":[]}],"description":"Azure MySQL Flexible Server","queriesCount":4,"examplesCount":7,"readme":"$84"},{"name":"azure_mysql_server","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"administrator_login","type":"text","description":"Specifies the username of the administrator for this server.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"backup_retention_days","type":"bigint","description":"Backup retention days for the server.","operators":[]},{"name":"byok_enforcement","type":"text","description":"Status showing whether the server data encryption is enabled with customer-managed keys.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"earliest_restore_date","type":"timestamp with time zone","description":"Specifies the earliest restore point creation time.","operators":[]},{"name":"fully_qualified_domain_name","type":"text","description":"The fully qualified domain name of the server.","operators":[]},{"name":"geo_redundant_backup","type":"text","description":"Indicates whether Geo-redundant is enabled, or not for server backup.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a server uniquely.","operators":[]},{"name":"infrastructure_encryption","type":"text","description":"Status showing whether the server enabled infrastructure encryption. Possible values include: 'Enabled', 'Disabled'.","operators":[]},{"name":"location","type":"text","description":"The resource location.","operators":[]},{"name":"master_server_id","type":"text","description":"The master server id of a replica server.","operators":[]},{"name":"minimal_tls_version","type":"text","description":"Enforce a minimal Tls version for the server. Possible values include: 'TLS10', 'TLS11', 'TLS12', 'TLSEnforcementDisabled'.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the server.","operators":["="]},{"name":"private_endpoint_connections","type":"jsonb","description":"A list of private endpoint connections on a server.","operators":[]},{"name":"public_network_access","type":"text","description":"Indicates whether or not public network access is allowed for this server. Value is optional but if passed in, must be 'Enabled' or 'Disabled'. Possible values include: 'Enabled', 'Disabled'.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"replica_capacity","type":"bigint","description":"The maximum number of replicas that a master server can have.","operators":[]},{"name":"replication_role","type":"text","description":"The replication role of the server.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"server_configurations","type":"jsonb","description":"The server configurations(parameters) details of the server.","operators":[]},{"name":"server_keys","type":"jsonb","description":"The server keys of the server.","operators":[]},{"name":"server_security_alert_policy","type":"jsonb","description":"Security alert policy associated with the MySQL Server.","operators":[]},{"name":"sku_capacity","type":"bigint","description":"The scale up/out capacity, representing server's compute units.","operators":[]},{"name":"sku_family","type":"text","description":"The family of hardware.","operators":[]},{"name":"sku_name","type":"text","description":"The name of the sku. For example: 'B_Gen4_1', 'GP_Gen5_8'.","operators":[]},{"name":"sku_size","type":"text","description":"The size code, to be interpreted by resource as appropriate.","operators":[]},{"name":"sku_tier","type":"text","description":"The tier of the particular SKU. Possible values include: 'Basic', 'GeneralPurpose', 'MemoryOptimized'.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"ssl_enforcement","type":"text","description":"Enable ssl enforcement or not when connect to server. Possible values include: 'Enabled', 'Disabled'.","operators":[]},{"name":"state","type":"text","description":"The state of the server.","operators":[]},{"name":"storage_auto_grow","type":"text","description":"Indicates whether storage auto grow is enabled, or not.","operators":[]},{"name":"storage_mb","type":"bigint","description":"Indicates max storage allowed for a server.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type of the server.","operators":[]},{"name":"user_visible_state","type":"text","description":"A state of a server that is visible to user. Possible values include: 'Ready', 'Dropping', 'Disabled', 'Inaccessible'.","operators":[]},{"name":"version","type":"text","description":"Specifies the version of the server.","operators":[]},{"name":"vnet_rules","type":"jsonb","description":"Rules represented by VNET.","operators":[]}],"description":"Azure MySQL Server","queriesCount":10,"examplesCount":13,"readme":"$85"},{"name":"azure_nat_gateway","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"etag","type":"text","description":"An unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a nat gateway uniquely.","operators":[]},{"name":"idle_timeout_in_minutes","type":"bigint","description":"The idle timeout of the nat gateway.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the nat gateway.","operators":["="]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the nat gateway resource.","operators":[]},{"name":"public_ip_addresses","type":"jsonb","description":"An array of public ip addresses associated with the nat gateway resource.","operators":[]},{"name":"public_ip_prefixes","type":"jsonb","description":"An array of public ip prefixes associated with the nat gateway resource.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"resource_guid","type":"text","description":"The provisioning state of the nat gateway resource.","operators":[]},{"name":"sku_name","type":"text","description":"The nat gateway SKU.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subnets","type":"jsonb","description":"An array of references to the subnets using this nat gateway resource.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type of the nat gateway.","operators":[]},{"name":"zones","type":"jsonb","description":"A list of availability zones denoting the zone in which Nat Gateway should be deployed.","operators":[]}],"description":"Azure NAT Gateway","queriesCount":0,"examplesCount":2,"readme":"$86"},{"name":"azure_network_interface","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"applied_dns_servers","type":"jsonb","description":"A list of applied dns servers.","operators":[]},{"name":"auxiliary_mode","type":"text","description":"Auxiliary mode of network interface resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"disable_tcp_state_tracking","type":"boolean","description":"Indicates whether to disable TCP state tracking.","operators":[]},{"name":"dns_servers","type":"jsonb","description":"A collection of DNS servers IP addresses.","operators":[]},{"name":"dscp_configuration","type":"jsonb","description":"A reference to the DSCP configuration to which the network interface is linked.","operators":[]},{"name":"enable_accelerated_networking","type":"boolean","description":"Indicates whether the network interface is accelerated networking enabled.","operators":[]},{"name":"enable_ip_forwarding","type":"boolean","description":"Indicates whether IP forwarding is enabled on this network interface.","operators":[]},{"name":"etag","type":"text","description":"An unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"hosted_workloads","type":"jsonb","description":"A collection of references to linked BareMetal resources.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a network interface uniquely.","operators":[]},{"name":"internal_dns_name_label","type":"text","description":"Relative DNS name for this NIC used for internal communications between VMs in the same virtual network.","operators":[]},{"name":"internal_domain_name_suffix","type":"text","description":"Contains domain name suffix for the network interface.","operators":[]},{"name":"internal_fqdn","type":"text","description":"Fully qualified DNS name supporting internal communications between VMs in the same virtual network.","operators":[]},{"name":"ip_configurations","type":"jsonb","description":"A list of IPConfigurations of the network interface.","operators":[]},{"name":"is_primary","type":"boolean","description":"Indicates whether this is a primary network interface on a virtual machine.","operators":[]},{"name":"mac_address","type":"text","description":"The MAC address of the network interface.","operators":[]},{"name":"migration_phase","type":"text","description":"Migration phase of network interface resource.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the network interface.","operators":["="]},{"name":"network_security_group_id","type":"text","description":"The reference to the NetworkSecurityGroup resource.","operators":[]},{"name":"nic_type","type":"text","description":"Type of network interface resource (e.g., Standard, Elastic).","operators":[]},{"name":"private_endpoint","type":"jsonb","description":"A reference to the private endpoint to which the network interface is linked.","operators":[]},{"name":"private_link_service","type":"jsonb","description":"Private link service of the network interface resource.","operators":[]},{"name":"provisioning_state","type":"text","description":"Providsioning state of the network interface resource.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"resource_guid","type":"text","description":"The resource GUID property of the network interface resource.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"tap_configurations","type":"jsonb","description":"A collection of TapConfigurations of the network interface.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type of the network interface.","operators":[]},{"name":"virtual_machine_id","type":"text","description":"The reference to a virtual machine.","operators":[]},{"name":"vnet_encryption_supported","type":"boolean","description":"Whether the virtual machine this NIC is attached to supports encryption.","operators":[]},{"name":"workload_type","type":"text","description":"Workload type of the network interface for BareMetal resources.","operators":[]}],"description":"Azure Network Interface","queriesCount":3,"examplesCount":3,"readme":"$87"},{"name":"azure_network_security_group","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"default_security_rules","type":"jsonb","description":"A list of default security rules of network security group.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the network security group.","operators":[]},{"name":"etag","type":"text","description":"An unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"flow_logs","type":"jsonb","description":"A collection of references to flow log resources.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a network security group uniquely.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the network security group.","operators":["="]},{"name":"network_interfaces","type":"jsonb","description":"A collection of references to network interfaces.","operators":[]},{"name":"provisioning_state","type":"text","description":"The resource type of the network security group.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"resource_guid","type":"text","description":"The resource GUID property of the network security group resource.","operators":[]},{"name":"security_rules","type":"jsonb","description":"A list of security rules of network security group.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subnets","type":"jsonb","description":"A collection of references to subnets.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type of the network security group.","operators":[]}],"description":"Azure Network Security Group","queriesCount":31,"examplesCount":3,"readme":"$88"},{"name":"azure_network_watcher","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"etag","type":"text","description":"An unique read-only string that changes whenever the resource is updated","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a network watcher uniquely","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the network watcher","operators":["="]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the network watcher resource","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type of the network watcher","operators":[]}],"description":"Azure Network Watcher","queriesCount":2,"examplesCount":2,"readme":"$89"},{"name":"azure_network_watcher_flow_log","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"enabled","type":"boolean","description":"Indicates whether the flow log is enabled, or not.","operators":[]},{"name":"etag","type":"text","description":"An unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"file_type","type":"text","description":"The file type of flow log. Possible values include: 'JSON'.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a flow log uniquely.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the flow log.","operators":["="]},{"name":"network_watcher_name","type":"text","description":"The friendly name that identifies the network watcher.","operators":["="]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the flow log.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"retention_policy_days","type":"bigint","description":"Specifies the number of days to retain flow log records.","operators":[]},{"name":"retention_policy_enabled","type":"boolean","description":"Indicates whether flow log retention is enabled, or not.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"storage_id","type":"text","description":"The ID of the storage account which is used to store the flow log.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"target_resource_guid","type":"text","description":"The Guid of network security group to which flow log will be applied.","operators":[]},{"name":"target_resource_id","type":"text","description":"The ID of network security group to which flow log will be applied.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"traffic_analytics","type":"jsonb","description":"Defines the configuration of flow log traffic analytics.","operators":[]},{"name":"type","type":"text","description":"The resource type of the flow log.","operators":[]},{"name":"version","type":"bigint","description":"The version (revision) of the flow log.","operators":[]}],"description":"Azure Network Watcher FlowLog","queriesCount":3,"examplesCount":3,"readme":"$8a"},{"name":"azure_policy_assignment","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"description","type":"text","description":"This message will be part of response in case of policy violation.","operators":[]},{"name":"display_name","type":"text","description":"The display name of the policy assignment.","operators":[]},{"name":"enforcement_mode","type":"text","description":"The policy assignment enforcement mode. Possible values are Default and DoNotEnforce.","operators":[]},{"name":"id","type":"text","description":"The ID of the policy assignment.","operators":["="]},{"name":"identity","type":"jsonb","description":"The managed identity associated with the policy assignment.","operators":[]},{"name":"metadata","type":"jsonb","description":"The policy assignment metadata.","operators":[]},{"name":"name","type":"text","description":"The name of the policy assignment.","operators":[]},{"name":"not_scopes","type":"jsonb","description":"The policy's excluded scopes.","operators":[]},{"name":"parameters","type":"jsonb","description":"The parameter values for the assigned policy rule.","operators":[]},{"name":"policy_definition_id","type":"text","description":"The ID of the policy definition or policy set definition being assigned.","operators":[]},{"name":"scope","type":"text","description":"The scope for the policy assignment.","operators":[]},{"name":"sku_name","type":"text","description":"The name of the policy sku.","operators":[]},{"name":"sku_tier","type":"text","description":"The policy sku tier.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the policy assignment.","operators":[]}],"description":"Azure Policy Assignment","queriesCount":1,"examplesCount":2,"readme":"$8b"},{"name":"azure_policy_definition","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"description","type":"text","description":"The policy definition description.","operators":[]},{"name":"display_name","type":"text","description":"The user-friendly display name of the policy definition.","operators":[]},{"name":"id","type":"text","description":"The ID of the policy definition.","operators":[]},{"name":"metadata","type":"jsonb","description":"The policy definition metadata. Metadata is an open ended object and is typically a collection of key value pairs.","operators":[]},{"name":"mode","type":"text","description":"The policy definition mode. Some examples are All, Indexed, Microsoft.KeyVault.Data.","operators":[]},{"name":"name","type":"text","description":"The name of the policy definition.","operators":[]},{"name":"parameters","type":"jsonb","description":"The parameter definitions for parameters used in the policy rule. The keys are the parameter names.","operators":[]},{"name":"policy_rule","type":"jsonb","description":"The policy rule.","operators":[]},{"name":"policy_type","type":"text","description":"The type of policy definition. Possible values are NotSpecified, BuiltIn, Custom, and Static. Possible values include: 'NotSpecified', 'BuiltIn', 'Custom', 'Static'.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource (Microsoft.Authorization/policyDefinitions).","operators":[]}],"description":"Azure Policy Definition","queriesCount":0,"examplesCount":1,"readme":"$8c"},{"name":"azure_postgresql_flexible_server","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"administrator_login","type":"text","description":"The administrator's login name of a server. Can only be specified when the server is being created (and is required for creation).","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"auth_config","type":"jsonb","description":"AuthConfig properties of a server.","operators":[]},{"name":"availability_zone","type":"text","description":"Availability zone information of the server.","operators":[]},{"name":"backup","type":"jsonb","description":"Backup properties of a server.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"create_mode","type":"text","description":"The mode to create a new PostgreSQL server.","operators":[]},{"name":"data_encryption","type":"jsonb","description":"Data encryption properties of a server.","operators":[]},{"name":"firewall_rules","type":"jsonb","description":"The list of firewall rules in a server.","operators":[]},{"name":"flexible_server_configurations","type":"jsonb","description":"The server configurations(parameters) details of the server.","operators":[]},{"name":"fully_qualified_domain_name","type":"text","description":"The fully qualified domain name of a server.","operators":[]},{"name":"high_availability","type":"jsonb","description":"High availability properties of a server.","operators":[]},{"name":"id","type":"text","description":"Fully qualified resource ID for the resource.","operators":[]},{"name":"location","type":"text","description":"The geo-location where the resource lives.","operators":[]},{"name":"maintenance_window","type":"jsonb","description":"Maintenance window properties of a server.","operators":[]},{"name":"minor_version","type":"text","description":"The minor version of the server.","operators":[]},{"name":"name","type":"text","description":"The name of the resource.","operators":["="]},{"name":"network","type":"jsonb","description":"Network properties of a server.","operators":[]},{"name":"point_in_time_utc","type":"timestamp with time zone","description":"Restore point creation time (ISO8601 format), specifying the time to restore from. It's required when 'createMode' is 'PointInTimeRestore' or 'GeoRestore'.","operators":[]},{"name":"public_network_access","type":"text","description":"Public network access is enabled or not.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"replica_capacity","type":"bigint","description":"Replicas allowed for a server.","operators":[]},{"name":"replication_role","type":"text","description":"Replication role of the server.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"server_properties","type":"jsonb","description":"Properties of the server.","operators":[]},{"name":"sku","type":"jsonb","description":"The SKU (pricing tier) of the server.","operators":[]},{"name":"source_server_resource_id","type":"text","description":"The source server resource ID to restore from. It's required when 'createMode' is 'PointInTimeRestore' or 'GeoRestore' or 'Replica'.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"state","type":"text","description":"A state of a server that is visible to user.","operators":[]},{"name":"storage","type":"jsonb","description":"Storage properties of a server.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"system_data","type":"jsonb","description":"The system metadata relating to this server.","operators":[]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource.","operators":[]},{"name":"version","type":"text","description":"PostgreSQL Server version.","operators":[]}],"description":"Azure PostgreSQL Flexible Server","queriesCount":5,"examplesCount":3,"readme":"$8d"},{"name":"azure_postgresql_server","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"administrator_login","type":"text","description":"Specifies the username of the administrator for this server.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"backup_retention_days","type":"bigint","description":"Backup retention days for the server.","operators":[]},{"name":"byok_enforcement","type":"text","description":"Status showing whether the server data encryption is enabled with customer-managed keys.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"earliest_restore_date","type":"timestamp with time zone","description":"Specifies the earliest restore point creation time.","operators":[]},{"name":"firewall_rules","type":"jsonb","description":"A list of firewall rules for a server.","operators":[]},{"name":"fully_qualified_domain_name","type":"text","description":"The fully qualified domain name of the server.","operators":[]},{"name":"geo_redundant_backup","type":"text","description":"Indicates whether Geo-redundant is enabled, or not for server backup.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a server uniquely.","operators":[]},{"name":"infrastructure_encryption","type":"text","description":"Status showing whether the server enabled infrastructure encryption. Possible values include: 'InfrastructureEncryptionEnabled', 'InfrastructureEncryptionDisabled'.","operators":[]},{"name":"location","type":"text","description":"The resource location.","operators":[]},{"name":"master_server_id","type":"text","description":"The master server id of a replica server.","operators":[]},{"name":"minimal_tls_version","type":"text","description":"Enforce a minimal Tls version for the server. Possible values include: 'TLS10', 'TLS11', 'TLS12', 'TLSEnforcementDisabled'.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the server.","operators":["="]},{"name":"private_endpoint_connections","type":"jsonb","description":"A list of private endpoint connections on a server.","operators":[]},{"name":"public_network_access","type":"text","description":"Indicates whether or not public network access is allowed for this server. Value is optional but if passed in, must be 'Enabled' or 'Disabled'. Possible values include: 'PublicNetworkAccessEnumEnabled', 'PublicNetworkAccessEnumDisabled'.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"replica_capacity","type":"bigint","description":"The maximum number of replicas that a master server can have.","operators":[]},{"name":"replication_role","type":"text","description":"The replication role of the server.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"server_administrators","type":"jsonb","description":"A list of server administrators.","operators":[]},{"name":"server_configurations","type":"jsonb","description":"A list of configurations for a server.","operators":[]},{"name":"server_keys","type":"jsonb","description":"A list of server keys for a server.","operators":[]},{"name":"server_security_alert_policy","type":"jsonb","description":"Server security alert policy associated with the PostgreSQL Server.","operators":[]},{"name":"sku_capacity","type":"bigint","description":"The scale up/out capacity, representing server's compute units.","operators":[]},{"name":"sku_family","type":"text","description":"The family of hardware.","operators":[]},{"name":"sku_name","type":"text","description":"The name of the sku. For example: 'B_Gen4_1', 'GP_Gen5_8'.","operators":[]},{"name":"sku_size","type":"text","description":"The size code, to be interpreted by resource as appropriate.","operators":[]},{"name":"sku_tier","type":"text","description":"The tier of the particular SKU. Possible values include: 'Basic', 'GeneralPurpose', 'MemoryOptimized'.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"ssl_enforcement","type":"text","description":"Enable ssl enforcement or not when connect to server. Possible values include: 'Enabled', 'Disabled'.","operators":[]},{"name":"storage_auto_grow","type":"text","description":"Indicates whether storage auto grow is enabled, or not.","operators":[]},{"name":"storage_mb","type":"bigint","description":"Indicates max storage allowed for a server.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type of the SQL server.","operators":[]},{"name":"user_visible_state","type":"text","description":"A state of a server that is visible to user. Possible values include: 'ServerStateReady', 'ServerStateDropping', 'ServerStateDisabled', 'ServerStateInaccessible'.","operators":[]},{"name":"version","type":"text","description":"Specifies the version of the server.","operators":[]}],"description":"Azure PostgreSQL Server","queriesCount":14,"examplesCount":6,"readme":"$8e"},{"name":"azure_private_dns_zone","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"etag","type":"text","description":"An unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a Private DNS zone uniquely.","operators":[]},{"name":"max_number_of_record_sets","type":"bigint","description":"The maximum number of record sets that can be created in this Private DNS zone.","operators":[]},{"name":"max_number_of_virtual_network_links","type":"bigint","description":"The maximum number of virtual networks that can be linked to this Private DNS zone.","operators":[]},{"name":"max_number_of_virtual_network_links_with_registration","type":"bigint","description":"The maximum number of virtual networks that can be linked to this Private DNS zone with registration enabled.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the Private DNS zone.","operators":["="]},{"name":"number_of_record_sets","type":"bigint","description":"The current number of record sets in this Private DNS zone.","operators":[]},{"name":"number_of_virtual_network_links","type":"bigint","description":"The current number of virtual networks that are linked to this Private DNS zone.","operators":[]},{"name":"number_of_virtual_network_links_with_registration","type":"bigint","description":"The current number of virtual networks that are linked to this Private DNS zone with registration enabled.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the resource. Possible values include: `Creating`, `Updating`, `Deleting`, `Succeeded`, `Failed`, `Canceled`.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type of the Private DNS zone.","operators":[]}],"description":"Azure Private DNS Zone","queriesCount":0,"examplesCount":2,"readme":"$8f"},{"name":"azure_private_endpoint","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"application_security_groups","type":"jsonb","description":"Application security groups in which the private endpoint IP configuration is included.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"custom_dns_configs","type":"jsonb","description":"An array of custom DNS configurations.","operators":[]},{"name":"custom_network_interface_name","type":"text","description":"The custom name of the network interface attached to the private endpoint.","operators":[]},{"name":"etag","type":"text","description":"A unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"extended_location","type":"jsonb","description":"The extended location of the private endpoint.","operators":[]},{"name":"id","type":"text","description":"The ID of the private endpoint.","operators":[]},{"name":"ip_configurations","type":"jsonb","description":"A list of IP configurations of the private endpoint.","operators":[]},{"name":"location","type":"text","description":"The location of the private endpoint.","operators":[]},{"name":"manual_private_link_service_connections","type":"jsonb","description":"A grouping of information about the connection to the remote resource. Used when the network admin does not have access to approve connections to the remote resource.","operators":[]},{"name":"name","type":"text","description":"The name of the private endpoint.","operators":["="]},{"name":"network_interfaces","type":"jsonb","description":"An array of references to the network interfaces created for this private endpoint.","operators":[]},{"name":"private_link_service_connections","type":"jsonb","description":"A grouping of information about the connection to the remote resource.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the private endpoint resource.","operators":[]},{"name":"region","type":"text","description":"The Azure region where the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group in which the resource is located.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subnet","type":"text","description":"The ID of the subnet from which the private IP will be allocated.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"Tags associated with the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the private endpoint.","operators":[]}],"description":"Azure Private Endpoint","queriesCount":0,"examplesCount":5,"readme":"$90"},{"name":"azure_provider","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a resource provider uniquely.","operators":[]},{"name":"namespace","type":"text","description":"The friendly name that identifies the resource provider.","operators":["="]},{"name":"registration_state","type":"text","description":"Contains the current registration state of the resource provider.","operators":[]},{"name":"resource_types","type":"jsonb","description":"A list of provider resource types.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]}],"description":"Azure Provider","queriesCount":0,"examplesCount":1,"readme":"$91"},{"name":"azure_public_ip","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"ddos_custom_policy_id","type":"text","description":"The DDoS custom policy associated with the public IP","operators":[]},{"name":"ddos_settings_protected_ip","type":"boolean","description":"Indicates whether DDoS protection is enabled on the public IP, or not","operators":[]},{"name":"ddos_settings_protection_coverage","type":"text","description":"The DDoS protection policy customizability of the public IP","operators":[]},{"name":"dns_settings_domain_name_label","type":"text","description":"Contains the domain name label","operators":[]},{"name":"dns_settings_fqdn","type":"text","description":"The Fully Qualified Domain Name of the A DNS record associated with the public IP","operators":[]},{"name":"dns_settings_reverse_fqdn","type":"text","description":"Contains the reverse FQDN","operators":[]},{"name":"etag","type":"text","description":"An unique read-only string that changes whenever the resource is updated","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a public ip uniquely","operators":[]},{"name":"idle_timeout_in_minutes","type":"bigint","description":"The idle timeout of the public IP address","operators":[]},{"name":"ip_address","type":"inet","description":"The IP address associated with the public IP address resource","operators":[]},{"name":"ip_configuration","type":"jsonb","description":"The IP configuration associated with the public IP address.","operators":[]},{"name":"ip_configuration_id","type":"text","description":"Contains the IP configuration ID","operators":[]},{"name":"ip_tags","type":"jsonb","description":"A list of tags associated with the public IP address","operators":[]},{"name":"linked_public_ip_address","type":"jsonb","description":"The linked public IP address of the public IP address resource.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the public ip","operators":["="]},{"name":"nat_gateway","type":"jsonb","description":"The NatGateway for the Public IP address.","operators":[]},{"name":"provisioning_state","type":"text","description":"The resource type of the public ip","operators":[]},{"name":"public_ip_address_version","type":"text","description":"Contains the public IP address version","operators":[]},{"name":"public_ip_allocation_method","type":"text","description":"Contains the public IP address allocation method","operators":[]},{"name":"public_ip_prefix_id","type":"text","description":"The Public IP Prefix this Public IP Address should be allocated from","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"resource_guid","type":"text","description":"The resource GUID property of the public ip resource","operators":[]},{"name":"service_public_ip_address","type":"jsonb","description":"The service public IP address of the public IP address resource.","operators":[]},{"name":"sku_name","type":"text","description":"Name of a public IP address SKU","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type of the public ip","operators":[]},{"name":"zones","type":"jsonb","description":"A collection of availability zones denoting the IP allocated for the resource needs to come from","operators":[]}],"description":"Azure Public IP","queriesCount":1,"examplesCount":3,"readme":"$92"},{"name":"azure_recovery_services_backup_job","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"etag","type":"text","description":"Optional ETag.","operators":[]},{"name":"id","type":"text","description":"Resource ID represents the complete path to the resource.","operators":[]},{"name":"name","type":"text","description":"Resource name associated with the resource.","operators":[]},{"name":"properties","type":"jsonb","description":"JobResource properties.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Resource type represents the complete path of the form Namespace/ResourceType/ResourceType/...","operators":[]},{"name":"vault_name","type":"text","description":"The recovery vault name.","operators":["="]}],"description":"Azure Recovery Services Backup Job","queriesCount":0,"examplesCount":1,"readme":"$93"},{"name":"azure_recovery_services_vault","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the recovery services vault.","operators":[]},{"name":"etag","type":"text","description":"An unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"id","type":"text","description":"The resource identifier.","operators":[]},{"name":"identity","type":"jsonb","description":"Managed service identity of the recovery services vault.","operators":[]},{"name":"name","type":"text","description":"The resource name.","operators":["="]},{"name":"private_endpoint_connections","type":"jsonb","description":"List of private endpoint connections of the recovery services vault.","operators":[]},{"name":"private_endpoint_state_for_backup","type":"text","description":"Private endpoint state for backup of the recovery services vault.","operators":[]},{"name":"private_endpoint_state_for_site_recovery","type":"text","description":"Private endpoint state for site recovery of the recovery services vault.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the recovery services vault.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sku_name","type":"text","description":"The sku name of the recovery services vault.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]},{"name":"upgrade_details","type":"jsonb","description":"Upgrade details properties of the recovery services vault.","operators":[]}],"description":"Azure Recovery Services Vault","queriesCount":3,"examplesCount":1,"readme":"$94"},{"name":"azure_redis_cache","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"access_keys","type":"jsonb","description":"The keys of the Redis cache.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"enable_non_ssl_port","type":"boolean","description":"Specifies whether the non-ssl Redis server port (6379) is enabled.","operators":[]},{"name":"host_name","type":"text","description":"Specifies the name of the redis host.","operators":[]},{"name":"id","type":"text","description":"The unique id identifying the resource in subscription.","operators":[]},{"name":"instances","type":"jsonb","description":"A list of the Redis instances associated with the cache.","operators":[]},{"name":"linked_servers","type":"jsonb","description":"A list of the linked servers associated with the cache.","operators":[]},{"name":"minimum_tls_version","type":"text","description":"Specifies the TLS version requires to connect.","operators":[]},{"name":"name","type":"text","description":"The name of the resource.","operators":["="]},{"name":"port","type":"bigint","description":"Specifies the redis non-SSL port.","operators":[]},{"name":"private_endpoint_connections","type":"jsonb","description":"A list of private endpoint connection associated with the specified redis cache.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the redis instance at the time the operation was called. Valid values are: 'Creating', 'Deleting', 'Disabled', 'Failed', 'Linking', 'Provisioning', 'RecoveringScaleFailure', 'Scaling', 'Succeeded', 'Unlinking', 'Unprovisioning', and 'Updating'.","operators":[]},{"name":"public_network_access","type":"text","description":"Indicates whether or not public endpoint access is allowed for this cache. Valid values are: 'Enabled', 'Disabled'.","operators":[]},{"name":"redis_configuration","type":"jsonb","description":"Describes the redis cache configuration.","operators":[]},{"name":"redis_version","type":"text","description":"Specifies the version.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"replicas_per_master","type":"bigint","description":"The number of replicas to be created per master.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"shard_count","type":"bigint","description":"The number of shards to be created on a premium cluster cache.","operators":[]},{"name":"sku_capacity","type":"bigint","description":"The size of the Redis cache to deploy.","operators":[]},{"name":"sku_family","type":"text","description":"The SKU family to use.","operators":[]},{"name":"sku_name","type":"text","description":"The type of Redis cache to deploy.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"ssl_port","type":"bigint","description":"Specifies the redis SSL port.","operators":[]},{"name":"static_ip","type":"inet","description":"Specifies the statis IP address. Required when deploying a Redis cache inside an existing Azure Virtual Network.","operators":[]},{"name":"subnet_id","type":"text","description":"The full resource ID of a subnet in a virtual network to deploy the Redis cache in.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"tenant_settings","type":"jsonb","description":"A dictionary of tenant settings.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource.","operators":[]},{"name":"zones","type":"jsonb","description":"A list of availability zones denoting where the resource needs to come from.","operators":[]}],"description":"Azure Redis Cache","queriesCount":5,"examplesCount":3,"readme":"$95"},{"name":"azure_resource","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"changed_time","type":"timestamp with time zone","description":"The changed time of the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"created_time","type":"timestamp with time zone","description":"The created time of the resource.","operators":[]},{"name":"extended_location","type":"jsonb","description":"Resource extended location.","operators":[]},{"name":"filter","type":"text","description":"The filter to apply on the operation.","operators":["="]},{"name":"id","type":"text","description":"Resource ID.","operators":["="]},{"name":"identity","type":"jsonb","description":"The identity of the resource.","operators":[]},{"name":"identity_principal_id","type":"text","description":"The principal ID of resource identity.","operators":["=","!="]},{"name":"kind","type":"text","description":"The kind of the resource.","operators":[]},{"name":"managed_by","type":"text","description":"ID of the resource that manages this resource.","operators":[]},{"name":"name","type":"text","description":"Resource name.","operators":["=","!="]},{"name":"plan_name","type":"text","description":"The plan ID.","operators":["=","!="]},{"name":"plan_product","type":"text","description":"The plan offer ID.","operators":["=","!="]},{"name":"plan_promotion_code","type":"text","description":"The plan promotion code.","operators":["=","!="]},{"name":"plan_publisher","type":"text","description":"The plan publisher ID.","operators":["=","!="]},{"name":"plan_version","type":"text","description":"The plan's version.","operators":["=","!="]},{"name":"properties","type":"jsonb","description":"The resource properties.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the resource.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":["=","!="]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["=","!="]},{"name":"sku","type":"jsonb","description":"The SKU of the resource.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Resource type.","operators":["=","!="]}],"description":"Azure Resource","queriesCount":0,"examplesCount":4,"readme":"$96"},{"name":"azure_resource_group","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a resource group uniquely.","operators":[]},{"name":"managed_by","type":"text","description":"Contains ID of the resource that manages this resource group.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the resource group.","operators":["="]},{"name":"provisioning_state","type":"text","description":"Current state of the resource group.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource group.","operators":[]}],"description":"Azure Resource Group","queriesCount":0,"examplesCount":2,"readme":"$97"},{"name":"azure_resource_link","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"id","type":"text","description":"The fully qualified ID of the resource link.","operators":["="]},{"name":"name","type":"text","description":"The name of the resource link.","operators":[]},{"name":"notes","type":"text","description":"Notes about the resource link.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":[]},{"name":"source_id","type":"text","description":"The fully qualified ID of the source resource in the link.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"target_id","type":"text","description":"The fully qualified ID of the target resource in the link.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource link type.","operators":[]}],"description":"Azure Resource Link","queriesCount":1,"examplesCount":1,"readme":"$98"},{"name":"azure_role_assignment","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"created_on","type":"timestamp with time zone","description":"Time it was created.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a role assignment uniquely.","operators":["="]},{"name":"name","type":"text","description":"The friendly name that identifies the role assignment.","operators":[]},{"name":"principal_id","type":"text","description":"Contains the principal id.","operators":[]},{"name":"principal_type","type":"text","description":"Principal type of the assigned principal ID.","operators":[]},{"name":"role_definition_id","type":"text","description":"Name of the assigned role definition.","operators":[]},{"name":"scope","type":"text","description":"Current state of the role assignment.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Contains the resource type.","operators":[]},{"name":"updated_on","type":"timestamp with time zone","description":"Time it was updated.","operators":[]}],"description":"Azure Role Assignment","queriesCount":9,"examplesCount":5,"readme":"$99"},{"name":"azure_role_definition","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"assignable_scopes","type":"jsonb","description":"A list of assignable scopes for which the role definition can be assigned.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"description","type":"text","description":"Description of the role definition.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a role definition uniquely.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the role definition.","operators":["="]},{"name":"permissions","type":"jsonb","description":"A list of actions, which can be accessed.","operators":[]},{"name":"role_name","type":"text","description":"Current state of the role definition.","operators":[]},{"name":"role_type","type":"text","description":"Name of the role definition.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Contains the resource type.","operators":[]}],"description":"Azure Role Definition","queriesCount":12,"examplesCount":5,"readme":"$9a"},{"name":"azure_route_table","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"disable_bgp_route_propagation","type":"boolean","description":"Indicates Whether to disable the routes learned by BGP on that route table. True means disable.","operators":[]},{"name":"etag","type":"text","description":"An unique read-only string that changes whenever the resource is updated","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a route table uniquely","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the route table","operators":["="]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the route table resource","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"routes","type":"jsonb","description":"A list of routes contained within a route table","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subnets","type":"jsonb","description":"A list of references to subnets","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource","operators":[]}],"description":"Azure Route Table","queriesCount":0,"examplesCount":3,"readme":"$9b"},{"name":"azure_search_service","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the search service.","operators":[]},{"name":"hosting_mode","type":"text","description":"Applicable only for the standard3 SKU. You can set this property to enable up to 3 high density partitions that allow up to 1000 indexes, which is much higher than the maximum indexes allowed for any other SKU. For the standard3 SKU, the value is either 'default' or 'highDensity'. For all other SKUs, this value must be 'default'. Possible values include: 'Default', 'HighDensity'.","operators":[]},{"name":"id","type":"text","description":"Fully qualified resource ID for the resource.","operators":[]},{"name":"identity","type":"jsonb","description":"The identity of the resource.","operators":[]},{"name":"name","type":"text","description":"The name of the resource.","operators":["="]},{"name":"network_rule_set","type":"jsonb","description":"Network specific rules that determine how the azure cognitive search service may be reached.","operators":[]},{"name":"partition_count","type":"bigint","description":"The number of partitions in the search service; if specified, it can be 1, 2, 3, 4, 6, or 12. Values greater than 1 are only valid for standard SKUs. For 'standard3' services with hostingMode set to 'highDensity', the allowed values are between 1 and 3.","operators":[]},{"name":"private_endpoint_connections","type":"jsonb","description":"The list of private endpoint connections to the azure cognitive search service.","operators":[]},{"name":"provisioning_state","type":"text","description":"The state of the last provisioning operation performed on the search service.","operators":[]},{"name":"public_network_access","type":"text","description":"This value can be set to 'enabled' to avoid breaking changes on existing customer resources and templates. If set to 'disabled', traffic over public interface is not allowed, and private endpoint connections would be the exclusive access method. Possible values include: 'Enabled', 'Disabled'.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"replica_count","type":"bigint","description":"The number of replicas in the search service. If specified, it must be a value between 1 and 12 inclusive for standard SKUs or between 1 and 3 inclusive for basic SKU.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"shared_private_link_resources","type":"jsonb","description":"The list of shared private link resources managed by the azure cognitive search service.","operators":[]},{"name":"sku_name","type":"text","description":"The SKU of the Search Service, which determines price tier and capacity limits. This property is required when creating a new search service.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"status","type":"text","description":"The status of the search service. Possible values include: 'running', deleting', 'provisioning', 'degraded', 'disabled', 'error' etc.","operators":[]},{"name":"status_details","type":"text","description":"The details of the search service status.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource.","operators":[]}],"description":"Azure Search Service","queriesCount":6,"examplesCount":1,"readme":"$9c"},{"name":"azure_security_center_auto_provisioning","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"auto_provision","type":"text","description":"Describes what kind of security agent provisioning action to take. Possible values include: On, Off","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"id","type":"text","description":"The resource id.","operators":[]},{"name":"name","type":"text","description":"The resource name.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]}],"description":"Azure Security Center Auto Provisioning","queriesCount":1,"examplesCount":1,"readme":"$9d"},{"name":"azure_security_center_automation","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"actions","type":"jsonb","description":"A collection of the actions which are triggered if all the configured rules evaluations, within at least one rule set, are true.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"description","type":"text","description":"The security automation description.","operators":[]},{"name":"etag","type":"text","description":"Entity tag is used for comparing two or more entities from the same requested resource.","operators":[]},{"name":"id","type":"text","description":"The resource id.","operators":[]},{"name":"is_enabled","type":"boolean","description":"Indicates whether the security automation is enabled.","operators":[]},{"name":"kind","type":"text","description":"Kind of the resource.","operators":[]},{"name":"name","type":"text","description":"The resource name.","operators":["="]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"scopes","type":"jsonb","description":"A collection of scopes on which the security automations logic is applied. Supported scopes are the subscription itself or a resource group under that subscription. The automation will only apply on defined scopes.","operators":[]},{"name":"sources","type":"jsonb","description":"A collection of the source event types which evaluate the security automation set of rules.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A list of key value pairs that describe the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource.","operators":[]}],"description":"Azure Security Center Automation","queriesCount":0,"examplesCount":2,"readme":"$9e"},{"name":"azure_security_center_contact","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"alert_notifications","type":"text","description":"Whether to send security alerts notifications to the security contact.","operators":[]},{"name":"alerts_to_admins","type":"text","description":"Whether to send security alerts notifications to subscription admins.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"email","type":"text","description":"The email of this security contact.","operators":[]},{"name":"id","type":"text","description":"The resource id.","operators":[]},{"name":"name","type":"text","description":"The resource name.","operators":["="]},{"name":"phone","type":"text","description":"The phone number of this security contact.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]}],"description":"Azure Security Center Contact","queriesCount":4,"examplesCount":1,"readme":"$9f"},{"name":"azure_security_center_jit_network_access_policy","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"id","type":"text","description":"The resource id.","operators":[]},{"name":"kind","type":"text","description":"Kind of the resource.","operators":[]},{"name":"name","type":"text","description":"The resource name.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the Just-in-Time policy.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]},{"name":"virtual_machines","type":"jsonb","description":"Configurations for Microsoft.Compute/virtualMachines resource type.","operators":[]}],"description":"Azure Security Center JIT Network Access Policy","queriesCount":1,"examplesCount":1,"readme":"$a0"},{"name":"azure_security_center_setting","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"enabled","type":"boolean","description":"Check if the setting is enabled.","operators":[]},{"name":"id","type":"text","description":"The resource id.","operators":[]},{"name":"kind","type":"text","description":"The kind of the setting.","operators":[]},{"name":"name","type":"text","description":"The resource name.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]}],"description":"Azure Security Center Setting","queriesCount":2,"examplesCount":1,"readme":"$a1"},{"name":"azure_security_center_sub_assessment","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"assessed_resource_type","type":"text","description":"Details of the sub-assessment.","operators":[]},{"name":"assessment_name","type":"text","description":"The assessment name.","operators":[]},{"name":"category","type":"text","description":"Category of the sub-assessment.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"container_registry_vulnerability_properties","type":"jsonb","description":"ContainerRegistryVulnerabilityProperties details of the resource that was assessed.","operators":[]},{"name":"description","type":"text","description":"Human readable description of the assessment status.","operators":[]},{"name":"display_name","type":"text","description":"User friendly display name of the sub-assessment.","operators":[]},{"name":"id","type":"text","description":"The resource id.","operators":[]},{"name":"impact","type":"text","description":"Description of the impact of this sub-assessment.","operators":[]},{"name":"name","type":"text","description":"The resource name.","operators":[]},{"name":"remediation","type":"text","description":"Information on how to remediate this sub-assessment.","operators":[]},{"name":"resource_details","type":"jsonb","description":"Details of the resource that was assessed.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":[]},{"name":"server_vulnerability_properties","type":"jsonb","description":"ServerVulnerabilityProperties details of the resource that was assessed.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"sql_server_vulnerability_properties","type":"jsonb","description":"SQLServerVulnerabilityProperties details of the resource that was assessed.","operators":[]},{"name":"status","type":"jsonb","description":"The status of the sub-assessment.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"time_generated","type":"text","description":"The date and time the sub-assessment was generated.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]}],"description":"Azure Security Center Sub Assessment","queriesCount":1,"examplesCount":4,"readme":"$a2"},{"name":"azure_security_center_subscription_pricing","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"free_trial_remaining_time","type":"text","description":"The duration left for the subscriptions free trial period.","operators":[]},{"name":"id","type":"text","description":"The pricing id.","operators":[]},{"name":"name","type":"text","description":"Name of the pricing.","operators":["="]},{"name":"pricing_tier","type":"text","description":"The pricing tier value. Azure Security Center is provided in two pricing tiers: free and standard, with the standard tier available with a trial period. The standard tier offers advanced security capabilities, while the free tier offers basic security features.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the pricing.","operators":[]}],"description":"Azure Security Center Subscription Pricing","queriesCount":15,"examplesCount":1,"readme":"$a3"},{"name":"azure_service_fabric_cluster","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"add_on_features","type":"jsonb","description":"The list of add-on features to enable in the cluster.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"available_cluster_versions","type":"jsonb","description":"The service fabric runtime versions available for this cluster.","operators":[]},{"name":"azure_active_directory","type":"jsonb","description":"The azure active directory authentication settings of the cluster.","operators":[]},{"name":"certificate","type":"jsonb","description":"The certificate to use for securing the cluster. The certificate provided will be used for node to node security within the cluster, SSL certificate for cluster management endpoint and default admin client.","operators":[]},{"name":"certificate_common_names","type":"jsonb","description":"Describes a list of server certificates referenced by common name that are used to secure the cluster.","operators":[]},{"name":"client_certificate_common_names","type":"jsonb","description":"The list of client certificates referenced by common name that are allowed to manage the cluster.","operators":[]},{"name":"client_certificate_thumbprints","type":"jsonb","description":"The list of client certificates referenced by thumbprint that are allowed to manage the cluster.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"cluster_code_version","type":"text","description":"The service fabric runtime version of the cluster. This property can only by set the user when **upgradeMode** is set to 'Manual'.","operators":[]},{"name":"cluster_endpoint","type":"text","description":"The azure resource provider endpoint. A system service in the cluster connects to this endpoint.","operators":[]},{"name":"cluster_id","type":"text","description":"A service generated unique identifier for the cluster resource.","operators":[]},{"name":"cluster_state","type":"text","description":"The current state of the cluster. Possible values include: 'WaitingForNodes', 'Deploying', 'BaselineUpgrade', 'UpdatingUserConfiguration', 'UpdatingUserCertificate', 'UpdatingInfrastructure', 'EnforcingClusterVersion', 'UpgradeServiceUnreachable', 'AutoScale', 'Ready'.","operators":[]},{"name":"diagnostics_storage_account_config","type":"jsonb","description":"The storage account information for storing service fabric diagnostic logs.","operators":[]},{"name":"etag","type":"text","description":"Azure resource etag.","operators":[]},{"name":"event_store_service_enabled","type":"boolean","description":"Indicates if the event store service is enabled.","operators":[]},{"name":"fabric_settings","type":"jsonb","description":"The list of custom fabric settings to configure the cluster.","operators":[]},{"name":"id","type":"text","description":"Azure resource identifier.","operators":[]},{"name":"management_endpoint","type":"text","description":"The http management endpoint of the cluster.","operators":[]},{"name":"name","type":"text","description":"Azure resource name.","operators":["="]},{"name":"node_types","type":"jsonb","description":"The list of node types in the cluster.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the cluster resource. Possible values include: 'Updating', 'Succeeded', 'Failed', 'Canceled'.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"reliability_level","type":"text","description":"The reliability level sets the replica set size of system services. Possible values include: 'None', 'Bronze', 'Silver', 'Gold', 'Platinum'.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"reverse_proxy_certificate","type":"jsonb","description":"The server certificate used by reverse proxy.","operators":[]},{"name":"reverse_proxy_certificate_common_names","type":"jsonb","description":"Describes a list of server certificates referenced by common name that are used to secure the cluster.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Azure resource type.","operators":[]},{"name":"upgrade_description","type":"jsonb","description":"The policy to use when upgrading the cluster.","operators":[]},{"name":"upgrade_mode","type":"text","description":"The upgrade mode of the cluster when new service fabric runtime version is available. Possible values include: 'Automatic', 'Manual'.","operators":[]},{"name":"vm_image","type":"text","description":"The VM image VMSS has been configured with. Generic names such as Windows or Linux can be used.","operators":[]}],"description":"Azure Service Fabric Cluster","queriesCount":2,"examplesCount":4,"readme":"$a4"},{"name":"azure_servicebus_namespace","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"authorization_rules","type":"jsonb","description":"The authorization rules for a namespace.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"created_at","type":"timestamp with time zone","description":"The time the namespace was created.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the servicebus namespace.","operators":[]},{"name":"disable_local_auth","type":"boolean","description":"This property disables SAS authentication for the Service Bus namespace.","operators":[]},{"name":"encryption","type":"jsonb","description":"Specifies the properties of BYOK encryption configuration. Customer-managed key encryption at rest (Bring Your Own Key) is only available on Premium namespaces.","operators":[]},{"name":"id","type":"text","description":"The unique id identifying the resource in subscription.","operators":[]},{"name":"metric_id","type":"text","description":"The identifier for Azure insights metrics.","operators":[]},{"name":"name","type":"text","description":"The name of the resource.","operators":["="]},{"name":"network_rule_set","type":"jsonb","description":"Describes the network rule set for specified namespace. The ServiceBus Namespace must be Premium in order to attach a ServiceBus Namespace Network Rule Set.","operators":[]},{"name":"private_endpoint_connections","type":"jsonb","description":"The private endpoint connections of the namespace.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the namespace.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"servicebus_endpoint","type":"text","description":"Specifies the endpoint used to perform Service Bus operations.","operators":[]},{"name":"sku_capacity","type":"bigint","description":"The specified messaging units for the tier. For Premium tier, capacity are 1,2 and 4.","operators":[]},{"name":"sku_name","type":"text","description":"Name of this SKU. Valid valuer are: 'Basic', 'Standard', 'Premium'.","operators":[]},{"name":"sku_tier","type":"text","description":"The billing tier of this particular SKU. Valid values are: 'Basic', 'Standard', 'Premium'.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"status","type":"text","description":"Status of the namespace.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource.","operators":[]},{"name":"updated_at","type":"timestamp with time zone","description":"The time the namespace was updated.","operators":[]},{"name":"zone_redundant","type":"boolean","description":"Enabling this property creates a Premium Service Bus Namespace in regions supported availability zones.","operators":[]}],"description":"Azure ServiceBus Namespace","queriesCount":6,"examplesCount":6,"readme":"$a5"},{"name":"azure_signalr_service","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"cors","type":"jsonb","description":"Cross-Origin Resource Sharing (CORS) settings of the resource.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the SignalR service.","operators":[]},{"name":"external_ip","type":"text","description":"The publicly accessible IP of the SignalR service.","operators":[]},{"name":"features","type":"jsonb","description":"List of SignalR feature flags.","operators":[]},{"name":"host_name","type":"text","description":"FQDN of the SignalR service instance.","operators":[]},{"name":"host_name_prefix","type":"text","description":"Prefix for the host name of the SignalR service.","operators":[]},{"name":"id","type":"text","description":"Fully qualified resource ID for the resource.","operators":[]},{"name":"kind","type":"text","description":"The kind of the service. Possible values include: 'SignalR', 'RawWebSockets'.","operators":[]},{"name":"name","type":"text","description":"The name of the resource.","operators":["="]},{"name":"network_acls","type":"jsonb","description":"Network ACLs of the resource.","operators":[]},{"name":"private_endpoint_connections","type":"jsonb","description":"Private endpoint connections to the SignalR resource.","operators":[]},{"name":"provisioning_state","type":"text","description":"Provisioning state of the resource. Possible values include: 'Unknown', 'Succeeded', 'Failed', 'Canceled', 'Running', 'Creating', 'Updating', 'Deleting', 'Moving'.","operators":[]},{"name":"public_port","type":"bigint","description":"The publicly accessible port of the SignalR service which is designed for browser/client side usage.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"server_port","type":"bigint","description":"The publicly accessible port of the SignalR service which is designed for customer server side usage.","operators":[]},{"name":"sku","type":"jsonb","description":"The billing information of the resource.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource.","operators":[]},{"name":"upstream","type":"jsonb","description":"Upstream settings when the Azure SignalR is in server-less mode.","operators":[]},{"name":"version","type":"text","description":"Version of the SignalR resource.","operators":[]}],"description":"Azure SignalR Service","queriesCount":2,"examplesCount":2,"readme":"$a6"},{"name":"azure_spring_cloud_service","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the resource.","operators":[]},{"name":"id","type":"text","description":"Fully qualified resource Id for the resource.","operators":[]},{"name":"name","type":"text","description":"The name of the resource.","operators":["="]},{"name":"network_profile","type":"jsonb","description":"Network profile of the service.","operators":[]},{"name":"provisioning_state","type":"text","description":"Provisioning state of the Service. Possible values include: 'Creating', 'Updating', 'Deleting', 'Deleted', 'Succeeded', 'Failed', 'Moving', 'Moved', 'MoveFailed'.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"service_id","type":"text","description":"Service instance entity GUID which uniquely identifies a created resource.","operators":[]},{"name":"sku_capacity","type":"bigint","description":"Current capacity of the target resource.","operators":[]},{"name":"sku_name","type":"text","description":"Name of the Sku.","operators":[]},{"name":"sku_tier","type":"text","description":"Tier of the Sku.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource.","operators":[]},{"name":"version","type":"bigint","description":"Version of the service.","operators":[]}],"description":"Azure Spring Cloud Service","queriesCount":1,"examplesCount":1,"readme":"$a7"},{"name":"azure_sql_database","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"audit_policy","type":"jsonb","description":"The database blob auditing policy.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"collation","type":"text","description":"The collation of the database.","operators":[]},{"name":"containment_state","type":"bigint","description":"The containment state of the database.","operators":[]},{"name":"create_mode","type":"text","description":"Specifies the mode of database creation.","operators":[]},{"name":"creation_date","type":"timestamp with time zone","description":"The creation date of the database.","operators":[]},{"name":"current_service_objective_id","type":"text","description":"The current service level objective ID of the database.","operators":[]},{"name":"database_id","type":"text","description":"The ID of the database.","operators":[]},{"name":"default_secondary_location","type":"text","description":"The default secondary region for this database.","operators":[]},{"name":"earliest_restore_date","type":"timestamp with time zone","description":"This records the earliest start date and time that restore is available for this database.","operators":[]},{"name":"edition","type":"text","description":"The edition of the database.","operators":[]},{"name":"elastic_pool_name","type":"text","description":"The name of the elastic pool the database is in.","operators":[]},{"name":"failover_group_id","type":"text","description":"The resource identifier of the failover group containing this database.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a database uniquely.","operators":[]},{"name":"kind","type":"text","description":"Kind of the database.","operators":[]},{"name":"location","type":"text","description":"Location of the database.","operators":[]},{"name":"max_size_bytes","type":"text","description":"The max size of the database expressed in bytes.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the database.","operators":["="]},{"name":"read_scale","type":"text","description":"ReadScale indicates whether read-only connections are allowed to this database or not if the database is a geo-secondary.","operators":[]},{"name":"recommended_index","type":"jsonb","description":"The recommended indices for this database.","operators":[]},{"name":"recovery_services_recovery_point_resource_id","type":"text","description":"Specifies the resource ID of the recovery point to restore from if createMode is RestoreLongTermRetentionBackup.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"requested_service_objective_id","type":"text","description":"The configured service level objective ID of the database.","operators":[]},{"name":"requested_service_objective_name","type":"text","description":"The name of the configured service level objective of the database.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"restore_point_in_time","type":"timestamp with time zone","description":"Specifies the point in time of the source database that will be restored to create the new database.","operators":[]},{"name":"retention_policy_id","type":"text","description":"Retention policy ID.","operators":[]},{"name":"retention_policy_name","type":"text","description":"Retention policy Name.","operators":[]},{"name":"retention_policy_property","type":"jsonb","description":"Long term Retention policy Property.","operators":[]},{"name":"retention_policy_type","type":"text","description":"Long term Retention policy Type.","operators":[]},{"name":"sample_name","type":"jsonb","description":"Indicates the name of the sample schema to apply when creating this database.","operators":[]},{"name":"server_name","type":"text","description":"The name of the parent server of the database.","operators":["="]},{"name":"service_level_objective","type":"jsonb","description":"The current service level objective of the database.","operators":[]},{"name":"service_tier_advisors","type":"jsonb","description":"The list of service tier advisors for this database.","operators":[]},{"name":"source_database_deletion_date","type":"timestamp with time zone","description":"Specifies the time that the database was deleted when createMode is Restore and sourceDatabaseId is the deleted database's original resource id.","operators":[]},{"name":"source_database_id","type":"text","description":"Specifies the resource ID of the source database if createMode is Copy, NonReadableSecondary, OnlineSecondary, PointInTimeRestore, Recovery, or Restore.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"status","type":"text","description":"The status of the database.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"transparent_data_encryption","type":"jsonb","description":"The transparent data encryption info for this database.","operators":[]},{"name":"type","type":"text","description":"Type of the database.","operators":[]},{"name":"vulnerability_assessment_scan_records","type":"jsonb","description":"The vulnerability assessment scan records for this database.","operators":[]},{"name":"vulnerability_assessments","type":"jsonb","description":"The vulnerability assessments for this database.","operators":[]},{"name":"zone_redundant","type":"boolean","description":"Indicates if the database is zone redundant or not.","operators":[]}],"description":"Azure SQL Database","queriesCount":4,"examplesCount":2,"readme":"$a8"},{"name":"azure_sql_server","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"administrator_login","type":"text","description":"Specifies the username of the administrator for this server.","operators":[]},{"name":"administrator_login_password","type":"text","description":"The administrator login password.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"encryption_protector","type":"jsonb","description":"The server encryption protector.","operators":[]},{"name":"firewall_rules","type":"jsonb","description":"A list of firewall rules fro this server.","operators":[]},{"name":"fully_qualified_domain_name","type":"text","description":"The fully qualified domain name of the server.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a SQL server uniquely.","operators":[]},{"name":"kind","type":"text","description":"The Kind of sql server.","operators":[]},{"name":"location","type":"text","description":"The resource location.","operators":[]},{"name":"minimal_tls_version","type":"text","description":"Minimal TLS version. Allowed values: '1.0', '1.1', '1.2'.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the SQL server.","operators":["="]},{"name":"private_endpoint_connections","type":"jsonb","description":"The private endpoint connections of the sql server.","operators":[]},{"name":"public_network_access","type":"text","description":"Whether or not public endpoint access is allowed for this server.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"server_audit_policy","type":"jsonb","description":"Specifies the audit policy configuration for server.","operators":[]},{"name":"server_azure_ad_administrator","type":"jsonb","description":"Specifies the active directory administrator.","operators":[]},{"name":"server_security_alert_policy","type":"jsonb","description":"Specifies the security alert policy configuration for server.","operators":[]},{"name":"server_vulnerability_assessment","type":"jsonb","description":"Specifies the server's vulnerability assessment.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"state","type":"text","description":"The state of the server.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"tags_src","type":"jsonb","description":"Specifies the set of tags attached to the server.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The resource type of the SQL server.","operators":[]},{"name":"version","type":"text","description":"The version of the server.","operators":[]},{"name":"virtual_network_rules","type":"jsonb","description":"A list of virtual network rules for this server.","operators":[]}],"description":"Azure SQL Server","queriesCount":17,"examplesCount":6,"readme":"$a9"},{"name":"azure_storage_account","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"access_keys","type":"jsonb","description":"The list of access keys or Kerberos keys (if active directory enabled) for the specified storage account.","operators":[]},{"name":"access_tier","type":"text","description":"The access tier used for billing.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"allow_blob_public_access","type":"boolean","description":"Specifies whether allow or disallow public access to all blobs or containers in the storage account.","operators":[]},{"name":"blob_change_feed_enabled","type":"boolean","description":"Specifies whether change feed event logging is enabled for the Blob service.","operators":[]},{"name":"blob_container_soft_delete_enabled","type":"boolean","description":"Specifies whether DeleteRetentionPolicy is enabled.","operators":[]},{"name":"blob_container_soft_delete_retention_days","type":"bigint","description":"Indicates the number of days that the deleted item should be retained.","operators":[]},{"name":"blob_restore_policy_days","type":"bigint","description":"Specifies how long the blob can be restored.","operators":[]},{"name":"blob_restore_policy_enabled","type":"boolean","description":"Specifies whether blob restore is enabled.","operators":[]},{"name":"blob_service_logging","type":"jsonb","description":"Specifies the blob service properties for logging access.","operators":[]},{"name":"blob_soft_delete_enabled","type":"boolean","description":"Specifies whether DeleteRetentionPolicy is enabled.","operators":[]},{"name":"blob_soft_delete_retention_days","type":"bigint","description":"Indicates the number of days that the deleted item should be retained.","operators":[]},{"name":"blob_versioning_enabled","type":"boolean","description":"Specifies whether versioning is enabled.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"creation_time","type":"timestamp with time zone","description":"Creation date and time of the storage account.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the storage account.","operators":[]},{"name":"enable_https_traffic_only","type":"boolean","description":"Allows https traffic only to storage service if sets to true.","operators":[]},{"name":"encryption_key_source","type":"text","description":"Contains the encryption keySource (provider).","operators":[]},{"name":"encryption_key_vault_properties_key_current_version_id","type":"text","description":"The object identifier of the current versioned Key Vault Key in use.","operators":[]},{"name":"encryption_key_vault_properties_key_name","type":"text","description":"The name of KeyVault key.","operators":[]},{"name":"encryption_key_vault_properties_key_vault_uri","type":"text","description":"The Uri of KeyVault.","operators":[]},{"name":"encryption_key_vault_properties_key_version","type":"text","description":"The version of KeyVault key.","operators":[]},{"name":"encryption_key_vault_properties_last_rotation_time","type":"timestamp with time zone","description":"Timestamp of last rotation of the Key Vault Key.","operators":[]},{"name":"encryption_scope","type":"jsonb","description":"Encryption scope details for the storage account.","operators":[]},{"name":"encryption_services","type":"jsonb","description":"A list of services which support encryption.","operators":[]},{"name":"failover_in_progress","type":"boolean","description":"Specifies whether the failover is in progress.","operators":[]},{"name":"file_soft_delete_enabled","type":"boolean","description":"Specifies whether DeleteRetentionPolicy is enabled.","operators":[]},{"name":"file_soft_delete_retention_days","type":"bigint","description":"Indicates the number of days that the deleted item should be retained.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a storage account uniquely.","operators":[]},{"name":"is_hns_enabled","type":"boolean","description":"Specifies whether account HierarchicalNamespace is enabled.","operators":[]},{"name":"kind","type":"text","description":"The kind of the resource.","operators":[]},{"name":"lifecycle_management_policy","type":"jsonb","description":"The managementpolicy associated with the specified storage account.","operators":[]},{"name":"minimum_tls_version","type":"text","description":"Contains the minimum TLS version to be permitted on requests to storage.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the storage account.","operators":["="]},{"name":"network_ip_rules","type":"jsonb","description":"A list of IP ACL rules.","operators":[]},{"name":"network_rule_bypass","type":"text","description":"Specifies whether traffic is bypassed for Logging/Metrics/AzureServices.","operators":[]},{"name":"network_rule_default_action","type":"text","description":"Specifies the default action of allow or deny when no other rules match.","operators":[]},{"name":"primary_blob_endpoint","type":"text","description":"Contains the blob endpoint.","operators":[]},{"name":"primary_dfs_endpoint","type":"text","description":"Contains the dfs endpoint.","operators":[]},{"name":"primary_file_endpoint","type":"text","description":"Contains the file endpoint.","operators":[]},{"name":"primary_location","type":"text","description":"Contains the location of the primary data center for the storage account.","operators":[]},{"name":"primary_queue_endpoint","type":"text","description":"Contains the queue endpoint.","operators":[]},{"name":"primary_table_endpoint","type":"text","description":"Contains the table endpoint.","operators":[]},{"name":"primary_web_endpoint","type":"text","description":"Contains the web endpoint.","operators":[]},{"name":"private_endpoint_connections","type":"jsonb","description":"A list of private endpoint connection associated with the specified storage account.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the storage account resource.","operators":[]},{"name":"public_network_access","type":"text","description":"Allow or disallow public network access to Storage Account. Value is optional but if passed in, must be Enabled or Disabled.","operators":[]},{"name":"queue_logging_delete","type":"boolean","description":"Specifies whether all delete requests should be logged.","operators":[]},{"name":"queue_logging_read","type":"boolean","description":"Specifies whether all read requests should be logged.","operators":[]},{"name":"queue_logging_retention_days","type":"bigint","description":"Indicates the number of days that metrics or logging data should be retained.","operators":[]},{"name":"queue_logging_retention_enabled","type":"boolean","description":"Specifies whether a retention policy is enabled for the storage service.","operators":[]},{"name":"queue_logging_version","type":"text","description":"The version of Storage Analytics to configure.","operators":[]},{"name":"queue_logging_write","type":"boolean","description":"Specifies whether all write requests should be logged.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"require_infrastructure_encryption","type":"boolean","description":"Specifies whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"secondary_location","type":"text","description":"Contains the location of the geo-replicated secondary for the storage account.","operators":[]},{"name":"sku_name","type":"text","description":"Contains sku name of the storage account.","operators":[]},{"name":"sku_tier","type":"text","description":"Contains sku tier of the storage account.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"status_of_primary","type":"text","description":"The status indicating whether the primary location of the storage account is available or unavailable. Possible values include: 'available', 'unavailable'.","operators":[]},{"name":"status_of_secondary","type":"text","description":"The status indicating whether the secondary location of the storage account is available or unavailable. Only available if the SKU name is Standard_GRS or Standard_RAGRS. Possible values include: 'available', 'unavailable'.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"table_logging_delete","type":"boolean","description":"Indicates whether all delete requests should be logged.","operators":[]},{"name":"table_logging_read","type":"boolean","description":"Indicates whether all read requests should be logged.","operators":[]},{"name":"table_logging_retention_policy","type":"jsonb","description":"The retention policy.","operators":[]},{"name":"table_logging_version","type":"text","description":"The version of Analytics to configure.","operators":[]},{"name":"table_logging_write","type":"boolean","description":"Indicates whether all write requests should be logged.","operators":[]},{"name":"table_properties","type":"jsonb","description":"Azure Analytics Logging settings of tables.","operators":[]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource.","operators":[]},{"name":"virtual_network_rules","type":"jsonb","description":"A list of virtual network rules.","operators":[]}],"description":"Azure Storage Account","queriesCount":24,"examplesCount":10,"readme":"$aa"},{"name":"azure_storage_blob","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"access_tier","type":"text","description":"The tier of the blob.","operators":[]},{"name":"access_tier_change_time","type":"timestamp with time zone","description":"Species the time, when the access tier has been updated.","operators":[]},{"name":"access_tier_inferred","type":"boolean","description":"Indicates whether the access tier was inferred by the service.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"archive_status","type":"text","description":"Specifies the archive status of the blob.","operators":[]},{"name":"blob_sequence_number","type":"bigint","description":"Specifies the sequence number for page blob used for coordinating concurrent writes.","operators":[]},{"name":"blob_tag_set","type":"jsonb","description":"A list of blob tags.","operators":[]},{"name":"cache_control","type":"text","description":"Indicates the cache control specified for the blob.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"container_name","type":"text","description":"The friendly name that identifies the container, in which the blob has been uploaded.","operators":[]},{"name":"content_disposition","type":"text","description":"Specifies additional information about how to process the response payload, and also can be used to attach additional metadata.","operators":[]},{"name":"content_encoding","type":"text","description":"Indicates content encoding specified for the blob.","operators":[]},{"name":"content_language","type":"text","description":"Indicates content language specified for the blob.","operators":[]},{"name":"content_length","type":"bigint","description":"Specifies the size of the content returned.","operators":[]},{"name":"content_md5","type":"jsonb","description":"If the content_md5 has been set for the blob, this response header is stored so that the client can check for message content integrity.","operators":[]},{"name":"content_type","type":"text","description":"Specifies the content type specified for the blob. If no content type was specified, the default content type is application/octet-stream.","operators":[]},{"name":"copy_completion_time","type":"timestamp with time zone","description":"Conclusion time of the last attempted Copy Blob operation where this blob was the destination blob.","operators":[]},{"name":"copy_id","type":"text","description":"A String identifier for the last attempted Copy Blob operation where this blob was the destination blob.","operators":[]},{"name":"copy_progress","type":"text","description":"Contains the number of bytes copied and the total bytes in the source in the last attempted Copy Blob operation where this blob was the destination blob.","operators":[]},{"name":"copy_source","type":"text","description":"An URL up to 2 KB in length that specifies the source blob used in the last attempted Copy Blob operation where this blob was the destination blob.","operators":[]},{"name":"copy_status","type":"text","description":"Specifies the state of the copy operation identified by Copy ID.","operators":[]},{"name":"copy_status_description","type":"text","description":"Describes cause of fatal or non-fatal copy operation failure.","operators":[]},{"name":"creation_time","type":"timestamp with time zone","description":"Indicates the time, when the blob was uploaded.","operators":[]},{"name":"deleted","type":"boolean","description":"Specifies whether the blob was deleted, or not.","operators":[]},{"name":"deleted_time","type":"timestamp with time zone","description":"Specifies the deletion time of blob container.","operators":[]},{"name":"destination_snapshot","type":"text","description":"Included if the blob is incremental copy blob or incremental copy snapshot, if x-ms-copy-status is success. Snapshot time of the last successful incremental copy snapshot for this blob.","operators":[]},{"name":"encryption_key_sha256","type":"text","description":"The SHA-256 hash of the provided encryption key.","operators":[]},{"name":"encryption_scope","type":"text","description":"The name of the encryption scope under which the blob is encrypted.","operators":[]},{"name":"etag","type":"text","description":"An unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"incremental_copy","type":"boolean","description":"Copies the snapshot of the source page blob to a destination page blob. The snapshot is copied such that only the differential changes between the previously copied snapshot are transferred to the destination.","operators":[]},{"name":"is_current_version","type":"boolean","description":"Specifies whether the blob container was deleted, or not.","operators":[]},{"name":"is_sealed","type":"boolean","description":"Indicate if the append blob is sealed or not.","operators":[]},{"name":"is_snapshot","type":"boolean","description":"Specifies whether the resource is snapshot of a blob, or not.","operators":[]},{"name":"last_modified","type":"timestamp with time zone","description":"Specifies the date and time the container was last modified.","operators":[]},{"name":"lease_duration","type":"text","description":"Specifies whether the lease is of infinite or fixed duration, when a blob is leased.","operators":[]},{"name":"lease_state","type":"text","description":"Specifies lease state of the blob.","operators":[]},{"name":"lease_status","type":"text","description":"Specifies the lease status of the blob.","operators":[]},{"name":"metadata","type":"jsonb","description":"A name-value pair to associate with the container as metadata.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the blob.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"remaining_retention_days","type":"bigint","description":"The number of days that the blob will be retained before being permanently deleted by the service.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"server_encrypted","type":"boolean","description":"Indicates whether the blob is encrypted on the server, or not.","operators":[]},{"name":"snapshot","type":"text","description":"Specifies the time, when the snapshot is taken.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"storage_account_name","type":"text","description":"The friendly name that identifies the storage account, in which the blob is located.","operators":["="]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Specifies the type of the blob.","operators":[]},{"name":"version_id","type":"text","description":"Specifies the version id.","operators":[]}],"description":"Azure Storage Blob","queriesCount":0,"examplesCount":1,"readme":"$ab"},{"name":"azure_storage_blob_service","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"automatic_snapshot_policy_enabled","type":"boolean","description":"Specifies whether automatic snapshot creation is enabled, or not","operators":[]},{"name":"change_feed_enabled","type":"boolean","description":"Specifies whether change feed event logging is enabled for the Blob service","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"container_delete_retention_policy","type":"jsonb","description":"The blob service properties for container soft delete","operators":[]},{"name":"cors_rules","type":"jsonb","description":"A list of CORS rules for a storage account’s Blob service","operators":[]},{"name":"default_service_version","type":"text","description":"Indicates the default version to use for requests to the Blob service if an incoming request’s version is not specified","operators":[]},{"name":"delete_retention_policy","type":"jsonb","description":"The blob service properties for blob soft delete","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a blob uniquely","operators":[]},{"name":"is_versioning_enabled","type":"boolean","description":"Specifies whether the versioning is enabled, or not","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the blob","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"restore_policy","type":"jsonb","description":"The blob service properties for blob restore policy","operators":[]},{"name":"sku_name","type":"text","description":"The sku name","operators":[]},{"name":"sku_tier","type":"text","description":"Contains the sku tier","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"storage_account_name","type":"text","description":"A unique read-only string that changes whenever the resource is updated","operators":["="]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource","operators":[]}],"description":"Azure Storage Blob Service","queriesCount":0,"examplesCount":3,"readme":"$ac"},{"name":"azure_storage_container","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"account_name","type":"text","description":"The friendly name that identifies the storage account.","operators":["="]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"default_encryption_scope","type":"text","description":"Default the container to use specified encryption scope for all writes.","operators":[]},{"name":"deleted","type":"boolean","description":"Indicates whether the blob container was deleted.","operators":[]},{"name":"deleted_time","type":"timestamp with time zone","description":"Specifies the time when the container was deleted.","operators":[]},{"name":"deny_encryption_scope_override","type":"boolean","description":"Indicates whether block override of encryption scope from the container default, or not.","operators":[]},{"name":"has_immutability_policy","type":"boolean","description":"The hasImmutabilityPolicy public property is set to true by SRP if ImmutabilityPolicy has been created for this container. The hasImmutabilityPolicy public property is set to false by SRP if ImmutabilityPolicy has not been created for this container.","operators":[]},{"name":"has_legal_hold","type":"boolean","description":"The hasLegalHold public property is set to true by SRP if there are at least one existing tag. The hasLegalHold public property is set to false by SRP if all existing legal hold tags are cleared out. There can be a maximum of 1000 blob containers with hasLegalHold=true for a given account.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a container uniquely.","operators":[]},{"name":"immutability_policy","type":"jsonb","description":"The ImmutabilityPolicy property of the container.","operators":[]},{"name":"last_modified_time","type":"timestamp with time zone","description":"Specifies the date and time the container was last modified.","operators":[]},{"name":"lease_duration","type":"text","description":"Specifies whether the lease on a container is of infinite or fixed duration, only when the container is leased. Possible values are: 'Infinite', 'Fixed'.","operators":[]},{"name":"lease_state","type":"text","description":"Specifies the lease state of the container.","operators":[]},{"name":"lease_status","type":"text","description":"Specifies the lease status of the container.","operators":[]},{"name":"legal_hold","type":"jsonb","description":"The LegalHold property of the container.","operators":[]},{"name":"metadata","type":"jsonb","description":"A name-value pair to associate with the container as metadata.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the container.","operators":["="]},{"name":"public_access","type":"text","description":"Specifies whether data in the container may be accessed publicly and the level of access.","operators":[]},{"name":"remaining_retention_days","type":"bigint","description":"Remaining retention days for soft deleted blob container.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Specifies the type of the container.","operators":[]},{"name":"version","type":"text","description":"The version of the deleted blob container.","operators":[]}],"description":"Azure Storage Container","queriesCount":5,"examplesCount":6,"readme":"$ad"},{"name":"azure_storage_queue","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a queue uniquely.","operators":[]},{"name":"metadata","type":"jsonb","description":"A name-value pair that represents queue metadata.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the queue.","operators":["="]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"storage_account_name","type":"text","description":"An unique read-only string that changes whenever the resource is updated.","operators":["="]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource.","operators":[]}],"description":"Azure Storage Queue","queriesCount":0,"examplesCount":2,"readme":"$ae"},{"name":"azure_storage_share_file","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"access_tier","type":"text","description":"Access tier for specific share. GpV2 account can choose between TransactionOptimized (default), Hot, and Cool.","operators":[]},{"name":"access_tier_change_time","type":"timestamp with time zone","description":"Indicates the last modification time for share access tier.","operators":[]},{"name":"access_tier_status","type":"text","description":"Indicates if there is a pending transition for access tier.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"deleted","type":"boolean","description":"Indicates whether the share was deleted.","operators":[]},{"name":"deleted_time","type":"timestamp with time zone","description":"The deleted time if the share was deleted.","operators":[]},{"name":"enabled_protocols","type":"text","description":"The authentication protocol that is used for the file share. Can only be specified when creating a share. Possible values include: 'SMB', 'NFS'.","operators":[]},{"name":"id","type":"text","description":"Fully qualified resource ID for the resource.","operators":[]},{"name":"last_modified_time","type":"timestamp with time zone","description":"Returns the date and time the share was last modified.","operators":[]},{"name":"metadata","type":"jsonb","description":"A name-value pair to associate with the share as metadata.","operators":[]},{"name":"name","type":"text","description":"The name of the resource.","operators":["="]},{"name":"remaining_retention_days","type":"bigint","description":"Remaining retention days for share that was soft deleted.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"root_squash","type":"text","description":"The property is for NFS share only. The default is NoRootSquash. Possible values include: 'NoRootSquash', 'RootSquash', 'AllSquash'.","operators":[]},{"name":"share_quota","type":"bigint","description":"The maximum size of the share, in gigabytes. Must be greater than 0, and less than or equal to 5TB (5120). For Large File Shares, the maximum size is 102400.","operators":[]},{"name":"share_usage_bytes","type":"bigint","description":"The approximate size of the data stored on the share. Note that this value may not include all recently created or recently resized files.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"storage_account_name","type":"text","description":"The name of the storage account.","operators":["="]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource.","operators":[]},{"name":"version","type":"text","description":"The version of the share.","operators":[]}],"description":"Azure Storage Share File","queriesCount":0,"examplesCount":2,"readme":"$af"},{"name":"azure_storage_sync","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"id","type":"text","description":"Fully qualified resource id for the resource.","operators":[]},{"name":"incoming_traffic_policy","type":"text","description":"The incoming traffic policy of the storage sync service. Possible values include: 'AllowAllTraffic', 'AllowVirtualNetworksOnly'.","operators":[]},{"name":"last_operation_name","type":"text","description":"The last operation name of the storage sync service.","operators":[]},{"name":"last_workflow_id","type":"text","description":"The last workflow id of the storage sync service.","operators":[]},{"name":"name","type":"text","description":"The name of the resource.","operators":["="]},{"name":"private_endpoint_connections","type":"jsonb","description":"List of private endpoint connection associated with the specified storage sync service.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the storage sync service.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"storage_sync_service_status","type":"bigint","description":"The status of the storage sync service.","operators":[]},{"name":"storage_sync_service_uid","type":"text","description":"The uid of the storage sync service.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource.","operators":[]}],"description":"Azure Storage Sync","queriesCount":1,"examplesCount":2,"readme":"$b0"},{"name":"azure_storage_table","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a table service uniquely","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the table service","operators":["="]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"storage_account_name","type":"text","description":"An unique read-only string that changes whenever the resource is updated","operators":["="]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource","operators":[]}],"description":"Azure Storage Table","queriesCount":0,"examplesCount":0,"readme":"$b1"},{"name":"azure_storage_table_service","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"cors_rules","type":"jsonb","description":"A list of CORS rules","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a table service uniquely","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the table service","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"storage_account_name","type":"text","description":"An unique read-only string that changes whenever the resource is updated","operators":["="]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource","operators":[]}],"description":"Azure Storage Table Service","queriesCount":0,"examplesCount":1,"readme":"$b2"},{"name":"azure_stream_analytics_job","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"compatibility_level","type":"text","description":"Controls certain runtime behaviors of the streaming job.","operators":[]},{"name":"created_date","type":"timestamp with time zone","description":"Specifies the time when the stream analytics job was created.","operators":[]},{"name":"data_locale","type":"text","description":"The data locale of the stream analytics job.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the streaming job.","operators":[]},{"name":"etag","type":"text","description":"An unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"events_late_arrival_max_delay_in_seconds","type":"bigint","description":"The maximum tolerable delay in seconds where events arriving late could be included.","operators":[]},{"name":"events_out_of_order_max_delay_in_seconds","type":"bigint","description":"The maximum tolerable delay in seconds where out-of-order events can be adjusted to be back in order.","operators":[]},{"name":"events_out_of_order_policy","type":"text","description":"Indicates the policy to apply to events that arrive out of order in the input event stream.","operators":[]},{"name":"functions","type":"jsonb","description":"A list of one or more functions for the streaming job.","operators":[]},{"name":"id","type":"text","description":"The resource identifier.","operators":[]},{"name":"inputs","type":"jsonb","description":"A list of one or more inputs to the streaming job.","operators":[]},{"name":"job_id","type":"text","description":"A GUID uniquely identifying the streaming job.","operators":[]},{"name":"job_state","type":"text","description":"Describes the state of the streaming job.","operators":[]},{"name":"last_output_event_time","type":"timestamp with time zone","description":"Indicating the last output event time of the streaming job or null indicating that output has not yet been produced.","operators":[]},{"name":"name","type":"text","description":"The resource name.","operators":["="]},{"name":"output_error_policy","type":"text","description":"Indicates the policy to apply to events that arrive at the output and cannot be written to the external storage due to being malformed (missing column values, column values of wrong type or size).","operators":[]},{"name":"output_start_mode","type":"text","description":"This property should only be utilized when it is desired that the job be started immediately upon creation.","operators":[]},{"name":"output_start_time","type":"timestamp with time zone","description":"Indicates the starting point of the output event stream, or null to indicate that the output event stream will start whenever the streaming job is started.","operators":[]},{"name":"outputs","type":"jsonb","description":"A list of one or more outputs for the streaming job.","operators":[]},{"name":"provisioning_state","type":"text","description":"Describes the provisioning status of the streaming job.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sku_name","type":"text","description":"Describes the sku name of the streaming job.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"transformation","type":"jsonb","description":"Indicates the query and the number of streaming units to use for the streaming job.","operators":[]},{"name":"type","type":"text","description":"The resource type.","operators":[]}],"description":"Azure Stream Analytics Job","queriesCount":1,"examplesCount":1,"readme":"$b3"},{"name":"azure_subnet","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"address_prefix","type":"text","description":"Contains the address prefix for the subnet.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"delegations","type":"jsonb","description":"A list of references to the delegations on the subnet.","operators":[]},{"name":"etag","type":"text","description":"An unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a subnet uniquely.","operators":[]},{"name":"ip_configurations","type":"jsonb","description":"IP Configuration details in a subnet.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the subnet.","operators":["="]},{"name":"nat_gateway_id","type":"text","description":"The ID of the Nat gateway associated with the subnet.","operators":[]},{"name":"network_security_group_id","type":"text","description":"Network security group associated with the subnet.","operators":[]},{"name":"private_endpoint_network_policies","type":"text","description":"Enable or Disable apply network policies on private end point in the subnet.","operators":[]},{"name":"private_link_service_network_policies","type":"text","description":"Enable or Disable apply network policies on private link service in the subnet.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the subnet resource.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"route_table_id","type":"text","description":"Route table associated with the subnet.","operators":[]},{"name":"service_endpoint_policies","type":"jsonb","description":"A list of service endpoint policies.","operators":[]},{"name":"service_endpoints","type":"jsonb","description":"A list of service endpoints.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource.","operators":[]},{"name":"virtual_network_name","type":"text","description":"The friendly name of the virtual network in which the subnet is created.","operators":["="]}],"description":"Azure Subnet","queriesCount":3,"examplesCount":4,"readme":"$b4"},{"name":"azure_subscription","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"authorization_source","type":"text","description":"The authorization source of the request. Valid values are one or more combinations of Legacy, RoleBased, Bypassed, Direct and Management. For example, 'Legacy, RoleBased'.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"display_name","type":"text","description":"A friendly name that identifies a subscription.","operators":[]},{"name":"id","type":"text","description":"The fully qualified ID for the subscription. For example, /subscriptions/00000000-0000-0000-0000-000000000000.","operators":[]},{"name":"managed_by_tenants","type":"jsonb","description":"An array containing the tenants managing the subscription.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"state","type":"text","description":"The subscription state. Possible values are Enabled, Warned, PastDue, Disabled, and Deleted. Possible values include: 'StateEnabled', 'StateWarned', 'StatePastDue', 'StateDisabled', 'StateDeleted'","operators":[]},{"name":"subscription_id","type":"text","description":"The subscription ID.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"subscription_policies","type":"jsonb","description":"The subscription policies.","operators":[]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"tenant_id","type":"text","description":"The subscription tenant ID.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]}],"description":"Azure Subscription","queriesCount":413,"examplesCount":0,"readme":"$b5"},{"name":"azure_synapse_workspace","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"adla_resource_id","type":"text","description":"The ADLA resource ID.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"connectivity_endpoints","type":"jsonb","description":"Connectivity endpoints of the resource.","operators":[]},{"name":"default_data_lake_storage","type":"jsonb","description":"Workspace default data lake storage account details.","operators":[]},{"name":"diagnostic_settings","type":"jsonb","description":"A list of active diagnostic settings for the resource.","operators":[]},{"name":"encryption","type":"jsonb","description":"The encryption details of the workspace.","operators":[]},{"name":"extra_properties","type":"jsonb","description":"Workspace level configs and feature flags.","operators":[]},{"name":"id","type":"text","description":"Fully qualified resource ID for the resource.","operators":[]},{"name":"identity","type":"jsonb","description":"The identity of the workspace.","operators":[]},{"name":"managed_resource_group_name","type":"text","description":"The managed resource group of the resource.","operators":[]},{"name":"managed_virtual_network","type":"text","description":"A managed virtual network for the workspace.","operators":[]},{"name":"managed_virtual_network_settings","type":"jsonb","description":"Managed virtual network settings of the workspace.","operators":[]},{"name":"name","type":"text","description":"The name of the resource.","operators":["="]},{"name":"private_endpoint_connections","type":"jsonb","description":"Private endpoint connections to the workspace.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the resource.","operators":[]},{"name":"public_network_access","type":"text","description":"Pubic network access to workspace.","operators":[]},{"name":"purview_configuration","type":"jsonb","description":"Purview configuration of the workspace.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"sql_administrator_login","type":"text","description":"Login for workspace SQL active directory administrator.","operators":[]},{"name":"sql_administrator_login_password","type":"text","description":"The SQL administrator login password of the resource.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"The type of the resource.","operators":[]},{"name":"virtual_network_profile","type":"jsonb","description":"Virtual network profile of the resource.","operators":[]},{"name":"workspace_managed_sql_server_vulnerability_assessments","type":"jsonb","description":"The vulnerability assessments details of the workspace.","operators":[]},{"name":"workspace_repository_configuration","type":"jsonb","description":"Git integration settings of the workspace.","operators":[]},{"name":"workspace_uid","type":"jsonb","description":"The unique identifier of the workspace.","operators":[]}],"description":"Azure Synapse Workspace","queriesCount":4,"examplesCount":4,"readme":"$b6"},{"name":"azure_tenant","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"country","type":"text","description":"Country/region name of the address for the tenant.","operators":[]},{"name":"country_code","type":"text","description":"Country/region abbreviation for the tenant.","operators":[]},{"name":"display_name","type":"text","description":"The list of domains for the tenant.","operators":[]},{"name":"domains","type":"jsonb","description":"The list of domains for the tenant.","operators":[]},{"name":"id","type":"text","description":"The fully qualified ID of the tenant. For example, /tenants/00000000-0000-0000-0000-000000000000.","operators":[]},{"name":"name","type":"text","description":"The display name of the tenant.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tenant_category","type":"text","description":"The tenant category. Possible values include: 'Home', 'ProjectedBy', 'ManagedBy'.","operators":[]},{"name":"tenant_id","type":"text","description":"The tenant ID. For example, 00000000-0000-0000-0000-000000000000.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]}],"description":"Azure Tenant","queriesCount":12,"examplesCount":0,"readme":"$b7"},{"name":"azure_virtual_network","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"address_prefixes","type":"jsonb","description":"A list of address blocks reserved for this virtual network in CIDR notation","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"enable_ddos_protection","type":"boolean","description":"Indicates if DDoS protection is enabled for all the protected resources in the virtual network","operators":[]},{"name":"enable_vm_protection","type":"boolean","description":"Indicates if VM protection is enabled for all the subnets in the virtual network","operators":[]},{"name":"etag","type":"text","description":"An unique read-only string that changes whenever the resource is updated","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a virtual network uniquely","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the virtual network","operators":["="]},{"name":"network_peerings","type":"jsonb","description":"A list of peerings in a Virtual Network","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the virtual network resource","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"resource_guid","type":"text","description":"The resourceGuid property of the Virtual Network resource","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subnets","type":"jsonb","description":"A list of subnets in a Virtual Network","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource","operators":[]}],"description":"Azure Virtual Network","queriesCount":3,"examplesCount":4,"readme":"$b8"},{"name":"azure_virtual_network_gateway","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"active_active","type":"boolean","description":"Indicates whether virtual network gateway configured with active-active mode, or not. If true, each Azure gateway instance will have a unique public IP address, and each will establish an IPsec/IKE S2S VPN tunnel to your on-premises VPN device specified in your local network gateway and connection.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"bgp_settings","type":"jsonb","description":"Virtual network gateway's BGP speaker settings.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"custom_routes_address_prefixes","type":"jsonb","description":"A list of address blocks reserved for this virtual network in CIDR notation.","operators":[]},{"name":"enable_bgp","type":"boolean","description":"Indicates whether BGP is enabled for this virtual network gateway, or not.","operators":[]},{"name":"enable_dns_forwarding","type":"boolean","description":"Indicates whether DNS forwarding is enabled, or not.","operators":[]},{"name":"enable_private_ip_address","type":"boolean","description":"Indicates whether private IP needs to be enabled on this gateway for connections or not.","operators":[]},{"name":"etag","type":"text","description":"An unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"gateway_connections","type":"jsonb","description":"A list of virtual network gateway connection resources that exists in a resource group.","operators":[]},{"name":"gateway_default_site","type":"text","description":"The reference to the LocalNetworkGateway resource, which represents local network site having default routes. Assign Null value in case of removing existing default site setting.","operators":[]},{"name":"gateway_type","type":"text","description":"The type of this virtual network gateway. Possible values include: 'Vpn', 'ExpressRoute'.","operators":[]},{"name":"id","type":"text","description":"Contains ID to identify a virtual network gateway uniquely.","operators":[]},{"name":"inbound_dns_forwarding_endpoint","type":"text","description":"The IP address allocated by the gateway to which dns requests can be sent.","operators":[]},{"name":"ip_configurations","type":"jsonb","description":"IP configurations for virtual network gateway.","operators":[]},{"name":"name","type":"text","description":"The friendly name that identifies the virtual network gateway.","operators":["="]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the virtual network gateway resource.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"resource_guid","type":"text","description":"The resource GUID property of the virtual network gateway resource.","operators":[]},{"name":"sku_capacity","type":"bigint","description":"Gateway SKU capacity.","operators":[]},{"name":"sku_name","type":"text","description":"Gateway SKU name.","operators":[]},{"name":"sku_tier","type":"text","description":"Gateway SKU tier.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Type of the resource.","operators":[]},{"name":"vpn_client_configuration","type":"jsonb","description":"The reference to the VpnClientConfiguration resource which represents the P2S VpnClient configurations.","operators":[]},{"name":"vpn_gateway_generation","type":"text","description":"The generation for this virtual network gateway. Must be None if gatewayType is not VPN. Valid values are: 'None', 'Generation1', 'Generation2'.","operators":[]},{"name":"vpn_type","type":"text","description":"The type of this virtual network gateway. Valid values are: 'PolicyBased', 'RouteBased'.","operators":[]}],"description":"Azure Virtual Network Gateway","queriesCount":1,"examplesCount":1,"readme":"$b9"},{"name":"azure_web_application_firewall_policy","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"akas","type":"jsonb","description":"Array of globally unique identifier strings (also known as) for the resource.","operators":[]},{"name":"application_gateways","type":"jsonb","description":"A collection of references to application gateways.","operators":[]},{"name":"cloud_environment","type":"text","description":"The Azure Cloud Environment.","operators":[]},{"name":"custom_rules","type":"jsonb","description":"The custom rules inside the policy.","operators":[]},{"name":"etag","type":"text","description":"A unique read-only string that changes whenever the resource is updated.","operators":[]},{"name":"http_listeners","type":"jsonb","description":"A collection of references to application gateway http listeners.","operators":[]},{"name":"id","type":"text","description":"Resource ID.","operators":[]},{"name":"managed_rules","type":"jsonb","description":"Describes the managedRules structure.","operators":[]},{"name":"name","type":"text","description":"Resource name.","operators":["="]},{"name":"path_based_rules","type":"jsonb","description":"A collection of references to application gateway path rules.","operators":[]},{"name":"policy_settings","type":"jsonb","description":"The PolicySettings for policy.","operators":[]},{"name":"provisioning_state","type":"text","description":"The provisioning state of the web application firewall policy resource. Possible values include: 'ProvisioningStateSucceeded', 'ProvisioningStateUpdating', 'ProvisioningStateDeleting', 'ProvisioningStateFailed'.","operators":[]},{"name":"region","type":"text","description":"The Azure region/location in which the resource is located.","operators":[]},{"name":"resource_group","type":"text","description":"The resource group which holds this resource.","operators":["="]},{"name":"resource_state","type":"text","description":"Resource status of the policy. Possible values include: 'WebApplicationFirewallPolicyResourceStateCreating', 'WebApplicationFirewallPolicyResourceStateEnabling', 'WebApplicationFirewallPolicyResourceStateEnabled', 'WebApplicationFirewallPolicyResourceStateDisabling', 'WebApplicationFirewallPolicyResourceStateDisabled', 'WebApplicationFirewallPolicyResourceStateDeleting'.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"subscription_id","type":"text","description":"The Azure Subscription ID in which the resource is located.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"tags","type":"jsonb","description":"A map of tags for the resource.","operators":[]},{"name":"title","type":"text","description":"Title of the resource.","operators":[]},{"name":"type","type":"text","description":"Resource type.","operators":[]}],"description":"Azure Web Application Firewall Policy","queriesCount":0,"examplesCount":6,"readme":"$ba"}],"queries":{"api_management":{"apimanagement_service_with_virtual_network":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/apimanagement_service_with_virtual_network","org":"turbot","name":"apimanagement_service_with_virtual_network","sql":"select\n a.id as resource,\n case\n when virtual_network_type != 'None' then 'ok'\n else 'alarm'\n end as status,\n a.name || ' Virtual network is set to ' || virtual_network_type as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_api_management a,\n azure_subscription sub;\n","tags":{},"tables":["azure.azure_api_management","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/apimanagement.pp","startLineNumber":27,"endLineNumber":43,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.apimanagement_service_with_virtual_network","org":"turbot","name":"apimanagement_service_with_virtual_network","mod":"Azure Compliance","title":"API Management services should use a virtual network","description":"Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/APIManagement"}}],"controlTitle":"API Management services should use a virtual network","controlDescription":"Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/APIManagement"}},"apimanagement_service_client_certificate_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/apimanagement_service_client_certificate_enabled","org":"turbot","name":"apimanagement_service_client_certificate_enabled","sql":"select\n a.id as resource,\n case\n when enable_client_certificate then 'ok'\n else 'alarm'\n end as status,\n case\n when enable_client_certificate then a.name || ' client certificate enabled.'\n else a.name || ' client certificate disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_api_management a,\n azure_subscription sub;\n","tags":{},"tables":["azure.azure_api_management","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/apimanagement.pp","startLineNumber":45,"endLineNumber":64,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.apimanagement_service_client_certificate_enabled","org":"turbot","name":"apimanagement_service_client_certificate_enabled","mod":"Azure Compliance","title":"API Management client certificate should be enabled","description":"Ensure API Management client certificate is enabled. This control is non-compliant if API Management client certificate is disabled.","tags":{"service":"Azure/APIManagement"}}],"controlTitle":"API Management client certificate should be enabled","controlDescription":"Ensure API Management client certificate is enabled. This control is non-compliant if API Management client certificate is disabled.","controlTags":{"service":"Azure/APIManagement"}}},"app_configuration":{"app_configuration_sku_standard":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/app_configuration_sku_standard","org":"turbot","name":"app_configuration_sku_standard","sql":"select\n a.id as resource,\n case\n when sku_name = 'standard' then 'ok'\n else 'alarm'\n end as status,\n a.name || ' has ' || sku_name || ' SKU tier.' as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_configuration as a,\n azure_subscription as sub;\n","tags":{},"tables":["azure.azure_app_configuration","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appconfiguration.pp","startLineNumber":63,"endLineNumber":79,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.app_configuration_sku_standard","org":"turbot","name":"app_configuration_sku_standard","mod":"Azure Compliance","title":"App Configuration should use standard SKU","description":"Ensure that App Configuration uses standard SKU tier. This control is non-compliant if App Configuration does not use standard SKU.","tags":{"service":"Azure/AppConfiguration"}}],"controlTitle":"App Configuration should use standard SKU","controlDescription":"Ensure that App Configuration uses standard SKU tier. This control is non-compliant if App Configuration does not use standard SKU.","controlTags":{"service":"Azure/AppConfiguration"}},"app_configuration_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/app_configuration_encryption_enabled","org":"turbot","name":"app_configuration_encryption_enabled","sql":"select\n a.id as resource,\n case\n when encryption -> 'keyVaultProperties' ->> 'keyIdentifier' is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when encryption -> 'keyVaultProperties' ->> 'keyIdentifier' is not null then a.name || 'encryption enabled.'\n else a.name || ' encryption disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_configuration as a,\n azure_subscription as sub;\n","tags":{},"tables":["azure.azure_app_configuration","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appconfiguration.pp","startLineNumber":81,"endLineNumber":100,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.app_configuration_encryption_enabled","org":"turbot","name":"app_configuration_encryption_enabled","mod":"Azure Compliance","title":"App Configuration encryption should be enabled","description":"Enabling App Configuration encryption helps protect and safeguard your data to meet your organizational security and compliance commitments.","tags":{"service":"Azure/AppConfiguration"}}],"controlTitle":"App Configuration encryption should be enabled","controlDescription":"Enabling App Configuration encryption helps protect and safeguard your data to meet your organizational security and compliance commitments.","controlTags":{"service":"Azure/AppConfiguration"}},"app_configuration_private_link_used":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/app_configuration_private_link_used","org":"turbot","name":"app_configuration_private_link_used","sql":"$bb","tags":{},"tables":["azure.azure_app_configuration","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appconfiguration.pp","startLineNumber":35,"endLineNumber":61,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.app_configuration_private_link_used","org":"turbot","name":"app_configuration_private_link_used","mod":"Azure Compliance","title":"App Configuration should use private link","description":"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppConfiguration"}}],"controlTitle":"App Configuration should use private link","controlDescription":"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppConfiguration"}}},"app_service":{"app_service_environment_internal_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/app_service_environment_internal_encryption_enabled","org":"turbot","name":"app_service_environment_internal_encryption_enabled","sql":"with app_service_environment as (\n select\n distinct id as id\n from\n azure_app_service_environment,\n jsonb_array_elements(cluster_settings ) as s\n where\n s ->> 'name' = 'InternalEncryption'\n and s ->> 'value' = 'true'\n)\nselect\n a.id as resource,\n case\n when b.id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.id is not null then a.title || ' internal encryption enabled.'\n else a.name || ' internal encryption disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_environment as a\n left join app_service_environment as b on a.id = b.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_environment","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":1311,"endLineNumber":1343,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.app_service_environment_internal_encryption_enabled","org":"turbot","name":"app_service_environment_internal_encryption_enabled","mod":"Azure Compliance","title":"App Service Environment should enable internal encryption","description":"Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}}],"controlTitle":"App Service Environment should enable internal encryption","controlDescription":"Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}},"appservice_function_app_latest_tls_version":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_function_app_latest_tls_version","org":"turbot","name":"appservice_function_app_latest_tls_version","sql":"select\n app.id as resource,\n case\n when configuration -> 'properties' ->> 'minTlsVersion' < '1.2' then 'alarm'\n else 'ok'\n end as status,\n case\n when configuration -> 'properties' ->> 'minTlsVersion' < '1.2' then name || ' not using the latest version of TLS encryption.'\n else name || ' using the latest version of TLS encryption.'\n end as reason\n \n , app.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_function_app as app,\n azure_subscription as sub\nwhere\n sub.subscription_id = app.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_function_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":563,"endLineNumber":584,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_function_app_latest_tls_version","org":"turbot","name":"appservice_function_app_latest_tls_version","mod":"Azure Compliance","title":"Function apps should use the latest TLS version","description":"Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/AppService"}}],"controlTitle":"Function apps should use the latest TLS version","controlDescription":"Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/AppService"}},"appservice_function_app_restrict_public_acces":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_function_app_restrict_public_acces","org":"turbot","name":"appservice_function_app_restrict_public_acces","sql":"with public_function_app as (\n select\n id\n from\n azure_app_service_function_app,\n jsonb_array_elements(configuration -> 'properties' -> 'ipSecurityRestrictions') as r\n where\n r ->> 'ipAddress' = 'Any'\n and r ->> 'action' = 'Allow'\n)\nselect\n fa.id as resource,\n case\n when p.id is null then 'ok'\n else 'alarm'\n end as status,\n case\n when p.id is null then name || ' not publicly accessible.'\n else name || ' publicly accessible.'\n end as reason\n \n , fa.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_function_app fa\n left join public_function_app as p on p.id = fa.id,\n azure_subscription sub\nwhere\n sub.subscription_id = fa.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_function_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":1907,"endLineNumber":1939,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_function_app_restrict_public_acces","org":"turbot","name":"appservice_function_app_restrict_public_acces","mod":"Azure Compliance","title":"App Service function apps public access should be restricted","description":"Anonymous public read access to function app in Azure App Service is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a function app unless your scenario requires it.","tags":{"service":"Azure/AppService"}}],"controlTitle":"App Service function apps public access should be restricted","controlDescription":"Anonymous public read access to function app in Azure App Service is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a function app unless your scenario requires it.","controlTags":{"service":"Azure/AppService"}},"appservice_function_app_only_https_accessible":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_function_app_only_https_accessible","org":"turbot","name":"appservice_function_app_only_https_accessible","sql":"select\n app.id as resource,\n case\n when https_only then 'ok'\n else 'alarm'\n end as status,\n case\n when https_only then name || ' https-only accessible enabled.'\n else name || ' https-only accessible disabled.'\n end as reason\n \n , app.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_function_app as app,\n azure_subscription as sub\nwhere\n sub.subscription_id = app.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_function_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":609,"endLineNumber":630,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_function_app_only_https_accessible","org":"turbot","name":"appservice_function_app_only_https_accessible","mod":"Azure Compliance","title":"Function apps should only be accessible over HTTPS","description":"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/AppService"}}],"controlTitle":"Function apps should only be accessible over HTTPS","controlDescription":"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/AppService"}},"appservice_ftp_deployment_disabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_ftp_deployment_disabled","org":"turbot","name":"appservice_ftp_deployment_disabled","sql":"$bc","tags":{},"tables":["azure.azure_app_service_function_app","azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":1620,"endLineNumber":1660,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_9_10","org":"turbot","name":"cis_v200_9_10","mod":"Azure Compliance","title":"9.10 Ensure FTP deployments are Disabled","description":"By default, Azure Functions, Web, and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.10","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_9_10","org":"turbot","name":"cis_v150_9_10","mod":"Azure Compliance","title":"9.10 Ensure FTP deployments are disabled","description":"By default, Azure Functions, Web and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.10","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_9_10","org":"turbot","name":"cis_v140_9_10","mod":"Azure Compliance","title":"9.10 Ensure FTP deployments are disabled","description":"By default, Azure Functions, Web and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.10","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_9_10","org":"turbot","name":"cis_v130_9_10","mod":"Azure Compliance","title":"9.10 Ensure FTP deployments are disabled","description":"By default, Azure Functions, Web and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.10","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_9_3","org":"turbot","name":"cis_v300_9_3","mod":"Azure Compliance","title":"9.3 Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled'","description":"By default, App Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Services. If FTPS is not expressly required for the App, the recommended setting is Disabled.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.3","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_9_9","org":"turbot","name":"cis_v210_9_9","mod":"Azure Compliance","title":"9.9 Ensure FTP deployments are Disabled","description":"By default, Azure Functions, Web, and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.9","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_ftp_deployment_disabled","org":"turbot","name":"appservice_ftp_deployment_disabled","mod":"Azure Compliance","title":"Ensure FTP deployments are Disabled","description":"By default, Azure Functions, Web, and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Ensure FTP deployments are Disabled","controlDescription":"By default, Azure Functions, Web, and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"9.9","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/AppService"}},"appservice_function_app_remote_debugging_disabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_function_app_remote_debugging_disabled","org":"turbot","name":"appservice_function_app_remote_debugging_disabled","sql":"select\n app.id as resource,\n case\n when configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' then 'ok'\n else 'alarm'\n end as status,\n case\n when configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' then name || ' remote debugging disabled.'\n else name || ' remote debugging enabled.'\n end as reason\n \n , app.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_function_app as app,\n azure_subscription as sub\nwhere\n sub.subscription_id = app.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_function_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":540,"endLineNumber":561,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_function_app_remote_debugging_disabled","org":"turbot","name":"appservice_function_app_remote_debugging_disabled","mod":"Azure Compliance","title":"Function apps should have remote debugging turned off","description":"Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/AppService"}}],"controlTitle":"Function apps should have remote debugging turned off","controlDescription":"Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/AppService"}},"appservice_function_app_ftps_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_function_app_ftps_enabled","org":"turbot","name":"appservice_function_app_ftps_enabled","sql":"with all_function_app as (\n select\n id\n from\n azure_app_service_function_app\n where\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem like 'functionapp%'\n )\n)\nselect\n a.id as resource,\n case\n when b.id is null then 'skip'\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm'\n else 'ok'\n end as status,\n case\n when b.id is null then a.title || ' is ' || a.kind || ' kind.'\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then a.name || ' FTPS disabled.'\n else a.name || ' FTPS enabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_function_app as a\n left join all_function_app as b on a.id = b.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_function_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":1160,"endLineNumber":1198,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_function_app_ftps_enabled","org":"turbot","name":"appservice_function_app_ftps_enabled","mod":"Azure Compliance","title":"FTPS only should be required in your Function App","description":"Enable FTPS enforcement for enhanced security.","tags":{"nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}}],"controlTitle":"FTPS only should be required in your Function App","controlDescription":"Enable FTPS enforcement for enhanced security.","controlTags":{"nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}},"appservice_function_app_uses_managed_identity":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_function_app_uses_managed_identity","org":"turbot","name":"appservice_function_app_uses_managed_identity","sql":"$bd","tags":{},"tables":["azure.azure_app_service_function_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":972,"endLineNumber":1015,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_function_app_uses_managed_identity","org":"turbot","name":"appservice_function_app_uses_managed_identity","mod":"Azure Compliance","title":"Function apps should use managed identity","description":"Use a managed identity for enhanced authentication security.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}}],"controlTitle":"Function apps should use managed identity","controlDescription":"Use a managed identity for enhanced authentication security.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}},"appservice_function_app_client_certificates_on":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_function_app_client_certificates_on","org":"turbot","name":"appservice_function_app_client_certificates_on","sql":"select\n app.id as resource,\n case\n when client_cert_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when client_cert_enabled then app.name || ' client certificate enabled.'\n else app.name || ' client certificate disabled.'\n end as reason\n \n , app.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_function_app as app,\n azure_subscription as sub\nwhere\n sub.subscription_id = app.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_function_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":1097,"endLineNumber":1118,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_function_app_client_certificates_on","org":"turbot","name":"appservice_function_app_client_certificates_on","mod":"Azure Compliance","title":"Function apps should have 'Client Certificates (Incoming client certificates)' enabled","description":"Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/AppService"}}],"controlTitle":"Function apps should have 'Client Certificates (Incoming client certificates)' enabled","controlDescription":"Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/AppService"}},"appservice_function_app_cors_no_star":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_function_app_cors_no_star","org":"turbot","name":"appservice_function_app_cors_no_star","sql":"select\n b.id as resource,\n case\n when configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '[\"*\"]' then 'alarm'\n else 'ok'\n end as status,\n case\n when configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '[\"*\"]'\n then b.name || ' CORS allow all domains to access the application.'\n else b.name || ' CORS does not all domains to access the application.'\n end as reason\n \n , b.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_function_app as b,\n azure_subscription as sub\nwhere\n sub.subscription_id = b.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_function_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":818,"endLineNumber":840,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_function_app_cors_no_star","org":"turbot","name":"appservice_function_app_cors_no_star","mod":"Azure Compliance","title":"Function apps should not have CORS configured to allow every resource to access your apps","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}}],"controlTitle":"Function apps should not have CORS configured to allow every resource to access your apps","controlDescription":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}},"appservice_function_app_latest_http_version":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_function_app_latest_http_version","org":"turbot","name":"appservice_function_app_latest_http_version","sql":"$be","tags":{},"tables":["azure.azure_app_service_function_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":1240,"endLineNumber":1286,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_function_app_latest_http_version","org":"turbot","name":"appservice_function_app_latest_http_version","mod":"Azure Compliance","title":"Ensure that 'HTTP Version' is the latest, if used to run the Function app","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}}],"controlTitle":"Ensure that 'HTTP Version' is the latest, if used to run the Function app","controlDescription":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}},"appservice_function_app_latest_java_version":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_function_app_latest_java_version","org":"turbot","name":"appservice_function_app_latest_java_version","sql":"$bf","tags":{},"tables":["azure.azure_app_service_function_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":1345,"endLineNumber":1393,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_function_app_latest_java_version","org":"turbot","name":"appservice_function_app_latest_java_version","mod":"Azure Compliance","title":"Ensure that 'Java version' is the latest, if used as a part of the Function app","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Ensure that 'Java version' is the latest, if used as a part of the Function app","controlDescription":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","controlTags":{"service":"Azure/AppService"}},"appservice_function_app_latest_python_version":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_function_app_latest_python_version","org":"turbot","name":"appservice_function_app_latest_python_version","sql":"$c0","tags":{},"tables":["azure.azure_app_service_function_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":1495,"endLineNumber":1543,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_function_app_latest_python_version","org":"turbot","name":"appservice_function_app_latest_python_version","mod":"Azure Compliance","title":"Ensure that 'Python version' is the latest, if used as a part of the Function app","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Ensure that 'Python version' is the latest, if used as a part of the Function app","controlDescription":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","controlTags":{"service":"Azure/AppService"}},"appservice_function_app_authentication_on":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_function_app_authentication_on","org":"turbot","name":"appservice_function_app_authentication_on","sql":"select\n fa.id as resource,\n case\n when auth_settings -> 'properties' ->> 'enabled' = 'true' then 'ok'\n else 'alarm'\n end as status,\n case\n when auth_settings -> 'properties' ->> 'enabled' = 'true' then name || ' authentication enabled.'\n else name || ' authentication disabled.'\n end as reason\n \n , fa.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_function_app fa,\n azure_subscription sub\nwhere\n sub.subscription_id = fa.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_function_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":1884,"endLineNumber":1905,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_function_app_authentication_on","org":"turbot","name":"appservice_function_app_authentication_on","mod":"Azure Compliance","title":"Ensure App Service authentication is set up for function apps in Azure App Service","description":"Azure App Service authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Ensure App Service authentication is set up for function apps in Azure App Service","controlDescription":"Azure App Service authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.","controlTags":{"service":"Azure/AppService"}},"appservice_web_app_worker_more_than_one":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_web_app_worker_more_than_one","org":"turbot","name":"appservice_web_app_worker_more_than_one","sql":"select\n p ->> 'ID' as resource,\n case\n when (p -> 'SiteProperties' -> 'siteConfig' ->> 'numberOfWorkers')::int > 1 then 'ok'\n else 'alarm'\n end as status,\n a.name || ' has ' || (p -> 'SiteProperties' -> 'siteConfig' ->> 'numberOfWorkers') || ' no of worker(s).' as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_plan as a,\n jsonb_array_elements(apps) as p,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_plan","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":1773,"endLineNumber":1792,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_worker_more_than_one","org":"turbot","name":"appservice_web_app_worker_more_than_one","mod":"Azure Compliance","title":"Web app should have more than one worker","description":"It is recommended to have more than one worker for failover. This control is non-compliant if Web apps have one or less than one worker.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Web app should have more than one worker","controlDescription":"It is recommended to have more than one worker for failover. This control is non-compliant if Web apps have one or less than one worker.","controlTags":{"service":"Azure/AppService"}},"appservice_plan_minimum_sku":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_plan_minimum_sku","org":"turbot","name":"appservice_plan_minimum_sku","sql":"select\n a.id as resource,\n case\n -- The below basic plans are used for development and testing purposes.\n when sku_name in ('F1', 'D1', 'B1', 'B2', 'B3') then 'alarm'\n else 'ok'\n end as status,\n a.name || ' is of ' || sku_family || ' SKU family.' as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_plan as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_plan","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":1840,"endLineNumber":1859,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_plan_minimum_sku","org":"turbot","name":"appservice_plan_minimum_sku","mod":"Azure Compliance","title":"Appservice plan should not use free, shared or basic SKU","description":"The Free, Shared, and Basic plans are suitable for constrained testing and development purposes. This control is considered non-compliant when free, shared, or basic SKUs are utilized.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Appservice plan should not use free, shared or basic SKU","controlDescription":"The Free, Shared, and Basic plans are suitable for constrained testing and development purposes. This control is considered non-compliant when free, shared, or basic SKUs are utilized.","controlTags":{"service":"Azure/AppService"}},"appservice_web_app_http_logs_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_web_app_http_logs_enabled","org":"turbot","name":"appservice_web_app_http_logs_enabled","sql":"select\n a.id as resource,\n case\n when configuration -> 'properties' ->> 'httpLoggingEnabled' = 'true' then 'ok'\n else 'alarm'\n end as status,\n case\n when configuration -> 'properties' ->> 'httpLoggingEnabled' = 'true' then a.name || ' HTTP logs enabled.'\n else a.name || ' HTTP logs disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":1750,"endLineNumber":1771,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_http_logs_enabled","org":"turbot","name":"appservice_web_app_http_logs_enabled","mod":"Azure Compliance","title":"Web app HTTP logs should be enabled","description":"Ensure that Web app HTTP logs is enabled. This control is non-compliant if Web app HTTP logs is disabled.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Web app HTTP logs should be enabled","controlDescription":"Ensure that Web app HTTP logs is enabled. This control is non-compliant if Web app HTTP logs is disabled.","controlTags":{"service":"Azure/AppService"}},"appservice_web_app_diagnostic_logs_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_web_app_diagnostic_logs_enabled","org":"turbot","name":"appservice_web_app_diagnostic_logs_enabled","sql":"$c1","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":760,"endLineNumber":792,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_diagnostic_logs_enabled","org":"turbot","name":"appservice_web_app_diagnostic_logs_enabled","mod":"Azure Compliance","title":"App Service apps should have resource logs enabled","description":"Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}}],"controlTitle":"App Service apps should have resource logs enabled","controlDescription":"Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}},"appservice_api_app_cors_no_star":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_api_app_cors_no_star","org":"turbot","name":"appservice_api_app_cors_no_star","sql":"with all_api_app as (\n select\n id\n from\n azure_app_service_web_app\n where\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem like '%api'\n )\n)\nselect\n a.id as resource,\n case\n when b.id is null then 'skip'\n when configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '[\"*\"]' then 'alarm'\n else 'ok'\n end as status,\n case\n when b.id is null then a.title || ' is ' || a.kind || ' kind.'\n when configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '[\"*\"]' then a.name || ' CORS allow all domains to access the application.'\n else a.name || ' CORS does not all domains to access the application.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as a\n left join all_api_app as b on a.id = b.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":842,"endLineNumber":880,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_api_app_cors_no_star","org":"turbot","name":"appservice_api_app_cors_no_star","mod":"Azure Compliance","title":"App Service apps should not have CORS configured to allow every resource to access your apps","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}}],"controlTitle":"App Service apps should not have CORS configured to allow every resource to access your apps","controlDescription":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}},"appservice_api_app_use_https":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_api_app_use_https","org":"turbot","name":"appservice_api_app_use_https","sql":"with all_api_app as (\n select\n id\n from\n azure_app_service_web_app\n where\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem like '%api'\n )\n)\nselect\n a.id as resource,\n case\n when b.id is null then 'skip'\n when not https_only then 'alarm'\n else 'ok'\n end as status,\n case\n when b.id is null then a.title || ' is ' || a.kind || ' kind.'\n when not https_only then a.name || ' does not redirect all HTTP traffic to HTTPS.'\n else a.name || ' redirects all HTTP traffic to HTTPS.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as a\n left join all_api_app as b on a.id = b.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":655,"endLineNumber":693,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_api_app_use_https","org":"turbot","name":"appservice_api_app_use_https","mod":"Azure Compliance","title":"App Service API apps should only be accessible over HTTPS","description":"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","pci_dss_v321":"true","service":"Azure/AppService"}}],"controlTitle":"App Service API apps should only be accessible over HTTPS","controlDescription":"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","pci_dss_v321":"true","service":"Azure/AppService"}},"appservice_web_app_health_check_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_web_app_health_check_enabled","org":"turbot","name":"appservice_web_app_health_check_enabled","sql":"select\n a.id as resource,\n case\n when configuration -> 'properties' ->> 'healthCheckPath' is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when configuration -> 'properties' ->> 'healthCheckPath' is not null then a.name || ' health check enabled.'\n else a.name || ' health check disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\n from\n azure_app_service_web_app as a,\n azure_subscription as sub\n where\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":1861,"endLineNumber":1882,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_health_check_enabled","org":"turbot","name":"appservice_web_app_health_check_enabled","mod":"Azure Compliance","title":"Web apps should have health check enabled","description":"Health check increases your application's availability by rerouting requests away from unhealthy instances and replacing instances if they remain unhealthy.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Web apps should have health check enabled","controlDescription":"Health check increases your application's availability by rerouting requests away from unhealthy instances and replacing instances if they remain unhealthy.","controlTags":{"service":"Azure/AppService"}},"appservice_web_app_latest_java_version":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_web_app_latest_java_version","org":"turbot","name":"appservice_web_app_latest_java_version","sql":"$c2","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":1395,"endLineNumber":1443,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_9_7","org":"turbot","name":"cis_v210_9_7","mod":"Azure Compliance","title":"9.7 Ensure that 'Java version' is the latest, if used to run the Web App","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.7","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v2.1.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_9_9","org":"turbot","name":"cis_v300_9_9","mod":"Azure Compliance","title":"9.9 Ensure that 'Java version' is currently supported (if in use)","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.9","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_latest_java_version","org":"turbot","name":"appservice_web_app_latest_java_version","mod":"Azure Compliance","title":"Ensure that 'Java version' is the latest, if used as a part of the Web app","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Ensure that 'Java version' is the latest, if used as a part of the Web app","controlDescription":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"9.9","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},"appservice_web_app_client_certificates_on":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_web_app_client_certificates_on","org":"turbot","name":"appservice_web_app_client_certificates_on","sql":"with all_web_app as (\n select\n id\n from\n azure_app_service_web_app\n where\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem like 'app%'\n )\n)\nselect\n a.id as resource,\n case\n when b.id is null then 'skip'\n when client_cert_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when b.id is null then a.title || ' is ' || a.kind || ' kind.'\n when client_cert_enabled then a.name || ' client certificate enabled.'\n else a.name || ' client certificate disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as a\n left join all_web_app as b on a.id = b.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":1057,"endLineNumber":1095,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_client_certificates_on","org":"turbot","name":"appservice_web_app_client_certificates_on","mod":"Azure Compliance","title":"App Service apps should have 'Client Certificates (Incoming client certificates)' enabled","description":"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/AppService"}}],"controlTitle":"App Service apps should have 'Client Certificates (Incoming client certificates)' enabled","controlDescription":"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.","controlTags":{"hipaa_hitrust_v92":"true","service":"Azure/AppService"}},"appservice_api_app_client_certificates_on":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_api_app_client_certificates_on","org":"turbot","name":"appservice_api_app_client_certificates_on","sql":"with all_api_app as (\n select\n id\n from\n azure_app_service_web_app\n where\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem like '%api'\n )\n)\nselect\n a.id as resource,\n case\n when b.id is null then 'skip'\n when client_cert_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when b.id is null then a.title || ' is ' || a.kind || ' kind.'\n when client_cert_enabled then a.name || ' client certificate enabled.'\n else a.name || ' client certificate disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as a\n left join all_api_app as b on a.id = b.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":1017,"endLineNumber":1055,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_api_app_client_certificates_on","org":"turbot","name":"appservice_api_app_client_certificates_on","mod":"Azure Compliance","title":"App Service apps should have Client Certificates (Incoming client certificates) enabled","description":"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}}],"controlTitle":"App Service apps should have Client Certificates (Incoming client certificates) enabled","controlDescription":"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}},"appservice_api_app_ftps_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_api_app_ftps_enabled","org":"turbot","name":"appservice_api_app_ftps_enabled","sql":"with all_api_app as (\n select\n id\n from\n azure_app_service_web_app\n where\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem like '%api'\n )\n)\nselect\n a.id as resource,\n case\n when b.id is null then 'skip'\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm'\n else 'ok'\n end as status,\n case\n when b.id is null then a.title || ' is ' || a.kind || ' kind.'\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then a.name || ' FTPS disabled.'\n else a.name || ' FTPS enabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as a\n left join all_api_app as b on a.id = b.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":1120,"endLineNumber":1158,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_api_app_ftps_enabled","org":"turbot","name":"appservice_api_app_ftps_enabled","mod":"Azure Compliance","title":"FTPS only should be required in your API App","description":"Enable FTPS enforcement for enhanced security.","tags":{"fedramp_high":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}}],"controlTitle":"FTPS only should be required in your API App","controlDescription":"Enable FTPS enforcement for enhanced security.","controlTags":{"fedramp_high":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}},"appservice_web_app_use_https":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_web_app_use_https","org":"turbot","name":"appservice_web_app_use_https","sql":"select\n app.id as resource,\n case\n when not https_only then 'alarm'\n else 'ok'\n end as status,\n case\n when not https_only then name || ' does not redirect all HTTP traffic to HTTPS.'\n else name || ' redirects all HTTP traffic to HTTPS.'\n end as reason\n \n , app.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as app,\n azure_subscription as sub\nwhere\n sub.subscription_id = app.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":469,"endLineNumber":490,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_9_1","org":"turbot","name":"cis_v300_9_1","mod":"Azure Compliance","title":"9.1 Ensure 'HTTPS Only' is set to `On`","description":"Azure App Service allows apps to run under both HTTP and HTTPS by default. Apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.1","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_9_2","org":"turbot","name":"cis_v210_9_2","mod":"Azure Compliance","title":"9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service","description":"Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.2","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_9_2","org":"turbot","name":"cis_v200_9_2","mod":"Azure Compliance","title":"9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service","description":"Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.2","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_9_2","org":"turbot","name":"cis_v150_9_2","mod":"Azure Compliance","title":"9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service","description":"Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.2","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_9_2","org":"turbot","name":"cis_v140_9_2","mod":"Azure Compliance","title":"9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service","description":"Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.2","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_9_2","org":"turbot","name":"cis_v130_9_2","mod":"Azure Compliance","title":"9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service","description":"Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.2","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_use_https","org":"turbot","name":"appservice_web_app_use_https","mod":"Azure Compliance","title":"Web Application should only be accessible over HTTPS","description":"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.","tags":{"hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/AppService"}}],"controlTitle":"Web Application should only be accessible over HTTPS","controlDescription":"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"9.2","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/AppService","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true"}},"appservice_web_app_latest_tls_version":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_web_app_latest_tls_version","org":"turbot","name":"appservice_web_app_latest_tls_version","sql":"select\n app.id as resource,\n case\n when configuration -> 'properties' ->> 'minTlsVersion' < '1.2' then 'alarm'\n else 'ok'\n end as status,\n case\n when configuration -> 'properties' ->> 'minTlsVersion' < '1.2' then name || ' not using the latest version of TLS encryption.'\n else name || ' using the latest version of TLS encryption.'\n end as reason\n \n , app.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as app,\n azure_subscription as sub\nwhere\n sub.subscription_id = app.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":586,"endLineNumber":607,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_9_3","org":"turbot","name":"cis_v210_9_3","mod":"Azure Compliance","title":"9.3 Ensure Web App is using the latest version of TLS encryption","description":"The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.3","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_9_3","org":"turbot","name":"cis_v200_9_3","mod":"Azure Compliance","title":"9.3 Ensure Web App is using the latest version of TLS encryption","description":"The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.3","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_9_3","org":"turbot","name":"cis_v150_9_3","mod":"Azure Compliance","title":"9.3 Ensure web app is using the latest version of TLS encryption","description":"The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.3","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_9_3","org":"turbot","name":"cis_v140_9_3","mod":"Azure Compliance","title":"9.3 Ensure web app is using the latest version of TLS encryption","description":"The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.3","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_9_3","org":"turbot","name":"cis_v130_9_3","mod":"Azure Compliance","title":"9.3 Ensure web app is using the latest version of TLS encryption","description":"The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.3","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_9_4","org":"turbot","name":"cis_v300_9_4","mod":"Azure Compliance","title":"9.4 Ensure Web App is using the latest version of TLS encryption","description":"The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.4","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_latest_tls_version","org":"turbot","name":"appservice_web_app_latest_tls_version","mod":"Azure Compliance","title":"Latest TLS version should be used in your Web App","description":"Upgrade to the latest TLS version.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Latest TLS version should be used in your Web App","controlDescription":"Upgrade to the latest TLS version.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"9.4","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},"appservice_web_app_remote_debugging_disabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_web_app_remote_debugging_disabled","org":"turbot","name":"appservice_web_app_remote_debugging_disabled","sql":"select\n app.id as resource,\n case\n when kind = 'api' then 'skip'\n when configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' then 'ok'\n else 'alarm'\n end as status,\n case\n when kind = 'api' then name || ' is of ' || kind || ' type.'\n when configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' then name || ' remote debugging disabled.'\n else name || ' remote debugging enabled.'\n end as reason\n \n , app.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as app,\n azure_subscription as sub\nwhere\n sub.subscription_id = app.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":515,"endLineNumber":538,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_9_12","org":"turbot","name":"cis_v300_9_12","mod":"Azure Compliance","title":"9.12 Ensure that 'Remote debugging' is set to 'Off'","description":"Remote Debugging allows Azure App Service to be debugged in real-time directly on the Azure environment. When remote debugging is enabled, it opens a communication channel that could potentially be exploited by unauthorized users if not properly secured.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.12","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_remote_debugging_disabled","org":"turbot","name":"appservice_web_app_remote_debugging_disabled","mod":"Azure Compliance","title":"Remote debugging should be turned off for Web Applications","description":"Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Remote debugging should be turned off for Web Applications","controlDescription":"Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"9.12","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},"appservice_web_app_ftps_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_web_app_ftps_enabled","org":"turbot","name":"appservice_web_app_ftps_enabled","sql":"with all_web_app as (\n select\n id\n from\n azure_app_service_web_app\n where\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem like 'app%'\n )\n)\nselect\n a.id as resource,\n case\n when b.id is null then 'skip'\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm'\n else 'ok'\n end as status,\n case\n when b.id is null then a.title || ' is ' || a.kind || ' kind.'\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then a.name || ' FTPS disabled.'\n else a.name || ' FTPS enabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as a\n left join all_web_app as b on a.id = b.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":1200,"endLineNumber":1238,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_ftps_enabled","org":"turbot","name":"appservice_web_app_ftps_enabled","mod":"Azure Compliance","title":"FTPS should be required in your Web App","description":"Enable FTPS enforcement for enhanced security.","tags":{"nist_sp_800_171_rev_2":"true","service":"Azure/AppService"}}],"controlTitle":"FTPS should be required in your Web App","controlDescription":"Enable FTPS enforcement for enhanced security.","controlTags":{"nist_sp_800_171_rev_2":"true","service":"Azure/AppService"}},"appservice_web_app_failed_request_tracing_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_web_app_failed_request_tracing_enabled","org":"turbot","name":"appservice_web_app_failed_request_tracing_enabled","sql":"select\n a.id as resource,\n case\n when diagnostic_logs_configuration -> 'properties' -> 'failedRequestsTracing' ->> 'enabled' = 'true' then 'ok'\n else 'alarm'\n end as status,\n case\n when diagnostic_logs_configuration -> 'properties' -> 'failedRequestsTracing' ->> 'enabled' = 'true' then a.name || ' failed requests tracing enabled.'\n else a.name || ' failed requests tracing disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":1727,"endLineNumber":1748,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_failed_request_tracing_enabled","org":"turbot","name":"appservice_web_app_failed_request_tracing_enabled","mod":"Azure Compliance","title":"Web app failed request tracing should be enabled","description":"Ensure that Web app enables failed request tracing. This control is non-compliant if Web app failed request tracing is disabled.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Web app failed request tracing should be enabled","controlDescription":"Ensure that Web app enables failed request tracing. This control is non-compliant if Web app failed request tracing is disabled.","controlTags":{"service":"Azure/AppService"}},"appservice_web_app_latest_http_version":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_web_app_latest_http_version","org":"turbot","name":"appservice_web_app_latest_http_version","sql":"select\n app.id as resource,\n case\n when not (configuration -> 'properties' ->> 'http20Enabled') :: boolean then 'alarm'\n else 'ok'\n end as status,\n case\n when not (configuration -> 'properties' ->> 'http20Enabled') :: boolean then name || ' is not using the latest HTTP version.'\n else name || ' HTTP version is the latest.'\n end as reason\n \n , app.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as app,\n azure_subscription as sub\nwhere\n sub.subscription_id = app.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":1288,"endLineNumber":1309,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_9_10","org":"turbot","name":"cis_v300_9_10","mod":"Azure Compliance","title":"9.10 Ensure that 'HTTP20enabled' is set to 'true' (if in use)","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.10","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_9_8","org":"turbot","name":"cis_v210_9_8","mod":"Azure Compliance","title":"9.8 Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.8","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_9_9","org":"turbot","name":"cis_v200_9_9","mod":"Azure Compliance","title":"9.9 Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.9","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_9_9","org":"turbot","name":"cis_v150_9_9","mod":"Azure Compliance","title":"9.9 Ensure that 'HTTP Version' is the latest, if used to run the web app","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.9","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_9_9","org":"turbot","name":"cis_v140_9_9","mod":"Azure Compliance","title":"9.9 Ensure that 'HTTP Version' is the latest, if used to run the web app","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.9","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v1.4.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_9_9","org":"turbot","name":"cis_v130_9_9","mod":"Azure Compliance","title":"9.9 Ensure that 'HTTP Version' is the latest, if used to run the web app","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.9","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v1.3.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_latest_http_version","org":"turbot","name":"appservice_web_app_latest_http_version","mod":"Azure Compliance","title":"Ensure that 'HTTP Version' is the latest, if used to run the Web app","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}}],"controlTitle":"Ensure that 'HTTP Version' is the latest, if used to run the Web app","controlDescription":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"9.9","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v1.3.0","plugin":"azure","service":"Azure/AppService","fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true"}},"appservice_api_app_uses_managed_identity":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_api_app_uses_managed_identity","org":"turbot","name":"appservice_api_app_uses_managed_identity","sql":"$c3","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":927,"endLineNumber":970,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_api_app_uses_managed_identity","org":"turbot","name":"appservice_api_app_uses_managed_identity","mod":"Azure Compliance","title":"Managed identity should be used in your API App","description":"Use a managed identity for enhanced authentication security.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Managed identity should be used in your API App","controlDescription":"Use a managed identity for enhanced authentication security.","controlTags":{"service":"Azure/AppService"}},"appservice_web_app_incoming_client_cert_on":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_web_app_incoming_client_cert_on","org":"turbot","name":"appservice_web_app_incoming_client_cert_on","sql":"select\n app.id as resource,\n case\n when not client_cert_enabled then 'alarm'\n else 'ok'\n end as status,\n case\n when not client_cert_enabled then name || ' incoming client certificates set to off.'\n else name || ' incoming client certificates set to on.'\n end as reason\n \n , app.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as app,\n azure_subscription as sub\nwhere\n sub.subscription_id = app.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":492,"endLineNumber":513,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_9_4","org":"turbot","name":"cis_v200_9_4","mod":"Azure Compliance","title":"9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'","description":"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.4","cis_level":"2","cis_section_id":"9","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_9_4","org":"turbot","name":"cis_v150_9_4","mod":"Azure Compliance","title":"9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'","description":"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.4","cis_level":"2","cis_section_id":"9","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_9_4","org":"turbot","name":"cis_v140_9_4","mod":"Azure Compliance","title":"9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'","description":"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.4","cis_level":"2","cis_section_id":"9","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_9_4","org":"turbot","name":"cis_v130_9_4","mod":"Azure Compliance","title":"9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'","description":"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.4","cis_level":"2","cis_section_id":"9","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_incoming_client_cert_on","org":"turbot","name":"appservice_web_app_incoming_client_cert_on","mod":"Azure Compliance","title":"Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'","description":"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.","tags":{"nist_sp_800_171_rev_2":"true","service":"Azure/AppService"}}],"controlTitle":"Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'","controlDescription":"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"9.4","cis_level":"2","cis_section_id":"9","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/AppService","nist_sp_800_171_rev_2":"true"}},"appservice_api_app_remote_debugging_disabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_api_app_remote_debugging_disabled","org":"turbot","name":"appservice_api_app_remote_debugging_disabled","sql":"select\n app.id as resource,\n case\n when kind <> 'api' then 'skip'\n when configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' then 'ok'\n else 'alarm'\n end as status,\n case\n when kind <> 'api' then name || ' is of ' || kind || ' type.'\n when configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' then name || ' remote debugging disabled.'\n else name || ' remote debugging enabled.'\n end as reason\n \n , app.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as app,\n azure_subscription as sub\nwhere\n sub.subscription_id = app.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":695,"endLineNumber":718,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_api_app_remote_debugging_disabled","org":"turbot","name":"appservice_api_app_remote_debugging_disabled","mod":"Azure Compliance","title":"App Service apps should have remote debugging turned off","description":"Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/AppService"}}],"controlTitle":"App Service apps should have remote debugging turned off","controlDescription":"Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/AppService"}},"appservice_authentication_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_authentication_enabled","org":"turbot","name":"appservice_authentication_enabled","sql":"select\n app.id as resource,\n case\n when not (auth_settings -> 'properties' ->> 'enabled') :: boolean then 'alarm'\n else 'ok'\n end as status,\n case\n when not (auth_settings -> 'properties' ->> 'enabled') :: boolean then name || ' authentication not set.'\n else name || ' authentication set.'\n end as reason\n \n , app.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as app,\n azure_subscription as sub\nwhere\n sub.subscription_id = app.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":1597,"endLineNumber":1618,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_9_1","org":"turbot","name":"cis_v130_9_1","mod":"Azure Compliance","title":"9.1 Ensure App Service Authentication is set on Azure App Service","description":"Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.1","cis_level":"2","cis_section_id":"9","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_9_1","org":"turbot","name":"cis_v210_9_1","mod":"Azure Compliance","title":"9.1 Ensure App Service Authentication is set up for apps in Azure App Service","description":"Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.1","cis_level":"2","cis_section_id":"9","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_9_1","org":"turbot","name":"cis_v200_9_1","mod":"Azure Compliance","title":"9.1 Ensure App Service Authentication is set up for apps in Azure App Service","description":"Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.1","cis_level":"2","cis_section_id":"9","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_9_1","org":"turbot","name":"cis_v150_9_1","mod":"Azure Compliance","title":"9.1 Ensure App Service Authentication is set up for apps in Azure App Service","description":"Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.1","cis_level":"2","cis_section_id":"9","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_9_1","org":"turbot","name":"cis_v140_9_1","mod":"Azure Compliance","title":"9.1 Ensure App Service Authentication is set up for apps in Azure App Service","description":"Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.1","cis_level":"2","cis_section_id":"9","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_9_2","org":"turbot","name":"cis_v300_9_2","mod":"Azure Compliance","title":"9.2 Ensure App Service Authentication is set up for apps in Azure App Service","description":"Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.2","cis_level":"2","cis_section_id":"9","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_authentication_enabled","org":"turbot","name":"appservice_authentication_enabled","mod":"Azure Compliance","title":"Ensure App Service authentication is set up for apps in Azure App Service","description":"Azure App Service authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Ensure App Service authentication is set up for apps in Azure App Service","controlDescription":"Azure App Service authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"9.2","cis_level":"2","cis_section_id":"9","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},"appservice_api_app_latest_tls_version":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_api_app_latest_tls_version","org":"turbot","name":"appservice_api_app_latest_tls_version","sql":"with all_api_app as (\n select\n id\n from\n azure_app_service_web_app\n where\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem like '%api'\n )\n)\nselect\n a.id as resource,\n case\n when b.id is null then 'skip'\n when configuration -> 'properties' ->> 'minTlsVersion' < '1.2' then 'alarm'\n else 'ok'\n end as status,\n case\n when b.id is null then a.title || ' is ' || a.kind || ' kind.'\n when configuration -> 'properties' ->> 'minTlsVersion' < '1.2' then a.name || ' not using the latest version of TLS encryption.'\n else a.name || ' using the latest version of TLS encryption.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as a\n left join all_api_app as b on a.id = b.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":720,"endLineNumber":758,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_api_app_latest_tls_version","org":"turbot","name":"appservice_api_app_latest_tls_version","mod":"Azure Compliance","title":"App Service apps should use the latest TLS version","description":"Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/AppService"}}],"controlTitle":"App Service apps should use the latest TLS version","controlDescription":"Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/AppService"}},"appservice_web_app_use_virtual_service_endpoint":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_web_app_use_virtual_service_endpoint","org":"turbot","name":"appservice_web_app_use_virtual_service_endpoint","sql":"select\n a.id as resource,\n case\n when vnet_connection -> 'properties' -> 'vnetResourceId' is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when vnet_connection -> 'properties' -> 'vnetResourceId' is not null then a.name || ' configured with virtual network service endpoint.'\n else a.name || ' not configured with virtual network service endpoint.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":632,"endLineNumber":653,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_use_virtual_service_endpoint","org":"turbot","name":"appservice_web_app_use_virtual_service_endpoint","mod":"Azure Compliance","title":"App Service apps should use a virtual network service endpoint","description":"Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aks.ms/appservice-vnet-service-endpoint.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/AppService"}}],"controlTitle":"App Service apps should use a virtual network service endpoint","controlDescription":"Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aks.ms/appservice-vnet-service-endpoint.","controlTags":{"hipaa_hitrust_v92":"true","service":"Azure/AppService"}},"appservice_web_app_uses_managed_identity":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_web_app_uses_managed_identity","org":"turbot","name":"appservice_web_app_uses_managed_identity","sql":"$c4","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":882,"endLineNumber":925,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_uses_managed_identity","org":"turbot","name":"appservice_web_app_uses_managed_identity","mod":"Azure Compliance","title":"App Service apps should use managed identity","description":"Use a managed identity for enhanced authentication security.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}}],"controlTitle":"App Service apps should use managed identity","controlDescription":"Use a managed identity for enhanced authentication security.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}},"appservice_web_app_latest_python_version":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_web_app_latest_python_version","org":"turbot","name":"appservice_web_app_latest_python_version","sql":"$c5","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":1545,"endLineNumber":1593,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_9_6","org":"turbot","name":"cis_v210_9_6","mod":"Azure Compliance","title":"9.6 Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.6","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v2.1.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_9_8","org":"turbot","name":"cis_v300_9_8","mod":"Azure Compliance","title":"9.8 Ensure that 'Python version' is currently supported (if in use)","description":"Periodically, older versions of Python may be deprecated and no longer supported. Using a supported version of Python for app services is recommended to avoid potential unpatched vulnerabilities.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.8","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_latest_python_version","org":"turbot","name":"appservice_web_app_latest_python_version","mod":"Azure Compliance","title":"Ensure that 'Python version' is the latest, if used as a part of the Web app","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Ensure that 'Python version' is the latest, if used as a part of the Web app","controlDescription":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"9.8","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},"appservice_web_app_latest_php_version":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_web_app_latest_php_version","org":"turbot","name":"appservice_web_app_latest_php_version","sql":"$c6","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":1445,"endLineNumber":1493,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_9_5","org":"turbot","name":"cis_v210_9_5","mod":"Azure Compliance","title":"9.5 Ensure That 'PHP version' is the Latest, If Used to Run the Web App","description":"Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.5","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v2.1.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_9_7","org":"turbot","name":"cis_v300_9_7","mod":"Azure Compliance","title":"9.7 Ensure that 'PHP version' is currently supported (if in use)","description":"Periodically, older versions of PHP may be deprecated and no longer supported. Using a supported version of PHP for app services is recommended to avoid potential unpatched vulnerabilities.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.7","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_latest_php_version","org":"turbot","name":"appservice_web_app_latest_php_version","mod":"Azure Compliance","title":"Ensure that 'PHP version' is the latest, if used as a part of the WEB app","description":"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Ensure that 'PHP version' is the latest, if used as a part of the WEB app","controlDescription":"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"9.7","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},"appservice_web_app_latest_dotnet_framework_version":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_web_app_latest_dotnet_framework_version","org":"turbot","name":"appservice_web_app_latest_dotnet_framework_version","sql":"$c7","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":1685,"endLineNumber":1725,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_latest_dotnet_framework_version","org":"turbot","name":"appservice_web_app_latest_dotnet_framework_version","mod":"Azure Compliance","title":"Web app should use the latest 'Net Framework' version","description":"Periodically, newer versions are released for Net Framework software either due to security flaws or to include additional functionality. Using the latest Net Framework for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Web app should use the latest 'Net Framework' version","controlDescription":"Periodically, newer versions are released for Net Framework software either due to security flaws or to include additional functionality. Using the latest Net Framework for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version.","controlTags":{"service":"Azure/AppService"}},"appservice_web_app_cors_no_star":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_web_app_cors_no_star","org":"turbot","name":"appservice_web_app_cors_no_star","sql":"select\n a.id as resource,\n case\n when configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '[\"*\"]' then 'alarm'\n else 'ok'\n end as status,\n case\n when configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '[\"*\"]'\n then a.name || ' CORS allow all domains to access the application.'\n else a.name || ' CORS does not all domains to access the application.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":794,"endLineNumber":816,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_cors_no_star","org":"turbot","name":"appservice_web_app_cors_no_star","mod":"Azure Compliance","title":"App Service apps should not have CORS configured to allow every resource to access your apps","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.","tags":{"nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}}],"controlTitle":"App Service apps should not have CORS configured to allow every resource to access your apps","controlDescription":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.","controlTags":{"nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}},"appservice_web_app_always_on":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_web_app_always_on","org":"turbot","name":"appservice_web_app_always_on","sql":"select\n a.id as resource,\n case\n when configuration -> 'properties' ->> 'alwaysOn' = 'true' then 'ok'\n else 'alarm'\n end as status,\n case\n when configuration -> 'properties' ->> 'alwaysOn' = 'true' then a.name || ' alwaysOn is enabled.'\n else a.name || ' alwaysOn is disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":1817,"endLineNumber":1838,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_always_on","org":"turbot","name":"appservice_web_app_always_on","mod":"Azure Compliance","title":"Web apps should be configured to always be on","description":"This control ensures that a web app is configured with settings to keep it consistently active. Always On feature of Azure App Service, keeps the host process running. This allows your site to be more responsive to requests after significant idle periods.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Web apps should be configured to always be on","controlDescription":"This control ensures that a web app is configured with settings to keep it consistently active. Always On feature of Azure App Service, keeps the host process running. This allows your site to be more responsive to requests after significant idle periods.","controlTags":{"service":"Azure/AppService"}},"appservice_web_app_register_with_active_directory_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_web_app_register_with_active_directory_enabled","org":"turbot","name":"appservice_web_app_register_with_active_directory_enabled","sql":"select\n app.id as resource,\n case\n when identity = '{}' then 'alarm'\n else 'ok'\n end as status,\n case\n when identity = '{}' then name || ' register with azure active directory disabled.'\n else name || ' register with azure active directory enabled.'\n end as reason\n \n , app.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as app,\n azure_subscription as sub\nwhere\n sub.subscription_id = app.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_web_app","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":1662,"endLineNumber":1683,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_9_4","org":"turbot","name":"cis_v210_9_4","mod":"Azure Compliance","title":"9.4 Ensure that Register with Entra ID is enabled on App Service","description":"Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering an App Service with Entra ID, the app will connect to other Azure services securely without the need for usernames and passwords.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.4","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_9_5","org":"turbot","name":"cis_v200_9_5","mod":"Azure Compliance","title":"9.5 Ensure that Register with Azure Active Directory is enabled on App Service","description":"Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in App Service, the app will connect to other Azure services securely without the need for usernames and passwords.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.5","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_9_5","org":"turbot","name":"cis_v150_9_5","mod":"Azure Compliance","title":"9.5 Ensure that Register with Azure Active Directory is enabled on App Service","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.5","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_9_5","org":"turbot","name":"cis_v140_9_5","mod":"Azure Compliance","title":"9.5 Ensure that Register with Azure Active Directory is enabled on App Service","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.5","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_9_5","org":"turbot","name":"cis_v130_9_5","mod":"Azure Compliance","title":"9.5 Ensure that Register with Azure Active Directory is enabled on App Service","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.5","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_9_5","org":"turbot","name":"cis_v300_9_5","mod":"Azure Compliance","title":"9.5 Ensure that Register with Entra ID is enabled on App Service","description":"Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering an App Service with Entra ID, the app will connect to other Azure services securely without the need for usernames and passwords.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.5","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_register_with_active_directory_enabled","org":"turbot","name":"appservice_web_app_register_with_active_directory_enabled","mod":"Azure Compliance","title":"Ensure that Register with Azure Active Directory is enabled on App Service","description":"Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in App Service, the app will connect to other Azure services securely without the need for usernames and passwords.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Ensure that Register with Azure Active Directory is enabled on App Service","controlDescription":"Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in App Service, the app will connect to other Azure services securely without the need for usernames and passwords.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"9.5","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},"appservice_web_app_slot_use_https":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/appservice_web_app_slot_use_https","org":"turbot","name":"appservice_web_app_slot_use_https","sql":"select\n s.id as resource,\n case\n when https_only then 'ok'\n else 'alarm'\n end as status,\n case\n when https_only then name || ' https-only accessible enabled.'\n else name || ' https-only accessible disabled.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app_slot as s,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;\n","tags":{},"tables":["azure.azure_app_service_web_app_slot","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/appservice.pp","startLineNumber":1794,"endLineNumber":1815,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_slot_use_https","org":"turbot","name":"appservice_web_app_slot_use_https","mod":"Azure Compliance","title":"Web app slot should only be accessible over HTTPS","description":"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Web app slot should only be accessible over HTTPS","controlDescription":"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.","controlTags":{"service":"Azure/AppService"}}},"network":{"network_ddos_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_ddos_enabled","org":"turbot","name":"network_ddos_enabled","sql":"with application_gateway_subnet as (\n select\n distinct (split_part(c -> 'properties' -> 'subnet' ->> 'id', '/', 9)) as vn_name\n from\n azure_application_gateway as ag,\n jsonb_array_elements(gateway_ip_configurations) as c\n)\nselect\n a.name as resource,\n case\n when b.vn_name is null then 'ok'\n when b.vn_name is not null and enable_ddos_protection::bool then 'ok'\n else 'alarm'\n end as status,\n case\n when b.vn_name is null then 'DDoS protection not required.'\n when b.vn_name is not null and enable_ddos_protection::bool then a.name || ' DDoS protection enabled.'\n else a.name || ' DDoS protection disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_virtual_network as a\n left join application_gateway_subnet as b on a.name = b.vn_name\n join azure_subscription sub on sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_application_gateway","azure.azure_subscription","azure.azure_virtual_network"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":639,"endLineNumber":668,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_ddos_enabled","org":"turbot","name":"network_ddos_enabled","mod":"Azure Compliance","title":"Azure DDoS Protection Standard should be enabled","description":"DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.","tags":{"nist_sp_800_53_rev_5":"true","service":"Azure/Network"}}],"controlTitle":"Azure DDoS Protection Standard should be enabled","controlDescription":"DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.","controlTags":{"nist_sp_800_53_rev_5":"true","service":"Azure/Network"}},"application_gateway_waf_uses_specified_mode":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/application_gateway_waf_uses_specified_mode","org":"turbot","name":"application_gateway_waf_uses_specified_mode","sql":"select\n ag.id as resource,\n case\n when (web_application_firewall_configuration::json -> 'PolicySettings' ->> 'mode') in ('Prevention','Detection') then 'ok'\n else 'alarm'\n end as status,\n case\n when (web_application_firewall_configuration::json -> 'PolicySettings' ->> 'mode') in ('Prevention','Detection') then ag.name || ' WAF mode is set to ' || (web_application_firewall_configuration::json -> 'PolicySettings' ->> 'mode') || '.'\n else ag.name || ' WAF mode is not set to Prevention or Detection mode.' \n end as reason\n \n , ag.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_application_gateway as ag\n join azure_subscription as sub on sub.subscription_id = ag.subscription_id;\n","tags":{},"tables":["azure.azure_application_gateway","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":2136,"endLineNumber":2155,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.application_gateway_waf_uses_specified_mode","org":"turbot","name":"application_gateway_waf_uses_specified_mode","mod":"Azure Compliance","title":"Web Application Firewall (WAF) should use the specified mode for Application Gateway","description":"Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway.","tags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/Network"}}],"controlTitle":"Web Application Firewall (WAF) should use the specified mode for Application Gateway","controlDescription":"Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway.","controlTags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/Network"}},"application_gateway_waf_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/application_gateway_waf_enabled","org":"turbot","name":"application_gateway_waf_enabled","sql":"select\n ag.id resource,\n case\n when web_application_firewall_configuration is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when web_application_firewall_configuration is not null then ag.name || ' WAF enabled.'\n else ag.name || ' WAF disabled.'\n end as reason\n \n , ag.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_application_gateway as ag\n join azure_subscription as sub on sub.subscription_id = ag.subscription_id;\n","tags":{},"tables":["azure.azure_application_gateway","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":618,"endLineNumber":637,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.application_gateway_waf_enabled","org":"turbot","name":"application_gateway_waf_enabled","mod":"Azure Compliance","title":"Web Application Firewall (WAF) should be enabled for Application Gateway","description":"Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Network"}}],"controlTitle":"Web Application Firewall (WAF) should be enabled for Application Gateway","controlDescription":"Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Network"}},"network_bastion_host_min_1":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_bastion_host_min_1","org":"turbot","name":"network_bastion_host_min_1","sql":"with bastion_hosts as (\n select\n subscription_id,\n _ctx,\n region,\n resource_group,\n count(*) as no_bastion_host\n from\n azure_bastion_host\n group by\n subscription_id,\n _ctx,\n resource_group,\n region\n)\nselect\n sub.id as resource,\n case\n when i.subscription_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when i.subscription_id is null then sub.display_name || ' does not have bastion host.'\n else sub.display_name || ' has ' || no_bastion_host || ' bastion host(s).'\n end as reason\n , i.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_subscription as sub\n left join bastion_hosts as i on i.subscription_id = sub.subscription_id;\n","tags":{},"tables":["azure.azure_bastion_host","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":739,"endLineNumber":772,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_7_1","org":"turbot","name":"cis_v210_7_1","mod":"Azure Compliance","title":"7.1 Ensure an Azure Bastion Host Exists","description":"The Azure Bastion service allows secure remote access to Azure Virtual Machines over the Internet without exposing remote access protocol ports and services directly to the Internet. The Azure Bastion service provides this access using TLS over 443/TCP, and subscribes to hardened configurations within an organization's Azure Active Directory service.","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.1","cis_level":"2","cis_section_id":"7","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_7_1","org":"turbot","name":"cis_v200_7_1","mod":"Azure Compliance","title":"7.1 Ensure an Azure Bastion Host Exists","description":"The Azure Bastion service allows secure remote access to Azure Virtual Machines over the Internet without exposing remote access protocol ports and services directly to the Internet. The Azure Bastion service provides this access using TLS over 443/TCP, and subscribes to hardened configurations within an organization's Azure Active Directory service.","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.1","cis_level":"2","cis_section_id":"7","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_8_1","org":"turbot","name":"cis_v300_8_1","mod":"Azure Compliance","title":"8.1 Ensure an Azure Bastion Host Exists","description":"The Azure Bastion service allows secure remote access to Azure Virtual Machines over the Internet without exposing remote access protocol ports and services directly to the Internet. The Azure Bastion service provides this access using TLS over 443/TCP, and subscribes to hardened configurations within an organization's Azure Active Directory service.","tags":{"category":"Compliance","cis":"true","cis_item_id":"8.1","cis_level":"2","cis_section_id":"8","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_bastion_host_min_1","org":"turbot","name":"network_bastion_host_min_1","mod":"Azure Compliance","title":"Ensure an Azure Bastion Host exists","description":"The Azure Bastion service allows secure remote access to Azure Virtual Machines over the Internet without exposing remote access protocol ports and services directly to the Internet. The Azure Bastion service provides this access using TLS over 443/TCP, and subscribes to hardened configurations within an organization's Azure Active Directory service.","tags":{"service":"Azure/Network"}}],"controlTitle":"Ensure an Azure Bastion Host exists","controlDescription":"The Azure Bastion service allows secure remote access to Azure Virtual Machines over the Internet without exposing remote access protocol ports and services directly to the Internet. The Azure Bastion service provides this access using TLS over 443/TCP, and subscribes to hardened configurations within an organization's Azure Active Directory service.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"8.1","cis_level":"2","cis_section_id":"8","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Network"}},"network_lb_no_basic_sku":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_lb_no_basic_sku","org":"turbot","name":"network_lb_no_basic_sku","sql":"select\n l.id as resource,\n case\n when l.sku_name = 'Basic' then 'alarm'\n else 'ok'\n end as status,\n case\n when l.sku_name = 'Basic' then l.title || ' using basic SKU.'\n else l.title || ' using ' || sku_name || ' SKU.'\n end as reason\n \n , l.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_lb as l,\n azure_subscription as sub\nwhere\n sub.subscription_id = l.subscription_id;\n","tags":{},"tables":["azure.azure_lb","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":693,"endLineNumber":714,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_lb_no_basic_sku","org":"turbot","name":"network_lb_no_basic_sku","mod":"Azure Compliance","title":"Network load balancers should use standard SKUs as a minimum","description":"The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU’s do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads.","tags":{"service":"Azure/Network"}}],"controlTitle":"Network load balancers should use standard SKUs as a minimum","controlDescription":"The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU’s do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads.","controlTags":{"service":"Azure/Network"}},"network_watcher_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_watcher_enabled","org":"turbot","name":"network_watcher_enabled","sql":"select\n loc.id resource,\n case\n when watcher.id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when watcher.id is null then 'Network watcher not enabled in ' || loc.name || '.'\n else 'Network watcher enabled in ' || loc.name || '.'\n end as reason,\n loc.name\n \n \n , sub.display_name as subscription\nfrom\n azure_location loc\n left join azure_network_watcher watcher on watcher.region = loc.name\n join azure_subscription sub on sub.subscription_id = loc.subscription_id;\n","tags":{},"tables":["azure.azure_location","azure.azure_network_watcher","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":491,"endLineNumber":512,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_6_5","org":"turbot","name":"cis_v140_6_5","mod":"Azure Compliance","title":"6.5 Ensure that Network Watcher is 'Enabled'","description":"Enable Network Watcher for Azure subscriptions.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.5","cis_level":"1","cis_section_id":"6","cis_type":"manual","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_6_5","org":"turbot","name":"cis_v130_6_5","mod":"Azure Compliance","title":"6.5 Ensure that Network Watcher is 'Enabled'","description":"Enable Network Watcher for Azure subscriptions.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.5","cis_level":"1","cis_section_id":"6","cis_type":"manual","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_6_6","org":"turbot","name":"cis_v210_6_6","mod":"Azure Compliance","title":"6.6 Ensure that Network Watcher is 'Enabled'","description":"Enable Network Watcher for Azure subscriptions.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.6","cis_level":"2","cis_section_id":"6","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_6_6","org":"turbot","name":"cis_v200_6_6","mod":"Azure Compliance","title":"6.6 Ensure that Network Watcher is 'Enabled'","description":"Enable Network Watcher for Azure subscriptions.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.6","cis_level":"2","cis_section_id":"6","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_6_6","org":"turbot","name":"cis_v150_6_6","mod":"Azure Compliance","title":"6.6 Ensure that Network Watcher is 'Enabled'","description":"Enable Network Watcher for Azure subscriptions.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.6","cis_level":"2","cis_section_id":"6","cis_type":"manual","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_7_6","org":"turbot","name":"cis_v300_7_6","mod":"Azure Compliance","title":"7.6 Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use","description":"Enable Network Watcher for physical regions in Azure subscriptions.","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.6","cis_level":"2","cis_section_id":"7","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_watcher_enabled","org":"turbot","name":"network_watcher_enabled","mod":"Azure Compliance","title":"Network Watcher should be enabled","description":"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Network"}}],"controlTitle":"Network Watcher should be enabled","controlDescription":"Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"7.6","cis_level":"2","cis_section_id":"7","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Network","fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true"}},"network_security_group_restrict_inbound_udp_port_1434":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_restrict_inbound_udp_port_1434","org":"turbot","name":"network_security_group_restrict_inbound_udp_port_1434","sql":"$c8","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":1682,"endLineNumber":1734,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_restrict_inbound_udp_port_1434","org":"turbot","name":"network_security_group_restrict_inbound_udp_port_1434","mod":"Azure Compliance","title":"Network security groups should restrict inbound UDP port 1434 access from internet","description":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to UDP port 1434.","tags":{"service":"Azure/Network"}}],"controlTitle":"Network security groups should restrict inbound UDP port 1434 access from internet","controlDescription":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to UDP port 1434.","controlTags":{"service":"Azure/Network"}},"network_security_group_restrict_inbound_udp_port_445":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_restrict_inbound_udp_port_445","org":"turbot","name":"network_security_group_restrict_inbound_udp_port_445","sql":"$c9","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":986,"endLineNumber":1036,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_restrict_inbound_udp_port_445","org":"turbot","name":"network_security_group_restrict_inbound_udp_port_445","mod":"Azure Compliance","title":"Network security groups should restrict inbound UDP port 445 access from internet","description":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to UDP port 445.","tags":{"service":"Azure/Network"}}],"controlTitle":"Network security groups should restrict inbound UDP port 445 access from internet","controlDescription":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to UDP port 445.","controlTags":{"service":"Azure/Network"}},"network_security_group_restrict_inbound_tcp_port_5432":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_restrict_inbound_tcp_port_5432","org":"turbot","name":"network_security_group_restrict_inbound_tcp_port_5432","sql":"$ca","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":1520,"endLineNumber":1572,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_restrict_inbound_tcp_port_5432","org":"turbot","name":"network_security_group_restrict_inbound_tcp_port_5432","mod":"Azure Compliance","title":"Network security groups should restrict inbound TCP port 5432 access from internet","description":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 5432.","tags":{"service":"Azure/Network"}}],"controlTitle":"Network security groups should restrict inbound TCP port 5432 access from internet","controlDescription":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 5432.","controlTags":{"service":"Azure/Network"}},"network_security_group_restrict_inbound_tcp_port_3306":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_restrict_inbound_tcp_port_3306","org":"turbot","name":"network_security_group_restrict_inbound_tcp_port_3306","sql":"$cb","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":1250,"endLineNumber":1302,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_restrict_inbound_tcp_port_3306","org":"turbot","name":"network_security_group_restrict_inbound_tcp_port_3306","mod":"Azure Compliance","title":"Network security groups should restrict inbound TCP port 3306 access from internet","description":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 3306.","tags":{"service":"Azure/Network"}}],"controlTitle":"Network security groups should restrict inbound TCP port 3306 access from internet","controlDescription":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 3306.","controlTags":{"service":"Azure/Network"}},"network_security_group_rdp_access_restricted":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_rdp_access_restricted","org":"turbot","name":"network_security_group_rdp_access_restricted","sql":"$cc","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":446,"endLineNumber":489,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_6_1","org":"turbot","name":"cis_v210_6_1","mod":"Azure Compliance","title":"6.1 Ensure that RDP access from the Internet is evaluated and restricted","description":"Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.1","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_6_1","org":"turbot","name":"cis_v200_6_1","mod":"Azure Compliance","title":"6.1 Ensure that RDP access from the Internet is evaluated and restricted","description":"Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.1","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_6_1","org":"turbot","name":"cis_v140_6_1","mod":"Azure Compliance","title":"6.1 Ensure that RDP access is restricted from the internet","description":"Disable RDP access on network security groups from the Internet.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.1","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_6_1","org":"turbot","name":"cis_v130_6_1","mod":"Azure Compliance","title":"6.1 Ensure that RDP access is restricted from the internet","description":"Disable RDP access on network security groups from the Internet.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.1","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_6_1","org":"turbot","name":"cis_v150_6_1","mod":"Azure Compliance","title":"6.1 Ensure that RDP from the internet access is evaluated and restricted","description":"Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.1","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_7_1","org":"turbot","name":"cis_v300_7_1","mod":"Azure Compliance","title":"7.1 Ensure that RDP access from the Internet is evaluated and restricted","description":"Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.1","cis_level":"1","cis_section_id":"7","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_rdp_access_restricted","org":"turbot","name":"network_security_group_rdp_access_restricted","mod":"Azure Compliance","title":"Windows machines should meet requirements for 'User Rights Assignment'","description":"Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/Network"}}],"controlTitle":"Windows machines should meet requirements for 'User Rights Assignment'","controlDescription":"Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"7.1","cis_level":"1","cis_section_id":"7","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Network","hipaa_hitrust_v92":"true"}},"network_security_group_restrict_inbound_tcp_port_4333":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_restrict_inbound_tcp_port_4333","org":"turbot","name":"network_security_group_restrict_inbound_tcp_port_4333","sql":"$cd","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":1196,"endLineNumber":1248,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_restrict_inbound_tcp_port_4333","org":"turbot","name":"network_security_group_restrict_inbound_tcp_port_4333","mod":"Azure Compliance","title":"Network security groups should restrict inbound TCP port 4333 access from internet","description":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 4333.","tags":{"service":"Azure/Network"}}],"controlTitle":"Network security groups should restrict inbound TCP port 4333 access from internet","controlDescription":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 4333.","controlTags":{"service":"Azure/Network"}},"network_security_group_restrict_inbound_tcp_port_1433":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_restrict_inbound_tcp_port_1433","org":"turbot","name":"network_security_group_restrict_inbound_tcp_port_1433","sql":"$ce","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":1628,"endLineNumber":1680,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_restrict_inbound_tcp_port_1433","org":"turbot","name":"network_security_group_restrict_inbound_tcp_port_1433","mod":"Azure Compliance","title":"Network security groups should restrict inbound TCP port 1433 access from internet","description":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 1433.","tags":{"service":"Azure/Network"}}],"controlTitle":"Network security groups should restrict inbound TCP port 1433 access from internet","controlDescription":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 1433.","controlTags":{"service":"Azure/Network"}},"network_security_group_restrict_inbound_tcp_port_25":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_restrict_inbound_tcp_port_25","org":"turbot","name":"network_security_group_restrict_inbound_tcp_port_25","sql":"$cf","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":1574,"endLineNumber":1626,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_restrict_inbound_tcp_port_25","org":"turbot","name":"network_security_group_restrict_inbound_tcp_port_25","mod":"Azure Compliance","title":"Network security groups should restrict inbound TCP port 25 access from internet","description":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 25.","tags":{"service":"Azure/Network"}}],"controlTitle":"Network security groups should restrict inbound TCP port 25 access from internet","controlDescription":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 25.","controlTags":{"service":"Azure/Network"}},"network_security_group_restrict_inbound_tcp_port_20":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_restrict_inbound_tcp_port_20","org":"turbot","name":"network_security_group_restrict_inbound_tcp_port_20","sql":"$d0","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":1038,"endLineNumber":1088,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_restrict_inbound_tcp_port_20","org":"turbot","name":"network_security_group_restrict_inbound_tcp_port_20","mod":"Azure Compliance","title":"Network security groups should restrict inbound TCP port 20 access from internet","description":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 20.","tags":{"service":"Azure/Network"}}],"controlTitle":"Network security groups should restrict inbound TCP port 20 access from internet","controlDescription":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 20.","controlTags":{"service":"Azure/Network"}},"network_security_group_diagnostic_setting_deployed":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_diagnostic_setting_deployed","org":"turbot","name":"network_security_group_diagnostic_setting_deployed","sql":"with logging_details as (\n select\n distinct name as nsg_name\n from\n azure_network_security_group,\n jsonb_array_elements(diagnostic_settings) setting\n where\n diagnostic_settings is not null\n and setting ->> 'name' = 'setbypolicy'\n)\nselect\n a.resource_guid as resource,\n case\n when a.diagnostic_settings is null then 'alarm'\n when l.nsg_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when a.diagnostic_settings is null then a.name || ' logging not enabled.'\n when l.nsg_name is null then a.name || ' logging not enabled.'\n else a.name || ' logging enabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_network_security_group as a\n left join logging_details as l on a.name = l.nsg_name,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":582,"endLineNumber":616,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_diagnostic_setting_deployed","org":"turbot","name":"network_security_group_diagnostic_setting_deployed","mod":"Azure Compliance","title":"Deploy Diagnostic Settings for Network Security Groups","description":"This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/Network"}}],"controlTitle":"Deploy Diagnostic Settings for Network Security Groups","controlDescription":"This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created.","controlTags":{"hipaa_hitrust_v92":"true","service":"Azure/Network"}},"network_sg_flowlog_retention_period_greater_than_90":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_sg_flowlog_retention_period_greater_than_90","org":"turbot","name":"network_sg_flowlog_retention_period_greater_than_90","sql":"select\n sg.id resource,\n case\n when fl.id is null or not fl.enabled or fl.retention_policy_days < 90 then 'alarm'\n else 'ok'\n end as status,\n case\n when fl.id is null or not fl.enabled\n then sg.name || ' flowlog not enabled.'\n when fl.retention_policy_days < 90\n then sg.name || ' flowlog ' || fl.title || ' retention period is less than 90 days.'\n else sg.name || ' flowlog ' || fl.title || ' retention period is ' || fl.retention_policy_days || ' days.'\n end as reason\n \n , sg.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_network_security_group sg\n left join azure_network_watcher_flow_log fl on sg.id = fl.target_resource_id\n join azure_subscription sub on sub.subscription_id = sg.subscription_id;\n","tags":{},"tables":["azure.azure_network_security_group","azure.azure_network_watcher_flow_log","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":928,"endLineNumber":951,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_6_4","org":"turbot","name":"cis_v140_6_4","mod":"Azure Compliance","title":"6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'","description":"Network Security Group Flow Logs should be enabled and the retention period is set to greater than or equal to 90 days.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.4","cis_level":"2","cis_section_id":"6","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_6_4","org":"turbot","name":"cis_v130_6_4","mod":"Azure Compliance","title":"6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'","description":"Network Security Group Flow Logs should be enabled and the retention period is set to greater than or equal to 90 days.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.4","cis_level":"2","cis_section_id":"6","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_6_5","org":"turbot","name":"cis_v210_6_5","mod":"Azure Compliance","title":"6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'","description":"Network Security Group Flow Logs should be enabled and the retention period set to greater than or equal to 90 days.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.5","cis_level":"2","cis_section_id":"6","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_6_5","org":"turbot","name":"cis_v200_6_5","mod":"Azure Compliance","title":"6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'","description":"Network Security Group Flow Logs should be enabled and the retention period set to greater than or equal to 90 days.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.5","cis_level":"2","cis_section_id":"6","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_6_5","org":"turbot","name":"cis_v150_6_5","mod":"Azure Compliance","title":"6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'","description":"Network Security Group Flow Logs should be enabled and the retention period is set to greater than or equal to 90 days.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.5","cis_level":"2","cis_section_id":"6","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_7_5","org":"turbot","name":"cis_v300_7_5","mod":"Azure Compliance","title":"7.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'","description":"Network Security Group Flow Logs should be enabled and the retention period set to greater than or equal to 90 days.","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.5","cis_level":"2","cis_section_id":"7","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_sg_flowlog_retention_period_greater_than_90","org":"turbot","name":"network_sg_flowlog_retention_period_greater_than_90","mod":"Azure Compliance","title":"Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'","description":"Network Security Group Flow Logs should be enabled and the retention period is set to greater than or equal to 90 days.","tags":{"service":"Azure/Network"}}],"controlTitle":"Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'","controlDescription":"Network Security Group Flow Logs should be enabled and the retention period is set to greater than or equal to 90 days.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"7.5","cis_level":"2","cis_section_id":"7","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Network"}},"network_security_group_restrict_inbound_tcp_port_5500":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_restrict_inbound_tcp_port_5500","org":"turbot","name":"network_security_group_restrict_inbound_tcp_port_5500","sql":"$d1","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":1790,"endLineNumber":1842,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_restrict_inbound_tcp_port_5500","org":"turbot","name":"network_security_group_restrict_inbound_tcp_port_5500","mod":"Azure Compliance","title":"Network security groups should restrict inbound TCP port 5500 access from internet","description":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 5500.","tags":{"service":"Azure/Network"}}],"controlTitle":"Network security groups should restrict inbound TCP port 5500 access from internet","controlDescription":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 5500.","controlTags":{"service":"Azure/Network"}},"network_security_group_restrict_inbound_tcp_port_23":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_restrict_inbound_tcp_port_23","org":"turbot","name":"network_security_group_restrict_inbound_tcp_port_23","sql":"$d2","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":1736,"endLineNumber":1788,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_restrict_inbound_tcp_port_23","org":"turbot","name":"network_security_group_restrict_inbound_tcp_port_23","mod":"Azure Compliance","title":"Network security groups should restrict inbound TCP port 23 access from internet","description":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 23.","tags":{"service":"Azure/Network"}}],"controlTitle":"Network security groups should restrict inbound TCP port 23 access from internet","controlDescription":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 23.","controlTags":{"service":"Azure/Network"}},"network_security_group_restrict_inbound_tcp_port_53":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_restrict_inbound_tcp_port_53","org":"turbot","name":"network_security_group_restrict_inbound_tcp_port_53","sql":"$d3","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":1304,"endLineNumber":1356,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_restrict_inbound_tcp_port_53","org":"turbot","name":"network_security_group_restrict_inbound_tcp_port_53","mod":"Azure Compliance","title":"Network security groups should restrict inbound TCP port 53 access from internet","description":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 53.","tags":{"service":"Azure/Network"}}],"controlTitle":"Network security groups should restrict inbound TCP port 53 access from internet","controlDescription":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 53.","controlTags":{"service":"Azure/Network"}},"network_security_group_restrict_inbound_tcp_port_445":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_restrict_inbound_tcp_port_445","org":"turbot","name":"network_security_group_restrict_inbound_tcp_port_445","sql":"$d4","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":1952,"endLineNumber":2004,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_restrict_inbound_tcp_port_445","org":"turbot","name":"network_security_group_restrict_inbound_tcp_port_445","mod":"Azure Compliance","title":"Network security groups should restrict inbound TCP port 445 access from internet","description":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 445.","tags":{"service":"Azure/Network"}}],"controlTitle":"Network security groups should restrict inbound TCP port 445 access from internet","controlDescription":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 445.","controlTags":{"service":"Azure/Network"}},"network_security_group_restrict_inbound_udp_port_138":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_restrict_inbound_udp_port_138","org":"turbot","name":"network_security_group_restrict_inbound_udp_port_138","sql":"$d5","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":1466,"endLineNumber":1518,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_restrict_inbound_udp_port_138","org":"turbot","name":"network_security_group_restrict_inbound_udp_port_138","mod":"Azure Compliance","title":"Network security groups should restrict inbound UDP port 137 access from internet","description":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to UDP port 137.","tags":{"service":"Azure/Network"}}],"controlTitle":"Network security groups should restrict inbound UDP port 137 access from internet","controlDescription":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to UDP port 137.","controlTags":{"service":"Azure/Network"}},"network_security_group_ssh_access_restricted":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_ssh_access_restricted","org":"turbot","name":"network_security_group_ssh_access_restricted","sql":"$d6","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":833,"endLineNumber":876,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_6_2","org":"turbot","name":"cis_v210_6_2","mod":"Azure Compliance","title":"6.2 Ensure that SSH access from the Internet is evaluated and restricted","description":"Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_6_2","org":"turbot","name":"cis_v200_6_2","mod":"Azure Compliance","title":"6.2 Ensure that SSH access from the Internet is evaluated and restricted","description":"Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_6_2","org":"turbot","name":"cis_v150_6_2","mod":"Azure Compliance","title":"6.2 Ensure that SSH access from the internet is evaluated and restricted ","description":"Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_6_2","org":"turbot","name":"cis_v140_6_2","mod":"Azure Compliance","title":"6.2 Ensure that SSH access is restricted from the internet","description":"Disable SSH access on network security groups from the Internet.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_6_2","org":"turbot","name":"cis_v130_6_2","mod":"Azure Compliance","title":"6.2 Ensure that SSH access is restricted from the internet","description":"Disable SSH access on network security groups from the Internet.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_7_2","org":"turbot","name":"cis_v300_7_2","mod":"Azure Compliance","title":"7.2 Ensure that SSH access from the Internet is evaluated and restricted","description":"Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.2","cis_level":"1","cis_section_id":"7","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_ssh_access_restricted","org":"turbot","name":"network_security_group_ssh_access_restricted","mod":"Azure Compliance","title":"Ensure that SSH access is restricted from the internet","description":"Disable SSH access on network security groups from the Internet.","tags":{"service":"Azure/Network"}}],"controlTitle":"Ensure that SSH access is restricted from the internet","controlDescription":"Disable SSH access on network security groups from the Internet.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"7.2","cis_level":"1","cis_section_id":"7","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Network"}},"network_security_group_restrict_inbound_tcp_port_21":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_restrict_inbound_tcp_port_21","org":"turbot","name":"network_security_group_restrict_inbound_tcp_port_21","sql":"$d7","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":1090,"endLineNumber":1140,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_restrict_inbound_tcp_port_21","org":"turbot","name":"network_security_group_restrict_inbound_tcp_port_21","mod":"Azure Compliance","title":"Network security groups should restrict inbound TCP port 21 access from internet","description":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 20.","tags":{"service":"Azure/Network"}}],"controlTitle":"Network security groups should restrict inbound TCP port 21 access from internet","controlDescription":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 20.","controlTags":{"service":"Azure/Network"}},"network_security_group_restrict_inbound_tcp_port_135":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_restrict_inbound_tcp_port_135","org":"turbot","name":"network_security_group_restrict_inbound_tcp_port_135","sql":"$d8","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":1898,"endLineNumber":1950,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_restrict_inbound_tcp_port_135","org":"turbot","name":"network_security_group_restrict_inbound_tcp_port_135","mod":"Azure Compliance","title":"Network security groups should restrict inbound TCP port 135 access from internet","description":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 135.","tags":{"service":"Azure/Network"}}],"controlTitle":"Network security groups should restrict inbound TCP port 135 access from internet","controlDescription":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 135.","controlTags":{"service":"Azure/Network"}},"network_security_group_https_access_restricted":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_https_access_restricted","org":"turbot","name":"network_security_group_https_access_restricted","sql":"$d9","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":774,"endLineNumber":831,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_6_4","org":"turbot","name":"cis_v210_6_4","mod":"Azure Compliance","title":"6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted","description":"Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.4","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_6_4","org":"turbot","name":"cis_v200_6_4","mod":"Azure Compliance","title":"6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted","description":"Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.4","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_6_4","org":"turbot","name":"cis_v150_6_4","mod":"Azure Compliance","title":"6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted ","description":"Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.4","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_7_4","org":"turbot","name":"cis_v300_7_4","mod":"Azure Compliance","title":"7.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted","description":"Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured.","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.4","cis_level":"1","cis_section_id":"7","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_https_access_restricted","org":"turbot","name":"network_security_group_https_access_restricted","mod":"Azure Compliance","title":"Ensure that HTTP(S) access from the Internet is evaluated and restricted","description":"Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured.","tags":{"service":"Azure/Network"}}],"controlTitle":"Ensure that HTTP(S) access from the Internet is evaluated and restricted","controlDescription":"Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"7.4","cis_level":"1","cis_section_id":"7","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Network"}},"network_sg_flowlog_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_sg_flowlog_enabled","org":"turbot","name":"network_sg_flowlog_enabled","sql":"select\n sg.id resource,\n case\n when sg.flow_logs is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when sg.flow_logs is not null then sg.name || ' flowlog enabled.'\n else sg.name || ' flowlog disabled.'\n end as reason\n \n , sg.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_network_security_group as sg\n join azure_subscription sub on sub.subscription_id = sg.subscription_id;\n","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":2050,"endLineNumber":2069,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_sg_flowlog_enabled","org":"turbot","name":"network_sg_flowlog_enabled","mod":"Azure Compliance","title":"Flow logs should be configured for every network security group","description":"Audit for network security groups to verify if flow logs are configured. Enabling flow logs allows to log information about IP traffic flowing through network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more.","tags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/Network"}}],"controlTitle":"Flow logs should be configured for every network security group","controlDescription":"Audit for network security groups to verify if flow logs are configured. Enabling flow logs allows to log information about IP traffic flowing through network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more.","controlTags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/Network"}},"network_security_group_udp_service_restricted":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_udp_service_restricted","org":"turbot","name":"network_security_group_udp_service_restricted","sql":"$da","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":878,"endLineNumber":926,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_6_3","org":"turbot","name":"cis_v210_6_3","mod":"Azure Compliance","title":"6.3 Ensure that UDP access from the Internet is evaluated and restricted","description":"Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.3","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_6_3","org":"turbot","name":"cis_v200_6_3","mod":"Azure Compliance","title":"6.3 Ensure that UDP access from the Internet is evaluated and restricted","description":"Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.3","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_6_3","org":"turbot","name":"cis_v150_6_3","mod":"Azure Compliance","title":"6.3 Ensure that UDP access from the Internet is evaluated and restricted","description":"Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.3","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_6_6","org":"turbot","name":"cis_v140_6_6","mod":"Azure Compliance","title":"6.6 Ensure that UDP Services are restricted from the Internet","description":"Disable Internet exposed UDP ports on network security groups.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.6","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_6_6","org":"turbot","name":"cis_v130_6_6","mod":"Azure Compliance","title":"6.6 Ensure that UDP Services are restricted from the Internet","description":"Disable Internet exposed UDP ports on network security groups.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.6","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_7_3","org":"turbot","name":"cis_v300_7_3","mod":"Azure Compliance","title":"7.3 Ensure that UDP access from the Internet is evaluated and restricted","description":"Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.3","cis_level":"1","cis_section_id":"7","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_udp_service_restricted","org":"turbot","name":"network_security_group_udp_service_restricted","mod":"Azure Compliance","title":"Ensure that UDP Services are restricted from the Internet","description":"Disable Internet exposed UDP ports on network security groups.","tags":{"service":"Azure/Network"}}],"controlTitle":"Ensure that UDP Services are restricted from the Internet","controlDescription":"Disable Internet exposed UDP ports on network security groups.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"7.3","cis_level":"1","cis_section_id":"7","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Network"}},"network_security_group_restrict_inbound_udp_port_53":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_restrict_inbound_udp_port_53","org":"turbot","name":"network_security_group_restrict_inbound_udp_port_53","sql":"$db","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":1358,"endLineNumber":1410,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_restrict_inbound_udp_port_53","org":"turbot","name":"network_security_group_restrict_inbound_udp_port_53","mod":"Azure Compliance","title":"Network security groups should restrict inbound UDP port 53 access from internet","description":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to UDP port 53.","tags":{"service":"Azure/Network"}}],"controlTitle":"Network security groups should restrict inbound UDP port 53 access from internet","controlDescription":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to UDP port 53.","controlTags":{"service":"Azure/Network"}},"network_security_group_restrict_inbound_udp_port_137":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_restrict_inbound_udp_port_137","org":"turbot","name":"network_security_group_restrict_inbound_udp_port_137","sql":"$dc","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":1412,"endLineNumber":1464,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_restrict_inbound_udp_port_137","org":"turbot","name":"network_security_group_restrict_inbound_udp_port_137","mod":"Azure Compliance","title":"Network security groups should restrict inbound UDP port 137 access from internet","description":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to UDP port 137.","tags":{"service":"Azure/Network"}}],"controlTitle":"Network security groups should restrict inbound UDP port 137 access from internet","controlDescription":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to UDP port 137.","controlTags":{"service":"Azure/Network"}},"network_security_group_subnet_associated":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_subnet_associated","org":"turbot","name":"network_security_group_subnet_associated","sql":"select\n sg.id resource,\n case\n when subnets is null then 'alarm'\n else 'ok'\n end as status,\n case\n when subnets is null then name || ' not associated with subnet.'\n else name || ' associated with ' || split_part(rtrim((subnet -> 'id') :: text, '\"'), '/subnets/',2) || '.'\n end as reason\n \n , sg.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_network_security_group as sg\n join azure_subscription as sub on sub.subscription_id = sg.subscription_id\n left join jsonb_array_elements(subnets) as subnet on true;\n","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":514,"endLineNumber":534,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_subnet_associated","org":"turbot","name":"network_security_group_subnet_associated","mod":"Azure Compliance","title":"Subnets should be associated with a Network Security Group","description":"This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Network"}}],"controlTitle":"Subnets should be associated with a Network Security Group","controlDescription":"This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Network"}},"network_security_group_restrict_inbound_tcp_port_5900":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_restrict_inbound_tcp_port_5900","org":"turbot","name":"network_security_group_restrict_inbound_tcp_port_5900","sql":"$dd","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":1844,"endLineNumber":1896,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_restrict_inbound_tcp_port_5900","org":"turbot","name":"network_security_group_restrict_inbound_tcp_port_5900","mod":"Azure Compliance","title":"Network security groups should restrict inbound TCP port 5900 access from internet","description":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 5900.","tags":{"service":"Azure/Network"}}],"controlTitle":"Network security groups should restrict inbound TCP port 5900 access from internet","controlDescription":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 5900.","controlTags":{"service":"Azure/Network"}},"network_security_group_remote_access_restricted":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_remote_access_restricted","org":"turbot","name":"network_security_group_remote_access_restricted","sql":"$de","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":394,"endLineNumber":444,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_remote_access_restricted","org":"turbot","name":"network_security_group_remote_access_restricted","mod":"Azure Compliance","title":"Management ports should be closed on your virtual machines","description":"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Network"}}],"controlTitle":"Management ports should be closed on your virtual machines","controlDescription":"Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Network"}},"network_security_group_restrict_inbound_icmp_port":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_restrict_inbound_icmp_port","org":"turbot","name":"network_security_group_restrict_inbound_icmp_port","sql":"$df","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":1142,"endLineNumber":1194,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_restrict_inbound_icmp_port","org":"turbot","name":"network_security_group_restrict_inbound_icmp_port","mod":"Azure Compliance","title":"Network security groups should restrict inbound ICMP port access from internet","description":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to ICMP port.","tags":{"service":"Azure/Network"}}],"controlTitle":"Network security groups should restrict inbound ICMP port access from internet","controlDescription":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to ICMP port.","controlTags":{"service":"Azure/Network"}},"network_security_group_outbound_access_restricted":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_outbound_access_restricted","org":"turbot","name":"network_security_group_outbound_access_restricted","sql":"$e0","tags":{},"tables":["azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":2006,"endLineNumber":2048,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_outbound_access_restricted","org":"turbot","name":"network_security_group_outbound_access_restricted","mod":"Azure Compliance","title":"Network security groups should restrict outbound access from internet","description":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted outbound access.","tags":{"service":"Azure/Network"}}],"controlTitle":"Network security groups should restrict outbound access from internet","controlDescription":"Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted outbound access.","controlTags":{"service":"Azure/Network"}},"network_watcher_in_regions_with_virtual_network":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_watcher_in_regions_with_virtual_network","org":"turbot","name":"network_watcher_in_regions_with_virtual_network","sql":"select\n a.id resource,\n case\n when b.region is null then 'alarm'\n when lower(b.resource_group) = 'networkwatcherrg' then 'ok'\n else 'alarm'\n end as status,\n case\n when b.region is null then 'Network watcher does not exist in region' || a.region || '.'\n when lower(b.resource_group) = 'networkwatcherrg' then b.name || ' exist in networkWatcherRG resource group.'\n else b.name || ' does not exist in networkWatcherRG resource group.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_virtual_network as a\n left join azure_network_watcher as b on a.region = b.region\n left join azure_subscription sub on sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_network_watcher","azure.azure_subscription","azure.azure_virtual_network"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":558,"endLineNumber":580,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_watcher_in_regions_with_virtual_network","org":"turbot","name":"network_watcher_in_regions_with_virtual_network","mod":"Azure Compliance","title":"Deploy network watcher when virtual networks are created","description":"This policy creates a network watcher resource in regions with virtual networks. You need to ensure existence of a resource group named networkWatcherRG, which will be used to deploy network watcher instances.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/Network"}}],"controlTitle":"Deploy network watcher when virtual networks are created","controlDescription":"This policy creates a network watcher resource in regions with virtual networks. You need to ensure existence of a resource group named networkWatcherRG, which will be used to deploy network watcher instances.","controlTags":{"hipaa_hitrust_v92":"true","service":"Azure/Network"}},"network_watcher_flow_log_traffic_analytics_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_watcher_flow_log_traffic_analytics_enabled","org":"turbot","name":"network_watcher_flow_log_traffic_analytics_enabled","sql":"select\n sg.id resource,\n case\n when sg.enabled and traffic_analytics ->> 'enabled' = 'true' and (traffic_analytics ->> 'trafficAnalyticsInterval')::int between 10 and 60 then 'ok'\n else 'alarm'\n end as status,\n case\n when sg.enabled and traffic_analytics ->> 'enabled' = 'true' and (traffic_analytics ->> 'trafficAnalyticsInterval')::int between 10 and 60 then sg.name || ' flowlog traffic analytics enabled.'\n else sg.name || ' flowlog traffic analytics disabled.'\n end as reason\n \n , sg.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_network_watcher_flow_log as sg\n join azure_subscription sub on sub.subscription_id = sg.subscription_id;\n","tags":{},"tables":["azure.azure_network_watcher_flow_log","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":2115,"endLineNumber":2134,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_watcher_flow_log_traffic_analytics_enabled","org":"turbot","name":"network_watcher_flow_log_traffic_analytics_enabled","mod":"Azure Compliance","title":"Network Watcher flow logs should have traffic analytics enabled","description":"Traffic analytics analyzes flow logs to provide insights into traffic flow in your Azure cloud. It can be used to visualize network activity across your Azure subscriptions and identify hot spots, identify security threats, understand traffic flow patterns, pinpoint network misconfigurations and more.","tags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/Network"}}],"controlTitle":"Network Watcher flow logs should have traffic analytics enabled","controlDescription":"Traffic analytics analyzes flow logs to provide insights into traffic flow in your Azure cloud. It can be used to visualize network activity across your Azure subscriptions and identify hot spots, identify security threats, understand traffic flow patterns, pinpoint network misconfigurations and more.","controlTags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/Network"}},"network_watcher_flow_log_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_watcher_flow_log_enabled","org":"turbot","name":"network_watcher_flow_log_enabled","sql":"select\n sg.id resource,\n case\n when sg.enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when sg.enabled then sg.name || ' flowlog enabled.'\n else sg.name || ' flowlog disabled.'\n end as reason\n \n , sg.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_network_watcher_flow_log as sg\n join azure_subscription sub on sub.subscription_id = sg.subscription_id;\n","tags":{},"tables":["azure.azure_network_watcher_flow_log","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":2094,"endLineNumber":2113,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_watcher_flow_log_enabled","org":"turbot","name":"network_watcher_flow_log_enabled","mod":"Azure Compliance","title":"All flow log resources should be in enabled state","description":"Audit for flow log resources to verify if flow log status is enabled. Enabling flow logs allows to log information about IP traffic flowing. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more.","tags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/Network"}}],"controlTitle":"All flow log resources should be in enabled state","controlDescription":"Audit for flow log resources to verify if flow log status is enabled. Enabling flow logs allows to log information about IP traffic flowing. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more.","controlTags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/Network"}},"network_public_ip_no_basic_sku":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_public_ip_no_basic_sku","org":"turbot","name":"network_public_ip_no_basic_sku","sql":"select\n i.id as resource,\n case\n when i.sku_name = 'Basic' then 'alarm'\n else 'ok'\n end as status,\n case\n when i.sku_name = 'Basic' then i.title || ' using basic SKU.'\n else i.title || ' using ' || sku_name || ' SKU.'\n end as reason\n \n , i.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_public_ip as i,\n azure_subscription as sub\nwhere\n sub.subscription_id = i.subscription_id;\n","tags":{},"tables":["azure.azure_public_ip","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":716,"endLineNumber":737,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_public_ip_no_basic_sku","org":"turbot","name":"network_public_ip_no_basic_sku","mod":"Azure Compliance","title":"Network public IPs should use standard SKUs as a minimum","description":"The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU’s do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads.","tags":{"service":"Azure/Network"}}],"controlTitle":"Network public IPs should use standard SKUs as a minimum","controlDescription":"The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU’s do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads.","controlTags":{"service":"Azure/Network"}},"network_security_group_not_configured_gateway_subnets":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_security_group_not_configured_gateway_subnets","org":"turbot","name":"network_security_group_not_configured_gateway_subnets","sql":"select\n subnet.id resource,\n case\n when subnet.name = 'GatewaySubnet' and network_security_group_id is not null then 'alarm'\n when subnet.name = 'GatewaySubnet' and network_security_group_id is null then 'ok'\n else 'skip'\n end as status,\n case\n when subnet.name = 'GatewaySubnet' and network_security_group_id is not null then 'Gateway subnet configured with network security group.'\n when subnet.name = 'GatewaySubnet' and network_security_group_id is null then 'Gateway subnet not configured with network security group.'\n else subnet.name || ' not of gateway subnet type.'\n end as reason\n , subnet.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_subnet as subnet\n join azure_subscription as sub on sub.subscription_id = subnet.subscription_id;\n","tags":{},"tables":["azure.azure_subnet","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":536,"endLineNumber":556,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_not_configured_gateway_subnets","org":"turbot","name":"network_security_group_not_configured_gateway_subnets","mod":"Azure Compliance","title":"Gateway subnets should not be configured with a network security group","description":"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/Network"}}],"controlTitle":"Gateway subnets should not be configured with a network security group","controlDescription":"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.","controlTags":{"hipaa_hitrust_v92":"true","service":"Azure/Network"}},"network_virtual_network_gateway_no_basic_sku":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_virtual_network_gateway_no_basic_sku","org":"turbot","name":"network_virtual_network_gateway_no_basic_sku","sql":"select\n g.id as resource,\n case\n when g.sku_name = 'Basic' then 'alarm'\n else 'ok'\n end as status,\n case\n when g.sku_name = 'Basic' then g.title || ' using basic SKU.'\n else g.title || ' using ' || sku_name || ' SKU.'\n end as reason\n \n , g.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_virtual_network_gateway as g,\n azure_subscription as sub\nwhere\n sub.subscription_id = g.subscription_id;\n","tags":{},"tables":["azure.azure_subscription","azure.azure_virtual_network_gateway"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":670,"endLineNumber":691,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_virtual_network_gateway_no_basic_sku","org":"turbot","name":"network_virtual_network_gateway_no_basic_sku","mod":"Azure Compliance","title":"Virtual network gateways should use standard SKUs as a minimum","description":"The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU’s do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads.","tags":{"service":"Azure/Network"}}],"controlTitle":"Virtual network gateways should use standard SKUs as a minimum","controlDescription":"The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU’s do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads.","controlTags":{"service":"Azure/Network"}},"network_network_peering_connected":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_network_peering_connected","org":"turbot","name":"network_network_peering_connected","sql":"with disconnected_network_peering as (\n select\n distinct id as vn_id\n from\n azure_virtual_network as n,\n jsonb_array_elements(network_peerings) as p\n where\n p -> 'properties' ->> 'peeringState' = 'Disconnected'\n)\nselect\n n.id as resource,\n case\n when jsonb_array_length(network_peerings) = 0 then 'ok'\n when p.vn_id is not null then 'alarm'\n else 'ok'\n end as status,\n case\n when jsonb_array_length(network_peerings) = 0 then n.title || ' has no network peering.'\n when p.vn_id is not null then n.title || ' has network peering in disconnected state.'\n else n.title || ' has network peering in connected state.'\n end as reason\n \n , n.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_virtual_network as n\n left join disconnected_network_peering as p on p.vn_id = n.id\n join azure_subscription sub on sub.subscription_id = n.subscription_id;\n","tags":{},"tables":["azure.azure_subscription","azure.azure_virtual_network"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/network.pp","startLineNumber":953,"endLineNumber":984,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_network_peering_connected","org":"turbot","name":"network_network_peering_connected","mod":"Azure Compliance","title":"Virtual network network peering should be in connected state","description":"This control ensures whether virtual network network peering is in connetecd state. This contol is non-compliant if network peering is not in connected state.","tags":{"service":"Azure/Network"}}],"controlTitle":"Virtual network network peering should be in connected state","controlDescription":"This control ensures whether virtual network network peering is in connetecd state. This contol is non-compliant if network peering is not in connected state.","controlTags":{"service":"Azure/Network"}}},"monitor":{"application_insights_block_log_ingestion_and_querying_from_public":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/application_insights_block_log_ingestion_and_querying_from_public","org":"turbot","name":"application_insights_block_log_ingestion_and_querying_from_public","sql":"select\n a.id as resource,\n case\n when type = 'microsoft.insights/components' and public_network_access_for_ingestion = 'Enabled' and public_network_access_for_query = 'Enabled' then 'ok'\n else 'alarm'\n end as status,\n case\n when type = 'microsoft.insights/components' and public_network_access_for_ingestion = 'Enabled' and public_network_access_for_query = 'Enabled' then a.name || ' allows log ingestion and querying from public network.'\n else a.name || ' does not allow log ingestion and querying from public network.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_application_insight as a\n left join azure_subscription sub on sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_application_insight","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":1283,"endLineNumber":1302,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.application_insights_block_log_ingestion_and_querying_from_public","org":"turbot","name":"application_insights_block_log_ingestion_and_querying_from_public","mod":"Azure Compliance","title":"Application Insights components should block log ingestion and querying from public networks","description":"Improve Application Insights security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs of this component. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights.","tags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/Monitor"}}],"controlTitle":"Application Insights components should block log ingestion and querying from public networks","controlDescription":"Improve Application Insights security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs of this component. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights.","controlTags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/Monitor"}},"application_insights_linked_to_log_analytics_workspace":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/application_insights_linked_to_log_analytics_workspace","org":"turbot","name":"application_insights_linked_to_log_analytics_workspace","sql":"select\n a.id as resource,\n case\n when type = 'microsoft.insights/components' and workspace_resource_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when type = 'microsoft.insights/components' and workspace_resource_id is not null then a.name || ' linked to log analytics workspace.'\n else a.name || ' not linked to log analytics workspace.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_application_insight as a\n left join azure_subscription sub on sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_application_insight","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":1262,"endLineNumber":1281,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.application_insights_linked_to_log_analytics_workspace","org":"turbot","name":"application_insights_linked_to_log_analytics_workspace","mod":"Azure Compliance","title":"Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace","description":"Link the Application Insights component to a Log Analytics workspace for logs encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your data in Azure Monitor. Linking your component to a Log Analytics workspace that's enabled with a customer-managed key, ensures that your Application Insights logs meet this compliance requirement, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys.","tags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/Monitor"}}],"controlTitle":"Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace","controlDescription":"Link the Application Insights component to a Log Analytics workspace for logs encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your data in Azure Monitor. Linking your component to a Log Analytics workspace that's enabled with a customer-managed key, ensures that your Application Insights logs meet this compliance requirement, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys.","controlTags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/Monitor"}},"monitor_application_insights_configured":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/monitor_application_insights_configured","org":"turbot","name":"monitor_application_insights_configured","sql":"with application_insights as (\n select\n subscription_id,\n count(*) as no_application_insight\n from\n azure_application_insight\n group by\n subscription_id\n)\nselect\n sub.id as resource,\n case\n when i.subscription_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when i.subscription_id is null then sub.display_name || ' does not have application insights configured.'\n else sub.display_name || ' has ' || no_application_insight || ' application insights configured.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_subscription as sub\n left join application_insights as i on i.subscription_id = sub.subscription_id;\n","tags":{},"tables":["azure.azure_application_insight","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":411,"endLineNumber":438,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_5_3_1","org":"turbot","name":"cis_v210_5_3_1","mod":"Azure Compliance","title":"5.3.1 Ensure Application Insights are Configured","description":"Application Insights within Azure act as an Application Performance Monitoring solution providing valuable data into how well an application performs and additional information when performing incident response. The types of log data collected include application metrics, telemetry data, and application trace logging data providing organizations with detailed information about application activity and application transactions.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.3.1","cis_level":"2","cis_section_id":"5","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_5_3_1","org":"turbot","name":"cis_v200_5_3_1","mod":"Azure Compliance","title":"5.3.1 Ensure Application Insights are Configured","description":"Application Insights within Azure act as an Application Performance Monitoring solution providing valuable data into how well an application performs and additional information when performing incident response. The types of log data collected include application metrics, telemetry data, and application trace logging data providing organizations with detailed information about application activity and application transactions.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.3.1","cis_level":"2","cis_section_id":"5","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_6_3_1","org":"turbot","name":"cis_v300_6_3_1","mod":"Azure Compliance","title":"6.3.1 Ensure Application Insights are Configured","description":"Application Insights within Azure act as an Application Performance Monitoring solution providing valuable data into how well an application performs and additional information when performing incident response. The types of log data collected include application metrics, telemetry data, and application trace logging data providing organizations with detailed information about application activity and application transactions.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.3.1","cis_level":"2","cis_section_id":"5","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Monitor"}}],"controlTitle":"5.3.1 Ensure Application Insights are Configured","controlDescription":"Application Insights within Azure act as an Application Performance Monitoring solution providing valuable data into how well an application performs and additional information when performing incident response. The types of log data collected include application metrics, telemetry data, and application trace logging data providing organizations with detailed information about application activity and application transactions.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.3.1","cis_level":"2","cis_section_id":"5","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Monitor"}},"monitor_diagnostic_settings_captures_proper_categories":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/monitor_diagnostic_settings_captures_proper_categories","org":"turbot","name":"monitor_diagnostic_settings_captures_proper_categories","sql":"$e1","tags":{},"tables":["azure.azure_diagnostic_setting","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":440,"endLineNumber":486,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.monitor_diagnostic_settings_captures_proper_categories","org":"turbot","name":"monitor_diagnostic_settings_captures_proper_categories","mod":"Azure Compliance","title":"Ensure Diagnostic Setting captures appropriate categories","description":"A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: 'Ensure that a 'Diagnostic Setting' exists.' The diagnostic setting should be configured to log the appropriate activities from the control/management plane.","tags":{"service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_5_1_2","org":"turbot","name":"cis_v210_5_1_2","mod":"Azure Compliance","title":"5.1.2 Ensure Diagnostic Setting captures appropriate categories","description":"A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: 'Ensure that a 'Diagnostic Setting' exists.' The diagnostic setting should be configured to log the appropriate activities from the control/management plane.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.2","cis_level":"1","cis_section_id":"5.1","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_5_1_2","org":"turbot","name":"cis_v200_5_1_2","mod":"Azure Compliance","title":"5.1.2 Ensure Diagnostic Setting captures appropriate categories","description":"A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: 'Ensure that a 'Diagnostic Setting' exists.' The diagnostic setting should be configured to log the appropriate activities from the control/management plane.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.2","cis_level":"1","cis_section_id":"5.1","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_5_1_2","org":"turbot","name":"cis_v150_5_1_2","mod":"Azure Compliance","title":"5.1.2 Ensure Diagnostic Setting captures appropriate categories","description":"A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: 'Ensure that a 'Diagnostic Setting' exists.' The diagnostic setting should be configured to log the appropriate activities from the control/management plane.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.2","cis_level":"1","cis_section_id":"5.1","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_5_1_2","org":"turbot","name":"cis_v140_5_1_2","mod":"Azure Compliance","title":"5.1.2 Ensure Diagnostic Setting captures appropriate categories","description":"Enable Diagnostic settings for exporting activity logs. Diagnostic setting are available for each individual resources within a subscription. Settings should be configured for all appropriate resources for your environment.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.2","cis_level":"1","cis_section_id":"5.1","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_5_1_2","org":"turbot","name":"cis_v130_5_1_2","mod":"Azure Compliance","title":"5.1.2 Ensure Diagnostic Setting captures appropriate categories","description":"Enable Diagnostic settings for exporting activity logs. Diagnostic setting are available for each individual resources within a subscription. Settings should be configured for all appropriate resources for your environment.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.2","cis_level":"1","cis_section_id":"5.1","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_6_1_2","org":"turbot","name":"cis_v300_6_1_2","mod":"Azure Compliance","title":"6.1.2 Ensure Diagnostic Setting captures appropriate categories","description":"A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: 'Ensure that a 'Diagnostic Setting' exists.' The diagnostic setting should be configured to log the appropriate activities from the control/management plane.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.1.2","cis_level":"1","cis_section_id":"6.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Monitor"}}],"controlTitle":"Ensure Diagnostic Setting captures appropriate categories","controlDescription":"A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: 'Ensure that a 'Diagnostic Setting' exists.' The diagnostic setting should be configured to log the appropriate activities from the control/management plane.","controlTags":{"service":"Azure/Monitor","category":"Compliance","cis":"true","cis_item_id":"6.1.2","cis_level":"1","cis_section_id":"6.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure"}},"monitor_log_alert_delete_security_solution":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/monitor_log_alert_delete_security_solution","org":"turbot","name":"monitor_log_alert_delete_security_solution","sql":"$e2","tags":{},"tables":["azure.azure_log_alert","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":992,"endLineNumber":1042,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.monitor_log_alert_delete_security_solution","org":"turbot","name":"monitor_log_alert_delete_security_solution","mod":"Azure Compliance","title":"Ensure that Activity Log Alert exists for Delete Security Solution","description":"Create an activity log alert for the Delete Security Solution event.","tags":{"service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_5_2_6","org":"turbot","name":"cis_v210_5_2_6","mod":"Azure Compliance","title":"5.2.6 Ensure that Activity Log Alert exists for Delete Security Solution","description":"Create an activity log alert for the Delete Security Solution event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.6","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_5_2_6","org":"turbot","name":"cis_v200_5_2_6","mod":"Azure Compliance","title":"5.2.6 Ensure that Activity Log Alert exists for Delete Security Solution","description":"Create an activity log alert for the Delete Security Solution event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.6","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_5_2_6","org":"turbot","name":"cis_v150_5_2_6","mod":"Azure Compliance","title":"5.2.6 Ensure that Activity Log Alert exists for Delete Security Solution","description":"Create an activity log alert for the Delete Security Solution event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.6","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_5_2_8","org":"turbot","name":"cis_v140_5_2_8","mod":"Azure Compliance","title":"5.2.8 Ensure that Activity Log Alert exists for Delete Security Solution","description":"Create an activity log alert for the Delete Security Solution event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.8","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_5_2_8","org":"turbot","name":"cis_v130_5_2_8","mod":"Azure Compliance","title":"5.2.8 Ensure that Activity Log Alert exists for Delete Security Solution","description":"Create an activity log alert for the Delete Security Solution event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.8","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_6_2_6","org":"turbot","name":"cis_v300_6_2_6","mod":"Azure Compliance","title":"6.2.6 Ensure that Activity Log Alert exists for Delete Security Solution","description":"Create an activity log alert for the Delete Security Solution event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.6","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Monitor"}}],"controlTitle":"Ensure that Activity Log Alert exists for Delete Security Solution","controlDescription":"Create an activity log alert for the Delete Security Solution event.","controlTags":{"service":"Azure/Monitor","category":"Compliance","cis":"true","cis_item_id":"6.2.6","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure"}},"monitor_log_alert_delete_public_ip_address":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/monitor_log_alert_delete_public_ip_address","org":"turbot","name":"monitor_log_alert_delete_public_ip_address","sql":"$e3","tags":{},"tables":["azure.azure_log_alert","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":940,"endLineNumber":990,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.monitor_log_alert_delete_public_ip_address","org":"turbot","name":"monitor_log_alert_delete_public_ip_address","mod":"Azure Compliance","title":"Ensure that Activity Log Alert exists for Delete Public IP Address rule","description":"Create an activity log alert for the Delete Public IP Address rule.","tags":{"service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_5_2_10","org":"turbot","name":"cis_v210_5_2_10","mod":"Azure Compliance","title":"5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule","description":"Create an activity log alert for the Delete Public IP Address rule.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.10","cis_level":"1","cis_section_id":"5","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_5_2_10","org":"turbot","name":"cis_v200_5_2_10","mod":"Azure Compliance","title":"5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule","description":"Create an activity log alert for the Delete Public IP Address rule.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.10","cis_level":"1","cis_section_id":"5","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_5_2_10","org":"turbot","name":"cis_v150_5_2_10","mod":"Azure Compliance","title":"5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule","description":"Create an activity log alert for the Delete Public IP Address rule.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.10","cis_level":"1","cis_section_id":"5","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_6_2_10","org":"turbot","name":"cis_v300_6_2_10","mod":"Azure Compliance","title":"6.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule","description":"Create an activity log alert for the Delete Public IP Address rule.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.10","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Monitor"}}],"controlTitle":"Ensure that Activity Log Alert exists for Delete Public IP Address rule","controlDescription":"Create an activity log alert for the Delete Public IP Address rule.","controlTags":{"service":"Azure/Monitor","category":"Compliance","cis":"true","cis_item_id":"6.2.10","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure"}},"monitor_log_alert_delete_policy_assignment":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/monitor_log_alert_delete_policy_assignment","org":"turbot","name":"monitor_log_alert_delete_policy_assignment","sql":"$e4","tags":{},"tables":["azure.azure_log_alert","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":898,"endLineNumber":938,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.monitor_log_alert_delete_policy_assignment","org":"turbot","name":"monitor_log_alert_delete_policy_assignment","mod":"Azure Compliance","title":"Ensure that Activity Log Alert exists for Delete Policy Assignment","description":"Create an activity log alert for the Delete Policy Assignment event.","tags":{"service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_5_2_2","org":"turbot","name":"cis_v210_5_2_2","mod":"Azure Compliance","title":"5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment","description":"Create an activity log alert for the Delete Policy Assignment event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.2","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_5_2_2","org":"turbot","name":"cis_v200_5_2_2","mod":"Azure Compliance","title":"5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment","description":"Create an activity log alert for the Delete Policy Assignment event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.2","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_5_2_2","org":"turbot","name":"cis_v150_5_2_2","mod":"Azure Compliance","title":"5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment","description":"Create an activity log alert for the Delete Policy Assignment event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.2","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_5_2_2","org":"turbot","name":"cis_v140_5_2_2","mod":"Azure Compliance","title":"5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment","description":"Create an activity log alert for the Delete Policy Assignment event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.2","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_5_2_2","org":"turbot","name":"cis_v130_5_2_2","mod":"Azure Compliance","title":"5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment","description":"Create an activity log alert for the Delete Policy Assignment event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.2","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_6_2_2","org":"turbot","name":"cis_v300_6_2_2","mod":"Azure Compliance","title":"6.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment","description":"Create an activity log alert for the Delete Policy Assignment event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.2","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Monitor"}}],"controlTitle":"Ensure that Activity Log Alert exists for Delete Policy Assignment","controlDescription":"Create an activity log alert for the Delete Policy Assignment event.","controlTags":{"service":"Azure/Monitor","category":"Compliance","cis":"true","cis_item_id":"6.2.2","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure"}},"monitor_log_alert_create_update_public_ip_address":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/monitor_log_alert_create_update_public_ip_address","org":"turbot","name":"monitor_log_alert_create_update_public_ip_address","sql":"$e5","tags":{},"tables":["azure.azure_log_alert","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":635,"endLineNumber":686,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.monitor_log_alert_create_update_public_ip_address","org":"turbot","name":"monitor_log_alert_create_update_public_ip_address","mod":"Azure Compliance","title":"Ensure that Activity Log Alert exists for Create or Update Public IP Address rule","description":"Create an activity log alert for the Create or Update Public IP Addresses rule.","tags":{"service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_5_2_9","org":"turbot","name":"cis_v210_5_2_9","mod":"Azure Compliance","title":"5.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule","description":"Create an activity log alert for the Create or Update Public IP Addresses rule.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.9","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_5_2_9","org":"turbot","name":"cis_v200_5_2_9","mod":"Azure Compliance","title":"5.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule","description":"Create an activity log alert for the Create or Update Public IP Addresses rule.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.9","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_5_2_9","org":"turbot","name":"cis_v150_5_2_9","mod":"Azure Compliance","title":"5.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule","description":"Create an activity log alert for the Create or Update Public IP Addresses rule.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.9","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_6_2_9","org":"turbot","name":"cis_v300_6_2_9","mod":"Azure Compliance","title":"6.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule","description":"Create an activity log alert for the Create or Update Public IP Addresses rule.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.9","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Monitor"}}],"controlTitle":"Ensure that Activity Log Alert exists for Create or Update Public IP Address rule","controlDescription":"Create an activity log alert for the Create or Update Public IP Addresses rule.","controlTags":{"service":"Azure/Monitor","category":"Compliance","cis":"true","cis_item_id":"6.2.9","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure"}},"monitor_log_alert_delete_nsg":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/monitor_log_alert_delete_nsg","org":"turbot","name":"monitor_log_alert_delete_nsg","sql":"$e6","tags":{},"tables":["azure.azure_log_alert","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":845,"endLineNumber":896,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.monitor_log_alert_delete_nsg","org":"turbot","name":"monitor_log_alert_delete_nsg","mod":"Azure Compliance","title":"Ensure that Activity Log Alert exists for Delete Network Security Group","description":"Create an activity log alert for the Delete Network Security Group event.","tags":{"service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_5_2_4","org":"turbot","name":"cis_v210_5_2_4","mod":"Azure Compliance","title":"5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group","description":"Create an activity log alert for the Delete Network Security Group event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.4","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_5_2_4","org":"turbot","name":"cis_v200_5_2_4","mod":"Azure Compliance","title":"5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group","description":"Create an activity log alert for the Delete Network Security Group event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.4","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_5_2_4","org":"turbot","name":"cis_v150_5_2_4","mod":"Azure Compliance","title":"5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group","description":"Create an activity log alert for the Delete Network Security Group event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.4","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_5_2_4","org":"turbot","name":"cis_v140_5_2_4","mod":"Azure Compliance","title":"5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group","description":"Create an activity log alert for the Delete Network Security Group event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.4","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_5_2_4","org":"turbot","name":"cis_v130_5_2_4","mod":"Azure Compliance","title":"5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group","description":"Create an activity log alert for the Delete Network Security Group event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.4","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_6_2_4","org":"turbot","name":"cis_v300_6_2_4","mod":"Azure Compliance","title":"6.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group","description":"Create an activity log alert for the Delete Network Security Group event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.4","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Monitor"}}],"controlTitle":"Ensure that Activity Log Alert exists for Delete Network Security Group","controlDescription":"Create an activity log alert for the Delete Network Security Group event.","controlTags":{"service":"Azure/Monitor","category":"Compliance","cis":"true","cis_item_id":"6.2.4","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure"}},"monitor_log_alert_delete_sql_servers_firewall_rule":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/monitor_log_alert_delete_sql_servers_firewall_rule","org":"turbot","name":"monitor_log_alert_delete_sql_servers_firewall_rule","sql":"$e7","tags":{},"tables":["azure.azure_log_alert","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":1044,"endLineNumber":1093,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.monitor_log_alert_delete_sql_servers_firewall_rule","org":"turbot","name":"monitor_log_alert_delete_sql_servers_firewall_rule","mod":"Azure Compliance","title":"Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule","description":"Create an activity log alert for the 'Delete SQL Server Firewall Rule.'","tags":{"service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_5_2_8","org":"turbot","name":"cis_v210_5_2_8","mod":"Azure Compliance","title":"5.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule","description":"Create an activity log alert for the 'Delete SQL Server Firewall Rule.'","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.8","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_5_2_8","org":"turbot","name":"cis_v200_5_2_8","mod":"Azure Compliance","title":"5.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule","description":"Create an activity log alert for the 'Delete SQL Server Firewall Rule.'","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.8","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_5_2_8","org":"turbot","name":"cis_v150_5_2_8","mod":"Azure Compliance","title":"5.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule","description":"Create an activity log alert for the 'Delete SQL Server Firewall Rule.'","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.8","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_6_2_8","org":"turbot","name":"cis_v300_6_2_8","mod":"Azure Compliance","title":"6.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule","description":"Create an activity log alert for the 'Delete SQL Server Firewall Rule.'","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.8","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Monitor"}}],"controlTitle":"Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule","controlDescription":"Create an activity log alert for the 'Delete SQL Server Firewall Rule.'","controlTags":{"service":"Azure/Monitor","category":"Compliance","cis":"true","cis_item_id":"6.2.8","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure"}},"monitor_log_alert_delete_nsg_rule":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/monitor_log_alert_delete_nsg_rule","org":"turbot","name":"monitor_log_alert_delete_nsg_rule","sql":"$e8","tags":{},"tables":["azure.azure_log_alert","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":793,"endLineNumber":843,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.monitor_log_alert_delete_nsg_rule","org":"turbot","name":"monitor_log_alert_delete_nsg_rule","mod":"Azure Compliance","title":"Ensure that Activity Log Alert exists for Delete Network Security Group Rule","description":"Create an activity log alert for the Delete Network Security Group Rule event.","tags":{"service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_5_2_6","org":"turbot","name":"cis_v130_5_2_6","mod":"Azure Compliance","title":"5.2.6 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule","description":"Create an activity log alert for the Create or Update Network Security Group Rule event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.6","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_5_2_6","org":"turbot","name":"cis_v140_5_2_6","mod":"Azure Compliance","title":"5.2.6 Ensure that Activity Log Alert exists for Delete Network Security Group Rule","description":"Create an activity log alert for the Delete Network Security Group Rule event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.6","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Monitor"}}],"controlTitle":"Ensure that Activity Log Alert exists for Delete Network Security Group Rule","controlDescription":"Create an activity log alert for the Delete Network Security Group Rule event.","controlTags":{"service":"Azure/Monitor","category":"Compliance","cis":"true","cis_item_id":"5.2.6","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure"}},"monitor_log_alert_create_update_security_solution":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/monitor_log_alert_create_update_security_solution","org":"turbot","name":"monitor_log_alert_create_update_security_solution","sql":"$e9","tags":{},"tables":["azure.azure_log_alert","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":688,"endLineNumber":738,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.monitor_log_alert_create_update_security_solution","org":"turbot","name":"monitor_log_alert_create_update_security_solution","mod":"Azure Compliance","title":"Ensure that Activity Log Alert exists for Create or Update Security Solution","description":"Create an activity log alert for the Create or Update Security Solution event.","tags":{"service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_5_2_5","org":"turbot","name":"cis_v210_5_2_5","mod":"Azure Compliance","title":"5.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution","description":"Create an activity log alert for the Create or Update Security Solution event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.5","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_5_2_5","org":"turbot","name":"cis_v200_5_2_5","mod":"Azure Compliance","title":"5.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution","description":"Create an activity log alert for the Create or Update Security Solution event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.5","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_5_2_5","org":"turbot","name":"cis_v150_5_2_5","mod":"Azure Compliance","title":"5.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution","description":"Create an activity log alert for the Create or Update Security Solution event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.5","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_5_2_7","org":"turbot","name":"cis_v140_5_2_7","mod":"Azure Compliance","title":"5.2.7 Ensure that Activity Log Alert exists for Create or Update Security Solution","description":"Create an activity log alert for the Create or Update Security Solution event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.7","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_5_2_7","org":"turbot","name":"cis_v130_5_2_7","mod":"Azure Compliance","title":"5.2.7 Ensure that Activity Log Alert exists for Create or Update Security Solution","description":"Create an activity log alert for the Create or Update Security Solution event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.7","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_6_2_5","org":"turbot","name":"cis_v300_6_2_5","mod":"Azure Compliance","title":"6.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution","description":"Create an activity log alert for the Create or Update Security Solution event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.5","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Monitor"}}],"controlTitle":"Ensure that Activity Log Alert exists for Create or Update Security Solution","controlDescription":"Create an activity log alert for the Create or Update Security Solution event.","controlTags":{"service":"Azure/Monitor","category":"Compliance","cis":"true","cis_item_id":"6.2.5","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure"}},"monitor_log_alert_sql_firewall_rule":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/monitor_log_alert_sql_firewall_rule","org":"turbot","name":"monitor_log_alert_sql_firewall_rule","sql":"$ea","tags":{},"tables":["azure.azure_log_alert","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":1095,"endLineNumber":1136,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.monitor_log_alert_sql_firewall_rule","org":"turbot","name":"monitor_log_alert_sql_firewall_rule","mod":"Azure Compliance","title":"Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule","description":"Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event.","tags":{"service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_5_2_9","org":"turbot","name":"cis_v140_5_2_9","mod":"Azure Compliance","title":"5.2.9 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule","description":"Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.9","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_5_2_9","org":"turbot","name":"cis_v130_5_2_9","mod":"Azure Compliance","title":"5.2.9 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule","description":"Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.9","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Monitor"}}],"controlTitle":"Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule","controlDescription":"Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event.","controlTags":{"service":"Azure/Monitor","category":"Compliance","cis":"true","cis_item_id":"5.2.9","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure"}},"monitor_log_alert_for_administrative_operations":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/monitor_log_alert_for_administrative_operations","org":"turbot","name":"monitor_log_alert_for_administrative_operations","sql":"$eb","tags":{},"tables":["azure.azure_log_alert","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":307,"endLineNumber":358,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.monitor_log_alert_for_administrative_operations","org":"turbot","name":"monitor_log_alert_for_administrative_operations","mod":"Azure Compliance","title":"An activity log alert should exist for specific Administrative operations","description":"This policy audits specific Administrative operations with no activity log alerts configured.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/Monitor"}}],"controlTitle":"An activity log alert should exist for specific Administrative operations","controlDescription":"This policy audits specific Administrative operations with no activity log alerts configured.","controlTags":{"hipaa_hitrust_v92":"true","service":"Azure/Monitor"}},"monitor_log_alert_create_update_sql_servers_firewall_rule":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/monitor_log_alert_create_update_sql_servers_firewall_rule","org":"turbot","name":"monitor_log_alert_create_update_sql_servers_firewall_rule","sql":"$ec","tags":{},"tables":["azure.azure_log_alert","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":740,"endLineNumber":791,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.monitor_log_alert_create_update_sql_servers_firewall_rule","org":"turbot","name":"monitor_log_alert_create_update_sql_servers_firewall_rule","mod":"Azure Compliance","title":"Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule","description":"Create an activity log alert for the Create or Update SQL Server Firewall Rule event.","tags":{"service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_5_2_7","org":"turbot","name":"cis_v210_5_2_7","mod":"Azure Compliance","title":"5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule","description":"Create an activity log alert for the Create or Update SQL Server Firewall Rule event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.7","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_5_2_7","org":"turbot","name":"cis_v200_5_2_7","mod":"Azure Compliance","title":"5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule","description":"Create an activity log alert for the Create or Update SQL Server Firewall Rule event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.7","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_5_2_7","org":"turbot","name":"cis_v150_5_2_7","mod":"Azure Compliance","title":"5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule","description":"Create an activity log alert for the Create or Update SQL Server Firewall Rule event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.7","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_6_2_7","org":"turbot","name":"cis_v300_6_2_7","mod":"Azure Compliance","title":"6.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule","description":"Create an activity log alert for the Create or Update SQL Server Firewall Rule event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.7","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Monitor"}}],"controlTitle":"Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule","controlDescription":"Create an activity log alert for the Create or Update SQL Server Firewall Rule event.","controlTags":{"service":"Azure/Monitor","category":"Compliance","cis":"true","cis_item_id":"6.2.7","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure"}},"monitor_log_alert_create_update_nsg":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/monitor_log_alert_create_update_nsg","org":"turbot","name":"monitor_log_alert_create_update_nsg","sql":"$ed","tags":{},"tables":["azure.azure_log_alert","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":583,"endLineNumber":633,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.monitor_log_alert_create_update_nsg","org":"turbot","name":"monitor_log_alert_create_update_nsg","mod":"Azure Compliance","title":"Ensure that Activity Log Alert exists for Create or Update Network Security Group","description":"Create an Activity Log Alert for the Create or Update Network Security Group event.","tags":{"service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_5_2_3","org":"turbot","name":"cis_v210_5_2_3","mod":"Azure Compliance","title":"5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group","description":"Create an Activity Log Alert for the Create or Update Network Security Group event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.3","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_5_2_3","org":"turbot","name":"cis_v200_5_2_3","mod":"Azure Compliance","title":"5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group","description":"Create an Activity Log Alert for the Create or Update Network Security Group event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.3","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_5_2_3","org":"turbot","name":"cis_v150_5_2_3","mod":"Azure Compliance","title":"5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group","description":"Create an Activity Log Alert for the Create or Update Network Security Group event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.3","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_5_2_3","org":"turbot","name":"cis_v140_5_2_3","mod":"Azure Compliance","title":"5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group","description":"Create an Activity Log Alert for the \"Create\" or \"Update Network Security Group\" event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.3","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_5_2_3","org":"turbot","name":"cis_v130_5_2_3","mod":"Azure Compliance","title":"5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group","description":"Create an Activity Log Alert for the \"Create\" or \"Update Network Security Group\" event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.3","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_6_2_3","org":"turbot","name":"cis_v300_6_2_3","mod":"Azure Compliance","title":"6.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group","description":"Create an Activity Log Alert for the Create or Update Network Security Group event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.3","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Monitor"}}],"controlTitle":"Ensure that Activity Log Alert exists for Create or Update Network Security Group","controlDescription":"Create an Activity Log Alert for the Create or Update Network Security Group event.","controlTags":{"service":"Azure/Monitor","category":"Compliance","cis":"true","cis_item_id":"6.2.3","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure"}},"monitor_log_alert_create_update_nsg_rule":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/monitor_log_alert_create_update_nsg_rule","org":"turbot","name":"monitor_log_alert_create_update_nsg_rule","sql":"$ee","tags":{},"tables":["azure.azure_log_alert","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":531,"endLineNumber":581,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.monitor_log_alert_create_update_nsg_rule","org":"turbot","name":"monitor_log_alert_create_update_nsg_rule","mod":"Azure Compliance","title":"Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule","description":"Create an activity log alert for the Create or Update Network Security Group Rule event.","tags":{"service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_5_2_5","org":"turbot","name":"cis_v140_5_2_5","mod":"Azure Compliance","title":"5.2.5 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule","description":"Create an activity log alert for the Create or Update Network Security Group Rule event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.5","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_5_2_5","org":"turbot","name":"cis_v130_5_2_5","mod":"Azure Compliance","title":"5.2.5 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule","description":"Create an activity log alert for the Create or Update Network Security Group Rule event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.5","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Monitor"}}],"controlTitle":"Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule","controlDescription":"Create an activity log alert for the Create or Update Network Security Group Rule event.","controlTags":{"service":"Azure/Monitor","category":"Compliance","cis":"true","cis_item_id":"5.2.5","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure"}},"monitor_log_alert_create_policy_assignment":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/monitor_log_alert_create_policy_assignment","org":"turbot","name":"monitor_log_alert_create_policy_assignment","sql":"$ef","tags":{},"tables":["azure.azure_log_alert","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":488,"endLineNumber":529,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.monitor_log_alert_create_policy_assignment","org":"turbot","name":"monitor_log_alert_create_policy_assignment","mod":"Azure Compliance","title":"Ensure that Activity Log Alert exists for Create Policy Assignment","description":"Create an activity log alert for the Create Policy Assignment event.","tags":{"service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_5_2_1","org":"turbot","name":"cis_v210_5_2_1","mod":"Azure Compliance","title":"5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment","description":"Create an activity log alert for the Create Policy Assignment event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.1","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_5_2_1","org":"turbot","name":"cis_v200_5_2_1","mod":"Azure Compliance","title":"5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment","description":"Create an activity log alert for the Create Policy Assignment event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.1","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_5_2_1","org":"turbot","name":"cis_v150_5_2_1","mod":"Azure Compliance","title":"5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment","description":"Create an activity log alert for the Create Policy Assignment event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.1","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_5_2_1","org":"turbot","name":"cis_v140_5_2_1","mod":"Azure Compliance","title":"5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment","description":"Create an activity log alert for the Create Policy Assignment event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.1","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_5_2_1","org":"turbot","name":"cis_v130_5_2_1","mod":"Azure Compliance","title":"5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment","description":"Create an activity log alert for the Create Policy Assignment event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.1","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_6_2_1","org":"turbot","name":"cis_v300_6_2_1","mod":"Azure Compliance","title":"6.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment","description":"Create an activity log alert for the Create Policy Assignment event.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.1","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Monitor"}}],"controlTitle":"Ensure that Activity Log Alert exists for Create Policy Assignment","controlDescription":"Create an activity log alert for the Create Policy Assignment event.","controlTags":{"service":"Azure/Monitor","category":"Compliance","cis":"true","cis_item_id":"6.2.1","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure"}},"log_analytics_workspace_block_non_azure_ingestion":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/log_analytics_workspace_block_non_azure_ingestion","org":"turbot","name":"log_analytics_workspace_block_non_azure_ingestion","sql":"select\n w.id as resource,\n case\n when type = 'Microsoft.OperationalInsights/workspaces' and disable_local_auth = 'true' then 'alarm'\n else 'ok'\n end as status,\n case\n when type = 'Microsoft.OperationalInsights/workspaces' and disable_local_auth = 'true' then w.name || ' workspace allows non-Azure log ingestion.'\n else w.name || ' workspace does not allow non-Azure log ingestion.'\n end as reason\n \n , w.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_log_analytics_workspace as w\n left join azure_subscription sub on sub.subscription_id = w.subscription_id;\n","tags":{},"tables":["azure.azure_log_analytics_workspace","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":1325,"endLineNumber":1344,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.log_analytics_workspace_block_non_azure_ingestion","org":"turbot","name":"log_analytics_workspace_block_non_azure_ingestion","mod":"Azure Compliance","title":"Log Analytics Workspaces should block non-Azure Active Directory based ingestion","description":"Enforcing log ingestion to require Azure Active Directory authentication prevents unauthenticated logs from an attacker which could lead to incorrect status, false alerts, and incorrect logs stored in the system.","tags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/Monitor"}}],"controlTitle":"Log Analytics Workspaces should block non-Azure Active Directory based ingestion","controlDescription":"Enforcing log ingestion to require Azure Active Directory authentication prevents unauthenticated logs from an attacker which could lead to incorrect status, false alerts, and incorrect logs stored in the system.","controlTags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/Monitor"}},"log_analytics_workspace_block_log_ingestion_and_querying_from_public":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/log_analytics_workspace_block_log_ingestion_and_querying_from_public","org":"turbot","name":"log_analytics_workspace_block_log_ingestion_and_querying_from_public","sql":"select\n w.id as resource,\n case\n when type = 'Microsoft.OperationalInsights/workspaces' and public_network_access_for_ingestion = 'Enabled' and public_network_access_for_query = 'Enabled' then 'ok'\n else 'alarm'\n end as status,\n case\n when type = 'Microsoft.OperationalInsights/workspaces' and public_network_access_for_ingestion = 'Enabled' and public_network_access_for_query = 'Enabled' then w.name || ' workspace allows log ingestion and querying from public network.'\n else w.name || ' workspace does not allow log ingestion and querying from public network.'\n end as reason\n \n , w.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_log_analytics_workspace as w\n left join azure_subscription sub on sub.subscription_id = w.subscription_id;\n","tags":{},"tables":["azure.azure_log_analytics_workspace","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":1304,"endLineNumber":1323,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.log_analytics_workspace_block_log_ingestion_and_querying_from_public","org":"turbot","name":"log_analytics_workspace_block_log_ingestion_and_querying_from_public","mod":"Azure Compliance","title":"Log Analytics workspaces should block log ingestion and querying from public networks","description":"Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics.","tags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/Monitor"}}],"controlTitle":"Log Analytics workspaces should block log ingestion and querying from public networks","controlDescription":"Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics.","controlTags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/Monitor"}},"monitor_log_profile_retention_365_days":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/monitor_log_profile_retention_365_days","org":"turbot","name":"monitor_log_profile_retention_365_days","sql":"select\n p.id as resource,\n case\n when p.retention_policy ->> 'enabled' = 'false' then 'alarm'\n when p.retention_policy ->> 'enabled' = 'true' and (p.retention_policy ->> 'days')::int >= 365 then 'ok'\n else 'alarm'\n end as status,\n case\n when p.retention_policy ->> 'enabled' = 'false' then p.name || ' retention policy disabled.'\n else p.name || ' retention is set to ' || (p.retention_policy ->> 'days') || ' day(s).'\n end as reason\n \n , p.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_log_profile as p\n left join azure_subscription sub on sub.subscription_id = p.subscription_id;\n","tags":{},"tables":["azure.azure_log_profile","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":1240,"endLineNumber":1260,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.monitor_log_profile_retention_365_days","org":"turbot","name":"monitor_log_profile_retention_365_days","mod":"Azure Compliance","title":"Monitor log profiles should have retention set to 365 days or greater","description":"This control is non-compliant if Monitor log profile retention is set to less than 365 days.","tags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/Monitor"}}],"controlTitle":"Monitor log profiles should have retention set to 365 days or greater","controlDescription":"This control is non-compliant if Monitor log profile retention is set to less than 365 days.","controlTags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/Monitor"}},"monitor_log_profile_enabled_for_all_categories":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/monitor_log_profile_enabled_for_all_categories","org":"turbot","name":"monitor_log_profile_enabled_for_all_categories","sql":"select\n p.id as resource,\n case\n when p.categories @> '[\"Write\", \"Action\", \"Delete\"]' then 'ok'\n else 'alarm'\n end as status,\n case\n when p.categories @> '[\"Write\", \"Action\", \"Delete\"]' then p.name || ' collects logs for categories write, delete and action'\n else p.name || ' does not collects logs for all categories.'\n end as reason\n \n , p.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_log_profile as p\n left join azure_subscription sub on sub.subscription_id = p.subscription_id;\n","tags":{},"tables":["azure.azure_log_profile","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":286,"endLineNumber":305,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.monitor_log_profile_enabled_for_all_categories","org":"turbot","name":"monitor_log_profile_enabled_for_all_categories","mod":"Azure Compliance","title":"Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'","description":"This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action'.","tags":{"hipaa_hitrust_v92":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Monitor"}}],"controlTitle":"Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'","controlDescription":"This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action'.","controlTags":{"hipaa_hitrust_v92":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Monitor"}},"log_profile_enabled_for_all_subscription":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/log_profile_enabled_for_all_subscription","org":"turbot","name":"log_profile_enabled_for_all_subscription","sql":"with log_profiles as (\n select\n subscription_id\n from\n azure_log_profile\n group by\n subscription_id\n)\nselect\n sub.id as resource,\n case\n when i.subscription_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when i.subscription_id is null then sub.display_name || ' does not collect activity logs.'\n else sub.display_name || ' collects activity logs.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_subscription as sub\n left join log_profiles as i on i.subscription_id = sub.subscription_id;\n","tags":{},"tables":["azure.azure_log_profile","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":383,"endLineNumber":409,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.log_profile_enabled_for_all_subscription","org":"turbot","name":"log_profile_enabled_for_all_subscription","mod":"Azure Compliance","title":"Azure subscriptions should have a log profile for Activity Log","description":"This policy ensures if a log profile is enabled for exporting activity logs. It audits if there is no log profile created to export the logs either to a storage account or to an event hub.","tags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/Monitor"}}],"controlTitle":"Azure subscriptions should have a log profile for Activity Log","controlDescription":"This policy ensures if a log profile is enabled for exporting activity logs. It audits if there is no log profile created to export the logs either to a storage account or to an event hub.","controlTags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/Monitor"}},"monitor_log_profile_enabled_for_all_regions":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/monitor_log_profile_enabled_for_all_regions","org":"turbot","name":"monitor_log_profile_enabled_for_all_regions","sql":"$f0","tags":{},"tables":["azure.azure_log_profile","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":360,"endLineNumber":381,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.monitor_log_profile_enabled_for_all_regions","org":"turbot","name":"monitor_log_profile_enabled_for_all_regions","mod":"Azure Compliance","title":"Azure Monitor should collect activity logs from all regions","description":"This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global.","tags":{"hipaa_hitrust_v92":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Monitor"}}],"controlTitle":"Azure Monitor should collect activity logs from all regions","controlDescription":"This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global.","controlTags":{"hipaa_hitrust_v92":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Monitor"}},"monitor_logs_storage_container_insights_operational_logs_encrypted_with_byok":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/monitor_logs_storage_container_insights_operational_logs_encrypted_with_byok","org":"turbot","name":"monitor_logs_storage_container_insights_operational_logs_encrypted_with_byok","sql":"select\n a.id as resource,\n case\n when a.encryption_key_source = 'Microsoft.Keyvault' then 'ok'\n else 'alarm'\n end as status,\n case\n when a.encryption_key_source = 'Microsoft.Keyvault'\n then a.name || ' container insights-operational-logs encrypted with BYOK.'\n else a.name || ' container insights-operational-logs not encrypted with BYOK.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_container c,\n azure_storage_account a,\n azure_subscription sub\nwhere\n c.name = 'insights-operational-logs'\n and c.account_name = a.name\n and sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_storage_account","azure.azure_storage_container","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":1138,"endLineNumber":1163,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.monitor_logs_storage_container_insights_operational_logs_encrypted_with_byok","org":"turbot","name":"monitor_logs_storage_container_insights_operational_logs_encrypted_with_byok","mod":"Azure Compliance","title":"Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key","description":"Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).","tags":{"service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_5_1_4","org":"turbot","name":"cis_v150_5_1_4","mod":"Azure Compliance","title":"5.1.4 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key","description":"Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.4","cis_level":"2","cis_section_id":"5.1","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_5_1_4","org":"turbot","name":"cis_v140_5_1_4","mod":"Azure Compliance","title":"5.1.4 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)","description":"The storage account with the activity log export container is configured to use BYOK (Use Your Own Key).","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.4","cis_level":"2","cis_section_id":"5.1","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_5_1_4","org":"turbot","name":"cis_v130_5_1_4","mod":"Azure Compliance","title":"5.1.4 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)","description":"The storage account with the activity log export container is configured to use BYOK (Use Your Own Key).","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.4","cis_level":"2","cis_section_id":"5.1","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Monitor"}}],"controlTitle":"Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key","controlDescription":"Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).","controlTags":{"service":"Azure/Monitor","category":"Compliance","cis":"true","cis_item_id":"5.1.4","cis_level":"2","cis_section_id":"5.1","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure"}},"monitor_logs_storage_container_insights_activity_logs_encrypted_with_byok":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/monitor_logs_storage_container_insights_activity_logs_encrypted_with_byok","org":"turbot","name":"monitor_logs_storage_container_insights_activity_logs_encrypted_with_byok","sql":"select\n a.id as resource,\n case\n when a.encryption_key_source = 'Microsoft.Keyvault' then 'ok'\n else 'alarm'\n end as status,\n case\n when a.encryption_key_source = 'Microsoft.Keyvault'\n then a.name || ' container insights-activity-logs encrypted with BYOK.'\n else a.name || ' container insights-activity-logs not encrypted with BYOK.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_container c,\n azure_storage_account a,\n azure_subscription sub\nwhere\n c.name = 'insights-activity-logs'\n and c.account_name = a.name\n and sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_storage_account","azure.azure_storage_container","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":1165,"endLineNumber":1190,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_5_1_3","org":"turbot","name":"cis_v210_5_1_3","mod":"Azure Compliance","title":"5.1.3 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key","description":"Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.3","cis_level":"2","cis_section_id":"5.1","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_5_1_4","org":"turbot","name":"cis_v200_5_1_4","mod":"Azure Compliance","title":"5.1.4 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key","description":"Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.4","cis_level":"2","cis_section_id":"5.1","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_6_1_3","org":"turbot","name":"cis_v300_6_1_3","mod":"Azure Compliance","title":"6.1.3 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key","description":"Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.1.3","cis_level":"2","cis_section_id":"6.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.monitor_logs_storage_container_insights_activity_logs_encrypted_with_byok","org":"turbot","name":"monitor_logs_storage_container_insights_activity_logs_encrypted_with_byok","mod":"Azure Compliance","title":"Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key","description":"Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).","tags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/Monitor"}}],"controlTitle":"Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key","controlDescription":"Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.1.3","cis_level":"2","cis_section_id":"6.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Monitor","rbi_itf_nbfc_v2017":"true"}},"monitor_logs_storage_container_insights_operational_logs_not_public_accessible":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/monitor_logs_storage_container_insights_operational_logs_not_public_accessible","org":"turbot","name":"monitor_logs_storage_container_insights_operational_logs_not_public_accessible","sql":"select\n sc.id as resource,\n case\n when public_access != 'None' then 'alarm'\n else 'ok'\n end as status,\n case\n when public_access != 'None'\n then account_name || ' container insights-operational-logs storing activity logs publicly accessible.'\n else account_name || ' container insights-operational-logs storing activity logs not publicly accessible.'\n end as reason\n , sc.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_container sc,\n azure_subscription sub\nwhere\n name = 'insights-operational-logs'\n and sub.subscription_id = sc.subscription_id;\n","tags":{},"tables":["azure.azure_storage_container","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":1192,"endLineNumber":1214,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.monitor_logs_storage_container_insights_operational_logs_not_public_accessible","org":"turbot","name":"monitor_logs_storage_container_insights_operational_logs_not_public_accessible","mod":"Azure Compliance","title":"Ensure the storage container storing the operational logs is not publicly accessible","description":"The storage account container containing the operational log export should not be publicly accessible.","tags":{"service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_5_1_3","org":"turbot","name":"cis_v150_5_1_3","mod":"Azure Compliance","title":"5.1.3 Ensure the storage container storing the activity logs is not publicly accessible","description":"The storage account container containing the activity log export should not be publicly accessible.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.3","cis_level":"1","cis_section_id":"5.1","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_5_1_3","org":"turbot","name":"cis_v140_5_1_3","mod":"Azure Compliance","title":"5.1.3 Ensure the storage container storing the activity logs is not publicly accessible","description":"The storage account container containing the activity log export should not be publicly accessible.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.3","cis_level":"1","cis_section_id":"5.1","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_5_1_3","org":"turbot","name":"cis_v130_5_1_3","mod":"Azure Compliance","title":"5.1.3 Ensure the storage container storing the activity logs is not publicly accessible","description":"The storage account container containing the activity log export should not be publicly accessible.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.3","cis_level":"1","cis_section_id":"5.1","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Monitor"}}],"controlTitle":"Ensure the storage container storing the operational logs is not publicly accessible","controlDescription":"The storage account container containing the operational log export should not be publicly accessible.","controlTags":{"service":"Azure/Monitor","category":"Compliance","cis":"true","cis_item_id":"5.1.3","cis_level":"1","cis_section_id":"5.1","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure"}},"monitor_logs_storage_container_insights_activity_logs_not_public_accessible":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/monitor_logs_storage_container_insights_activity_logs_not_public_accessible","org":"turbot","name":"monitor_logs_storage_container_insights_activity_logs_not_public_accessible","sql":"select\n sc.id as resource,\n case\n when public_access != 'None' then 'alarm'\n else 'ok'\n end as status,\n case\n when public_access != 'None'\n then account_name || ' container insights-activity-logs storing activity logs publicly accessible.'\n else account_name || ' container insights-activity-logs storing activity logs not publicly accessible.'\n end as reason\n , sc.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_container sc,\n azure_subscription sub\nwhere\n name = 'insights-activity-logs'\n and sub.subscription_id = sc.subscription_id;\n","tags":{},"tables":["azure.azure_storage_container","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/monitor.pp","startLineNumber":1216,"endLineNumber":1238,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.monitor_logs_storage_container_insights_activity_logs_not_public_accessible","org":"turbot","name":"monitor_logs_storage_container_insights_activity_logs_not_public_accessible","mod":"Azure Compliance","title":"Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible","description":"The storage account container containing the activity log export should not be publicly accessible.","tags":{"service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_5_1_3","org":"turbot","name":"cis_v200_5_1_3","mod":"Azure Compliance","title":"5.1.3 Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible","description":"The storage account container containing the activity log export should not be publicly accessible.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.3","cis_level":"1","cis_section_id":"5.1","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Monitor"}}],"controlTitle":"Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible","controlDescription":"The storage account container containing the activity log export should not be publicly accessible.","controlTags":{"service":"Azure/Monitor","category":"Compliance","cis":"true","cis_item_id":"5.1.3","cis_level":"1","cis_section_id":"5.1","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure"}}},"automation":{"automation_account_variable_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/automation_account_variable_encryption_enabled","org":"turbot","name":"automation_account_variable_encryption_enabled","sql":"select\n a.id as resource,\n case\n when is_encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when is_encrypted then a.title || ' encryption enabled.'\n else a.title || ' encryption disabled.'\n end as reason\n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_automation_variable as a,\n azure_subscription as sub;\n","tags":{},"tables":["azure.azure_automation_variable","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/automation.pp","startLineNumber":30,"endLineNumber":48,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.automation_account_variable_encryption_enabled","org":"turbot","name":"automation_account_variable_encryption_enabled","mod":"Azure Compliance","title":"Automation account variables should be encrypted","description":"It is important to enable encryption of Automation account variable assets when storing sensitive data","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","pci_dss_v321":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Automation"}}],"controlTitle":"Automation account variables should be encrypted","controlDescription":"It is important to enable encryption of Automation account variable assets when storing sensitive data","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","pci_dss_v321":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Automation"}}},"batch":{"batch_account_encrypted_with_cmk":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/batch_account_encrypted_with_cmk","org":"turbot","name":"batch_account_encrypted_with_cmk","sql":"select\n batch.id as resource,\n case\n when encryption ->> 'keySource' = 'Microsoft.KeyVault' then 'ok'\n else 'alarm'\n end as status,\n case\n when encryption ->> 'keySource' = 'Microsoft.KeyVault' then batch.name || ' encrypted with CMK.'\n else batch.name || ' not encrypted with CMK.'\n end as reason\n \n , batch.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_batch_account as batch,\n azure_subscription as sub\nwhere\n sub.subscription_id = batch.subscription_id;\n","tags":{},"tables":["azure.azure_batch_account","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/batch.pp","startLineNumber":91,"endLineNumber":112,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.batch_account_encrypted_with_cmk","org":"turbot","name":"batch_account_encrypted_with_cmk","mod":"Azure Compliance","title":"Azure Batch account should use customer-managed keys to encrypt data","description":"Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Batch"}}],"controlTitle":"Azure Batch account should use customer-managed keys to encrypt data","controlDescription":"Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Batch"}},"batch_account_identity_provider_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/batch_account_identity_provider_enabled","org":"turbot","name":"batch_account_identity_provider_enabled","sql":"select\n b.id as resource,\n case\n when identity ->> 'type' = 'None' then 'alarm'\n else 'ok'\n end as status,\n case\n when identity ->> 'type' = 'None' then b.name || ' identity provider disabled.'\n else b.name || ' identity provider enabled.'\n end as reason\n \n , b.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_batch_account as b,\n azure_subscription as sub\nwhere\n sub.subscription_id = b.subscription_id;\n","tags":{},"tables":["azure.azure_batch_account","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/batch.pp","startLineNumber":114,"endLineNumber":135,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.batch_account_identity_provider_enabled","org":"turbot","name":"batch_account_identity_provider_enabled","mod":"Azure Compliance","title":"Batch accounts identity provider should be enabled","description":"Ensure that managed identity provider is enabled for the batch account. This control is non-compliant if batch account identity provider is disabled.","tags":{"service":"Azure/Batch"}}],"controlTitle":"Batch accounts identity provider should be enabled","controlDescription":"Ensure that managed identity provider is enabled for the batch account. This control is non-compliant if batch account identity provider is disabled.","controlTags":{"service":"Azure/Batch"}},"batch_account_logging_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/batch_account_logging_enabled","org":"turbot","name":"batch_account_logging_enabled","sql":"$f1","tags":{},"tables":["azure.azure_batch_account","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/batch.pp","startLineNumber":40,"endLineNumber":89,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.batch_account_logging_enabled","org":"turbot","name":"batch_account_logging_enabled","mod":"Azure Compliance","title":"Resource logs in Batch accounts should be enabled","description":"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Batch"}}],"controlTitle":"Resource logs in Batch accounts should be enabled","controlDescription":"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Batch"}}},"cognitive_services":{"cognitive_account_encrypted_with_cmk":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/cognitive_account_encrypted_with_cmk","org":"turbot","name":"cognitive_account_encrypted_with_cmk","sql":"with cognitive_account_cmk as (\n select\n distinct a.id\n from\n azure_cognitive_account as a,\n jsonb_array_elements(capabilities ) as c\n where\n c ->> 'name' = 'CustomerManagedKey'\n)\nselect\n s.id as resource,\n case\n when c.id is null then 'ok'\n when c.id is not null and encryption ->> 'keySource' = 'Microsoft.KeyVault' then 'ok'\n else 'alarm'\n end as status,\n case\n when c.id is null then name || ' encryption not supported.'\n when c.id is not null and encryption ->> 'keySource' = 'Microsoft.KeyVault' then name || ' encrypted with CMK.'\n else name || ' not encrypted with CMK.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_cognitive_account as s\n left join cognitive_account_cmk as c on c.id = s.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;\n","tags":{},"tables":["azure.azure_cognitive_account","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/cognitiveservice.pp","startLineNumber":184,"endLineNumber":217,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cognitive_account_encrypted_with_cmk","org":"turbot","name":"cognitive_account_encrypted_with_cmk","mod":"Azure Compliance","title":"Cognitive Services accounts should enable data encryption with a customer-managed key","description":"Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/CognitiveServices"}}],"controlTitle":"Cognitive Services accounts should enable data encryption with a customer-managed key","controlDescription":"Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/CognitiveServices"}},"cognitive_service_local_auth_disabled":"$f2","cognitive_account_private_link_used":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/cognitive_account_private_link_used","org":"turbot","name":"cognitive_account_private_link_used","sql":"$fb","tags":{},"tables":["azure.azure_cognitive_account","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/cognitiveservice.pp","startLineNumber":83,"endLineNumber":126,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cognitive_account_private_link_used","org":"turbot","name":"cognitive_account_private_link_used","mod":"Azure Compliance","title":"Cognitive Services should use private link","description":"Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/CognitiveServices"}}],"controlTitle":"Cognitive Services should use private link","controlDescription":"Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/CognitiveServices"}},"cognitive_account_public_network_access_disabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/cognitive_account_public_network_access_disabled","org":"turbot","name":"cognitive_account_public_network_access_disabled","sql":"select\n s.id as resource,\n case\n when public_network_access = 'Enabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when public_network_access = 'Enabled' then name || ' public network access enabled.'\n else name || ' public network access disabled.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_cognitive_account as s,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;\n","tags":{},"tables":["azure.azure_cognitive_account","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/cognitiveservice.pp","startLineNumber":128,"endLineNumber":149,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cognitive_account_public_network_access_disabled","org":"turbot","name":"cognitive_account_public_network_access_disabled","mod":"Azure Compliance","title":"Cognitive Services accounts should disable public network access","description":"Disabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. Creating private endpoints can limit exposure of Cognitive Services account.","tags":{"nist_sp_800_53_rev_5":"true","service":"Azure/CognitiveServices"}}],"controlTitle":"Cognitive Services accounts should disable public network access","controlDescription":"Disabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. Creating private endpoints can limit exposure of Cognitive Services account.","controlTags":{"nist_sp_800_53_rev_5":"true","service":"Azure/CognitiveServices"}},"cognitive_account_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/cognitive_account_restrict_public_access","org":"turbot","name":"cognitive_account_restrict_public_access","sql":"with account_with_public_access_restricted as (\n select\n a.id\n from\n azure_cognitive_account as a,\n jsonb_array_elements(capabilities) as c\n where\n c ->> 'name' = 'VirtualNetworks' and network_acls ->> 'defaultAction' <> 'Deny'\n)\nselect\n distinct a.name as resource,\n case\n when b.id is not null then 'alarm'\n else 'ok'\n end as status,\n case\n when b.id is not null then a.name || ' publicly accessible.'\n else a.name || ' publicly not accessible.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_cognitive_account as a\n left join account_with_public_access_restricted as b on a.id = b.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_cognitive_account","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/cognitiveservice.pp","startLineNumber":151,"endLineNumber":182,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cognitive_account_restrict_public_access","org":"turbot","name":"cognitive_account_restrict_public_access","mod":"Azure Compliance","title":"Cognitive Services accounts should restrict network access","description":"Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.","tags":{"nist_sp_800_53_rev_5":"true","service":"Azure/CognitiveServices"}}],"controlTitle":"Cognitive Services accounts should restrict network access","controlDescription":"Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.","controlTags":{"nist_sp_800_53_rev_5":"true","service":"Azure/CognitiveServices"}}},"compute":{"compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed","org":"turbot","name":"compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed","sql":"select\n disk.id as resource,\n case\n when encryption_type = 'EncryptionAtRestWithPlatformAndCustomerKeys' then 'ok'\n else 'alarm'\n end as status,\n case\n when encryption_type = 'EncryptionAtRestWithPlatformAndCustomerKeys' then disk.name || ' encrypted with both platform-managed and customer-managed keys.'\n else disk.name || ' not encrypted with both platform-managed and customer-managed keys.'\n end as reason\n \n , disk.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_disk disk,\n azure_subscription sub\nwhere\n disk_state = 'Attached'\n and sub.subscription_id = disk.subscription_id;\n","tags":{},"tables":["azure.azure_compute_disk","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":930,"endLineNumber":952,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed","org":"turbot","name":"compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed","mod":"Azure Compliance","title":"Managed disks should be double encrypted with both platform-managed and customer-managed keys","description":"High security sensitive customers who are concerned of the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer using platform managed encryption keys. The disk encryption sets are required to use double encryption.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}}],"controlTitle":"Managed disks should be double encrypted with both platform-managed and customer-managed keys","controlDescription":"High security sensitive customers who are concerned of the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer using platform managed encryption keys. The disk encryption sets are required to use double encryption.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}},"compute_unattached_disk_encrypted_with_cmk":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_unattached_disk_encrypted_with_cmk","org":"turbot","name":"compute_unattached_disk_encrypted_with_cmk","sql":"select\n disk.id as resource,\n case\n when encryption_type = 'EncryptionAtRestWithCustomerKey' then 'ok'\n else 'alarm'\n end as status,\n case\n when encryption_type = 'EncryptionAtRestWithCustomerKey' then disk.name || ' encrypted with CMK.'\n else disk.name || ' not encrypted with CMK.'\n end as reason\n \n , disk.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_disk disk,\n azure_subscription sub\nwhere\n disk_state != 'Attached'\n and sub.subscription_id = disk.subscription_id;\n","tags":{},"tables":["azure.azure_compute_disk","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":993,"endLineNumber":1015,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_7_3","org":"turbot","name":"cis_v150_7_3","mod":"Azure Compliance","title":"7.3 Ensure that 'Unattached disks' are encrypted with CMK","description":"Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.3","cis_level":"2","cis_section_id":"7","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_7_3","org":"turbot","name":"cis_v140_7_3","mod":"Azure Compliance","title":"7.3 Ensure that 'Unattached disks' are encrypted with CMK","description":"Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.3","cis_level":"2","cis_section_id":"7","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_7_3","org":"turbot","name":"cis_v130_7_3","mod":"Azure Compliance","title":"7.3 Ensure that 'Unattached disks' are encrypted with CMK","description":"Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.3","cis_level":"2","cis_section_id":"7","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_7_4","org":"turbot","name":"cis_v210_7_4","mod":"Azure Compliance","title":"7.4 Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)","description":"Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.4","cis_level":"2","cis_section_id":"7","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_7_4","org":"turbot","name":"cis_v200_7_4","mod":"Azure Compliance","title":"7.4 Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)","description":"Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.4","cis_level":"2","cis_section_id":"7","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_8_4","org":"turbot","name":"cis_v300_8_4","mod":"Azure Compliance","title":"8.4 Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)","description":"Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).","tags":{"category":"Compliance","cis":"true","cis_item_id":"8.4","cis_level":"2","cis_section_id":"8","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_unattached_disk_encrypted_with_cmk","org":"turbot","name":"compute_unattached_disk_encrypted_with_cmk","mod":"Azure Compliance","title":"Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)","description":"Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).","tags":{"service":"Azure/Compute"}}],"controlTitle":"Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)","controlDescription":"Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"8.4","cis_level":"2","cis_section_id":"8","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Compute"}},"compute_disk_unattached_encrypted_with_cmk":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_disk_unattached_encrypted_with_cmk","org":"turbot","name":"compute_disk_unattached_encrypted_with_cmk","sql":"select\n disk.id as resource,\n case\n when managed_by is not null\n or managed_by != ''\n or encryption_type = 'EncryptionAtRestWithCustomerKey'\n or encryption_type = 'EncryptionAtRestWithPlatformAndCustomerKeys'\n then 'ok'\n else 'alarm'\n end as status,\n case\n when managed_by is not null\n or managed_by != ''\n or encryption_type = 'EncryptionAtRestWithCustomerKey'\n or encryption_type = 'EncryptionAtRestWithPlatformAndCustomerKeys'\n then disk.name || ' attached and encrypted with ADE/CMK.'\n else disk.name || ' unattached and encrypted with default encryption key.'\n end as reason\n \n , disk.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_disk disk,\n azure_subscription sub\nwhere\n disk_state != 'Attached'\n and sub.subscription_id = disk.subscription_id;\n","tags":{},"tables":["azure.azure_compute_disk","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":2693,"endLineNumber":2723,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_disk_unattached_encrypted_with_cmk","org":"turbot","name":"compute_disk_unattached_encrypted_with_cmk","mod":"Azure Compliance","title":"Unattached Compute disks should be encrypted with ADE/CMK","description":"This policy identifies the disks which are unattached and are encrypted with default encryption instead of ADE/CMK. Azure encrypts disks by default Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK]. It is recommended to use either SSE with Azure Disk Encryption [SSE with PMK+ADE] or Customer Managed Key [SSE with CMK] which improves on platform-managed keys by giving you control of the encryption keys to meet your compliance need.","tags":{"service":"Azure/Compute"}}],"controlTitle":"Unattached Compute disks should be encrypted with ADE/CMK","controlDescription":"This policy identifies the disks which are unattached and are encrypted with default encryption instead of ADE/CMK. Azure encrypts disks by default Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK]. It is recommended to use either SSE with Azure Disk Encryption [SSE with PMK+ADE] or Customer Managed Key [SSE with CMK] which improves on platform-managed keys by giving you control of the encryption keys to meet your compliance need.","controlTags":{"service":"Azure/Compute"}},"compute_os_and_data_disk_encrypted_with_cmk":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_os_and_data_disk_encrypted_with_cmk","org":"turbot","name":"compute_os_and_data_disk_encrypted_with_cmk","sql":"select\n disk.id as resource,\n case\n when encryption_type = 'EncryptionAtRestWithCustomerKey' then 'ok'\n else 'alarm'\n end as status,\n case\n when encryption_type = 'EncryptionAtRestWithCustomerKey' then disk.name || ' encrypted with CMK.'\n else disk.name || ' not encrypted with CMK.'\n end as reason\n \n , disk.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_disk disk,\n azure_subscription sub\nwhere\n disk_state = 'Attached'\n and sub.subscription_id = disk.subscription_id;\n","tags":{},"tables":["azure.azure_compute_disk","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":906,"endLineNumber":928,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_7_2","org":"turbot","name":"cis_v150_7_2","mod":"Azure Compliance","title":"7.2 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)","description":"Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption(SSE).","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.2","cis_level":"2","cis_section_id":"7","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_7_2","org":"turbot","name":"cis_v140_7_2","mod":"Azure Compliance","title":"7.2 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)","description":"Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption(SSE).","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.2","cis_level":"2","cis_section_id":"7","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_7_2","org":"turbot","name":"cis_v130_7_2","mod":"Azure Compliance","title":"7.2 Ensure that 'OS and Data' disks are encrypted with CMK","description":"Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK.","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.2","cis_level":"2","cis_section_id":"7","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_7_3","org":"turbot","name":"cis_v210_7_3","mod":"Azure Compliance","title":"7.3 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)","description":"Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption(SSE).","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.3","cis_level":"2","cis_section_id":"7","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_7_3","org":"turbot","name":"cis_v200_7_3","mod":"Azure Compliance","title":"7.3 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)","description":"Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption(SSE).","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.3","cis_level":"2","cis_section_id":"7","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_8_3","org":"turbot","name":"cis_v300_8_3","mod":"Azure Compliance","title":"8.3 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)","description":"Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption(SSE).","tags":{"category":"Compliance","cis":"true","cis_item_id":"8.3","cis_level":"2","cis_section_id":"8","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_os_and_data_disk_encrypted_with_cmk","org":"turbot","name":"compute_os_and_data_disk_encrypted_with_cmk","mod":"Azure Compliance","title":"OS and data disks should be encrypted with a customer-managed key","description":"Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}}],"controlTitle":"OS and data disks should be encrypted with a customer-managed key","controlDescription":"Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"8.3","cis_level":"2","cis_section_id":"8","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Compute","fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true"}},"compute_disk_data_access_auth_mode_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_disk_data_access_auth_mode_enabled","org":"turbot","name":"compute_disk_data_access_auth_mode_enabled","sql":"select\n disk.id as resource,\n case\n when data_access_auth_mode = 'AzureActiveDirectory' then 'ok'\n else 'alarm'\n end as status,\n case\n when data_access_auth_mode = 'AzureActiveDirectory' then disk.name || ' data authentication mode enabled.'\n else disk.name || ' data authentication mode disabled.'\n end as reason\n \n , disk.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_disk disk,\n azure_subscription sub\nwhere\n sub.subscription_id = disk.subscription_id;\n","tags":{},"tables":["azure.azure_compute_disk","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":2819,"endLineNumber":2840,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_8_6","org":"turbot","name":"cis_v300_8_6","mod":"Azure Compliance","title":"8.6 Ensure that 'Enable Data Access Authentication Mode' is 'Checked'","description":"Data Access Authentication Mode provides a method of uploading or exporting Virtual Machine Disks.","tags":{"category":"Compliance","cis":"true","cis_item_id":"8.6","cis_level":"1","cis_section_id":"8","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_disk_data_access_auth_mode_enabled","org":"turbot","name":"compute_disk_data_access_auth_mode_enabled","mod":"Azure Compliance","title":"Ensure that 'Enable Data Access Authentication Mode' is 'Checked'","description":"Data Access Authentication Mode provides a method of uploading or exporting Virtual Machine Disks.","tags":{"service":"Azure/Compute"}}],"controlTitle":"Ensure that 'Enable Data Access Authentication Mode' is 'Checked'","controlDescription":"Data Access Authentication Mode provides a method of uploading or exporting Virtual Machine Disks.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"8.6","cis_level":"1","cis_section_id":"8","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Compute"}},"compute_disk_public_access_disabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_disk_public_access_disabled","org":"turbot","name":"compute_disk_public_access_disabled","sql":"select\n disk.id as resource,\n case\n when network_access_policy in ('DenyAll','AllowPrivate') and public_network_access = 'Disabled' then 'ok'\n else 'alarm'\n end as status,\n case\n when network_access_policy in ('DenyAll','AllowPrivate') and public_network_access = 'Disabled' then disk.name || ' network access disabled.'\n else disk.name || ' network access enabled.'\n end as reason\n \n , disk.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_disk disk,\n azure_subscription sub\nwhere\n sub.subscription_id = disk.subscription_id;\n","tags":{},"tables":["azure.azure_compute_disk","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":2796,"endLineNumber":2817,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_8_5","org":"turbot","name":"cis_v300_8_5","mod":"Azure Compliance","title":"8.5 Ensure that 'Disk Network Access' is NOT set to 'Enable public access from all networks'","description":"Virtual Machine Disks and snapshots can be configured to allow access from different network resources.","tags":{"category":"Compliance","cis":"true","cis_item_id":"8.5","cis_level":"1","cis_section_id":"8","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_disk_public_access_disabled","org":"turbot","name":"compute_disk_public_access_disabled","mod":"Azure Compliance","title":"Ensure that 'Disk Network Access' is NOT set to 'Enable public access from all networks'","description":"Virtual Machine Disks and snapshots can be configured to allow access from different network resources.","tags":{"service":"Azure/Compute"}}],"controlTitle":"Ensure that 'Disk Network Access' is NOT set to 'Enable public access from all networks'","controlDescription":"Virtual Machine Disks and snapshots can be configured to allow access from different network resources.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"8.5","cis_level":"1","cis_section_id":"8","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Compute"}},"compute_disk_access_uses_private_link":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_disk_access_uses_private_link","org":"turbot","name":"compute_disk_access_uses_private_link","sql":"with compute_disk_connection as (\n select\n distinct a.id\n from\n azure_compute_disk_access as a,\n jsonb_array_elements(private_endpoint_connections) as connection\n where\n connection ->> 'PrivateLinkServiceConnectionStateStatus' = 'Approved'\n)\nselect\n b.id as resource,\n case\n when c.id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when c.id is null then b.name || ' not uses private link.'\n else b.name || ' uses private link.'\n end as reason\n \n , b.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_disk_access as b\n left join compute_disk_connection as c on b.id = c.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = b.subscription_id;\n","tags":{},"tables":["azure.azure_compute_disk_access","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":2141,"endLineNumber":2172,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_disk_access_uses_private_link","org":"turbot","name":"compute_disk_access_uses_private_link","mod":"Azure Compliance","title":"Disk access resources should use private link","description":"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}}],"controlTitle":"Disk access resources should use private link","controlDescription":"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}},"compute_vm_secure_communication_protocols_configured":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_secure_communication_protocols_configured","org":"turbot","name":"compute_vm_secure_communication_protocols_configured","sql":"$fc","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":2323,"endLineNumber":2363,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_secure_communication_protocols_configured","org":"turbot","name":"compute_vm_secure_communication_protocols_configured","mod":"Azure Compliance","title":"Windows web servers should be configured to use secure communication protocols","description":"To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.","tags":{"nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}}],"controlTitle":"Windows web servers should be configured to use secure communication protocols","controlDescription":"To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.","controlTags":{"nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}},"compute_vm_min_password_age_1_day_windows":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_min_password_age_1_day_windows","org":"turbot","name":"compute_vm_min_password_age_1_day_windows","sql":"with vm_min_password_age as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(guest_configuration_assignments) as b\n where\n b -> 'guestConfiguration' ->> 'name'= 'MinimumPasswordAge'\n and b ->> 'complianceStatus' = 'Compliant'\n)\nselect\n a.vm_id as resource,\n case\n when a.os_type <> 'Windows' then 'skip'\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating system.'\n when b.vm_id is not null then a.title || ' minimum password age is 1 day.'\n else a.title || ' minimum password age is not 1 day.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join vm_min_password_age as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":2033,"endLineNumber":2067,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_min_password_age_1_day_windows","org":"turbot","name":"compute_vm_min_password_age_1_day_windows","mod":"Azure Compliance","title":"Audit Windows machines that do not have a minimum password age of 1 day","description":"Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that do not have a minimum password age of 1 day.","tags":{"nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}}],"controlTitle":"Audit Windows machines that do not have a minimum password age of 1 day","controlDescription":"Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that do not have a minimum password age of 1 day.","controlTags":{"nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}},"compute_vm_restrict_remote_connection_from_accounts_without_password_linux":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_restrict_remote_connection_from_accounts_without_password_linux","org":"turbot","name":"compute_vm_restrict_remote_connection_from_accounts_without_password_linux","sql":"with compute_machine as(\n select\n id,\n name,\n subscription_id,\n resource_group\n from\n azure_compute_virtual_machine,\n jsonb_array_elements(guest_configuration_assignments) as e\n where\n e ->> 'name' = 'PasswordPolicy_msid110'\n and e ->> 'complianceStatus' = 'Compliant'\n)\nselect\n a.id as resource,\n case\n when a.os_type <> 'Linux' then 'skip'\n when m.id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Linux' then a.name || ' is of ' || a.os_type || ' operating system.'\n when m.id is not null then a.name || ' restrict remote connections from accounts without passwords.'\n else a.name || ' allows remote connections from accounts without passwords.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join compute_machine as m on m.id = a.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":954,"endLineNumber":991,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_restrict_remote_connection_from_accounts_without_password_linux","org":"turbot","name":"compute_vm_restrict_remote_connection_from_accounts_without_password_linux","mod":"Azure Compliance","title":"Audit Linux machines that allow remote connections from accounts without passwords","description":"Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}}],"controlTitle":"Audit Linux machines that allow remote connections from accounts without passwords","controlDescription":"Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}},"compute_vm_max_password_age_70_days_windows":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_max_password_age_70_days_windows","org":"turbot","name":"compute_vm_max_password_age_70_days_windows","sql":"with vm_maximum_password_age as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(guest_configuration_assignments) as b\n where\n b -> 'guestConfiguration' ->> 'name'= 'MaximumPasswordAge'\n and b ->> 'complianceStatus' = 'Compliant'\n)\nselect\n a.vm_id as resource,\n case\n when a.os_type <> 'Windows' then 'skip'\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating system.'\n when b.vm_id is not null then a.title || ' maximum password age is 70 days.'\n else a.title || ' maximum password age is not 70 days.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join vm_maximum_password_age as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":1997,"endLineNumber":2031,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_max_password_age_70_days_windows","org":"turbot","name":"compute_vm_max_password_age_70_days_windows","mod":"Azure Compliance","title":"Audit Windows machines that do not have a maximum password age of 70 days","description":"Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that do not have a maximum password age of 70 days.","tags":{"nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Compute"}}],"controlTitle":"Audit Windows machines that do not have a maximum password age of 70 days","controlDescription":"Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that do not have a maximum password age of 70 days.","controlTags":{"nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Compute"}},"compute_vm_guest_configuration_installed_windows":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_guest_configuration_installed_windows","org":"turbot","name":"compute_vm_guest_configuration_installed_windows","sql":"$fd","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":1923,"endLineNumber":1959,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_guest_configuration_installed_windows","org":"turbot","name":"compute_vm_guest_configuration_installed_windows","mod":"Azure Compliance","title":"Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs","description":"This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Compute"}}],"controlTitle":"Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs","controlDescription":"This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Compute"}},"compute_vm_guest_configuration_with_system_assigned_managed_identity":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_guest_configuration_with_system_assigned_managed_identity","org":"turbot","name":"compute_vm_guest_configuration_with_system_assigned_managed_identity","sql":"$fe","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":2248,"endLineNumber":2282,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_guest_configuration_with_system_assigned_managed_identity","org":"turbot","name":"compute_vm_guest_configuration_with_system_assigned_managed_identity","mod":"Azure Compliance","title":"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity","description":"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}}],"controlTitle":"Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity","controlDescription":"The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}},"compute_vm_meet_security_baseline_requirements_linux":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_meet_security_baseline_requirements_linux","org":"turbot","name":"compute_vm_meet_security_baseline_requirements_linux","sql":"with compute_machine as(\n select\n id,\n name,\n subscription_id,\n resource_group\n from\n azure_compute_virtual_machine,\n jsonb_array_elements(guest_configuration_assignments) as e\n where\n e ->> 'name' = 'AzureLinuxBaseline'\n and e ->> 'complianceStatus' = 'Compliant'\n)\nselect\n a.vm_id as resource,\n case\n when a.os_type <> 'Linux' then 'skip'\n when m.id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Linux' then a.name || ' is of ' || a.os_type || ' operating system.'\n when m.id is not null then a.name || ' meet requirements for azure compute security baseline.'\n else a.name || ' does not meet requirements for azure compute security baseline.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join compute_machine as m on m.id = a.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":2411,"endLineNumber":2448,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_meet_security_baseline_requirements_linux","org":"turbot","name":"compute_vm_meet_security_baseline_requirements_linux","mod":"Azure Compliance","title":"Linux machines should meet requirements for the Azure compute security baseline","description":"Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}}],"controlTitle":"Linux machines should meet requirements for the Azure compute security baseline","controlDescription":"Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}},"compute_vm_system_updates_installed":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_system_updates_installed","org":"turbot","name":"compute_vm_system_updates_installed","sql":"select\n vm.vm_id as resource,\n case\n when enable_automatic_updates then 'ok'\n else 'alarm'\n end as status,\n case\n when enable_automatic_updates then vm.title || ' automatic system updates enabled.'\n else vm.title || ' automatic system updates disabled.'\n end as reason\n \n , vm.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as vm,\n azure_subscription as sub\nwhere\n sub.subscription_id = vm.subscription_id;\n","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":1597,"endLineNumber":1618,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_system_updates_installed","org":"turbot","name":"compute_vm_system_updates_installed","mod":"Azure Compliance","title":"System updates should be installed on your machines","description":"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}}],"controlTitle":"System updates should be installed on your machines","controlDescription":"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}},"compute_vm_windows_defender_exploit_guard_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_windows_defender_exploit_guard_enabled","org":"turbot","name":"compute_vm_windows_defender_exploit_guard_enabled","sql":"with compute_machine as(\n select\n id,\n name,\n subscription_id,\n resource_group\n from\n azure_compute_virtual_machine,\n jsonb_array_elements(guest_configuration_assignments) as e\n where\n e ->> 'name' = 'WindowsDefenderExploitGuard'\n and e ->> 'complianceStatus' = 'Compliant'\n)\nselect\n a.id as resource,\n case\n when a.os_type <> 'Windows' then 'skip'\n when m.id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Windows' then a.name || ' is of ' || a.os_type || ' operating system.'\n when m.id is not null then a.name || ' windows defender exploit guard enabled.'\n else a.name || ' windows defender exploit guard disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join compute_machine as m on m.id = a.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":2284,"endLineNumber":2321,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_windows_defender_exploit_guard_enabled","org":"turbot","name":"compute_vm_windows_defender_exploit_guard_enabled","mod":"Azure Compliance","title":"Windows Defender Exploit Guard should be enabled on your machines","description":"Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}}],"controlTitle":"Windows Defender Exploit Guard should be enabled on your machines","controlDescription":"Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}},"compute_vm_account_with_password_linux":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_account_with_password_linux","org":"turbot","name":"compute_vm_account_with_password_linux","sql":"with vm_ssh_key_auth as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(guest_configuration_assignments) as b\n where\n b -> 'guestConfiguration' ->> 'name'= 'PasswordPolicy_msid232'\n and b ->> 'complianceStatus' = 'Compliant'\n)\nselect\n a.vm_id as resource,\n case\n when a.os_type <> 'Linux' then 'skip'\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Linux' then a.title || ' is of ' || a.os_type || ' operating system.'\n when b.vm_id is not null then a.title || ' have accounts with passwords.'\n else a.title || ' does not have have accounts with passwords.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join vm_ssh_key_auth as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":1740,"endLineNumber":1774,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_account_with_password_linux","org":"turbot","name":"compute_vm_account_with_password_linux","mod":"Azure Compliance","title":"Audit Linux machines that have accounts without passwords","description":"Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Linux machines that have accounts without passwords.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}}],"controlTitle":"Audit Linux machines that have accounts without passwords","controlDescription":"Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Linux machines that have accounts without passwords.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}},"compute_vm_meet_security_baseline_requirements_windows":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_meet_security_baseline_requirements_windows","org":"turbot","name":"compute_vm_meet_security_baseline_requirements_windows","sql":"with compute_machine as(\n select\n id,\n name,\n subscription_id,\n resource_group\n from\n azure_compute_virtual_machine,\n jsonb_array_elements(guest_configuration_assignments) as e\n where\n e ->> 'name' = 'AzureWindowsBaseline'\n and e ->> 'complianceStatus' = 'Compliant'\n)\nselect\n a.vm_id as resource,\n case\n when a.os_type <> 'Windows' then 'skip'\n when m.id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Windows' then a.name || ' is of ' || a.os_type || ' operating system.'\n when m.id is not null then a.name || ' meet requirements for azure compute security baseline.'\n else a.name || ' does not meet requirements for azure compute security baseline.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join compute_machine as m on m.id = a.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":2450,"endLineNumber":2487,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_meet_security_baseline_requirements_windows","org":"turbot","name":"compute_vm_meet_security_baseline_requirements_windows","mod":"Azure Compliance","title":"Windows machines should meet requirements of the Azure compute security baseline","description":"Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}}],"controlTitle":"Windows machines should meet requirements of the Azure compute security baseline","controlDescription":"Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}},"compute_vm_data_and_os_disk_uses_managed_disk":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_data_and_os_disk_uses_managed_disk","org":"turbot","name":"compute_vm_data_and_os_disk_uses_managed_disk","sql":"$ff","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":2603,"endLineNumber":2641,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_data_and_os_disk_uses_managed_disk","org":"turbot","name":"compute_vm_data_and_os_disk_uses_managed_disk","mod":"Azure Compliance","title":"Compute virtual machines should use managed disk for OS and data disk","description":"This control checks whether virtual machines use managed disks for OS and data disks.","tags":{"service":"Azure/Compute"}}],"controlTitle":"Compute virtual machines should use managed disk for OS and data disk","controlDescription":"This control checks whether virtual machines use managed disks for OS and data disks.","controlTags":{"service":"Azure/Compute"}},"compute_vm_disaster_recovery_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_disaster_recovery_enabled","org":"turbot","name":"compute_vm_disaster_recovery_enabled","sql":"with vm_dr_enabled as (\n select\n substr(source_id, 0, length(source_id)) as source_id\n from\n azure_resource_link as l\n left join azure_compute_virtual_machine as vm on lower(substr(source_id, 0, length(source_id)))= lower(vm.id)\n where\n l.name like 'ASR-Protect-%'\n)\nselect\n vm.vm_id as resource,\n case\n when l.source_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when l.source_id is null then vm.title || ' disaster recovery disabled.'\n else vm.title || ' disaster recovery enabled.'\n end as reason\n \n , vm.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as vm\n left join vm_dr_enabled as l on lower(vm.id) = lower(l.source_id),\n azure_subscription sub\nwhere\n sub.subscription_id = vm.subscription_id;\n","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_resource_link","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":1393,"endLineNumber":1424,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_disaster_recovery_enabled","org":"turbot","name":"compute_vm_disaster_recovery_enabled","mod":"Azure Compliance","title":"Audit virtual machines without disaster recovery configured","description":"Audit virtual machines which do not have disaster recovery configured.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}}],"controlTitle":"Audit virtual machines without disaster recovery configured","controlDescription":"Audit virtual machines which do not have disaster recovery configured.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}},"compute_vm_vulnerability_assessment_solution_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_vulnerability_assessment_solution_enabled","org":"turbot","name":"compute_vm_vulnerability_assessment_solution_enabled","sql":"$100","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":1620,"endLineNumber":1664,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_vulnerability_assessment_solution_enabled","org":"turbot","name":"compute_vm_vulnerability_assessment_solution_enabled","mod":"Azure Compliance","title":"A vulnerability assessment solution should be enabled on your virtual machines","description":"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}}],"controlTitle":"A vulnerability assessment solution should be enabled on your virtual machines","controlDescription":"Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}},"compute_vm_ssh_key_authentication_linux":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_ssh_key_authentication_linux","org":"turbot","name":"compute_vm_ssh_key_authentication_linux","sql":"with vm_ssh_key_auth as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(guest_configuration_assignments) as b\n where\n b -> 'guestConfiguration' ->> 'name'= 'LinuxNoPasswordForSSH'\n and b ->> 'complianceStatus' = 'Compliant'\n)\nselect\n a.vm_id as resource,\n case\n when a.os_type <> 'Linux' then 'skip'\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Linux' then a.title || ' is of ' || a.os_type || ' operating system.'\n when b.vm_id is not null then a.title || ' have SSH keys authentication.'\n else a.title || ' does not have SSH keys authentication.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join vm_ssh_key_auth as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":1776,"endLineNumber":1810,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_ssh_key_authentication_linux","org":"turbot","name":"compute_vm_ssh_key_authentication_linux","mod":"Azure Compliance","title":"Authentication to Linux machines should require SSH keys","description":"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}}],"controlTitle":"Authentication to Linux machines should require SSH keys","controlDescription":"Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}},"compute_vm_restrict_previous_24_passwords_resuse_windows":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_restrict_previous_24_passwords_resuse_windows","org":"turbot","name":"compute_vm_restrict_previous_24_passwords_resuse_windows","sql":"with vm_enforce_password_history as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(guest_configuration_assignments) as b\n where\n b -> 'guestConfiguration' ->> 'name'= 'EnforcePasswordHistory'\n and b ->> 'complianceStatus' = 'Compliant'\n)\nselect\n a.vm_id as resource,\n case\n when a.os_type <> 'Windows' then 'skip'\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating system.'\n when b.vm_id is not null then a.title || ' enforce password history.'\n else a.title || ' doest not enforce password history.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join vm_enforce_password_history as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":1961,"endLineNumber":1995,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_restrict_previous_24_passwords_resuse_windows","org":"turbot","name":"compute_vm_restrict_previous_24_passwords_resuse_windows","mod":"Azure Compliance","title":"Audit Windows machines that allow re-use of the previous 24 passwords","description":"Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that allow re-use of the previous 24 passwords.","tags":{"nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Compute"}}],"controlTitle":"Audit Windows machines that allow re-use of the previous 24 passwords","controlDescription":"Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that allow re-use of the previous 24 passwords.","controlTags":{"nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Compute"}},"compute_vm_password_complexity_setting_enabled_windows":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_password_complexity_setting_enabled_windows","org":"turbot","name":"compute_vm_password_complexity_setting_enabled_windows","sql":"with vm_password_complexity_setting as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(guest_configuration_assignments) as b\n where\n b -> 'guestConfiguration' ->> 'name'= 'PasswordMustMeetComplexityRequirements'\n and b ->> 'complianceStatus' = 'Compliant'\n)\nselect\n a.vm_id as resource,\n case\n when a.os_type <> 'Windows' then 'skip'\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating system.'\n when b.vm_id is not null then a.title || ' password complexity setting enabled.'\n else a.title || ' password complexity setting disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join vm_password_complexity_setting as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":2069,"endLineNumber":2103,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_password_complexity_setting_enabled_windows","org":"turbot","name":"compute_vm_password_complexity_setting_enabled_windows","mod":"Azure Compliance","title":"Audit Windows machines that do not have the password complexity setting enabled","description":"Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that do not have the password complexity setting enabled.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}}],"controlTitle":"Audit Windows machines that do not have the password complexity setting enabled","controlDescription":"Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that do not have the password complexity setting enabled.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}},"compute_vm_network_traffic_data_collection_windows_agent_installed":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_network_traffic_data_collection_windows_agent_installed","org":"turbot","name":"compute_vm_network_traffic_data_collection_windows_agent_installed","sql":"with agent_installed_vm as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(extensions) as b\n where\n b ->> 'ExtensionType' = 'DependencyAgentWindows'\n and b ->> 'Publisher' = 'Microsoft.Azure.Monitoring.DependencyAgent'\n and b ->> 'ProvisioningState' = 'Succeeded'\n)\nselect\n a.vm_id as resource,\n case\n when a.os_type <> 'Windows' then 'skip'\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating system.'\n when b.vm_id is not null then a.title || ' have data collection agent installed.'\n else a.title || ' data collection agent not installed.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join agent_installed_vm as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":1500,"endLineNumber":1535,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_network_traffic_data_collection_windows_agent_installed","org":"turbot","name":"compute_vm_network_traffic_data_collection_windows_agent_installed","mod":"Azure Compliance","title":"Network traffic data collection agent should be installed on Windows virtual machines","description":"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}}],"controlTitle":"Network traffic data collection agent should be installed on Windows virtual machines","controlDescription":"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}},"compute_vm_log_analytics_agent_installed_windows":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_log_analytics_agent_installed_windows","org":"turbot","name":"compute_vm_log_analytics_agent_installed_windows","sql":"$101","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":1285,"endLineNumber":1321,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_log_analytics_agent_installed_windows","org":"turbot","name":"compute_vm_log_analytics_agent_installed_windows","mod":"Azure Compliance","title":"Audit Windows machines on which the Log Analytics agent is not connected as expected","description":"Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/Compute"}}],"controlTitle":"Audit Windows machines on which the Log Analytics agent is not connected as expected","controlDescription":"Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter.","controlTags":{"hipaa_hitrust_v92":"true","service":"Azure/Compute"}},"compute_vm_network_traffic_data_collection_linux_agent_installed":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_network_traffic_data_collection_linux_agent_installed","org":"turbot","name":"compute_vm_network_traffic_data_collection_linux_agent_installed","sql":"with agent_installed_vm as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(extensions) as b\n where\n b ->> 'ExtensionType' = 'DependencyAgentLinux'\n and b ->> 'Publisher' = 'Microsoft.Azure.Monitoring.DependencyAgent'\n and b ->> 'ProvisioningState' = 'Succeeded'\n)\nselect\n a.vm_id as resource,\n case\n when a.os_type <> 'Linux' then 'skip'\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Linux' then a.title || ' is of ' || a.os_type || ' operating system.'\n when b.vm_id is not null then a.title || ' have data collection agent installed.'\n else a.title || ' data collection agent not installed.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join agent_installed_vm as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":1537,"endLineNumber":1572,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_network_traffic_data_collection_linux_agent_installed","org":"turbot","name":"compute_vm_network_traffic_data_collection_linux_agent_installed","mod":"Azure Compliance","title":"Network traffic data collection agent should be installed on Linux virtual machines","description":"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}}],"controlTitle":"Network traffic data collection agent should be installed on Linux virtual machines","controlDescription":"Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}},"compute_vm_min_password_length_14_windows":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_min_password_length_14_windows","org":"turbot","name":"compute_vm_min_password_length_14_windows","sql":"with vm_min_password_age as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(guest_configuration_assignments) as b\n where\n b -> 'guestConfiguration' ->> 'name'= 'MinimumPasswordLength'\n and b ->> 'complianceStatus' = 'Compliant'\n)\nselect\n a.vm_id as resource,\n case\n when a.os_type <> 'Windows' then 'skip'\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating system.'\n when b.vm_id is not null then a.title || ' minimum password length is 14 characters.'\n else a.title || ' minimum password length is not 14 characters.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join vm_min_password_age as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":2105,"endLineNumber":2139,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_min_password_length_14_windows","org":"turbot","name":"compute_vm_min_password_length_14_windows","mod":"Azure Compliance","title":"Audit Windows machines that do not restrict the minimum password length to 14 characters","description":"Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that do not restrict the minimum password length to 14 characters.","tags":{"nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Compute"}}],"controlTitle":"Audit Windows machines that do not restrict the minimum password length to 14 characters","controlDescription":"Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that do not restrict the minimum password length to 14 characters.","controlTags":{"nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Compute"}},"compute_vm_malware_agent_automatic_upgrade_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_malware_agent_automatic_upgrade_enabled","org":"turbot","name":"compute_vm_malware_agent_automatic_upgrade_enabled","sql":"$102","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":1426,"endLineNumber":1461,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_malware_agent_automatic_upgrade_enabled","org":"turbot","name":"compute_vm_malware_agent_automatic_upgrade_enabled","mod":"Azure Compliance","title":"Microsoft Antimalware for Azure should be configured to automatically update protection signatures","description":"This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures.","tags":{"hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","service":"Azure/Compute"}}],"controlTitle":"Microsoft Antimalware for Azure should be configured to automatically update protection signatures","controlDescription":"This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures.","controlTags":{"hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","service":"Azure/Compute"}},"compute_vm_guest_configuration_installed":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_guest_configuration_installed","org":"turbot","name":"compute_vm_guest_configuration_installed","sql":"with agent_installed_vm as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(extensions) as b\n where\n b ->> 'Publisher' = 'Microsoft.GuestConfiguration'\n and b ->> 'ProvisioningState' = 'Succeeded'\n)\nselect\n a.vm_id as resource,\n case\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.vm_id is not null then a.title || ' have guest configuration extension installed.'\n else a.title || ' guest configuration extension not installed.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join agent_installed_vm as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":1850,"endLineNumber":1882,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_guest_configuration_installed","org":"turbot","name":"compute_vm_guest_configuration_installed","mod":"Azure Compliance","title":"Guest Configuration extension should be installed on your machines","description":"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}}],"controlTitle":"Guest Configuration extension should be installed on your machines","controlDescription":"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}},"compute_vm_guest_configuration_with_no_managed_identity":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_guest_configuration_with_no_managed_identity","org":"turbot","name":"compute_vm_guest_configuration_with_no_managed_identity","sql":"$103","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":2489,"endLineNumber":2523,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_guest_configuration_with_no_managed_identity","org":"turbot","name":"compute_vm_guest_configuration_with_no_managed_identity","mod":"Azure Compliance","title":"Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities","description":"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Compute"}}],"controlTitle":"Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities","controlDescription":"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Compute"}},"compute_vm_uses_azure_resource_manager":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_uses_azure_resource_manager","org":"turbot","name":"compute_vm_uses_azure_resource_manager","sql":"select\n vm.vm_id as resource,\n case\n when resource_group is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when resource_group is not null then vm.title || ' uses azure resource manager.'\n else vm.title || ' not uses azure resource manager.'\n end as reason\n \n , vm.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as vm,\n azure_subscription as sub\nwhere\n sub.subscription_id = vm.subscription_id;\n","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":1574,"endLineNumber":1595,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_uses_azure_resource_manager","org":"turbot","name":"compute_vm_uses_azure_resource_manager","mod":"Azure Compliance","title":"Virtual machines should be migrated to new Azure Resource Manager resources","description":"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Compute"}}],"controlTitle":"Virtual machines should be migrated to new Azure Resource Manager resources","controlDescription":"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Compute"}},"compute_vm_malware_agent_installed":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_malware_agent_installed","org":"turbot","name":"compute_vm_malware_agent_installed","sql":"with malware_agent_installed_vm as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(extensions) as b\n where\n b ->> 'Publisher' = 'Microsoft.Azure.Security'\n and b ->> 'ExtensionType' = 'IaaSAntimalware'\n)\nselect\n a.vm_id as resource,\n case\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.vm_id is not null then a.title || ' IaaSAntimalware extension installed.'\n else a.title || ' IaaSAntimalware extension not installed.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join malware_agent_installed_vm as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":1323,"endLineNumber":1355,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_malware_agent_installed","org":"turbot","name":"compute_vm_malware_agent_installed","mod":"Azure Compliance","title":"Deploy default Microsoft IaaSAntimalware extension for Windows Server","description":"This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension.","tags":{"hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","service":"Azure/Compute"}}],"controlTitle":"Deploy default Microsoft IaaSAntimalware extension for Windows Server","controlDescription":"This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension.","controlTags":{"hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","service":"Azure/Compute"}},"compute_vm_utilizing_managed_disk":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_utilizing_managed_disk","org":"turbot","name":"compute_vm_utilizing_managed_disk","sql":"select\n vm.id as resource,\n case\n when managed_disk_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when managed_disk_id is null then vm.name || ' VM not utilizing managed disks.'\n else vm.name || ' VM utilizing managed disks.'\n end as reason\n \n , vm.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as vm,\n azure_subscription as sub\nwhere\n sub.subscription_id = vm.subscription_id;\n","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":2580,"endLineNumber":2601,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_7_1","org":"turbot","name":"cis_v150_7_1","mod":"Azure Compliance","title":"7.1 Ensure Virtual Machines are utilizing Managed Disks","description":"Migrate BLOB based VHD's to Managed Disks on Virtual Machines to exploit the default features of this configuration.","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.1","cis_level":"1","cis_section_id":"7","cis_type":"manual","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_7_1","org":"turbot","name":"cis_v140_7_1","mod":"Azure Compliance","title":"7.1 Ensure Virtual Machines are utilizing Managed Disks","description":"Migrate BLOB based VHD's to Managed Disks on Virtual Machines to exploit the default features of this configuration.","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.1","cis_level":"1","cis_section_id":"7","cis_type":"manual","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_7_1","org":"turbot","name":"cis_v130_7_1","mod":"Azure Compliance","title":"7.1 Ensure Virtual Machines are utilizing Managed Disks","description":"Migrate BLOB based VHD's to Managed Disks on Virtual Machines to exploit the default features of this configuration.","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.1","cis_level":"1","cis_section_id":"7","cis_type":"manual","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_7_2","org":"turbot","name":"cis_v210_7_2","mod":"Azure Compliance","title":"7.2 Ensure Virtual Machines are utilizing Managed Disks","description":"Migrate blob-based VHDs to Managed Disks on Virtual Machines to exploit the default features of this configuration.","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.2","cis_level":"1","cis_section_id":"7","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_7_2","org":"turbot","name":"cis_v200_7_2","mod":"Azure Compliance","title":"7.2 Ensure Virtual Machines are utilizing Managed Disks","description":"Migrate blob-based VHDs to Managed Disks on Virtual Machines to exploit the default features of this configuration.","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.2","cis_level":"1","cis_section_id":"7","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_8_2","org":"turbot","name":"cis_v300_8_2","mod":"Azure Compliance","title":"8.2 Ensure Virtual Machines are utilizing Managed Disks","description":"Migrate blob-based VHDs to Managed Disks on Virtual Machines to exploit the default features of this configuration.","tags":{"category":"Compliance","cis":"true","cis_item_id":"8.2","cis_level":"1","cis_section_id":"8","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_utilizing_managed_disk","org":"turbot","name":"compute_vm_utilizing_managed_disk","mod":"Azure Compliance","title":"Ensure Virtual Machines are utilizing Managed Disks","description":"Migrate BLOB based VHD's to Managed Disks on Virtual Machines to exploit the default features of this configuration.","tags":{"service":"Azure/Compute"}}],"controlTitle":"Ensure Virtual Machines are utilizing Managed Disks","controlDescription":"Migrate BLOB based VHD's to Managed Disks on Virtual Machines to exploit the default features of this configuration.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"8.2","cis_level":"1","cis_section_id":"8","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Compute"}},"compute_windows_vm_secure_boot_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_windows_vm_secure_boot_enabled","org":"turbot","name":"compute_windows_vm_secure_boot_enabled","sql":"select\n a.id as resource,\n case\n when image_offer not like '%Windows%' or os_type not like 'Windows%' then 'skip'\n when security_profile ->> 'securityType' in ('TrustedLaunch','ConfidentialVM') and security_profile ->> 'uefiSettings' is not null and security_profile -> 'uefiSettings' ->> 'secureBootEnabled' = 'true' then 'ok'\n else 'alarm'\n end as status,\n case\n when image_offer not like '%Windows%' or os_type not like 'Windows%' then a.title || ' is not a windows VM.'\n when security_profile ->> 'securityType' in ('TrustedLaunch','ConfidentialVM') and security_profile ->> 'uefiSettings' is not null and security_profile -> 'uefiSettings' ->> 'secureBootEnabled' = 'true' then a.title || ' secure boot enabled.'\n else a.title || ' secure boot disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id\n","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":2771,"endLineNumber":2794,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_windows_vm_secure_boot_enabled","org":"turbot","name":"compute_windows_vm_secure_boot_enabled","mod":"Azure Compliance","title":"Secure Boot should be enabled on supported Windows virtual machines","description":"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.","tags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}}],"controlTitle":"Secure Boot should be enabled on supported Windows virtual machines","controlDescription":"Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.","controlTags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}},"compute_vm_guest_configuration_installed_linux":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_guest_configuration_installed_linux","org":"turbot","name":"compute_vm_guest_configuration_installed_linux","sql":"$104","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":1812,"endLineNumber":1848,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_guest_configuration_installed_linux","org":"turbot","name":"compute_vm_guest_configuration_installed_linux","mod":"Azure Compliance","title":"Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs","description":"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}}],"controlTitle":"Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs","controlDescription":"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}},"network_interface_ip_forwarding_disabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/network_interface_ip_forwarding_disabled","org":"turbot","name":"network_interface_ip_forwarding_disabled","sql":"with vm_using_nic as (\n select\n id as vm_id,\n name as vm_name,\n resource_group,\n _ctx,\n region,\n subscription_id,\n b ->> 'id' as nic_id\n from\n azure_compute_virtual_machine as c,\n jsonb_array_elements(network_interfaces) as b\n)\nselect\n v.vm_id as resource,\n case\n when i.enable_ip_forwarding then 'alarm'\n else 'ok'\n end as status,\n case\n when i.enable_ip_forwarding then v.vm_name || ' using ' || i.name || ' network interface enabled with IP forwarding.'\n else v.vm_name || ' using ' || i.name || ' network interface disabled with IP forwarding.'\n end as reason\n \n , v.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_subscription as sub,\n vm_using_nic as v\n left join azure_network_interface as i on i.id = v.nic_id;\n","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_network_interface","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":2174,"endLineNumber":2207,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_interface_ip_forwarding_disabled","org":"turbot","name":"network_interface_ip_forwarding_disabled","mod":"Azure Compliance","title":"IP Forwarding on your virtual machine should be disabled","description":"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}}],"controlTitle":"IP Forwarding on your virtual machine should be disabled","controlDescription":"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}},"compute_vm_scale_set_logging_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_scale_set_logging_enabled","org":"turbot","name":"compute_vm_scale_set_logging_enabled","sql":"$105","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":1463,"endLineNumber":1498,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_scale_set_logging_enabled","org":"turbot","name":"compute_vm_scale_set_logging_enabled","mod":"Azure Compliance","title":"Resource logs in Virtual Machine Scale Sets should be enabled","description":"It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.","tags":{"service":"Azure/Compute"}}],"controlTitle":"Resource logs in Virtual Machine Scale Sets should be enabled","controlDescription":"It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.","controlTags":{"service":"Azure/Compute"}},"compute_vm_passwords_stored_using_reversible_encryption_windows":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_passwords_stored_using_reversible_encryption_windows","org":"turbot","name":"compute_vm_passwords_stored_using_reversible_encryption_windows","sql":"$106","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":1704,"endLineNumber":1738,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_passwords_stored_using_reversible_encryption_windows","org":"turbot","name":"compute_vm_passwords_stored_using_reversible_encryption_windows","mod":"Azure Compliance","title":"Audit Windows machines that do not store passwords using reversible encryption","description":"Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}}],"controlTitle":"Audit Windows machines that do not store passwords using reversible encryption","controlDescription":"Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}},"compute_vm_tcp_udp_access_restricted_internet":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_tcp_udp_access_restricted_internet","org":"turbot","name":"compute_vm_tcp_udp_access_restricted_internet","sql":"$107","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_network_interface","azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":1103,"endLineNumber":1208,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_tcp_udp_access_restricted_internet","org":"turbot","name":"compute_vm_tcp_udp_access_restricted_internet","mod":"Azure Compliance","title":"Internet-facing virtual machines should be protected with network security groups","description":"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG).","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}}],"controlTitle":"Internet-facing virtual machines should be protected with network security groups","controlDescription":"Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG).","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}},"compute_vm_log_analytics_agent_installed":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_log_analytics_agent_installed","org":"turbot","name":"compute_vm_log_analytics_agent_installed","sql":"with agent_installed_vm as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(extensions) as b\n where\n b ->> 'Publisher' = 'Microsoft.EnterpriseCloud.Monitoring'\n and b ->> 'ExtensionType' = any(ARRAY ['MicrosoftMonitoringAgent', 'OmsAgentForLinux'])\n and b ->> 'ProvisioningState' = 'Succeeded'\n and b -> 'Settings' ->> 'workspaceId' is not null\n)\nselect\n a.vm_id as resource,\n case\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.vm_id is not null then a.title || ' have log analytics agent installed.'\n else a.title || ' log analytics agent not installed.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join agent_installed_vm as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":1249,"endLineNumber":1283,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_log_analytics_agent_installed","org":"turbot","name":"compute_vm_log_analytics_agent_installed","mod":"Azure Compliance","title":"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring","description":"This policy audits any Windows/Linux virtual machines if the Log Analytics extension is not installed.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}}],"controlTitle":"Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring","controlDescription":"This policy audits any Windows/Linux virtual machines if the Log Analytics extension is not installed.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}},"compute_vm_remote_access_restricted_all_ports":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_remote_access_restricted_all_ports","org":"turbot","name":"compute_vm_remote_access_restricted_all_ports","sql":"$108","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_network_security_group","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":1066,"endLineNumber":1101,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_remote_access_restricted_all_ports","org":"turbot","name":"compute_vm_remote_access_restricted_all_ports","mod":"Azure Compliance","title":"All network ports should be restricted on network security groups associated to your virtual machine","description":"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}}],"controlTitle":"All network ports should be restricted on network security groups associated to your virtual machine","controlDescription":"Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}},"compute_vm_and_sacle_set_encryption_at_host_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_and_sacle_set_encryption_at_host_enabled","org":"turbot","name":"compute_vm_and_sacle_set_encryption_at_host_enabled","sql":"$109","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_compute_virtual_machine_scale_set","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":2365,"endLineNumber":2409,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_and_sacle_set_encryption_at_host_enabled","org":"turbot","name":"compute_vm_and_sacle_set_encryption_at_host_enabled","mod":"Azure Compliance","title":"Virtual machines and virtual machine scale sets should have encryption at host enabled","description":"Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}}],"controlTitle":"Virtual machines and virtual machine scale sets should have encryption at host enabled","controlDescription":"Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}},"compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity","org":"turbot","name":"compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity","sql":"$10a","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":1666,"endLineNumber":1702,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity","org":"turbot","name":"compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity","mod":"Azure Compliance","title":"Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity","description":"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Compute"}}],"controlTitle":"Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity","controlDescription":"This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Compute"}},"compute_vm_jit_access_protected":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_jit_access_protected","org":"turbot","name":"compute_vm_jit_access_protected","sql":"with compute as (\n select\n vm.id as resource,\n 'alarm' as status,\n vm.name || ' not JIT protected.' as reason,\n vm.resource_group,\n sub.display_name as subscription\n from\n azure_compute_virtual_machine as vm,\n azure_subscription sub\n where\n vm.subscription_id = sub.subscription_id\n)\nselect\n distinct vm.vm_id as resource,\n case\n when lower(vm.id) = lower(vms ->> 'id') then 'ok'\n else 'alarm'\n end as status,\n case\n when lower(vms ->> 'id') = lower(vm.id) then vm.name || ' JIT protected.'\n else vm.name || ' not JIT protected.'\n end as reason\n \n , vm.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as vm,\n azure_security_center_jit_network_access_policy as jit,\n jsonb_array_elements(virtual_machines) as vms,\n azure_subscription as sub\n left join compute on true\nwhere\n jit.subscription_id = sub.subscription_id;\n","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_security_center_jit_network_access_policy","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":1210,"endLineNumber":1247,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_jit_access_protected","org":"turbot","name":"compute_vm_jit_access_protected","mod":"Azure Compliance","title":"Management ports of virtual machines should be protected with just-in-time network access control","description":"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}}],"controlTitle":"Management ports of virtual machines should be protected with just-in-time network access control","controlDescription":"Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}},"compute_vm_attached_with_network":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_attached_with_network","org":"turbot","name":"compute_vm_attached_with_network","sql":"$10b","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_network_interface","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":1017,"endLineNumber":1064,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_attached_with_network","org":"turbot","name":"compute_vm_attached_with_network","mod":"Azure Compliance","title":"Virtual machines should be connected to an approved virtual network","description":"This policy audits any virtual machine connected to a virtual network that is not approved.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/Compute"}}],"controlTitle":"Virtual machines should be connected to an approved virtual network","controlDescription":"This policy audits any virtual machine connected to a virtual network that is not approved.","controlTags":{"hipaa_hitrust_v92":"true","service":"Azure/Compute"}},"compute_vm_scale_set_log_analytics_agent_installed":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_scale_set_log_analytics_agent_installed","org":"turbot","name":"compute_vm_scale_set_log_analytics_agent_installed","sql":"with agent_installed_vm_scale_set as (\n select\n distinct a.id as vm_id\n from\n azure_compute_virtual_machine_scale_set as a,\n jsonb_array_elements(extensions) as b\n where\n b ->> 'Publisher' = 'Microsoft.EnterpriseCloud.Monitoring'\n and b ->> 'ExtensionType' = any(ARRAY ['MicrosoftMonitoringAgent', 'OmsAgentForLinux'])\n and b ->> 'ProvisioningState' = 'Succeeded'\n and b -> 'Settings' ->> 'workspaceId' is not null\n)\nselect\n a.id as resource,\n case\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.vm_id is not null then a.title || ' have log analytics agent installed.'\n else a.title || ' log analytics agent not installed.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine_scale_set as a\n left join agent_installed_vm_scale_set as b on a.id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_compute_virtual_machine_scale_set","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":1357,"endLineNumber":1391,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_scale_set_log_analytics_agent_installed","org":"turbot","name":"compute_vm_scale_set_log_analytics_agent_installed","mod":"Azure Compliance","title":"Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring","description":"This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics extension is not installed.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}}],"controlTitle":"Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring","controlDescription":"This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics extension is not installed.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}},"compute_vm_scale_set_uses_managed_disks":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_scale_set_uses_managed_disks","org":"turbot","name":"compute_vm_scale_set_uses_managed_disks","sql":"select\n a.id as resource,\n case\n when virtual_machine_storage_profile -> 'osDisk' -> 'osType' -> 'vhdContainers' != null then 'ok'\n else 'alarm'\n end as status,\n case\n when virtual_machine_storage_profile -> 'osDisk' -> 'osType' -> 'vhdContainers' != null then a.title || ' utilising managed disks.'\n else a.title || ' not utilising managed disks.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine_scale_set as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_compute_virtual_machine_scale_set","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":2725,"endLineNumber":2746,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_scale_set_uses_managed_disks","org":"turbot","name":"compute_vm_scale_set_uses_managed_disks","mod":"Azure Compliance","title":"Virtual machine scale sets should use managed disks","description":"This policy identifies Azure Virtual machine scale sets which are not utilising Managed Disks. Using Azure Managed disk over traditional BLOB storage based VHD's has more advantage features like Managed disks are by default encrypted, reduces cost over storage accounts and more resilient as Microsoft will manage the disk storage and move around if underlying hardware goes faulty. It is recommended to move BLOB based VHD's to Managed Disks.","tags":{"service":"Azure/Compute"}}],"controlTitle":"Virtual machine scale sets should use managed disks","controlDescription":"This policy identifies Azure Virtual machine scale sets which are not utilising Managed Disks. Using Azure Managed disk over traditional BLOB storage based VHD's has more advantage features like Managed disks are by default encrypted, reduces cost over storage accounts and more resilient as Microsoft will manage the disk storage and move around if underlying hardware goes faulty. It is recommended to move BLOB based VHD's to Managed Disks.","controlTags":{"service":"Azure/Compute"}},"compute_vm_scale_set_automatic_upgrade_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_scale_set_automatic_upgrade_enabled","org":"turbot","name":"compute_vm_scale_set_automatic_upgrade_enabled","sql":"select\n a.id as resource,\n case\n when upgrade_policy is null then 'skip'\n when upgrade_policy ->> 'mode' = 'Automatic' then 'ok'\n else 'alarm'\n end as status,\n case\n when upgrade_policy is null then a.title || ' upgrade policy not applicable.'\n when upgrade_policy ->> 'mode' = 'Automatic' then a.title || ' automatic update enabled.'\n else a.title || ' automatic update disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine_scale_set as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_compute_virtual_machine_scale_set","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":2643,"endLineNumber":2666,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_scale_set_automatic_upgrade_enabled","org":"turbot","name":"compute_vm_scale_set_automatic_upgrade_enabled","mod":"Azure Compliance","title":"Compute virtual machine scale sets should have automatic OS image patching enabled","description":"This control checks whether virtual machine scale sets have automatic OS image patching enabled.","tags":{"service":"Azure/Compute"}}],"controlTitle":"Compute virtual machine scale sets should have automatic OS image patching enabled","controlDescription":"This control checks whether virtual machine scale sets have automatic OS image patching enabled.","controlTags":{"service":"Azure/Compute"}},"compute_vm_scale_set_ssh_key_authentication_linux":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_scale_set_ssh_key_authentication_linux","org":"turbot","name":"compute_vm_scale_set_ssh_key_authentication_linux","sql":"select\n a.id as resource,\n case\n when virtual_machine_storage_profile -> 'osDisk' ->> 'osType' = 'Windows' then 'skip'\n when virtual_machine_os_profile -> 'linuxConfiguration' ->> 'disablePasswordAuthentication' = 'true' then 'ok'\n else 'alarm'\n end as status,\n case\n when virtual_machine_storage_profile -> 'osDisk' ->> 'osType' = 'Windows' then a.title || ' is using windows OS.'\n when virtual_machine_os_profile -> 'linuxConfiguration' ->> 'disablePasswordAuthentication' = 'true' then a.title || ' has SSK key authentication enabled.'\n else a.title || ' has password authentication enabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine_scale_set as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_compute_virtual_machine_scale_set","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":2668,"endLineNumber":2691,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_scale_set_ssh_key_authentication_linux","org":"turbot","name":"compute_vm_scale_set_ssh_key_authentication_linux","mod":"Azure Compliance","title":"Compute virtual machine scale sets with linux OS should have SSH key authentication enabled","description":"This control checks whether virtual machine scale sets have SSH key authentication enabled. This control is only applicable for Linux-type operating systems.","tags":{"service":"Azure/Compute"}}],"controlTitle":"Compute virtual machine scale sets with linux OS should have SSH key authentication enabled","controlDescription":"This control checks whether virtual machine scale sets have SSH key authentication enabled. This control is only applicable for Linux-type operating systems.","controlTags":{"service":"Azure/Compute"}},"compute_vm_scale_set_boot_diagnostics_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/compute_vm_scale_set_boot_diagnostics_enabled","org":"turbot","name":"compute_vm_scale_set_boot_diagnostics_enabled","sql":"select\n a.id as resource,\n case\n when (virtual_machine_diagnostics_profile -> 'bootDiagnostics' ->> 'enabled') :: boolean then 'ok'\n else 'alarm'\n end as status,\n case\n when (virtual_machine_diagnostics_profile -> 'bootDiagnostics' ->> 'enabled') :: boolean then a.title || ' boot diagnostics enabled.'\n else a.title || ' boot diagnostics disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine_scale_set as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_compute_virtual_machine_scale_set","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":2748,"endLineNumber":2769,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_scale_set_boot_diagnostics_enabled","org":"turbot","name":"compute_vm_scale_set_boot_diagnostics_enabled","mod":"Azure Compliance","title":"Virtual Machine scale sets boot diagnostics should be enabled","description":"This policy identifies Azure Virtual Machines scale sets which has Boot Diagnostics setting Disabled. Boot Diagnostics when enabled for virtual machine, captures Screenshot and Console Output during virtual machine startup. This would help in troubleshooting virtual machine when it enters a non-bootable state.","tags":{"service":"Azure/Compute"}}],"controlTitle":"Virtual Machine scale sets boot diagnostics should be enabled","controlDescription":"This policy identifies Azure Virtual Machines scale sets which has Boot Diagnostics setting Disabled. Boot Diagnostics when enabled for virtual machine, captures Screenshot and Console Output during virtual machine startup. This would help in troubleshooting virtual machine when it enters a non-bootable state.","controlTags":{"service":"Azure/Compute"}},"arc_compute_machine_windows_log_analytics_agent_installed":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/arc_compute_machine_windows_log_analytics_agent_installed","org":"turbot","name":"arc_compute_machine_windows_log_analytics_agent_installed","sql":"with compute_machine as(\n select\n id,\n name,\n subscription_id,\n resource_group\n from\n azure_hybrid_compute_machine,\n jsonb_array_elements(extensions) as e\n where\n e ->> 'name' = 'MicrosoftMonitoringAgent'\n and e ->> 'provisioningState' = 'Succeeded'\n)\nselect\n a.id as resource,\n case\n when a.os_name <> 'windows' then 'skip'\n when m.id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_name <> 'windows' then a.name || ' is of ' || a.os_name || ' operating system.'\n when m.id is not null then a.name || ' log analytics extension installed.'\n else a.name || ' log analytics extension not installed.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\nazure_hybrid_compute_machine as a\nleft join compute_machine as m on m.id = a.id,\nazure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_hybrid_compute_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":2209,"endLineNumber":2246,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.arc_compute_machine_windows_log_analytics_agent_installed","org":"turbot","name":"arc_compute_machine_windows_log_analytics_agent_installed","mod":"Azure Compliance","title":"Log Analytics extension should be installed on your Windows Azure Arc machines","description":"This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}}],"controlTitle":"Log Analytics extension should be installed on your Windows Azure Arc machines","controlDescription":"This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}},"arc_compute_machine_linux_log_analytics_agent_installed":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/arc_compute_machine_linux_log_analytics_agent_installed","org":"turbot","name":"arc_compute_machine_linux_log_analytics_agent_installed","sql":"with compute_machine as(\n select\n id,\n name,\n subscription_id,\n resource_group\n from\n azure_hybrid_compute_machine,\n jsonb_array_elements(extensions) as e\n where\n e ->> 'name' = 'OMSAgentForLinux'\n and e ->> 'provisioningState' = 'Succeeded'\n)\nselect\n a.id as resource,\n case\n when a.os_name <> 'linux' then 'skip'\n when m.id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_name <> 'linux' then a.name || ' is of ' || a.os_name || ' operating system.'\n when m.id is not null then a.name || ' log analytics extension installed.'\n else a.name || ' log analytics extension not installed.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\nazure_hybrid_compute_machine as a\nleft join compute_machine as m on m.id = a.id,\nazure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n","tags":{},"tables":["azure.azure_hybrid_compute_machine","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/compute.pp","startLineNumber":1884,"endLineNumber":1921,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.arc_compute_machine_linux_log_analytics_agent_installed","org":"turbot","name":"arc_compute_machine_linux_log_analytics_agent_installed","mod":"Azure Compliance","title":"Log Analytics extension should be installed on your Linux Azure Arc machines","description":"This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}}],"controlTitle":"Log Analytics extension should be installed on your Linux Azure Arc machines","controlDescription":"This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}},"manual_control_hipaa":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/manual_control_hipaa","org":"turbot","name":"manual_control_hipaa","sql":"select\n id as resource,\n 'info' as status,\n 'Manual verification required. Check control description for more details.' as reason,\n display_name as subscription\nfrom\n azure_subscription;\n","tags":{},"tables":["azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/manual.pp","startLineNumber":13,"endLineNumber":23,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_adaptive_application_controls_enabled","org":"turbot","name":"compute_vm_adaptive_application_controls_enabled","mod":"Azure Compliance","title":"Adaptive application controls for defining safe applications should be enabled on your machines","description":"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.","tags":{"hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_adaptive_network_hardening_recommendation_applied","org":"turbot","name":"compute_vm_adaptive_network_hardening_recommendation_applied","mod":"Azure Compliance","title":"Adaptive network hardening recommendations should be applied on internet facing virtual machines","description":"Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface.","tags":{"hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_administrators_group_with_no_specified_members_windows","org":"turbot","name":"compute_vm_administrators_group_with_no_specified_members_windows","mod":"Azure Compliance","title":"Audit Windows machines missing any of specified members in the Administrators group","description":"Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_with_no_specified_certificates_in_trusted_root_windows","org":"turbot","name":"compute_vm_with_no_specified_certificates_in_trusted_root_windows","mod":"Azure Compliance","title":"Audit Windows machines that do not contain the specified certificates in Trusted Root","description":"Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the machine Trusted Root certificate store does not contain one or more of the certificates listed by the policy parameter.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_administrators_group_with_extra_accounts_windows","org":"turbot","name":"compute_vm_administrators_group_with_extra_accounts_windows","mod":"Azure Compliance","title":"Audit Windows machines that have extra accounts in the Administrators group","description":"Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_administrators_group_with_specified_members_windows","org":"turbot","name":"compute_vm_administrators_group_with_specified_members_windows","mod":"Azure Compliance","title":"Audit Windows machines that have the specified members in the Administrators group","description":"Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_scale_set_security_configuration_vulnerabilities_remediated","org":"turbot","name":"compute_vm_scale_set_security_configuration_vulnerabilities_remediated","mod":"Azure Compliance","title":"Vulnerabilities in security configuration on your virtual machine scale sets should be remediated","description":"Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.","tags":{"hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_meet_security_option_requirement_windows","org":"turbot","name":"compute_vm_meet_security_option_requirement_windows","mod":"Azure Compliance","title":"Windows machines should meet requirements for 'Security Options - Accounts'","description":"Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_meet_security_option_audit_requirement_windows","org":"turbot","name":"compute_vm_meet_security_option_audit_requirement_windows","mod":"Azure Compliance","title":"Windows machines should meet requirements for 'Security Options - Audit'","description":"Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_meet_system_audit_policies_requirement_windows","org":"turbot","name":"compute_vm_meet_system_audit_policies_requirement_windows","mod":"Azure Compliance","title":"Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'","description":"Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_meet_firewall_properties_windows","org":"turbot","name":"compute_vm_meet_firewall_properties_windows","mod":"Azure Compliance","title":"Windows machines should meet requirements for 'Windows Firewall Properties'","description":"Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.audit_diagnostic_setting","org":"turbot","name":"audit_diagnostic_setting","mod":"Azure Compliance","title":"Audit diagnostic setting for selected resource types","description":"Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings.","tags":{"hipaa_hitrust_v92":"true","pci_dss_v321":"true","service":"Azure/Monitor"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_endpoint_protection_agent_installed","org":"turbot","name":"compute_vm_endpoint_protection_agent_installed","mod":"Azure Compliance","title":"Monitor missing Endpoint Protection in Azure Security Center","description":"Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations.","tags":{"hipaa_hitrust_v92":"true","pci_dss_v321":"true","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_security_configuration_vulnerabilities_remediated","org":"turbot","name":"compute_vm_security_configuration_vulnerabilities_remediated","mod":"Azure Compliance","title":"Vulnerabilities in security configuration on your machines should be remediated","description":"Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations.","tags":{"hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Compute"}}],"controlTitle":"Adaptive application controls for defining safe applications should be enabled on your machines","controlDescription":"Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.","controlTags":{"hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute","pci_dss_v321":"true"}}},"storage":{"storage_account_containing_vhd_os_disk_cmk_encrypted":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/storage_account_containing_vhd_os_disk_cmk_encrypted","org":"turbot","name":"storage_account_containing_vhd_os_disk_cmk_encrypted","sql":"select\n sa.id as resource,\n case\n when sa.encryption_key_source = 'Microsoft.Storage'\n and vm.os_disk_vhd_uri is not null then 'alarm'\n else 'ok'\n end as status,\n case\n when sa.encryption_key_source = 'Microsoft.Storage'\n and vm.os_disk_vhd_uri is not null then sa.name || ' storage account containing VHD OS disk not encrypted with CMK.'\n else sa.name || ' storage account containing VHD OS disk encrypted with CMK.'\n end as reason\n \n , sa.resource_group as resource_group\n , vm.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_account sa,\n azure_compute_virtual_machine vm,\n azure_subscription sub\nwhere\n sub.subscription_id = sa.subscription_id\n and vm.os_disk_vhd_uri like '%' || sa.name || '%';\n","tags":{},"tables":["azure.azure_compute_virtual_machine","azure.azure_storage_account","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/storage.pp","startLineNumber":804,"endLineNumber":830,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.storage_account_containing_vhd_os_disk_cmk_encrypted","org":"turbot","name":"storage_account_containing_vhd_os_disk_cmk_encrypted","mod":"Azure Compliance","title":"Storage account containing VHD OS disk not encrypted with CMK","description":"This policy identifies Azure Storage account containing VHD OS disk which are not encrypted with CMK. VHD's attached to Virtual Machines are stored in Azure storage. By default Azure Storage account is encrypted using Microsoft Managed Keys. It is recommended to use Customer Managed Keys to encrypt data in Azure Storage accounts for better control on the data.","tags":{"service":"Azure/Storage"}}],"controlTitle":"Storage account containing VHD OS disk not encrypted with CMK","controlDescription":"This policy identifies Azure Storage account containing VHD OS disk which are not encrypted with CMK. VHD's attached to Virtual Machines are stored in Azure storage. By default Azure Storage account is encrypted using Microsoft Managed Keys. It is recommended to use Customer Managed Keys to encrypt data in Azure Storage accounts for better control on the data.","controlTags":{"service":"Azure/Storage"}},"storage_account_encryption_at_rest_using_cmk":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/storage_account_encryption_at_rest_using_cmk","org":"turbot","name":"storage_account_encryption_at_rest_using_cmk","sql":"select\n sa.id as resource,\n case\n when sa.encryption_key_source = 'Microsoft.Storage' then 'alarm'\n else 'ok'\n end as status,\n case\n when sa.encryption_key_source = 'Microsoft.Storage' then sa.name || ' not encrypted with CMK.'\n else sa.name || ' encrypted with CMK.'\n end as reason\n \n , sa.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_account sa,\n azure_subscription sub\nwhere\n sub.subscription_id = sa.subscription_id;\n","tags":{},"tables":["azure.azure_storage_account","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/storage.pp","startLineNumber":443,"endLineNumber":464,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_3_12","org":"turbot","name":"cis_v210_3_12","mod":"Azure Compliance","title":"3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys","description":"Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.12","cis_level":"2","cis_section_id":"3","cis_type":"manual","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_3_12","org":"turbot","name":"cis_v200_3_12","mod":"Azure Compliance","title":"3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys","description":"Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.12","cis_level":"2","cis_section_id":"3","cis_type":"manual","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_3_12","org":"turbot","name":"cis_v150_3_12","mod":"Azure Compliance","title":"3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys","description":"Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.12","cis_level":"2","cis_section_id":"3","cis_type":"manual","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_3_9","org":"turbot","name":"cis_v140_3_9","mod":"Azure Compliance","title":"3.9 Ensure storage for critical data are encrypted with Customer Managed Key","description":"Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.9","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_3_9","org":"turbot","name":"cis_v130_3_9","mod":"Azure Compliance","title":"3.9 Ensure storage for critical data are encrypted with Customer Managed Key","description":"Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.9","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_4_11","org":"turbot","name":"cis_v300_4_11","mod":"Azure Compliance","title":"4.11 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys","description":"Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.11","cis_level":"2","cis_section_id":"4","cis_type":"manual","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.storage_account_encryption_at_rest_using_cmk","org":"turbot","name":"storage_account_encryption_at_rest_using_cmk","mod":"Azure Compliance","title":"Storage accounts should use customer-managed key for encryption","description":"Secure your storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Storage"}}],"controlTitle":"Storage accounts should use customer-managed key for encryption","controlDescription":"Secure your storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.11","cis_level":"2","cis_section_id":"4","cis_type":"manual","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage","fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true"}},"storage_account_trusted_microsoft_services_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/storage_account_trusted_microsoft_services_enabled","org":"turbot","name":"storage_account_trusted_microsoft_services_enabled","sql":"select\n sa.id as resource,\n case\n when network_rule_bypass not like '%AzureServices%' then 'alarm'\n else 'ok'\n end as status,\n case\n when network_rule_bypass not like '%AzureServices%' then sa.name || ' trusted Microsoft services not enabled.'\n else sa.name || ' trusted Microsoft services enabled.'\n end as reason\n \n , sa.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_account sa,\n azure_subscription sub\nwhere\n sub.subscription_id = sa.subscription_id;\n","tags":{},"tables":["azure.azure_storage_account","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/storage.pp","startLineNumber":685,"endLineNumber":706,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_3_7","org":"turbot","name":"cis_v140_3_7","mod":"Azure Compliance","title":"3.7 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access","description":"Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.7","cis_level":"2","cis_section_id":"3","cis_type":"manual","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_3_7","org":"turbot","name":"cis_v130_3_7","mod":"Azure Compliance","title":"3.7 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access","description":"Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.7","cis_level":"2","cis_section_id":"3","cis_type":"manual","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_3_9","org":"turbot","name":"cis_v210_3_9","mod":"Azure Compliance","title":"3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access","description":"Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.9","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_3_9","org":"turbot","name":"cis_v200_3_9","mod":"Azure Compliance","title":"3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access","description":"Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.9","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_3_9","org":"turbot","name":"cis_v150_3_9","mod":"Azure Compliance","title":"3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access","description":"Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Azure services exception is enabled, the following services are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor, and Azure SQL Data Warehouse (when registered in the subscription).","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.9","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_4_8","org":"turbot","name":"cis_v300_4_8","mod":"Azure Compliance","title":"4.8 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access","description":"Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.8","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.storage_account_trusted_microsoft_services_enabled","org":"turbot","name":"storage_account_trusted_microsoft_services_enabled","mod":"Azure Compliance","title":"Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access","description":"Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account.","tags":{"service":"Azure/Storage"}}],"controlTitle":"Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access","controlDescription":"Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.8","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage"}},"storage_account_min_tls_1_2":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/storage_account_min_tls_1_2","org":"turbot","name":"storage_account_min_tls_1_2","sql":"select\n sa.id as resource,\n case\n when minimum_tls_version = 'TLSEnforcementDisabled' then 'alarm'\n when minimum_tls_version = 'TLS1_2' then 'ok'\n else 'alarm'\n end as status,\n case\n when minimum_tls_version = 'TLSEnforcementDisabled' then sa.name || ' TLS enforcement is disabled.'\n when minimum_tls_version = 'TLS1_2' then sa.name || ' minimum TLS version set to ' || minimum_tls_version || '.'\n else sa.name || ' minimum TLS version set to ' || minimum_tls_version || '.'\n end as reason\n \n , sa.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_account sa,\n azure_subscription sub\nwhere\n sub.subscription_id = sa.subscription_id;\n","tags":{},"tables":["azure.azure_storage_account","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/storage.pp","startLineNumber":608,"endLineNumber":631,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_3_12","org":"turbot","name":"cis_v140_3_12","mod":"Azure Compliance","title":"3.12 Ensure the 'Minimum TLS version' is set to 'Version 1.2'","description":"Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.12","cis_level":"1","cis_section_id":"3","cis_type":"manual","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_3_15","org":"turbot","name":"cis_v210_3_15","mod":"Azure Compliance","title":"3.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'","description":"In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.15","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_3_15","org":"turbot","name":"cis_v200_3_15","mod":"Azure Compliance","title":"3.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'","description":"In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.15","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_3_15","org":"turbot","name":"cis_v150_3_15","mod":"Azure Compliance","title":"3.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'","description":"In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.15","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_4_15","org":"turbot","name":"cis_v300_4_15","mod":"Azure Compliance","title":"4.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'","description":"In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.15","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.storage_account_min_tls_1_2","org":"turbot","name":"storage_account_min_tls_1_2","mod":"Azure Compliance","title":"Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'","description":"In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2.","tags":{"service":"Azure/Storage"}}],"controlTitle":"Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'","controlDescription":"In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.15","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage"}},"storage_account_blob_service_logging_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/storage_account_blob_service_logging_enabled","org":"turbot","name":"storage_account_blob_service_logging_enabled","sql":"$10c","tags":{},"tables":["azure.azure_storage_account","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/storage.pp","startLineNumber":547,"endLineNumber":577,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_3_10","org":"turbot","name":"cis_v140_3_10","mod":"Azure Compliance","title":"3.10 Ensure Storage logging is enabled for Blob service for 'Read', 'Write', and 'Delete' requests","description":"The Storage Blob service provides scalable, cost-efficient objective storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response messages.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.10","cis_level":"2","cis_section_id":"3","cis_type":"manual","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_3_10","org":"turbot","name":"cis_v130_3_10","mod":"Azure Compliance","title":"3.10 Ensure Storage logging is enabled for Blob service for read, write, and delete requests","description":"The Storage Blob service provides scalable, cost-efficient objective storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response messages.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.10","cis_level":"2","cis_section_id":"3","cis_type":"manual","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_3_13","org":"turbot","name":"cis_v210_3_13","mod":"Azure Compliance","title":"3.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests","description":"The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.13","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_3_13","org":"turbot","name":"cis_v200_3_13","mod":"Azure Compliance","title":"3.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests","description":"The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.13","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_3_13","org":"turbot","name":"cis_v150_3_13","mod":"Azure Compliance","title":"3.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests","description":"The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.13","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_4_13","org":"turbot","name":"cis_v300_4_13","mod":"Azure Compliance","title":"4.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests","description":"The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.13","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.storage_account_blob_service_logging_enabled","org":"turbot","name":"storage_account_blob_service_logging_enabled","mod":"Azure Compliance","title":"Ensure Storage logging is enabled for Blob service for read, write, and delete requests","description":"The Storage Blob service provides scalable, cost-efficient objective storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information, and the sizes of the request and response messages.","tags":{"service":"Azure/Storage"}}],"controlTitle":"Ensure Storage logging is enabled for Blob service for read, write, and delete requests","controlDescription":"The Storage Blob service provides scalable, cost-efficient objective storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information, and the sizes of the request and response messages.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.13","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage"}},"storage_account_secure_transfer_required_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/storage_account_secure_transfer_required_enabled","org":"turbot","name":"storage_account_secure_transfer_required_enabled","sql":"select\n sa.id as resource,\n case\n when not enable_https_traffic_only then 'alarm'\n else 'ok'\n end as status,\n case\n when not enable_https_traffic_only then sa.name || ' encryption in transit not enabled.'\n else sa.name || ' encryption in transit enabled.'\n end as reason\n \n , sa.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_account sa,\n azure_subscription sub\nwhere\n sub.subscription_id = sa.subscription_id;\n","tags":{},"tables":["azure.azure_storage_account","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/storage.pp","startLineNumber":234,"endLineNumber":255,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_3_1","org":"turbot","name":"cis_v210_3_1","mod":"Azure Compliance","title":"3.1 Ensure that 'Secure transfer required' is set to 'Enabled'","description":"Enable data encryption in transit.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.1","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_3_1","org":"turbot","name":"cis_v200_3_1","mod":"Azure Compliance","title":"3.1 Ensure that 'Secure transfer required' is set to 'Enabled'","description":"Enable data encryption in transit.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.1","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_3_1","org":"turbot","name":"cis_v150_3_1","mod":"Azure Compliance","title":"3.1 Ensure that 'Secure transfer required' is set to 'Enabled'","description":"Enable data encryption in transit.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.1","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_3_1","org":"turbot","name":"cis_v140_3_1","mod":"Azure Compliance","title":"3.1 Ensure that 'Secure transfer required' is set to 'Enabled'","description":"Enable data encryption in transit.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.1","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_3_1","org":"turbot","name":"cis_v130_3_1","mod":"Azure Compliance","title":"3.1 Ensure that 'Secure transfer required' is set to 'Enabled'","description":"Enable data encryption in transit.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.1","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_4_1","org":"turbot","name":"cis_v300_4_1","mod":"Azure Compliance","title":"4.1 Ensure that 'Secure transfer required' is set to 'Enabled'","description":"Enable data encryption in transit.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.1","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.storage_account_secure_transfer_required_enabled","org":"turbot","name":"storage_account_secure_transfer_required_enabled","mod":"Azure Compliance","title":"Secure transfer to storage accounts should be enabled","description":"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Storage"}}],"controlTitle":"Secure transfer to storage accounts should be enabled","controlDescription":"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.1","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage","fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","rbi_itf_nbfc_v2017":"true"}},"storage_account_blob_containers_public_access_private":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/storage_account_blob_containers_public_access_private","org":"turbot","name":"storage_account_blob_containers_public_access_private","sql":"select\n container.id as resource,\n case\n when not account.allow_blob_public_access and container.public_access = 'None' then 'ok'\n else 'alarm'\n end as status,\n case\n when not account.allow_blob_public_access and container.public_access = 'None'\n then account.name || ' container ' || container.name || ' doesn''t allow anonymous access.'\n else account.name || ' container ' || container.name || ' allows anonymous access.'\n end as reason\n \n , container.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_container container\n join azure_storage_account account on container.account_name = account.name\n join azure_subscription sub on sub.subscription_id = account.subscription_id;\n","tags":{},"tables":["azure.azure_storage_account","azure.azure_storage_container","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/storage.pp","startLineNumber":524,"endLineNumber":545,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_3_17","org":"turbot","name":"cis_v210_3_17","mod":"Azure Compliance","title":"3.17 Ensure that `Allow Blob Anonymous Access` is set to `Disabled`","description":"The Azure Storage setting 'Allow Blob Anonymous Access' (aka 'allowBlobPublicAccess') controls whether anonymous access is allowed for blob data in a storage account. When this property is set to True, it enables public read access to blob data, which can be convenient for sharing data but may carry security risks. When set to False, it disallows public access to blob data, providing a more secure storage environment.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.17","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_3_5","org":"turbot","name":"cis_v140_3_5","mod":"Azure Compliance","title":"3.5 Ensure that 'Public access level' is set to Private for blob containers","description":"Disable anonymous access to blob containers and disallow blob public access on storage account.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.5","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_3_5","org":"turbot","name":"cis_v130_3_5","mod":"Azure Compliance","title":"3.5 Ensure that 'Public access level' is set to Private for blob containers","description":"Disable anonymous access to blob containers and disallow blob public access on storage account.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.5","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_3_7","org":"turbot","name":"cis_v200_3_7","mod":"Azure Compliance","title":"3.7 Ensure that 'Public access level' is disabled for storage accounts with blob containers","description":"Disallowing public access for a storage account overrides the public access settings for individual containers in that storage account.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.7","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_3_7","org":"turbot","name":"cis_v150_3_7","mod":"Azure Compliance","title":"3.7 Ensure that 'Public access level' is disabled for storage accounts with blob containers","description":"Disallowing public access for a storage account overrides the public access settings for individual containers in that storage account.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.7","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_4_17","org":"turbot","name":"cis_v300_4_17","mod":"Azure Compliance","title":"4.17 Ensure that `Allow Blob Anonymous Access` is set to `Disabled`","description":"The Azure Storage setting 'Allow Blob Anonymous Access' (aka 'allowBlobPublicAccess') controls whether anonymous access is allowed for blob data in a storage account. When this property is set to True, it enables public read access to blob data, which can be convenient for sharing data but may carry security risks. When set to False, it disallows public access to blob data, providing a more secure storage environment.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.17","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.storage_account_blob_containers_public_access_private","org":"turbot","name":"storage_account_blob_containers_public_access_private","mod":"Azure Compliance","title":"Ensure that 'Public access level' is set to Private for blob containers","description":"Disable anonymous access to blob containers and disallow blob public access on storage account.","tags":{"service":"Azure/Storage"}}],"controlTitle":"Ensure that 'Public access level' is set to Private for blob containers","controlDescription":"Disable anonymous access to blob containers and disallow blob public access on storage account.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.17","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage"}},"storage_account_use_virtual_service_endpoint":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/storage_account_use_virtual_service_endpoint","org":"turbot","name":"storage_account_use_virtual_service_endpoint","sql":"$10d","tags":{},"tables":["azure.azure_storage_account","azure.azure_subnet","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/storage.pp","startLineNumber":280,"endLineNumber":316,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.storage_account_use_virtual_service_endpoint","org":"turbot","name":"storage_account_use_virtual_service_endpoint","mod":"Azure Compliance","title":"Storage Accounts should use a virtual network service endpoint","description":"This policy audits any Storage Account not configured to use a virtual network service endpoint.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/Storage"}}],"controlTitle":"Storage Accounts should use a virtual network service endpoint","controlDescription":"This policy audits any Storage Account not configured to use a virtual network service endpoint.","controlTags":{"hipaa_hitrust_v92":"true","service":"Azure/Storage"}},"storage_account_restrict_network_access":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/storage_account_restrict_network_access","org":"turbot","name":"storage_account_restrict_network_access","sql":"select\n sa.id as resource,\n case\n when network_rule_default_action = 'Deny' then 'ok'\n else 'alarm'\n end as status,\n case\n when network_rule_default_action = 'Deny' then sa.name || ' blocks network access.'\n else sa.name || ' allows network access.'\n end as reason\n \n , sa.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_account sa,\n azure_subscription sub\nwhere\n sub.subscription_id = sa.subscription_id;\n","tags":{},"tables":["azure.azure_storage_account","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/storage.pp","startLineNumber":397,"endLineNumber":418,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.storage_account_restrict_network_access","org":"turbot","name":"storage_account_restrict_network_access","mod":"Azure Compliance","title":"Storage accounts should restrict network access using virtual network rules","description":"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Storage"}}],"controlTitle":"Storage accounts should restrict network access using virtual network rules","controlDescription":"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Storage"}},"storage_account_uses_azure_resource_manager":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/storage_account_uses_azure_resource_manager","org":"turbot","name":"storage_account_uses_azure_resource_manager","sql":"select\n s.id as resource,\n case\n when resource_group is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when resource_group is not null then s.title || ' uses azure resource manager.'\n else s.title || ' not uses azure resource manager.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_account as s,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;\n","tags":{},"tables":["azure.azure_storage_account","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/storage.pp","startLineNumber":466,"endLineNumber":487,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.storage_account_uses_azure_resource_manager","org":"turbot","name":"storage_account_uses_azure_resource_manager","mod":"Azure Compliance","title":"Storage accounts should be migrated to new Azure Resource Manager resources","description":"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Storage"}}],"controlTitle":"Storage accounts should be migrated to new Azure Resource Manager resources","controlDescription":"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Storage"}},"storage_account_soft_delete_enabled":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/storage_account_soft_delete_enabled","org":"turbot","name":"storage_account_soft_delete_enabled","sql":"select\n sa.id as resource,\n case\n when not blob_soft_delete_enabled then 'alarm'\n else 'ok'\n end as status,\n case\n when not blob_soft_delete_enabled then sa.name || ' blobs soft delete disabled.'\n else sa.name || ' blobs soft delete enabled.'\n end as reason\n \n , sa.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_account sa,\n azure_subscription sub\nwhere\n sub.subscription_id = sa.subscription_id;\n","tags":{},"tables":["azure.azure_storage_account","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/storage.pp","startLineNumber":662,"endLineNumber":683,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_3_11","org":"turbot","name":"cis_v210_3_11","mod":"Azure Compliance","title":"3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage","description":"The Azure Storage blobs contain data like ePHI or Financial, which can be secret or personal. Data that is erroneously modified or deleted by an application or other storage account user will cause data loss or unavailability.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.11","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_3_11","org":"turbot","name":"cis_v200_3_11","mod":"Azure Compliance","title":"3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage","description":"The Azure Storage blobs contain data like ePHI or Financial, which can be secret or personal. Data that is erroneously modified or deleted by an application or other storage account user will cause data loss or unavailability.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.11","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_3_11","org":"turbot","name":"cis_v150_3_11","mod":"Azure Compliance","title":"3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage","description":"The Azure Storage blobs contain data like ePHI or Financial, which can be secret or personal. Data that is erroneously modified or deleted by an application or other storage account user will cause data loss or unavailability. It is recommended that both Azure Containers with attached Blob Storage and standalone containers with Blob Storage be made recoverable by enabling the soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.11","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_3_8","org":"turbot","name":"cis_v140_3_8","mod":"Azure Compliance","title":"3.8 Ensure soft delete is enabled for Azure Storage","description":"The Azure Storage blobs contain data like ePHI, Financial, secret or personal. Erroneously modified or deleted accidentally by an application or other storage account user cause data loss or data unavailability. It is recommended the Azure Storage be made recoverable by enabling soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.8","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_3_8","org":"turbot","name":"cis_v130_3_8","mod":"Azure Compliance","title":"3.8 Ensure soft delete is enabled for Azure Storage","description":"The Azure Storage blobs contain data like ePHI, Financial, secret or personal. Erroneously modified or deleted accidentally by an application or other storage account user cause data loss or data unavailability. It is recommended the Azure Storage be made recoverable by enabling soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.8","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_4_10","org":"turbot","name":"cis_v300_4_10","mod":"Azure Compliance","title":"4.10 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage","description":"The Azure Storage blobs contain data like ePHI or Financial, which can be secret or personal. Data that is erroneously modified or deleted by an application or other storage account user will cause data loss or unavailability.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.10","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.storage_account_soft_delete_enabled","org":"turbot","name":"storage_account_soft_delete_enabled","mod":"Azure Compliance","title":"Ensure soft delete is enabled for Azure Storage","description":"The Azure Storage blobs contain data like ePHI, Financial, secret or personal. Erroneously modified or deleted accidentally by an application or other storage account user cause data loss or data unavailability. It is recommended the Azure Storage be made recoverable by enabling soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted.","tags":{"service":"Azure/Storage"}}],"controlTitle":"Ensure soft delete is enabled for Azure Storage","controlDescription":"The Azure Storage blobs contain data like ePHI, Financial, secret or personal. Erroneously modified or deleted accidentally by an application or other storage account user cause data loss or data unavailability. It is recommended the Azure Storage be made recoverable by enabling soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.10","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage"}},"storage_account_default_network_access_rule_denied":{"path":"/mods/turbot/steampipe-mod-azure-compliance/queries/storage_account_default_network_access_rule_denied","org":"turbot","name":"storage_account_default_network_access_rule_denied","sql":"select\n sa.id as resource,\n case\n when sa.network_rule_default_action = 'Allow' then 'alarm'\n else 'ok'\n end as status,\n case\n when sa.network_rule_default_action = 'Allow' then name || ' allows traffic from all networks.'\n else name || ' allows traffic from specific networks.'\n end as reason\n \n , sa.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_account sa,\n azure_subscription sub\nwhere\n sub.subscription_id = sa.subscription_id;\n","tags":{},"tables":["azure.azure_storage_account","azure.azure_subscription"],"plugins":["turbot/azure"],"sourceDefinitionRepoPath":"regulatory_compliance/storage.pp","startLineNumber":257,"endLineNumber":278,"modSourceName":"steampipe-mod-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_3_6","org":"turbot","name":"cis_v140_3_6","mod":"Azure Compliance","title":"3.6 Ensure default network access rule for Storage Accounts is set to deny","description":"Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.6","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_3_6","org":"turbot","name":"cis_v130_3_6","mod":"Azure Compliance","title":"3.6 Ensure default network access rule for Storage Accounts is set to deny","description":"Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.6","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_3_8","org":"turbot","name":"cis_v210_3_8","mod":"Azure Compliance","title":"3.8 Ensure Default Network Access Rule for Storage Accounts is Set to Deny","description":"Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.8","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_3_8","org":"turbot","name":"cis_v200_3_8","mod":"Azure Compliance","title":"3.8 Ensure Default Network Access Rule for Storage Accounts is Set to Deny","description":"Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.8","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_3_8","org":"turbot","name":"cis_v150_3_8","mod":"Azure Compliance","title":"3.8 Ensure Default Network Access Rule for Storage Accounts is Set to Deny","description":"Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.8","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_4_7","org":"turbot","name":"cis_v300_4_7","mod":"Azure Compliance","title":"4.7 Ensure Default Network Access Rule for Storage Accounts is Set to Deny","description":"Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.7","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.storage_account_default_network_access_rule_denied","org":"turbot","name":"storage_account_default_network_access_rule_denied","mod":"Azure Compliance","title":"Storage accounts should restrict network access","description":"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Storage"}}],"controlTitle":"Storage accounts should restrict network access","controlDescription":"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.7","cis_level

Query: Cognitive Services accounts should have local authentication methods disabled

Description

Query

SQL