Standard Price Is Not Selected
- Query id: 2081c7d6-2851-4cce-bda5-cb49d462da42
- Query name: Standard Price Is Not Selected
- Platform: AzureResourceManager
- Severity: Low
- Category: Resource Management
- CWE: 732
- URL: Github
Description¶
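Azure Security Center provides more features in the Standard pricing tier than in the Free tier, so the Standard tier must be selected ('pricingTier' set to 'Standard' on 'Microsoft.Security/pricings' resources).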
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - bicep file
// App Service site included as surrounding context. The same declaration appears
// unchanged in the passing samples, so it is not what this query reports.
// 'appServicePlan1' is referenced below but is not declared in this sample.
resource webApp1 'Microsoft.Web/sites@2018-11-01' = {
name: 'webApp1'
location: resourceGroup().location
tags: {
'hidden-related:${resourceGroup().id}/providers/Microsoft.Web/serverfarms/appServicePlan1': 'Resource'
displayName: 'webApp1'
}
properties: {
name: 'webApp1'
serverFarmId: resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')
}
dependsOn: [resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]
}
// Reported by "Standard Price Is Not Selected": this Microsoft.Security/pricings
// resource sets pricingTier to the literal 'Free'.
resource Princing 'Microsoft.Security/pricings@2017-08-01-preview' = {
name: 'Princing'
properties: {
// The matching passing sample differs only on this line, where it uses 'Standard'.
pricingTier: 'Free'
}
}
Positive test num. 2 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "webApp1",
"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"location": "[resourceGroup().location]",
"tags": {
"[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource",
"displayName": "webApp1"
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]"
],
"properties": {
"name": "webApp1",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]"
}
},
{
"type": "Microsoft.Security/pricings",
"apiVersion": "2017-08-01-preview",
"name": "Princing",
"properties": {
"pricingTier": "Free"
}
}
]
}
Positive test num. 3 - bicep file
// App Service site included as surrounding context. The same declaration appears
// unchanged in the passing samples, so it is not what this query reports.
// 'appServicePlan1' is referenced below but is not declared in this sample.
resource webApp1 'Microsoft.Web/sites@2018-11-01' = {
name: 'webApp1'
location: resourceGroup().location
tags: {
'hidden-related:${resourceGroup().id}/providers/Microsoft.Web/serverfarms/appServicePlan1': 'Resource'
displayName: 'webApp1'
}
properties: {
name: 'webApp1'
serverFarmId: resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')
}
dependsOn: [resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]
}
// Reported by "Standard Price Is Not Selected": this Microsoft.Security/pricings
// resource sets pricingTier to the literal 'Free'.
resource Princing 'Microsoft.Security/pricings@2017-08-01-preview' = {
name: 'Princing'
properties: {
// The matching passing sample differs only on this line, where it uses 'Standard'.
pricingTier: 'Free'
}
}
Positive test num. 4 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "webApp1",
"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"location": "[resourceGroup().location]",
"tags": {
"[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource",
"displayName": "webApp1"
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]"
],
"properties": {
"name": "webApp1",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]"
}
},
{
"type": "Microsoft.Security/pricings",
"apiVersion": "2017-08-01-preview",
"name": "Princing",
"properties": {
"pricingTier": "Free"
}
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}
Positive test num. 5 - bicep file
// Parameterised variant of the finding: the tier is not a literal on the resource
// but comes from virtualMachineTier, whose default is 'Free'. The passing
// parameterised sample declares the same parameter with a default of 'Standard'.
@description(
'Specifiy whether you want to enable Standard tier for Virtual Machine resource type'
)
@allowed(['Standard', 'Free'])
param virtualMachineTier string = 'Free'
resource VirtualMachines 'Microsoft.Security/pricings@2018-06-01' = {
name: 'VirtualMachines'
properties: {
// Takes the parameter's value, i.e. 'Free' unless the deployment overrides it.
pricingTier: virtualMachineTier
}
}
Positive test num. 6 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.1",
"parameters": {
"virtualMachineTier": {
"type": "string",
"defaultValue": "Free",
"allowedValues": [
"Standard",
"Free"
],
"metadata": {
"description": "Specifiy whether you want to enable Standard tier for Virtual Machine resource type"
}
}
},
"resources": [
{
"type": "Microsoft.Security/pricings",
"apiVersion": "2018-06-01",
"name": "VirtualMachines",
"properties": {
"pricingTier": "[parameters('virtualMachineTier')]"
}
}
],
"outputs": {
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - bicep file
// App Service site included as surrounding context. The same declaration appears
// unchanged in the failing samples, so it has no bearing on this query's result.
// 'appServicePlan1' is referenced below but is not declared in this sample.
resource webApp1 'Microsoft.Web/sites@2018-11-01' = {
name: 'webApp1'
location: resourceGroup().location
tags: {
'hidden-related:${resourceGroup().id}/providers/Microsoft.Web/serverfarms/appServicePlan1': 'Resource'
displayName: 'webApp1'
}
properties: {
name: 'webApp1'
serverFarmId: resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')
}
dependsOn: [resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]
}
// Passes "Standard Price Is Not Selected": this Microsoft.Security/pricings
// resource sets pricingTier to the literal 'Standard'.
resource Princing 'Microsoft.Security/pricings@2017-08-01-preview' = {
name: 'Princing'
properties: {
// The matching failing sample differs only on this line, where it uses 'Free'.
pricingTier: 'Standard'
}
}
Negative test num. 2 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "webApp1",
"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"location": "[resourceGroup().location]",
"tags": {
"[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource",
"displayName": "webApp1"
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]"
],
"properties": {
"name": "webApp1",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]"
}
},
{
"type": "Microsoft.Security/pricings",
"apiVersion": "2017-08-01-preview",
"name": "Princing",
"properties": {
"pricingTier": "Standard"
}
}
]
}
Negative test num. 3 - bicep file
// App Service site included as surrounding context. The same declaration appears
// unchanged in the failing samples, so it has no bearing on this query's result.
// 'appServicePlan1' is referenced below but is not declared in this sample.
resource webApp1 'Microsoft.Web/sites@2018-11-01' = {
name: 'webApp1'
location: resourceGroup().location
tags: {
'hidden-related:${resourceGroup().id}/providers/Microsoft.Web/serverfarms/appServicePlan1': 'Resource'
displayName: 'webApp1'
}
properties: {
name: 'webApp1'
serverFarmId: resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')
}
dependsOn: [resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]
}
// Passes "Standard Price Is Not Selected": this Microsoft.Security/pricings
// resource sets pricingTier to the literal 'Standard'.
resource Princing 'Microsoft.Security/pricings@2017-08-01-preview' = {
name: 'Princing'
properties: {
// The matching failing sample differs only on this line, where it uses 'Free'.
pricingTier: 'Standard'
}
}
Negative test num. 4 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "webApp1",
"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"location": "[resourceGroup().location]",
"tags": {
"[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource",
"displayName": "webApp1"
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]"
],
"properties": {
"name": "webApp1",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]"
}
},
{
"type": "Microsoft.Security/pricings",
"apiVersion": "2017-08-01-preview",
"name": "Princing",
"properties": {
"pricingTier": "Standard"
}
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}
Negative test num. 5 - bicep file
// Parameters consumed by the Microsoft.Security resources declared after them:
// workspace location, auto-provisioning, security contact details, one pricing
// tier per resource type, and an integration setting.
@description(
'Name of the central Log Analytics workspace that stores security event and data collected by Azure Security Center'
)
@allowed(['az-security-workspace'])
param workspaceName string = 'az-security-workspace'
@description(
'Name of the resource group where the central log analytics workspace belongs to'
)
@allowed(['azsec-security-rg'])
param workspaceRgName string = 'azsec-security-rg'
@description('Specify whether Auto Provisoning is turned on or off')
@allowed(['On', 'Off'])
param autoProvisionSetting string = 'On'
// Contact details have no default, so they must be supplied at deployment time.
@description(
'Email of the administrator who should be notified about Azure Security Center alert'
)
param ascOwnerEmail string
@description(
'Phone number of the administrator should be notified about Azure Security Center alert'
)
param ascOwnerContact string
@description(
'Specify whether you want to notify high severity alert to ASC administrator'
)
@allowed(['On', 'Off'])
param highSeverityAlertNotification string = 'On'
@description(
'Specifiy whether you want to notify high severity alert to subscription owner'
)
@allowed(['On', 'Off'])
param subscriptionOwnerNotification string = 'On'
// Pricing-tier parameters. Each one defaults to 'Standard', which is what separates
// this passing sample from the failing parameterised sample (default 'Free').
// @allowed still admits 'Free', so a deployment-time override can select the Free tier.
// NOTE(review): presumably a static scan evaluates only the default; removing 'Free'
// from @allowed would make the template itself enforce Standard - confirm before relying on it.
@description(
'Specifiy whether you want to enable Standard tier for Virtual Machine resource type'
)
@allowed(['Standard', 'Free'])
param virtualMachineTier string = 'Standard'
@description(
'Specify whether you want to enable Standard tier for Azure App Service resource type'
)
@allowed(['Standard', 'Free'])
param appServiceTier string = 'Standard'
@description(
'Specify whether you want to enable Standard tier for PaaS SQL Service resource type'
)
@allowed(['Standard', 'Free'])
param paasSQLServiceTier string = 'Standard'
@description(
'Specify whether you want to enable Standard tier for SQL Server on VM resource type'
)
@allowed(['Standard', 'Free'])
param sqlServerOnVmTier string = 'Standard'
@description(
'Specify whether you want to enable Standard tier for Storage Account resource type'
)
@allowed(['Standard', 'Free'])
param storageAccountTier string = 'Standard'
@description(
'Specify whether you want to enable Standard tier for Kubernetes service resource type'
)
@allowed(['Standard', 'Free'])
param kubernetesServiceTier string = 'Standard'
@description(
'Specify whether you want to enable Standard tier for Container Registry resource type'
)
@allowed(['Standard', 'Free'])
param containerRegistryTier string = 'Standard'
@description(
'Specify whether you want to enable Standard tier for Key Vault resource type'
)
@allowed(['Standard', 'Free'])
param keyvaultTier string = 'Standard'
// Integration parameters have no default; both must be supplied at deployment time.
@description(
'Select integration name to enable. Only MCAS or MDATP is supported.'
)
@allowed(['MCAS', 'MDATP'])
param integrationName string
@description('Specify whether you want to enable or not.')
@allowed([true, false])
param integrationEnabled bool
// Workspace settings scoped to the current subscription. workspaceId is built as the
// resource ID of the Log Analytics workspace named by workspaceRgName / workspaceName
// inside that same subscription.
resource default 'Microsoft.Security/workspaceSettings@2017-08-01-preview' = {
name: 'default'
properties: {
scope: subscription().id
workspaceId: '${subscription().id}/resourceGroups/${workspaceRgName}/providers/Microsoft.OperationalInsights/workspaces/${workspaceName}'
}
}
// Auto-provisioning setting; its state comes from the autoProvisionSetting parameter.
// Not evaluated by the pricing-tier query this sample illustrates.
resource Microsoft_Security_autoProvisioningSettings_default 'Microsoft.Security/autoProvisioningSettings@2017-08-01-preview' = {
name: 'default'
properties: {
autoProvision: autoProvisionSetting
}
}
// Security contact that receives alert notifications; e-mail and phone come from
// the ascOwnerEmail / ascOwnerContact parameters.
// NOTE(review): minimalSeverity and roles are fed parameters declared in this file with
// allowed values 'On'/'Off'; confirm those are the values the securityContacts
// schema for this apiVersion expects in these two fields.
resource default1 'Microsoft.Security/securityContacts@2017-08-01-preview' = {
name: 'default1'
properties: {
emails: ascOwnerEmail
phone: ascOwnerContact
alertNotifications: {
state: 'On'
minimalSeverity: highSeverityAlertNotification
}
notificationsByRole: {
state: 'On'
roles: subscriptionOwnerNotification
}
}
}
// One Microsoft.Security/pricings resource per resource type. Each takes its tier from
// the matching *Tier parameter, so the effective tier is whatever value the deployment
// passes in (the parameter default when nothing is passed).
// The dependsOn entries chain the resources so each one depends on the previous one
// (presumably to apply the pricing updates one at a time - confirm).
resource VirtualMachines 'Microsoft.Security/pricings@2018-06-01' = {
name: 'VirtualMachines'
properties: {
pricingTier: virtualMachineTier
}
}
resource AppServices 'Microsoft.Security/pricings@2018-06-01' = {
name: 'AppServices'
properties: {
pricingTier: appServiceTier
}
dependsOn: [VirtualMachines]
}
resource SqlServers 'Microsoft.Security/pricings@2018-06-01' = {
name: 'SqlServers'
properties: {
pricingTier: paasSQLServiceTier
}
dependsOn: [AppServices]
}
resource SqlServerVirtualMachines 'Microsoft.Security/pricings@2018-06-01' = {
name: 'SqlServerVirtualMachines'
properties: {
pricingTier: sqlServerOnVmTier
}
dependsOn: [SqlServers]
}
resource StorageAccounts 'Microsoft.Security/pricings@2018-06-01' = {
name: 'StorageAccounts'
properties: {
pricingTier: storageAccountTier
}
dependsOn: [SqlServerVirtualMachines]
}
resource KubernetesService 'Microsoft.Security/pricings@2018-06-01' = {
name: 'KubernetesService'
properties: {
pricingTier: kubernetesServiceTier
}
dependsOn: [StorageAccounts]
}
resource ContainerRegistry 'Microsoft.Security/pricings@2018-06-01' = {
name: 'ContainerRegistry'
properties: {
pricingTier: containerRegistryTier
}
dependsOn: [KubernetesService]
}
resource KeyVaults 'Microsoft.Security/pricings@2018-06-01' = {
name: 'KeyVaults'
properties: {
pricingTier: keyvaultTier
}
dependsOn: [ContainerRegistry]
}
// Security setting of kind 'DataExportSettings'. The setting's name and its enabled
// flag both come from parameters (integrationName, integrationEnabled).
// Not evaluated by the pricing-tier query this sample illustrates.
resource integration 'Microsoft.Security/settings@2019-01-01' = {
name: integrationName
kind: 'DataExportSettings'
properties: {
enabled: integrationEnabled
}
}
Negative test num. 6 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.1",
"parameters": {
"workspaceName": {
"type": "string",
"defaultValue": "az-security-workspace",
"allowedValues": [
"az-security-workspace"
],
"metadata": {
"description": "Name of the central Log Analytics workspace that stores security event and data collected by Azure Security Center"
}
},
"workspaceRgName": {
"type": "string",
"defaultValue": "azsec-security-rg",
"allowedValues": [
"azsec-security-rg"
],
"metadata": {
"description": "Name of the resource group where the central log analytics workspace belongs to"
}
},
"autoProvisionSetting": {
"type": "string",
"defaultValue": "On",
"allowedValues": [
"On",
"Off"
],
"metadata": {
"description": "Specify whether Auto Provisoning is turned on or off"
}
},
"ascOwnerEmail": {
"type": "string",
"metadata": {
"description": "Email of the administrator who should be notified about Azure Security Center alert"
}
},
"ascOwnerContact": {
"type": "string",
"metadata": {
"description": "Phone number of the administrator should be notified about Azure Security Center alert"
}
},
"highSeverityAlertNotification": {
"type": "string",
"defaultValue": "On",
"allowedValues": [
"On",
"Off"
],
"metadata": {
"description": "Specify whether you want to notify high severity alert to ASC administrator"
}
},
"subscriptionOwnerNotification": {
"type": "string",
"defaultValue": "On",
"allowedValues": [
"On",
"Off"
],
"metadata": {
"description": "Specifiy whether you want to notify high severity alert to subscription owner"
}
},
"virtualMachineTier": {
"type": "string",
"defaultValue": "Standard",
"allowedValues": [
"Standard",
"Free"
],
"metadata": {
"description": "Specifiy whether you want to enable Standard tier for Virtual Machine resource type"
}
},
"appServiceTier": {
"type": "string",
"defaultValue": "Standard",
"allowedValues": [
"Standard",
"Free"
],
"metadata": {
"description": "Specify whether you want to enable Standard tier for Azure App Service resource type"
}
},
"paasSQLServiceTier": {
"type": "string",
"defaultValue": "Standard",
"allowedValues": [
"Standard",
"Free"
],
"metadata": {
"description": "Specify whether you want to enable Standard tier for PaaS SQL Service resource type"
}
},
"sqlServerOnVmTier": {
"type": "string",
"defaultValue": "Standard",
"allowedValues": [
"Standard",
"Free"
],
"metadata": {
"description": "Specify whether you want to enable Standard tier for SQL Server on VM resource type"
}
},
"storageAccountTier": {
"type": "string",
"defaultValue": "Standard",
"allowedValues": [
"Standard",
"Free"
],
"metadata": {
"description": "Specify whether you want to enable Standard tier for Storage Account resource type"
}
},
"kubernetesServiceTier": {
"type": "string",
"defaultValue": "Standard",
"allowedValues": [
"Standard",
"Free"
],
"metadata": {
"description": "Specify whether you want to enable Standard tier for Kubernetes service resource type"
}
},
"containerRegistryTier": {
"type": "string",
"defaultValue": "Standard",
"allowedValues": [
"Standard",
"Free"
],
"metadata": {
"description": "Specify whether you want to enable Standard tier for Container Registry resource type"
}
},
"keyvaultTier": {
"type": "string",
"defaultValue": "Standard",
"allowedValues": [
"Standard",
"Free"
],
"metadata": {
"description": "Specify whether you want to enable Standard tier for Key Vault resource type"
}
},
"integrationName": {
"type": "string",
"allowedValues": [
"MCAS",
"MDATP"
],
"metadata": {
"description": "Select integration name to enable. Only MCAS or MDATP is supported."
}
},
"integrationEnabled": {
"type": "bool",
"allowedValues": [
true,
false
],
"metadata": {
"description": "Specify whether you want to enable or not."
}
}
},
"resources": [
{
"type": "Microsoft.Security/workspaceSettings",
"apiVersion": "2017-08-01-preview",
"name": "default",
"properties": {
"scope": "[subscription().id]",
"workspaceId": "[concat(subscription().id,'/resourceGroups/',parameters('workspaceRgName'),'/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspaceName'))]"
}
},
{
"type": "Microsoft.Security/autoProvisioningSettings",
"apiVersion": "2017-08-01-preview",
"name": "default",
"properties": {
"autoProvision": "[parameters('autoProvisionSetting')]"
}
},
{
"type": "Microsoft.Security/securityContacts",
"apiVersion": "2017-08-01-preview",
"name": "default1",
"properties": {
"emails": "[parameters('ascOwnerEmail')]",
"phone": "[parameters('ascOwnerContact')]",
"alertNotifications": {
"state": "On",
"minimalSeverity": "[parameters('highSeverityAlertNotification')]"
},
"notificationsByRole": {
"state": "On",
"roles": "[parameters('subscriptionOwnerNotification')]"
}
}
},
{
"type": "Microsoft.Security/pricings",
"apiVersion": "2018-06-01",
"name": "VirtualMachines",
"properties": {
"pricingTier": "[parameters('virtualMachineTier')]"
}
},
{
"type": "Microsoft.Security/pricings",
"apiVersion": "2018-06-01",
"name": "AppServices",
"dependsOn": [
"[concat('Microsoft.Security/pricings/VirtualMachines')]"
],
"properties": {
"pricingTier": "[parameters('appServiceTier')]"
}
},
{
"type": "Microsoft.Security/pricings",
"apiVersion": "2018-06-01",
"name": "SqlServers",
"dependsOn": [
"[concat('Microsoft.Security/pricings/AppServices')]"
],
"properties": {
"pricingTier": "[parameters('paasSQLServiceTier')]"
}
},
{
"type": "Microsoft.Security/pricings",
"apiVersion": "2018-06-01",
"name": "SqlServerVirtualMachines",
"dependsOn": [
"[concat('Microsoft.Security/pricings/SqlServers')]"
],
"properties": {
"pricingTier": "[parameters('sqlServerOnVmTier')]"
}
},
{
"type": "Microsoft.Security/pricings",
"apiVersion": "2018-06-01",
"name": "StorageAccounts",
"dependsOn": [
"[concat('Microsoft.Security/pricings/SqlServerVirtualMachines')]"
],
"properties": {
"pricingTier": "[parameters('storageAccountTier')]"
}
},
{
"type": "Microsoft.Security/pricings",
"apiVersion": "2018-06-01",
"name": "KubernetesService",
"dependsOn": [
"[concat('Microsoft.Security/pricings/StorageAccounts')]"
],
"properties": {
"pricingTier": "[parameters('kubernetesServiceTier')]"
}
},
{
"type": "Microsoft.Security/pricings",
"apiVersion": "2018-06-01",
"name": "ContainerRegistry",
"dependsOn": [
"[concat('Microsoft.Security/pricings/KubernetesService')]"
],
"properties": {
"pricingTier": "[parameters('containerRegistryTier')]"
}
},
{
"type": "Microsoft.Security/pricings",
"apiVersion": "2018-06-01",
"name": "KeyVaults",
"dependsOn": [
"[concat('Microsoft.Security/pricings/ContainerRegistry')]"
],
"properties": {
"pricingTier": "[parameters('keyvaultTier')]"
}
},
{
"type": "Microsoft.Security/settings",
"apiVersion": "2019-01-01",
"name": "[parameters('integrationName')]",
"kind": "DataExportSettings",
"properties": {
"enabled": "[parameters('integrationEnabled')]"
}
}
],
"outputs": {
}
}