Framework/Configurations/SVT/ControlSettings.json

{
   "Diagnostics_RetentionPeriod_Min": 365,
   "Diagnostics_RetentionPeriod_Forever": 0,
   "KeyVault": {
      "KeyRotationDuration_Days": 365,
      "SecretRotationDuration_Days": 180,
      "KeyType": "RSA-HSM",
      "ADAppCredentialTypeCrt": "AsymmetricX509Cert",
      "ADAppCredentialTypePwd": "Password"
   },
   "SqlServer": {
      "AuditRetentionPeriod_Min": 365,
      "AuditRetentionPeriod_Forever": 0
   },
   "AnalysisService": {
      "Max_Admin_Count": 2
   },
   "VirtualMachine": {
      "Windows": {
         "SupportedSkuList": [
            {
               "Offer":"WindowsServer",
               "Sku": [ "2016-Datacenter-smalldisk", "2016-Datacenter", "2012-Datacenter" ]
            }
         ],
         "ManagementPortList": [
            {
               "Name": "RDP",
               "Port": 3389
            },
            {
               "Name": "WINRM",
               "Port": 5985
            }
         ],
         "BaselineIds": []
      },
      "Linux": {
         "SupportedSkuList": [
            {
               "Offer": "UbuntuServer",
               "Sku": [ "16.04-LTS" ]
            }
         ],
         "ManagementPortList": [
            {
               "Name": "RDP",
               "Port": 3389
            },
            {
               "Name": "SSH",
               "Port": 22
            }
         ],
         "BaselineIds": []
      },
      "Windows_OS_Baseline_Ids": []
   },
   "NoOfApprovedAdmins": 5,
   "NoOfClassicAdminsLimit": 2,
   "WhitelistedMgmtCerts": {
      "Thumbprints": [],
      "ApprovedValidityRangeInDays": 732
   },
   "WhitelistedCustomRBACRoles": [
      {
         "Id": "21d96096-b162-414a-8302-d8354f9d91b2",
         "Name": "Azure Service Deploy Release Management Contributor"
      },
      {
         "Id": "9f15f5f5-77bd-413a-aa88-4b9c68b1e7bc",
         "Name": "GenevaWarmPathResourceContributor"
      },
      {
         "Id": "7fd64851-3279-459b-b614-e2b2ba760f5b",
         "Name": "Office DevOps"
      }
   ],
   "RequiredSecurityCenterRecommendations": ["NetworkSecurityGroupMissingOnVm","EncryptionOnVm","InstallAntimalware","VirtualMachinesNsgShouldRestrictTrafficTaskParameters","VulnerabilityAssessmentDeployment"],
   "UniversalIPRange": "0.0.0.0-255.255.255.255",
   "IPRangeStartIP": "0.0.0.0",
   "IPRangeEndIP": "255.255.255.255",
   "MetricAlert": {
      "Batch": [
         {
            "Condition": {
               "DataSource": {
                  "MetricName": "PoolDeleteCompleteEvent"
               },
               "Operator": "GreaterThan",
               "Threshold": 0,
               "TimeAggregation": "Total",
               "WindowsSize": "01:00:00"
            },
            "Status": "Enabled",
            "Actions": {
               "SendToServiceOwners": true
            }
         },
         {
            "Condition": {
               "DataSource": {
                  "MetricName": "PoolDeleteStartEvent"
               },
               "Operator": "GreaterThan",
               "Threshold": 0,
               "TimeAggregation": "Total",
               "WindowsSize": "01:00:00"
            },
            "Status": "Enabled",
            "Actions": {
               "SendToServiceOwners": true
            }
         }
      ],
      "Storage": [
         {
            "Condition": {
               "DataSource": {
                  "MetricName": "AnonymousSuccess"
               },
               "Operator": "GreaterThan",
               "Threshold": 0,
               "TimeAggregation": "Total",
               "WindowsSize": "01:00:00"
            },
            "Status": "Enabled",
            "Actions": {
               "SendToServiceOwners": true
            }
         }
      ],
      "StreamAnalytics": [
         {
            "Condition": {
               "DataSource": {
                  "MetricName": "AMLCalloutFailedRequests"
               },
               "Operator": "GreaterThan",
               "Threshold": 0,
               "TimeAggregation": "Total",
               "WindowsSize": "00:05:00"
            },
            "Status": "Enabled",
            "Actions": {
               "SendToServiceOwners": true
            }
         },
         {
            "Condition": {
               "DataSource": {
                  "MetricName": "Errors"
               },
               "Operator": "GreaterThan",
               "Threshold": 0,
               "TimeAggregation": "Total",
               "WindowsSize": "00:05:00"
            },
            "Status": "Enabled",
            "Actions": {
               "SendToServiceOwners": true
            }
         }
      ]
   },
   "StorageKindMapping": [
      {
         "Kind": "BlobStorage",
         "Services": [
            "blob"
         ],
         "DiagnosticsLogServices": [
            "blob"
         ]
      },
      {
         "Kind": "Storage",
         "Services": [
            "blob",
            "file",
            "queue",
            "table"
         ],
         "DiagnosticsLogServices": [
            "blob",
            "queue",
            "table"
         ]
      }
   ],
   "AppService": {
      "Backup_RetentionPeriod_Min": 365,
      "Backup_RetentionPeriod_Forever": 0,
      "LatestDotNetFrameworkVersionNumber": "v4.0",
      "Minimum_Instance_Count": 2,
      "AADAuthAPIVersion": "2016-08-01",
      "LoadCertAppSettings": "WEBSITE_LOAD_CERTIFICATES"
   },
   "StorageDiagnosticsSkuMapping": [
      "StandardGRS",
      "StandardLRS",
      "StandardRAGRS"
   ],
   "StorageAlertSkuMapping": [
      "StandardGRS",
      "StandardLRS",
      "StandardRAGRS"
   ],
   "StorageGeoRedundantSku": [
      "StandardGRS",
      "StandardRAGRS"
   ],
   "RedisCache": {
      "FirewallApplicableSku": [
         "Premium"
      ],
      "RDBBackApplicableSku": [
         "Premium"
      ]
   },
   "CosmosDb": {
      "Firewall": {
         "IpLimitPerDb": 2048,
         "IpLimitPerRange": 256
      }
   },
   "Automation": {
      "WebhookValidityInDays": 60
   },
   "BaselineControls": {
      "ResourceTypeControlIdMappingList": [
         {
            "ResourceType": "VirtualMachine",
            "ControlIds": [
               "Azure_VirtualMachine_SI_Missing_OS_Patches",
               "Azure_VirtualMachine_SI_Enable_Antimalware_Windows",
               "Azure_VirtualMachine_NetSec_Dont_Open_Management_Ports"
            ]
         },
         {
            "ResourceType": "SQLDatabase",
            "ControlIds": [
               "Azure_SQLDatabase_DP_Enable_TDE",
               "Azure_SQLDatabase_Audit_Enable_Threat_Detection_Server",
               "Azure_SQLDatabase_Audit_Enable_Threat_Detection_DB"
            ]
         },
         {
            "ResourceType": "AppService",
            "ControlIds": [ "Azure_AppService_DP_Dont_Allow_HTTP_Access" ]
         },
         {
            "ResourceType": "Storage",
            "ControlIds": [
               "Azure_Storage_AuthN_Dont_Allow_Anonymous",
               "Azure_Storage_DP_Encrypt_At_Rest_Blob",
               "Azure_Storage_DP_Encrypt_At_Rest_File",
               "Azure_Storage_DP_Encrypt_In_Transit"
            ]
         },
         {
            "ResourceType": "CloudService",
            "ControlIds": [
               "Azure_CloudService_DP_DontAllow_HTTP_Access_InputEndpoints",
               "Azure_CloudService_SI_Auto_OSUpdate",
               "Azure_CloudService_SI_Enable_AntiMalware",
               "Azure_CloudService_SI_Disable_RemoteDesktop_Access"
            ]
         },
         {
            "ResourceType": "AppService",
            "ControlIds": [ "Azure_AppService_DP_Dont_Allow_HTTP_Access" ]
         },
         {
            "ResourceType": "ERvNet",
            "ControlIds": [
               "Azure_ERvNet_NetSec_Dont_Use_PublicIPs",
               "Azure_ERvNet_NetSec_Dont_Enable_IPForwarding_for_NICs",
               "Azure_ERvNet_NetSec_Dont_Add_UDRs_on_Subnets",
               "Azure_ERvNet_NetSec_Dont_Add_VPN_Gateways",
               "Azure_ERvNet_NetSec_Dont_Use_VNet_Peerings",
               "Azure_ERvNet_NetSec_Use_Only_Internal_Load_Balancers"
            ]
         }
      ],
      "SubscriptionControlIdList": [
         "Azure_Subscription_AuthZ_Add_Required_Central_Accounts",
         "Azure_Subscription_AuthZ_Remove_Deprecated_Accounts",
         "Azure_Subscription_AuthZ_Dont_Use_NonAD_Identities",
         "Azure_Subscription_AuthZ_Remove_Management_Certs",
         "Azure_Subscription_Config_Azure_Security_Center",
         "Azure_Subscription_Config_ARM_Policy",
         "Azure_Subscription_Audit_Configure_Critical_Alerts"
      ],
      "ExpiryInDays": 6,
      "SupportedSources": [ "CC" ]
   },
   "CloudService": {
      "LatestOSSKUIDs": [ "WA-GUEST-OS-4.44_201707-01" ]
   },
   "AttestationExpiryPeriodInDays": {
      "Default": 90,
      "ControlSeverity": {
         "Critical": 7,
         "High": 30,
         "Medium": 60,
         "Low": 90
      }
   }
 
}