Azure

Monitor critical Azure infrastructure with Sprinto by tracking SQL database encryption, storage security, NSG flow logs, CPU usage, and TLS settings across web apps.

Sprinto integrates with Microsoft Azure to monitor infrastructure-level controls and resource security configurations. These monitors ensure that core services such as storage, databases, and web apps are correctly configured to meet compliance requirements and organisational policies.

This article outlines the Azure-specific infrastructure monitors tracked by Sprinto, the configuration steps for each, and how to resolve failing monitors.

Monitored Azure Services

Sprinto evaluates the following Azure services for infrastructure and configuration compliance:

Azure SQL Database
Azure Storage Accounts
Azure Network Security Groups (NSGs)
Azure Web Apps

Detailed Monitors and Resolution Steps

1. Azure SQL: CPU Utilisation Should Be Monitored

What it checks: Azure Monitor is configured to track high CPU usage on SQL Databases.
How to resolve:
1. Go to Azure Portal > Monitor > Alerts > New Alert Rule.
2. Select Resource (SQL database) → Choose Metric: CPU percentage.
3. Set a condition (e.g., >80% for 5 minutes).
4. Define an action group (email, webhook, etc.).
5. Save and enable the alert.

2. Azure SQL: Data Should Be Encrypted

What it checks: Transparent Data Encryption (TDE) is enabled on SQL Databases.
How to resolve:
1. Navigate to SQL Server > Transparent Data Encryption.
2. Ensure TDE status is set to Enabled.
3. Choose Service-managed key or Customer-managed key.
4. Save the settings.

3. Azure Storage: Secure Transfer Should Be Required

What it checks: Ensures the storage account enforces secure (HTTPS-only) connections.
How to resolve:
1. Go to Storage Accounts > Configuration.
2. Set Secure transfer required to Enabled.
3. Click Save.

4. Azure Storage: Default Network Access Rule Should Be Deny

What it checks: Blocks public access unless explicitly allowed.
How to resolve:
1. Go to Storage Accounts > Networking.
2. Under Firewalls and virtual networks, set:
  - Public access: Disabled
  - Default action: Deny
3. Save changes.

5. Azure NSG: Flow Logs Should Be Enabled

What it checks: Captures NSG traffic logs for network analysis.
How to resolve:
1. Navigate to NSG > Diagnostic settings.
2. Click Add diagnostic setting.
3. Select Flow logs, choose a Storage account or Log Analytics workspace.
4. Enable retention and save.

6. Azure Web Apps: Latest TLS Version Should Be Enforced

What it checks: Web apps are using TLS 1.2 or higher.
How to resolve:
1. Go to App Services > Configuration > General settings.
2. Set Minimum TLS version to 1.2 or 1.3.
3. Click Save.

Remediating the Monitor in Sprinto

Sprinto auto-updates the monitor status for integrated services.
For manual checks:
- Upload screenshots of your Azure Portal settings
- Attach relevant policy JSONs or diagnostic exports
Use Mark as Resolved after completing remediation

Best Practices

Standardise configurations using Azure Policy
Use Log Analytics and Diagnostic Settings to track long-term trends
Define alert thresholds based on baselined performance, not arbitrary values
Group resources using tags for easier monitor filtering

PreviousNAT Gateway should be setup for the VPC NextHow to resolve Sprinto check for monitoring Azure VM CPU

Last updated 6 months ago

hashtagMonitored Azure Services

hashtagDetailed Monitors and Resolution Steps

hashtag1. Azure SQL: CPU Utilisation Should Be Monitored

hashtag2. Azure SQL: Data Should Be Encrypted

hashtag3. Azure Storage: Secure Transfer Should Be Required

hashtag4. Azure Storage: Default Network Access Rule Should Be Deny

hashtag5. Azure NSG: Flow Logs Should Be Enabled

hashtag6. Azure Web Apps: Latest TLS Version Should Be Enforced

hashtagRemediating the Monitor in Sprinto

hashtagBest Practices