# Azure

Sprinto integrates with Microsoft Azure to monitor infrastructure-level controls and resource security configurations. These monitors ensure that core services such as storage, databases, and web apps are correctly configured to meet compliance requirements and organisational policies.

This article outlines the Azure-specific infrastructure monitors tracked by Sprinto, the configuration steps for each, and how to resolve failing monitors.

***

### Monitored Azure Services

Sprinto evaluates the following Azure services for infrastructure and configuration compliance:

1. **Azure SQL Database**
2. **Azure Storage Accounts**
3. **Azure Network Security Groups (NSGs)**
4. **Azure Web Apps**

***

### Detailed Monitors and Resolution Steps

#### 1. **Azure SQL: CPU Utilisation Should Be Monitored**

* **What it checks**:\
  Azure Monitor is configured to track high CPU usage on SQL Databases.
* **How to resolve**:
  1. Go to **Azure Portal > Monitor > Alerts > New Alert Rule**.
  2. Select **Resource** (SQL database) → Choose **Metric: CPU percentage**.
  3. Set a condition (e.g., >80% for 5 minutes).
  4. Define an action group (email, webhook, etc.).
  5. Save and enable the alert.

***

#### 2. **Azure SQL: Data Should Be Encrypted**

* **What it checks**:\
  Transparent Data Encryption (TDE) is enabled on SQL Databases.
* **How to resolve**:
  1. Navigate to **SQL Server > Transparent Data Encryption**.
  2. Ensure **TDE status** is set to **Enabled**.
  3. Choose **Service-managed key** or **Customer-managed key**.
  4. Save the settings.

***

#### 3. **Azure Storage: Secure Transfer Should Be Required**

* **What it checks**:\
  Ensures the storage account enforces secure (HTTPS-only) connections.
* **How to resolve**:
  1. Go to **Storage Accounts > Configuration**.
  2. Set **Secure transfer required** to **Enabled**.
  3. Click **Save**.

***

#### 4. **Azure Storage: Default Network Access Rule Should Be Deny**

* **What it checks**:\
  Blocks public access unless explicitly allowed.
* **How to resolve**:
  1. Go to **Storage Accounts > Networking**.
  2. Under **Firewalls and virtual networks**, set:
     * **Public access**: Disabled
     * **Default action**: Deny
  3. Save changes.

***

#### 5. **Azure NSG: Flow Logs Should Be Enabled**

* **What it checks**:\
  Captures NSG traffic logs for network analysis.
* **How to resolve**:
  1. Navigate to **NSG > Diagnostic settings**.
  2. Click **Add diagnostic setting**.
  3. Select **Flow logs**, choose a **Storage account** or **Log Analytics workspace**.
  4. Enable retention and save.

***

#### 6. **Azure Web Apps: Latest TLS Version Should Be Enforced**

* **What it checks**:\
  Web apps are using TLS 1.2 or higher.
* **How to resolve**:
  1. Go to **App Services > Configuration > General settings**.
  2. Set **Minimum TLS version** to **1.2** or **1.3**.
  3. Click **Save**.

***

### Remediating the Monitor in Sprinto

* Sprinto auto-updates the monitor status for integrated services.
* For manual checks:
  * Upload screenshots of your Azure Portal settings
  * Attach relevant policy JSONs or diagnostic exports
* Use **Mark as Resolved** after completing remediation

***

### Best Practices

* Standardise configurations using **Azure Policy**
* Use **Log Analytics** and **Diagnostic Settings** to track long-term trends
* Define alert thresholds based on baselined performance, not arbitrary values
* Group resources using tags for easier monitor filtering