Azure Policy built-in definitions for Azure Monitor

This page is an index of Azure Policy built-in policy definitions for Azure Monitor. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.

The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.

Azure Monitor

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted | Reports VMs as non-compliant if the VM image (OS) is not in the defined list and the agent is not installed. The list of OS images is updated over time as support changes. | auditIfNotExists | 1.0.0-preview |
| Activity log should be retained for at least one year | Audits the activity log if retention is not set to 365 days or to forever (retention days set to 0). | AuditIfNotExists, Disabled | 1.0.0 |
| An activity log alert should exist for specific Administrative operations | Audits specific Administrative operations that have no activity log alert configured. | AuditIfNotExists, Disabled | 1.0.0 |
| An activity log alert should exist for specific Policy operations | Audits specific Policy operations that have no activity log alert configured. | AuditIfNotExists, Disabled | 2.0.0 |
| An activity log alert should exist for specific Security operations | Audits specific Security operations that have no activity log alert configured. | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Dependency agent deployment - VM Image (OS) unlisted | Reports VMs as non-compliant if the VM image (OS) is not in the defined list and the agent is not installed. The list of OS images is updated over time as support changes. | auditIfNotExists | 1.0.1 |
| Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlisted | Reports virtual machine scale sets as non-compliant if the VM image (OS) is not in the defined list and the agent is not installed. The list of OS images is updated over time as support changes. | auditIfNotExists | 1.0.1 |
| Audit diagnostic setting | Audits diagnostic settings for selected resource types. | AuditIfNotExists | 1.0.0 |
| Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | Reports virtual machine scale sets as non-compliant if the VM image (OS) is not in the defined list and the agent is not installed. The list of OS images is updated over time as support changes. | auditIfNotExists | 1.0.1 |
| Audit Log Analytics workspace for VM - Report Mismatch | Reports VMs as non-compliant if they are not logging to the Log Analytics workspace specified in the policy/initiative assignment. | audit | 1.0.1 |
| Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | Ensures that the log profile collects logs for the 'write', 'delete' and 'action' categories. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Monitor should collect activity logs from all regions | Audits the Azure Monitor log profile if it does not export activity from all Azure-supported regions, including global. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Monitor solution 'Security and Audit' must be deployed | Ensures that the Security and Audit solution is deployed. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure subscriptions should have a log profile for Activity Log | Ensures that a log profile is enabled to export the activity log. Audits if no log profile exists that exports the logs to either a storage account or an event hub. | AuditIfNotExists, Disabled | 1.0.0 |
| Deploy Dependency agent for Linux virtual machine scale sets | Deploys the Dependency agent for Linux virtual machine scale sets if the VM image (OS) is in the defined list and the agent is not installed. Note: if the scale set upgradePolicy is set to Manual, you must apply the extension to all virtual machines in the set by calling upgrade on them; in the CLI this is az vmss update-instances. | deployIfNotExists | 1.2.1 |
| Deploy Dependency agent for Linux virtual machines | Deploys the Dependency agent for Linux virtual machines if the VM image (OS) is in the defined list and the agent is not installed. | deployIfNotExists | 1.2.1 |
| Deploy Dependency agent for Windows virtual machine scale sets | Deploys the Dependency agent for Windows virtual machine scale sets if the VM image (OS) is in the defined list and the agent is not installed. The list of OS images is updated over time as support changes. Note: if the scale set upgradePolicy is set to Manual, you must apply the extension to all virtual machines in the set by calling upgrade on them; in the CLI this is az vmss update-instances. | deployIfNotExists | 1.2.1 |
| Deploy Dependency agent for Windows virtual machines | Deploys the Dependency agent for Windows virtual machines if the VM image (OS) is in the defined list and the agent is not installed. The list of OS images is updated over time as support changes. | deployIfNotExists | 1.2.1 |
| Deploy Diagnostic Settings for Batch Account to Event Hub | Deploys diagnostic settings for a Batch account, streaming to a regional Event Hub, when any Batch account that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 |
| Deploy Diagnostic Settings for Batch Account to Log Analytics workspace | Deploys diagnostic settings for a Batch account, streaming to a regional Log Analytics workspace, when any Batch account that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 |
| Deploy Diagnostic Settings for Data Lake Analytics to Event Hub | Deploys diagnostic settings for Data Lake Analytics, streaming to a regional Event Hub, when any Data Lake Analytics account that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 |
| Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace | Deploys diagnostic settings for Data Lake Analytics, streaming to a regional Log Analytics workspace, when any Data Lake Analytics account that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 |
| Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub | Deploys diagnostic settings for Data Lake Storage Gen1, streaming to a regional Event Hub, when any Data Lake Storage Gen1 account that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 |
| Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace | Deploys diagnostic settings for Data Lake Storage Gen1, streaming to a regional Log Analytics workspace, when any Data Lake Storage Gen1 account that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 |
| Deploy Diagnostic Settings for Event Hub to Event Hub | Deploys diagnostic settings for Event Hub, streaming to a regional Event Hub, when any Event Hub that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.1.0 |
| Deploy Diagnostic Settings for Event Hub to Log Analytics workspace | Deploys diagnostic settings for Event Hub, streaming to a regional Log Analytics workspace, when any Event Hub that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.1.0 |
| Deploy Diagnostic Settings for Key Vault to Log Analytics workspace | Deploys diagnostic settings for Key Vault, streaming to a regional Log Analytics workspace, when any Key Vault that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 |
| Deploy Diagnostic Settings for Logic Apps to Event Hub | Deploys diagnostic settings for Logic Apps, streaming to a regional Event Hub, when any Logic App that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 |
| Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace | Deploys diagnostic settings for Logic Apps, streaming to a regional Log Analytics workspace, when any Logic App that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 |
| Deploy Diagnostic Settings for Network Security Groups | Automatically deploys diagnostic settings to network security groups. A storage account named '{storagePrefixParameter}{NSGLocation}' is created automatically. | deployIfNotExists | 1.0.0 |
| Deploy Diagnostic Settings for Search Services to Event Hub | Deploys diagnostic settings for Search Services, streaming to a regional Event Hub, when any Search Service that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 |
| Deploy Diagnostic Settings for Search Services to Log Analytics workspace | Deploys diagnostic settings for Search Services, streaming to a regional Log Analytics workspace, when any Search Service that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 |
| Deploy Diagnostic Settings for Service Bus to Event Hub | Deploys diagnostic settings for Service Bus, streaming to a regional Event Hub, when any Service Bus namespace that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 |
| Deploy Diagnostic Settings for Service Bus to Log Analytics workspace | Deploys diagnostic settings for Service Bus, streaming to a regional Log Analytics workspace, when any Service Bus namespace that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 |
| Deploy Diagnostic Settings for Stream Analytics to Event Hub | Deploys diagnostic settings for Stream Analytics, streaming to a regional Event Hub, when any Stream Analytics job that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 |
| Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace | Deploys diagnostic settings for Stream Analytics, streaming to a regional Log Analytics workspace, when any Stream Analytics job that is missing these diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 |
| Deploy Log Analytics agent for Linux virtual machine scale sets | Deploys the Log Analytics agent for Linux virtual machine scale sets if the VM image (OS) is in the defined list and the agent is not installed. Note: if the scale set upgradePolicy is set to Manual, you must apply the extension to all VMs in the set by calling upgrade on them; in the CLI this is az vmss update-instances. | deployIfNotExists | 1.0.1 |
| Deploy Log Analytics agent for Linux VMs | Deploys the Log Analytics agent for Linux VMs if the VM image (OS) is in the defined list and the agent is not installed. | deployIfNotExists | 1.0.1 |
| Deploy Log Analytics agent for Windows virtual machine scale sets | Deploys the Log Analytics agent for Windows virtual machine scale sets if the VM image (OS) is in the defined list and the agent is not installed. The list of OS images is updated over time as support changes. Note: if the scale set upgradePolicy is set to Manual, you must apply the extension to all VMs in the set by calling upgrade on them; in the CLI this is az vmss update-instances. | deployIfNotExists | 1.0.1 |
| Deploy Log Analytics agent for Windows VMs | Deploys the Log Analytics agent for Windows VMs if the VM image (OS) is in the defined list and the agent is not installed. The list of OS images is updated over time as support changes. | deployIfNotExists | 1.0.1 |
| Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and detection of specific network threats. | AuditIfNotExists, Disabled | 1.0.1-preview |
| Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and detection of specific network threats. | AuditIfNotExists, Disabled | 1.0.1-preview |
| Storage account containing the container with activity logs must be encrypted with BYOK | Audits whether the storage account containing the container with activity logs is encrypted with BYOK. By design, the policy works only if the storage account is in the same subscription as the activity logs. More information on Azure Storage encryption at rest: https://docs.azure.cn/storage/common/storage-encryption-keys-portal | AuditIfNotExists, Disabled | 1.0.0 |
| The Log Analytics agent should be installed on Virtual Machine Scale Sets | Audits any Windows/Linux virtual machine scale set on which the Log Analytics agent is not installed. | AuditIfNotExists, Disabled | 1.0.0 |
| The Log Analytics agent should be installed on virtual machines | Audits any Windows/Linux virtual machine on which the Log Analytics agent is not installed. | AuditIfNotExists, Disabled | 1.0.0 |
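The four activity-log-profile rows above (a log profile must exist and export to a storage account or event hub, collect the 'write', 'delete' and 'action' categories, cover all regions including global, and retain for 365 days or forever) all audit the same resource, the subscription's `Microsoft.Insights/logprofiles`. The following is an added example, not the built-in policy JSON: it re-implements those four conditions as plain Python over the log-profile property names (`locations`, `categories`, `retentionPolicy.enabled`/`days`, `storageAccountId`, `serviceBusRuleId`) so you can see what each policy would flag before assigning it. The region list, the two sample profiles and the decision to treat `days > 365` or `retentionPolicy.enabled = false` as "retained long enough" are assumptions of this example, not statements from the policy definitions.

```python
"""Local approximation of the four activity-log-profile built-ins listed above.

Added example; not Azure Policy's own rule JSON. Property names follow the
Microsoft.Insights/logprofiles resource type. Sample data is constructed.
"""
from __future__ import annotations

# Categories named in 'Azure Monitor log profile should collect logs for
# categories write, delete, and action' (compared case-insensitively).
REQUIRED_CATEGORIES = {"write", "delete", "action"}

# Assumption: a short constructed region list standing in for "all Azure
# supported regions including global" from the table.
EXPECTED_LOCATIONS = {"global", "eastus", "westus", "northeurope"}


def has_export_sink(profile: dict) -> bool:
    """'Azure subscriptions should have a log profile for Activity Log':
    the profile must ship to a storage account or to an event hub."""
    props = profile.get("properties", {})
    return bool(props.get("storageAccountId") or props.get("serviceBusRuleId"))


def collects_required_categories(profile: dict) -> bool:
    """'...should collect logs for categories write, delete, and action'."""
    cats = {c.lower() for c in profile.get("properties", {}).get("categories", [])}
    return REQUIRED_CATEGORIES <= cats


def covers_all_regions(profile: dict, expected: set[str] = EXPECTED_LOCATIONS) -> bool:
    """'Azure Monitor should collect activity logs from all regions'."""
    locs = {l.lower() for l in profile.get("properties", {}).get("locations", [])}
    return {e.lower() for e in expected} <= locs


def retention_is_at_least_one_year(profile: dict) -> bool:
    """'Activity log should be retained for at least one year'.

    Table text: compliant when retention is 365 days or forever (days == 0).
    Assumptions of this example: retentionPolicy.enabled == False is also
    'forever', and days > 365 counts as compliant.
    """
    rp = profile.get("properties", {}).get("retentionPolicy", {})
    enabled = bool(rp.get("enabled", False))
    days = int(rp.get("days", 0))
    return (not enabled) or days == 0 or days >= 365


def evaluate(profile: dict) -> dict[str, bool]:
    """Map each policy display name to whether the profile would be compliant."""
    return {
        "Azure subscriptions should have a log profile for Activity Log": has_export_sink(profile),
        "Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'": collects_required_categories(profile),
        "Azure Monitor should collect activity logs from all regions": covers_all_regions(profile),
        "Activity log should be retained for at least one year": retention_is_at_least_one_year(profile),
    }


def non_compliant(profile: dict) -> list[str]:
    """Sorted display names of the policies this profile would fail."""
    return sorted(name for name, ok in evaluate(profile).items() if not ok)


# Constructed sample profiles; resource IDs are placeholders, not real resources.
WEAK_PROFILE = {
    "name": "default",
    "properties": {
        "storageAccountId": "/subscriptions/<sub-id>/resourceGroups/rg-logs/providers/Microsoft.Storage/storageAccounts/stactivitylogs",
        "locations": ["eastus", "westus"],          # missing global and northeurope
        "categories": ["Write", "Delete"],          # missing Action
        "retentionPolicy": {"enabled": True, "days": 90},
    },
}

HARDENED_PROFILE = {
    "name": "default",
    "properties": {
        "storageAccountId": "/subscriptions/<sub-id>/resourceGroups/rg-logs/providers/Microsoft.Storage/storageAccounts/stactivitylogs",
        "serviceBusRuleId": "/subscriptions/<sub-id>/resourceGroups/rg-logs/providers/Microsoft.EventHub/namespaces/evh-logs/authorizationrules/RootManageSharedAccessKey",
        "locations": ["global", "eastus", "westus", "northeurope"],
        "categories": ["Write", "Delete", "Action"],
        "retentionPolicy": {"enabled": True, "days": 365},
    },
}

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        failures = non_compliant(profile)
        print(f"{label}: {failures if failures else 'compliant with all four'}")
```

Run it against a profile exported with `az monitor log-profiles show` (a real call; only the JSON shape is assumed here) to preview which of the four audits would fire. The weak profile fails retention, categories and regions but passes the existence check, which is exactly why the table lists four separate audits rather than one: a subscription can have a log profile and still be exporting too little, from too few regions, for too short a time.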

Next steps