Understand the Azure Compliance Reports
Lacework provides out of the box reports for different benchmarks.
To populate the Azure data viewed in this page, you must configure an integration to at least one Azure Subscription within an Azure Tenant. For more information, see Integrate Lacework with Azure.
While the Compliance Dashboard provides an overview of your accounts and resources, the Compliance Reports page provides the detailed compliance information you need to take corrective action. On the Compliance Reports page you can drill down into your security posture: each control rule's recommendation and the non-compliant resources that violate it.
Note: You can run a compliance report a maximum of 100 times per day.
Select Compliance > Azure > Reports in the Lacework Console to display the Azure Compliance Reports page. The following drop-downs control the output displayed on the compliance report page:
- Report Type
- Tenant
- Subscription
- Report Date
Use the Report Type drop-down to select one of following types of report or benchmarks to report on:
- Azure CIS Benchmark
- Azure PCI Benchmark
- Azure SOC 2 Report
Use the Tenant drop-down and text field to specify the top-level Azure Tenant to report on. You can select a specific Tenant, or you can enter text in this field to immediately start searching by Tenant name or Tenant ID.
Use the Subscription drop-down and text field to specify the specific Azure Subscription to report on. You can select a specific Azure Subscription or you can enter text in this field to immediately start searching by Subscription name or Subscription ID.
Use the Report Date drop-down and text field to specify the compliance report run to report on. You can select a specific run, or you can enter text in this field to immediately start searching for a report run. For example, enter '2/' to find all the reports in February. By default, the latest report is selected and displayed. Older reports are useful for reviewing your security posture at a specific point in time.
After you specify a Report Type, Tenant, Subscription, and Report Date, the reports page displays the corresponding compliance assessment data. A graph shows the number of non-compliant recommendations by severity. The report also displays a count of non-compliant recommendations alongside the number of recommendations assessed and suppressed, and a count of non-compliant resources alongside the number of resources assessed and suppressed. Showing both sets of counts makes clear whether you are looking at the data by recommendation or by resource.
Use the Recommendation Status drop-down filter below the visual graph and compliance report calculations to limit the output of the compliance report page by compliance status. For example, select Non-Compliant to limit the result to only those recommendations that are determined to be not compliant when the selected compliance assessment run occurred.
By default, the Recommendation Status drop-down is set to view All, however, you can select one of the following recommendation status filter options: Non-Compliant, Compliant, Suppressed, Manual, or Could Not Assess.
Select the Recommendation Severity checkboxes to the right of the Recommendation Status drop-down to limit the recommendations reported on the page by severity. For example, select just the Critical checkbox to list only critical recommendations.
Click the Download Report icon to download the currently open compliance report in PDF format. Like the Lacework Console, the PDF displays one recommendation per row together with its status (Compliant, Non-Compliant, Suppressed, or Manual).
Click the Download CSV Report icon to download the data of the currently open compliance report in CSV (comma-separated value) format. You can import the CSV file into other tools such as spreadsheets or databases. The CSV data differs from the PDF data in the following ways:
- The CSV contains only Non-Compliant resources and Suppressed resources.
- Each CSV row represents one resource, so a recommendation with several affected resources produces several rows, one per resource, all carrying the same recommendation ID.
- Each row in the PDF represents one recommendation (that is, the data correlated to one benchmark control rule), and the PDF groups the affected resources under that recommendation.
The CSV flattens the resources. For example, a recommendation with three non-compliant resources is one row in the PDF but three rows in the CSV:
PDF:
Row 1: RecId_1, Non-Compliant
CSV:
Row 1: RecId_1, Resource_1, Non-Compliant
Row 2: RecId_1, Resource_2, Non-Compliant
Row 3: RecId_1, Resource_3, Non-Compliant
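The following is an added example, not Lacework's own code or CSV schema: it reads a downloaded CSV in the flattened one-row-per-resource form described above and regroups it by recommendation, recovering the one-row-per-recommendation view of the PDF together with the Affected (non-compliant) and Suppressed counts per recommendation. The column names recommendation_id, resource and status, and the sample rows, are assumptions made for this example; check the header row of the CSV you actually downloaded and adjust FIELDS to match.

```python
"""Regroup a flattened compliance CSV by recommendation ID.

Added example; the column names and sample rows are assumed, not the
documented Lacework CSV schema. Check the header of your downloaded CSV.
"""
import csv
import io
from collections import defaultdict

# Assumed column names (hypothetical); adjust to the real header row.
FIELDS = ("recommendation_id", "resource", "status")

# Constructed sample in the flattened form: one row per resource, so the
# same recommendation ID repeats once per affected resource.
SAMPLE_CSV = """recommendation_id,resource,status
RecId_1,Resource_1,Non-Compliant
RecId_1,Resource_2,Non-Compliant
RecId_1,Resource_3,Non-Compliant
RecId_1,Resource_4,Suppressed
RecId_2,Resource_5,Suppressed
"""


def summarize_by_recommendation(csv_text):
    """Group CSV rows by recommendation ID.

    Returns {rec_id: {"affected": n, "suppressed": m, "other": k,
                      "resources": [(resource, status), ...]}}
    where "affected" counts Non-Compliant resources (the PDF's Affected
    column) and "other" counts any status the CSV is not expected to carry.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [f for f in FIELDS if f not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"CSV is missing expected columns: {missing}")

    summary = defaultdict(
        lambda: {"affected": 0, "suppressed": 0, "other": 0, "resources": []}
    )
    for row in reader:
        entry = summary[row["recommendation_id"].strip()]
        status = row["status"].strip()
        if status == "Non-Compliant":
            entry["affected"] += 1
        elif status == "Suppressed":
            entry["suppressed"] += 1
        else:
            # The CSV should only carry Non-Compliant and Suppressed rows;
            # anything else is recorded rather than silently dropped.
            entry["other"] += 1
        entry["resources"].append((row["resource"].strip(), status))
    return dict(summary)


def pdf_style_rows(summary):
    """Derive one row per recommendation, as the PDF presents it.

    A recommendation is Non-Compliant if any of its resources is
    non-compliant; it is Suppressed only when every resource is suppressed
    (the console's definition of a completely suppressed recommendation).
    Rows are ordered by affected count, highest first, then by ID.
    """
    rows = []
    for rec_id, entry in summary.items():
        if entry["affected"] > 0:
            status = "Non-Compliant"
        elif entry["other"] > 0:
            status = "Unknown"
        else:
            status = "Suppressed"
        rows.append((rec_id, status, entry["affected"], entry["suppressed"]))
    rows.sort(key=lambda r: (-r[2], r[0]))
    return rows


if __name__ == "__main__":
    for rec_id, status, affected, suppressed in pdf_style_rows(
        summarize_by_recommendation(SAMPLE_CSV)
    ):
        print(f"{rec_id}: {status} (affected={affected}, suppressed={suppressed})")
```

Because each CSV row is one resource, the resources list kept per recommendation is exactly what a remediation owner needs, while the derived rows match what the PDF shows for the same report run.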
Both download options are useful for providing reports to others in your organization that are responsible for remediating the non-compliant resources in violation.
Lacework runs a complete compliance assessment for all integrated accounts on a regular schedule, typically once a day. For more information on configuring your report scheduling, see Compliance Report Schedule.
To immediately initiate a compliance assessment run for a single account, which occurs outside the regular schedule, click the Run a new report icon. Pending displays next to the icon. The assessment may take some time to run. After the assessment completes, Pending stops displaying.
You can also verify that an assessment run for a single account is complete by looking at the drop-down options available under Report Date. The newest drop-down assessment run is the top Report Date drop-down item and is labeled with (Latest).
The report table contains the following columns:
| Column | Description |
|---|---|
| ID | Displays the unique identifier for the recommendation, for example: Azure_CIS_2_6 is the ID for the Azure CIS Benchmark 1.0 control rule 2.6. |
| Recommendation | Displays the description of the recommendation. |
| Status | Displays the status of the recommendation/control rule at the selected report date: 1) Non-Compliant: during the assessment of the selected report run, this recommendation was not in compliance; at least one resource was in violation of it. 2) Compliant: during the assessment of the selected report run, this recommendation was in compliance. 3) Suppressed: during the assessment of the selected report run, this recommendation was completely suppressed. 4) Manual: Lacework cannot determine whether the recommendation is in compliance because the configuration status cannot be retrieved. You may want to check compliance manually in Azure; see the remediation guidance under Additional Info in the Actions column, described below. 5) Could Not Assess: Lacework encountered a problem while attempting to assess this recommendation. Examples include: the required privileges have not been granted; disabled API endpoints; invalid permissions for specific endpoints; API rate limiting; sustained API quota exhaustion; network problems; Azure cloud outages. |
| Severity | Displays the severity of the recommendation: Critical, High, Medium, Low, or Info. |
| Affected | Displays the total number of resources assessed as non-compliant (in violation) for this recommendation. |
| Assessed | Displays the total number of resources assessed for this recommendation. |
| Actions | Click the (more) icon to reveal the following additional functionality: Additional Info provides further information and documentation on the recommendation, such as a description, rationale, audit procedure, and remediation. Advanced Suppression optionally configures suppression of this recommendation. |
You can expand a recommendation that has a violation to view any non-compliant resources. Click a resource name to open that resource's details within Lacework Resource Inventory.
To sort by a column, click the column header, for example, if you want to sort the recommendations of a table by severity, click Severity in the column header.