import { DocumentSource, SecurityDocument } from "../types.js";
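/**
 * One hand-curated entry in the Azure catalogue.
 *
 * `source` and `lastUpdated` are the same for every document and are filled in
 * by `AzureSource.fetchDocuments`, so an entry only carries what differs.
 */
interface CuratedEntry {
  readonly id: string;
  readonly title: string;
  readonly url: string;
  readonly content: string;
  readonly category: string;
  readonly metadata: Readonly<Record<string, string>>;
}

/**
 * Document source that serves a fixed, in-code catalogue of Azure security
 * guidance summaries. No network request is made; the `url` on each document
 * is the reference page the summary was written from.
 */
export class AzureSource implements DocumentSource {
  name = "Azure";

  /** Curated summaries, in the order they are returned to callers. */
  private static readonly CURATED: readonly CuratedEntry[] = [
    // Azure Security Best Practices Overview
    {
      id: "azure-security-best-practices",
      title: "Azure Security Best Practices",
      url: "https://learn.microsoft.com/en-us/azure/security/fundamentals/best-practices-and-patterns",
      content: `Azure Security Best Practices encompass identity management, network security, data protection, and operational security. Key principles: Treat identity as the primary security perimeter using Azure AD/Entra ID. Implement Zero Trust architecture - never trust, always verify. Use defense in depth with multiple security layers. Enable centralized security management with Microsoft Defender for Cloud. Implement least privilege access using Azure RBAC. Enable MFA for all users, especially privileged accounts. Use managed identities for Azure resources to eliminate credential management. Implement network segmentation with VNets and NSGs. Enable encryption at rest and in transit. Implement logging and monitoring with Azure Monitor and Microsoft Sentinel. Use Azure Policy for governance and compliance. Enable Microsoft Defender for Cloud for threat protection. Implement secure DevOps practices with Azure DevOps security features.`,
      category: "Cloud Security",
      metadata: { provider: "Azure" },
    },
    // Azure Identity and Access Management
    {
      id: "azure-identity-security",
      title: "Azure Identity and Access Management Security",
      url: "https://learn.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices",
      content: `Azure Identity Security Best Practices using Microsoft Entra ID (formerly Azure AD). Enable Multi-Factor Authentication (MFA) for all users - this blocks 99.9% of account compromise attacks. Use Conditional Access policies to enforce access controls based on conditions like user location, device compliance, and risk level. Implement Privileged Identity Management (PIM) for just-in-time privileged access with approval workflows. Use managed identities for Azure resources - eliminates need for credentials in code. Enable Identity Protection for risk-based conditional access and automated remediation. Implement password protection to ban weak passwords organization-wide. Use single sign-on (SSO) to reduce password fatigue and improve security. Enable self-service password reset (SSPR) with MFA verification. Implement access reviews to regularly validate access rights. Use entitlement management for access lifecycle management. Enable sign-in logs and audit logs for monitoring. Block legacy authentication protocols that don't support MFA. Use security defaults or Conditional Access for baseline protection.`,
      category: "Identity and Access",
      metadata: { service: "Entra ID" },
    },
    // Azure Network Security
    {
      id: "azure-network-security",
      title: "Azure Network Security Best Practices",
      url: "https://learn.microsoft.com/en-us/azure/security/fundamentals/network-best-practices",
      content: `Azure Network Security Best Practices for protecting cloud infrastructure. Use Network Security Groups (NSGs) to filter traffic to/from Azure resources - apply at subnet and NIC level. Implement Azure Firewall for centralized network security policy enforcement with threat intelligence. Use Azure DDoS Protection Standard for DDoS mitigation on virtual networks. Implement Azure Private Link to access Azure PaaS services over private endpoints. Use Azure Virtual Network (VNet) for network isolation and segmentation. Implement hub-spoke network topology for centralized security controls. Use Azure Bastion for secure RDP/SSH access without public IPs. Enable VNet service endpoints for secure access to Azure services. Implement Azure Front Door with WAF for global application security. Use Azure Application Gateway WAF for regional web application protection. Enable Network Watcher for network monitoring and diagnostics. Implement just-in-time (JIT) VM access to reduce attack surface. Use Azure ExpressRoute for private connectivity to on-premises. Enable flow logs for NSG traffic analysis.`,
      category: "Network Security",
      metadata: { service: "Networking" },
    },
    // Microsoft Defender for Cloud
    {
      id: "azure-defender-cloud",
      title: "Microsoft Defender for Cloud",
      url: "https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction",
      content: `Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP). CSPM capabilities: Secure Score provides quantified security posture measurement. Security recommendations prioritize hardening actions. Regulatory compliance dashboards for standards like CIS, PCI DSS, ISO 27001. Cloud security graph for attack path analysis. CWPP capabilities: Defender for Servers protects Windows and Linux servers with EDR. Defender for Containers secures Kubernetes and container registries. Defender for Storage detects threats to storage accounts. Defender for SQL protects databases from threats. Defender for Key Vault monitors key vault access. Defender for App Service protects web applications. Defender for DNS detects DNS-layer threats. Features: Just-in-time VM access, adaptive application controls, file integrity monitoring, adaptive network hardening. Integrates with Microsoft Sentinel for SIEM/SOAR. Supports multi-cloud (AWS, GCP) and hybrid environments. Enable enhanced security features for comprehensive protection.`,
      category: "Security Monitoring",
      metadata: { service: "Defender for Cloud" },
    },
    // Microsoft Sentinel
    {
      id: "azure-sentinel",
      title: "Microsoft Sentinel SIEM/SOAR",
      url: "https://learn.microsoft.com/en-us/azure/sentinel/overview",
      content: `Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution. Key capabilities: Data collection - connect to Microsoft and third-party sources using 100+ data connectors. Detection - use built-in and custom analytics rules, machine learning for threat detection. Investigation - investigate alerts using investigation graph, hunting queries, notebooks. Response - automate response with playbooks using Logic Apps. Key features: User and Entity Behavior Analytics (UEBA) for insider threat detection. Threat Intelligence integration for IOC matching. Watchlists for business context enrichment. Workbooks for visualization and reporting. Hunting queries using KQL for proactive threat hunting. Automation rules for alert handling. Best practices: Normalize data using ASIM parsers. Use scheduled analytics rules for detection. Implement tiered SOC response. Enable UEBA and entity pages. Create custom workbooks for monitoring. Integrate with Microsoft Defender XDR for unified security operations. Use content hub for out-of-box solutions.`,
      category: "Security Operations",
      metadata: { service: "Sentinel" },
    },
    // Azure Key Vault
    {
      id: "azure-key-vault",
      title: "Azure Key Vault Security Best Practices",
      url: "https://learn.microsoft.com/en-us/azure/key-vault/general/best-practices",
      content: `Azure Key Vault securely stores secrets, keys, and certificates. Best practices: Use separate key vaults per application, per environment to limit blast radius. Enable soft-delete and purge protection to prevent accidental deletion. Use managed identities to access Key Vault - no credentials needed in code. Implement network restrictions using Private Endpoints and firewall rules. Enable Key Vault logging to Azure Monitor for audit trails. Use Azure RBAC for Key Vault data plane access control. Implement key rotation policies for automatic key rotation. Use HSM-backed keys for high-security scenarios (Key Vault Premium or Managed HSM). Enable Azure Private Link to keep traffic on Microsoft network. Set appropriate access policies following least privilege. Use Key Vault references in App Service and Azure Functions. Monitor Key Vault availability and latency. Implement disaster recovery with Key Vault backup. Use Azure Policy to enforce Key Vault configuration standards. Enable Microsoft Defender for Key Vault for threat detection.`,
      category: "Cryptography",
      metadata: { service: "Key Vault" },
    },
    // Azure Storage Security
    {
      id: "azure-storage-security",
      title: "Azure Storage Security Best Practices",
      url: "https://learn.microsoft.com/en-us/azure/storage/blobs/security-recommendations",
      content: `Azure Storage Security Best Practices protect data in Blob, File, Queue, and Table storage. Data protection: Enable encryption at rest (default with Microsoft-managed keys, optional customer-managed keys). Require secure transfer (HTTPS only). Enable infrastructure encryption for double encryption. Use immutable storage for WORM compliance. Enable soft delete and versioning for data recovery. Access control: Disable shared key access, use Azure AD authentication. Use SAS tokens with minimal scope and short expiration. Implement stored access policies for SAS management. Use Azure Private Endpoints for private access. Enable firewall rules to restrict network access. Use Azure RBAC for fine-grained access control. Monitoring: Enable Azure Storage analytics logging. Use Microsoft Defender for Storage for threat detection. Monitor with Azure Monitor metrics and alerts. Implement lifecycle management for data retention. Best practices: Block public access at storage account level. Use customer-managed keys for sensitive data. Enable versioning and soft delete. Implement data classification and handling procedures.`,
      category: "Storage Security",
      metadata: { service: "Storage" },
    },
    // Azure Kubernetes Security
    {
      id: "azure-kubernetes-security",
      title: "Azure Kubernetes Service (AKS) Security",
      url: "https://learn.microsoft.com/en-us/azure/aks/concepts-security",
      content: `Azure Kubernetes Service (AKS) Security encompasses cluster, network, and workload protection. Cluster security: Use Azure AD integration for authentication. Implement Azure RBAC for Kubernetes authorization. Enable AKS-managed Azure AD for simplified integration. Use managed identities for cluster and pod identity. Keep Kubernetes version updated. Enable Defender for Containers for runtime protection. Network security: Use Azure CNI for VNet integration. Implement network policies for pod-to-pod traffic control. Use private clusters to disable public API endpoint. Enable Azure Private Link for private access. Use Azure Firewall or third-party NVA for egress filtering. Workload security: Use Azure Policy for Kubernetes to enforce pod security. Scan container images with Defender for Container Registries. Implement pod security standards. Use secrets from Key Vault with CSI driver. Enable Azure AD workload identity for pod authentication. Implement resource quotas and limit ranges. Use namespaces for multi-tenancy isolation. Enable Azure Monitor Container Insights for visibility.`,
      category: "Container Security",
      metadata: { service: "AKS" },
    },
    // Zero Trust with Azure
    {
      id: "azure-zero-trust",
      title: "Zero Trust Security with Azure",
      url: "https://learn.microsoft.com/en-us/security/zero-trust/azure-infrastructure-overview",
      content: `Zero Trust Security architecture implementation with Azure services. Core principles: Verify explicitly - always authenticate and authorize based on all available data points. Use least privilege access - limit user access with Just-In-Time and Just-Enough-Access. Assume breach - minimize blast radius, segment access, verify end-to-end encryption, use analytics for visibility. Identity pillar: Use Microsoft Entra ID for identity foundation. Enable MFA and Conditional Access. Implement PIM for privileged access. Use passwordless authentication. Endpoints pillar: Require device compliance with Intune. Use Conditional Access device policies. Enable Microsoft Defender for Endpoint. Network pillar: Implement microsegmentation with NSGs. Use Azure Firewall for centralized policy. Enable Private Link for service access. Data pillar: Classify and label data with Microsoft Purview. Implement encryption everywhere. Use Azure Information Protection. Infrastructure pillar: Use Azure Policy for compliance. Enable Microsoft Defender for Cloud. Implement just-in-time access. Monitor with Microsoft Sentinel.`,
      category: "Zero Trust",
      metadata: { framework: "Zero Trust" },
    },
    // Azure Compliance
    {
      id: "azure-compliance",
      title: "Azure Compliance and Governance",
      url: "https://learn.microsoft.com/en-us/azure/governance/",
      content: `Azure Governance and Compliance tools help organizations meet regulatory requirements. Azure Policy: Define and enforce organizational standards. Built-in policy definitions for common scenarios. Policy initiatives group related policies. Remediation tasks fix non-compliant resources. Regulatory compliance built-in initiatives (CIS, NIST, PCI DSS, HIPAA). Azure Blueprints: Package ARM templates, policies, RBAC, and resource groups. Versioned, deployable artifacts for environment standardization. Management Groups: Organize subscriptions hierarchically. Apply governance at scale. Inherit policies and RBAC across subscriptions. Microsoft Purview: Data governance and compliance. Data classification and labeling. Data loss prevention (DLP). eDiscovery and legal hold. Insider risk management. Information protection. Compliance Manager: Assess compliance posture. Track improvement actions. Generate compliance reports. Map controls to regulations. Best practices: Start with landing zone architecture. Implement policy-as-code. Use tags for resource organization. Enable resource locks for critical resources.`,
      category: "Compliance",
      metadata: { service: "Governance" },
    },
    // Azure DevSecOps
    {
      id: "azure-devsecops",
      title: "Azure DevSecOps Security",
      url: "https://learn.microsoft.com/en-us/azure/devops/organizations/security/about-security-identity",
      content: `Azure DevSecOps integrates security throughout the software development lifecycle. Secure Development: Use Microsoft Security DevOps extension for GitHub and Azure DevOps. Enable GitHub Advanced Security or Azure DevOps Advanced Security. Implement secret scanning to prevent credential leaks. Use dependency scanning for vulnerable packages. Enable code scanning with CodeQL for SAST. Container Security: Scan container images in Azure Container Registry. Use Microsoft Defender for Container Registries. Implement image signing and verification. Use distroless or minimal base images. Infrastructure as Code Security: Scan ARM templates, Bicep, and Terraform with tools like Checkov. Use Azure Policy for IaC compliance. Implement template specs for approved patterns. CI/CD Pipeline Security: Use service connections with managed identities. Implement pipeline approvals and gates. Enable audit logging for pipeline activities. Use environment protection rules. Secrets Management: Store secrets in Azure Key Vault. Use variable groups linked to Key Vault. Never store secrets in code or pipeline definitions.`,
      category: "Application Security",
      metadata: { service: "DevOps" },
    },
  ];

  /**
   * Builds the Azure document list.
   *
   * Despite the name, nothing is fetched: the documents are assembled from the
   * static catalogue above, so there is no failure path and the try/catch that
   * previously wrapped the pushes was unreachable. A new array with fresh
   * document and metadata objects is returned on every call, so callers may
   * mutate the result without affecting later calls.
   *
   * @returns every curated Azure document, tagged with `source: "Azure"`.
   */
  async fetchDocuments(): Promise<SecurityDocument[]> {
    console.error("Fetching Azure Security documents...");
    const documents: SecurityDocument[] = AzureSource.CURATED.map((entry) => ({
      id: entry.id,
      source: "Azure",
      title: entry.title,
      url: entry.url,
      content: entry.content,
      category: entry.category,
      // NOTE(review): this stamps the time of the call, not when the summary
      // text was last reviewed, so consumers cannot distinguish stale guidance
      // from fresh — confirm whether a fixed curation date is intended here.
      lastUpdated: new Date(),
      metadata: { ...entry.metadata },
    }));
    console.error(`Fetched ${documents.length} Azure documents`);
    return documents;
  }
}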