Generic Filters
These filters can be applied to a specific resource type, such as azure.vm, or they can be
applied to all Azure resources by using azure.armresource as the resource type.
Metric Filter
MetricFilter
Filters Azure resources based on live metrics from the Azure monitor.
    properties:
      aggregation:
        enum:
        - total
        - average
      filter:
        type: string
      interval:
        enum:
        - PT1M
        - PT5M
        - PT15M
        - PT30M
        - PT1H
        - PT6H
        - PT12H
        - P1D
      metric:
        type: string
      no_data_action:
        enum:
        - include
        - exclude
      op:
        enum:
        - eq
        - equal
        - ne
        - not-equal
        - gt
        - greater-than
        - ge
        - gte
        - le
        - lte
        - lt
        - less-than
      threshold:
        type: number
      timeframe:
        type: number
      type:
        enum:
        - metric
    required:
    - type
    - metric
    - op
    - threshold
Metrics for Custodian-supported Azure resources:
Click here for a full list of metrics supported by Azure resources.
Example Policies
Find VMs with an average Percentage CPU greater than or equal to 75% over the last 12 hours
    policies:
      - name: find-busy-vms
        resource: azure.vm
        filters:
          - type: metric
            metric: Percentage CPU
            aggregation: average
            op: ge
            threshold: 75
            timeframe: 12
Find KeyVaults with more than 1000 API hits in the last hour
    policies:
      - name: keyvault-hits
        resource: azure.keyvault
        filters:
          - type: metric
            metric: ServiceApiHit
            aggregation: total
            op: gt
            threshold: 1000
            timeframe: 1
Find SQL servers with less than 10% average DTU consumption across all databases over last 24 hours
    policies:
      - name: dtu-consumption
        resource: azure.sqlserver
        filters:
          - type: metric
            metric: dtu_consumption_percent
            aggregation: average
            op: lt
            threshold: 10
            timeframe: 24
            filter: "DatabaseResourceId eq '*'"
Tag Filter
The “tag filter” is implicitly just the ValueFilter (see Generic Filters). It can be used to filter resources on the presence, absence or value of a tag.
    properties:
      default:
        type: object
      key:
        type: string
      op:
        enum:
        - eq
        - equal
        - ne
        - not-equal
        - gt
        - greater-than
        - ge
        - gte
        - le
        - lte
        - lt
        - less-than
        - glob
        - regex
        - regex-case
        - in
        - ni
        - not-in
        - contains
        - difference
        - intersect
      type:
        enum:
        - value
      value:
        oneOf:
        - type: array
        - type: string
        - type: boolean
        - type: number
        - type: 'null'
      value_from:
        additionalProperties: 'False'
        properties:
          expr:
            oneOf:
            - type: integer
            - type: string
          format:
            enum:
            - csv
            - json
            - txt
            - csv2dict
          url:
            type: string
        required:
        - url
        type: object
      value_regex:
        type: string
      value_type:
        enum:
        - age
        - integer
        - expiration
        - normalize
        - size
        - cidr
        - cidr_size
        - swap
        - resource_count
        - expr
        - unique_size
        - date
    required:
    - type
Example Policies
This policy will delete all ARM resources with the tag ‘Tag1’ present
    policies:
      - name: delete-resources-with-Tag1
        resource: azure.armresource
        filters:
          - tag:Tag1: present
        actions:
          - type: delete
This policy will find all VMs with the tag ‘Tag1’ absent
    policies:
      - name: find-vms-without-Tag1
        resource: azure.vm
        filters:
          - tag:Tag1: absent
This policy will find all CosmosDBs with the tag ‘Tag1’ and value ‘Value1’
    policies:
      - name: find-cosmosdb-tag-value
        resource: azure.cosmosdb
        filters:
          - tag:Tag1: Value1
Marked-For-Op Filter
marked-for-op
Filters Azure resources based on previously scheduled operations via tags.
    properties:
      op:
        type: string
      skew:
        minimum: 0
        type: number
      skew_hours:
        minimum: 0
        type: number
      tag:
        type: string
      type:
        enum:
        - marked-for-op
      tz:
        type: string
    required:
    - type
Example Policies
Find VMs that have been marked for stopping and stop them
    policies:
      - name: find-vms-to-stop
        resource: azure.vm
        filters:
          - type: marked-for-op
            op: stop
        actions:
          - type: stop
Find VMs that have been marked for stopping tomorrow and notify user@domain.com
    policies:
      - name: find-vms-to-stop
        resource: azure.vm
        filters:
          - type: marked-for-op
            # 'Fast-forward' 1 day into future. skew_hours is used for hour increments
            skew: 1
            op: stop
        actions:
          - type: notify
            template: default
            subject: VMs Scheduled To Stop
            to:
              - user@domain.com
            transport:
              - type: asq
                queue: https://accountname.queue.core.windows.net/test
Cancel operation on resource marked for operation
    policies:
      - name: find-vms-to-stop
        resource: azure.resourcegroup
        filters:
          - type: marked-for-op
            op: delete
            # custodian_status is default tag, but can be configured
            tag: custodian_status
        actions:
          - type: untag
            tags: ['custodian_status']
Diagnostic Settings Filter
DiagnosticSettingsFilter
The diagnostic settings filter is implicitly just the ValueFilter (see Generic Filters) applied to the diagnostic settings of
an Azure resource.
    properties:
      default:
        type: object
      key:
        type: string
      op:
        enum:
        - eq
        - equal
        - ne
        - not-equal
        - gt
        - greater-than
        - ge
        - gte
        - le
        - lte
        - lt
        - less-than
        - glob
        - regex
        - regex-case
        - in
        - ni
        - not-in
        - contains
        - difference
        - intersect
      type:
        enum:
        - diagnostic-settings
      value:
        oneOf:
        - type: array
        - type: string
        - type: boolean
        - type: number
        - type: 'null'
      value_from:
        additionalProperties: 'False'
        properties:
          expr:
            oneOf:
            - type: integer
            - type: string
          format:
            enum:
            - csv
            - json
            - txt
            - csv2dict
          url:
            type: string
        required:
        - url
        type: object
      value_regex:
        type: string
      value_type:
        enum:
        - age
        - integer
        - expiration
        - normalize
        - size
        - cidr
        - cidr_size
        - swap
        - resource_count
        - expr
        - unique_size
        - date
    required:
    - type
Example Policies
Find Load Balancers that have logs enabled for both the LoadBalancerProbeHealthStatus category and the LoadBalancerAlertEvent category. The use of value_type: swap is important for these examples: it swaps the value and the evaluated key, so the filter checks that the provided value is in the logs.
    policies:
      - name: find-load-balancers-with-logs-enabled
        resource: azure.loadbalancer
        filters:
          - type: diagnostic-settings
            key: logs[?category == 'LoadBalancerProbeHealthStatus'][].enabled
            value: True
            op: in
            value_type: swap
          - type: diagnostic-settings
            key: logs[?category == 'LoadBalancerAlertEvent'][].enabled
            value: True
            op: in
            value_type: swap
Find KeyVaults that have logs enabled for the AuditEvent category.
    policies:
      - name: find-keyvaults-with-logs-enabled
        resource: azure.keyvault
        filters:
          - type: diagnostic-settings
            key: logs[?category == 'AuditEvent'][].enabled
            value: True
            op: in
            value_type: swap
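Why value_type: swap matters in the diagnostic-settings policies above, as an added example that is not Cloud Custodian's own code: a simplified Python model of the comparison the filter performs. The eval_key helper is a hand-written stand-in for the JMESPath key, and the three Key Vault settings are constructed sample data.

```python
# Added illustration: a simplified model of value-filter matching,
# not Cloud Custodian source code. All names here are hypothetical.

# Constructed diagnostic settings for three hypothetical Key Vaults.
SETTINGS = {
    "kv-audited": {"logs": [{"category": "AuditEvent", "enabled": True}]},
    "kv-disabled": {"logs": [{"category": "AuditEvent", "enabled": False}]},
    "kv-no-logs": {"logs": []},
}


def eval_key(setting, category):
    """Stand-in for the key: logs[?category == '<category>'][].enabled.

    Like the JMESPath projection, it always returns a list, even when
    exactly one log category matches.
    """
    return [log["enabled"] for log in setting.get("logs", [])
            if log.get("category") == category and "enabled" in log]


# Operators take (resource_value, policy_value), in that order.
OPS = {
    "eq": lambda resource_value, policy_value: resource_value == policy_value,
    "in": lambda resource_value, policy_value: resource_value in policy_value,
}


def matches(setting, category, value, op="eq", value_type=None):
    left, right = eval_key(setting, category), value
    if value_type == "swap":
        # swap: the policy value becomes the left operand, the key result the right
        left, right = right, left
    try:
        return bool(OPS[op](left, right))
    except TypeError:
        # Without swap, "in" asks "[True] in True": a bool is not a container.
        return False


def audit(value, op, value_type=None):
    """Evaluate the AuditEvent check against every sample setting."""
    return {name: matches(s, "AuditEvent", value, op, value_type)
            for name, s in SETTINGS.items()}


if __name__ == "__main__":
    print("in + swap:", audit(True, "in", "swap"))
    print("in       :", audit(True, "in"))
    print("eq       :", audit(True, "eq"))
```

Only the in plus swap combination separates the audited vault from the other two; a disabled category and a missing category both evaluate to no match.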