I’ve recently published a new GitHub repository—Azure Security Assessment Templates—that bundles practical templates, checklists, policies, and automation to help teams assess and strengthen Azure environments. It’s designed for real projects: clear structure, fast onboarding, and opinionated defaults that align with common frameworks like ISO/IEC 27001 and SOC 2, plus Azure best practices.
By the numbers
This isn’t just another collection of templates—it’s an enterprise-grade platform built for serious security work:
- 186+ files spanning assessments, compliance, monitoring, and automation
- 93 ISO 27001 controls with implementation guidance and evidence templates
- 60+ SOC 2 control activities across all five Trust Service Categories
- 51 Microsoft Sentinel components including analytics rules, data connectors, and playbooks
- 74+ CI/CD pipeline files for GitHub Actions, Azure DevOps, and GitLab CI
- 300+ data connector capabilities spanning Azure, AWS, GCP, and Microsoft 365
- 15-minute deployment from clone to operational baseline with 15+ policies active
What is it and who is it for?
This collection gives security, cloud, and DevOps teams a ready-to-use foundation for Azure security assessments and continuous monitoring. If you regularly prepare for audits, need consistent evidence, or want to standardize your Azure security workflows, this is for you. Whether you’re a security consultant delivering assessments to multiple clients, an internal security team building compliance programs, or a DevOps engineer implementing security gates, this repository provides the structured foundation you need.
What makes this different?
- Infrastructure-as-Code first: Everything deployable via Bicep/ARM templates and automation scripts—no manual portal clicking required.
- Multi-framework alignment: Pre-mapped controls for ISO 27001, SOC 2, and Microsoft Cloud Security Benchmark in one unified platform.
- End-to-end workflow: Complete coverage from initial assessment planning through implementation, validation, monitoring, and final reporting.
- Enterprise battle-tested: Patterns and templates refined through real-world implementations across financial services, healthcare, and technology sectors.
- Open source MIT license: Full customization freedom—fork, modify, and adapt to your organization’s specific needs.
- Active maintenance: Regular updates to align with evolving Azure services, compliance frameworks, and threat landscapes.
Highlights at a glance
- Enterprise-grade coverage: a structured, multi-folder repository with templates for assessments, reporting, CI/CD, policy as code, and Azure Sentinel (Microsoft Sentinel) content.
- Compliance alignment: mappings and templates for ISO/IEC 27001 and SOC 2, plus Microsoft Cloud Security Benchmark alignment in Best Practices.
- Automation-first: deployment scripts, policy baselines, CI/CD gates, and Sentinel content to get from “empty” to “monitored” quickly.
- Built for teams: role checklists, RACI matrices, runbooks, and report scaffolding to drive a consistent assessment workflow end-to-end.
Repository structure (what you get)
The repo is organized so you can find the right artifact quickly:
- Assessment/ – plan, questionnaires, methodology, architecture review checklists, scoring model.
- Compliance/ – ISO 27001 and SOC 2 mappings, SoA and ISMS scope templates, evidence lists.
- Policies/ – Azure Policy definitions/initiatives and guidance to enforce controls by code.
- Sentinel/ – Microsoft Sentinel analytics rules, playbooks, data connectors, monitoring, and deployment artifacts.
- Pipelines/ – GitHub Actions, Azure DevOps, and GitLab CI templates for security scanning and gates.
- Checklists/, Roles/, Runbooks/, Report/ – hand-offs for roles, operational procedures, and reporting templates.
- Standards/, BestPractices/ – internal standards and MCSB-aligned guidance.
- Scripts/ – quick deployment and helper scripts (e.g., baseline rollout).
- Artifacts/ – risk registers, threat models, and remediation tracking templates.
Architecture & design principles
Deployment models
The repository supports two primary deployment patterns to match your organizational structure:
- Single-subscription model: Centralizes all management and security resources within one subscription, ideal for small to medium organizations. Security resource groups sit alongside application resources with centralized policy enforcement and RBAC.
- Multi-subscription enterprise model: Hierarchical structure using Azure management groups (Root → Production/Non-Production/Platform) with centralized security infrastructure. A dedicated security subscription hosts Log Analytics, Sentinel, and Key Vault, aggregating data from all child subscriptions.
Defense in depth
The framework implements seven security layers aligned with Azure’s defense-in-depth model:
- Physical security: Azure datacenter protections (Microsoft-managed)
- Identity & access: Azure AD with MFA, conditional access, and privileged identity management
- Perimeter: Azure Firewall, Application Gateway with WAF, DDoS Protection
- Network: Network Security Groups, private endpoints, service endpoints, micro-segmentation
- Compute: Microsoft Defender for Cloud, just-in-time VM access, disk encryption
- Application: Secure development practices, vulnerability scanning, API security
- Data: Encryption at rest and in transit, Azure Key Vault, data loss prevention
Each layer includes preventive, detective, and corrective controls mapped to your chosen compliance framework.
Zero Trust principles
All templates align with Microsoft’s Zero Trust architecture:
- Verify explicitly: Always authenticate and authorize based on all available data points—identity, location, device health, service or workload, data classification, and anomalies.
- Least privilege access: Just-in-time and just-enough-access (JIT/JEA), risk-based adaptive policies, and data protection to minimize blast radius.
- Assume breach: Minimize blast radius through network segmentation, end-to-end encryption, analytics for threat detection, and automated threat response.
Network architecture
The reference architecture implements a hub-spoke topology:
- Hub: Central network with Azure Firewall, VPN Gateway, and Azure Bastion for secure connectivity
- Spokes: Segregated networks for identity services, management tools, and application workloads
- Private endpoints: Applications communicate with databases and storage through private endpoints mapped to private DNS zones, eliminating public internet exposure
- Centralized routing: All traffic flows through hub security appliances for inspection and policy enforcement
Microsoft Sentinel: Enterprise SIEM & SOAR
The Sentinel implementation is one of the repository’s most comprehensive components, providing cloud-native security monitoring and automated response capabilities.
Core capabilities
- 51 pre-built components: Analytics rules, data connectors, Logic App playbooks, workbooks, parsers, and watchlists
- 300+ data connector support: Native Azure services, CEF/Syslog protocols for third-party tools, and custom API-based connectors via Azure Functions
- UEBA (User and Entity Behavior Analytics): Machine learning-powered behavioral anomaly detection to identify insider threats and compromised accounts
- Fusion ML: Advanced attack correlation across multiple signals to detect sophisticated multi-stage attacks
- MITRE ATT&CK mapping: All analytics rules mapped to MITRE framework tactics and techniques for structured threat intelligence
- ASIM (Advanced Security Information Model): Standardized schema for consistent querying across heterogeneous data sources
Multi-cloud integration
Built-in connectors for comprehensive security monitoring:
- Azure: Activity logs, Azure AD, Key Vault, Storage, Network Security Groups, Application Gateway
- AWS: CloudTrail, VPC Flow Logs, GuardDuty findings
- GCP: Cloud Audit Logs, Security Command Center
- Microsoft 365: Office 365, Exchange Online, SharePoint, Teams, Defender for Endpoint
- Third-party: Common Event Format (CEF) and Syslog integration for firewalls, proxies, and legacy systems
Automated incident response
Logic Apps-based playbooks orchestrate responses across the incident lifecycle:
- Enrichment playbooks: Automatically gather context from threat intelligence feeds, IP reputation databases, and user directories
- Containment playbooks: Disable compromised accounts, isolate infected VMs, block malicious IPs at firewall
- Notification playbooks: Alert SOC teams via Teams/Slack, create ServiceNow tickets, escalate to on-call engineers
- Remediation playbooks: Reset user credentials, revoke session tokens, apply security patches, update NSG rules
Workspace sizing guidance
Choose appropriate Log Analytics workspace tier based on daily ingestion:
- Small (5-50 GB/day): Single workspace, suitable for organizations with 100-500 users
- Medium (50-500 GB/day): Dedicated workspace per region or business unit, supports 500-5,000 users
- Large (500 GB-5 TB/day): Multi-workspace with aggregation, serves 5,000-50,000 users
- Enterprise (5+ TB/day): Distributed architecture with dedicated commitment tiers for cost optimization
CI/CD security integration
The repository includes comprehensive pipeline templates with integrated security scanning tools to catch issues before production.
Security scanning tools
- Checkov: Infrastructure-as-Code static analysis for Terraform, CloudFormation, Kubernetes, ARM templates, and Bicep. Detects misconfigurations against 1,000+ built-in policies.
- Trivy: Comprehensive vulnerability and misconfiguration scanner for container images, filesystems, and Git repositories. Scans OS packages, language-specific dependencies, and IaC files.
- Gitleaks: Fast, lightweight secret detection tool that scans git repositories for hardcoded credentials, API keys, tokens, and private keys using 200+ regex patterns.
- CodeQL: Semantic code analysis engine by GitHub that queries code like data. Supports C/C++, C#, Go, Java, JavaScript/TypeScript, Python, and Ruby with deep vulnerability detection.
- Syft: Software Bill of Materials (SBOM) generation tool that catalogs packages and dependencies. Creates SPDX, CycloneDX, and Syft-native SBOMs for supply chain security.
Pipeline architecture
Progressive deployment with security gates at each stage:
- Source control: Feature branches trigger validation workflows
- Validation phase: Parallel execution of Checkov (IaC), Trivy (containers), Gitleaks (secrets), CodeQL (code), and unit tests
- Security gates: Builds fail on critical/high severity findings unless explicitly acknowledged
- Build & package: Generate SBOM with Syft, sign artifacts, push to secure registry
- Progressive deployment: Dev → Staging → Manual Approval → Production with automated rollback
- Policy enforcement: Azure Policy evaluation in each environment before resource deployment
Templates provided for GitHub Actions (.github/workflows/), Azure DevOps (Pipelines/AzureDevOps/), and GitLab CI (Pipelines/GitLabCI/). Each platform includes starter workflows, advanced multi-stage pipelines, and security-focused templates.
Enterprise integrations
Connect your security platform to existing enterprise systems:
SIEM integration
- Splunk: Azure Event Hubs streaming with Azure Monitor diagnostic settings. Send Sentinel incidents, Azure Activity logs, and NSG flow logs to Splunk for unified correlation.
- QRadar/ArcSight: CEF/Syslog forwarding via Azure Functions or dedicated log collectors
ITSM integration
- ServiceNow: REST API integration via Logic Apps to automatically create incidents, change requests, and configuration items. Bi-directional sync keeps ticket status aligned with Sentinel.
- JIRA: Webhook-based integration for creating security issues, tracking remediation tasks, and linking findings to development sprints
Collaboration platforms
- Microsoft Teams: Adaptive cards sent to security channels for high-severity alerts with action buttons for acknowledge/escalate/investigate
- Slack: Webhook notifications with interactive workflows for incident triage and response coordination
- PagerDuty: On-call escalation for critical incidents based on severity and business impact
Threat intelligence platforms
- TAXII/STIX feeds: Import threat indicators from commercial and open-source feeds
- Microsoft Defender Threat Intelligence: Native integration with Microsoft’s global threat intelligence network
- Custom watchlists: Import IP blocklists, known bad domains, and organizational threat intelligence
Advanced features
Multi-region deployment
Templates support geo-distributed deployments for resilience and data residency:
- Region-specific resource groups with consistent naming conventions
- Cross-region Log Analytics workspace replication for disaster recovery
- Traffic Manager or Front Door for global load balancing with failover
- Regional compliance controls (e.g., GDPR data residency in EU regions)
Automated remediation
Azure Policy supports four enforcement effects:
- Audit: Log non-compliant resources without blocking deployment
- Deny: Block creation of non-compliant resources
- Modify: Automatically fix configuration drift (e.g., add required tags, enable diagnostic settings)
- DeployIfNotExists: Automatically deploy missing security controls (e.g., install monitoring agents, enable encryption)
The repository includes remediation tasks configured for common scenarios like enabling HTTPS-only storage, enforcing TLS 1.2 minimum, and deploying Azure Monitor agents.
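To make the four effects concrete, here is an added example (my own code, not from the Templates repository) that writes a TLS 1.2 storage-account policy in the real Azure Policy rule schema and simulates locally how Audit, Deny, Modify and DeployIfNotExists assignments act on constructed resource requests, including the way an overlapping Deny blocks regardless of other assignments. The role definition id and the resource payloads are placeholders/constructed values.

```python
import copy

# Constructed definition in the real Azure Policy rule schema: require TLS 1.2 on
# storage accounts. 'effect' is a parameter so one definition can be assigned as
# Audit first and graduated to Modify or Deny after stakeholder review.
TLS_POLICY = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
         "notEquals": "TLS1_2"},
    ]},
    "then": {
        "effect": "[parameters('effect')]",
        "details": {  # needed by Modify/DeployIfNotExists; role id is a placeholder
            "roleDefinitionIds": ["<ROLE-DEFINITION-ID-PLACEHOLDER>"],
            "operations": [{"operation": "addOrReplace",
                            "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
                            "value": "TLS1_2"}],
        },
    },
}

# Constructed resource requests: one legacy account on TLS 1.0, one compliant.
LEGACY_SA = {"type": "Microsoft.Storage/storageAccounts",
             "properties": {"minimumTlsVersion": "TLS1_0"}}
COMPLIANT_SA = {"type": "Microsoft.Storage/storageAccounts",
                "properties": {"minimumTlsVersion": "TLS1_2"}}

# Azure evaluates Modify before Deny and Deny before Audit; DeployIfNotExists
# runs after a successful deployment and only queues a remediation task.
EFFECT_ORDER = {"Modify": 0, "Deny": 1, "Audit": 2, "DeployIfNotExists": 3}


def _prop(resource, alias):
    """Resolve a policy alias: 'type' is top-level, provider aliases map to properties."""
    if alias == "type":
        return resource.get("type")
    return resource.get("properties", {}).get(alias.rsplit("/", 1)[-1])


def _matches(cond, resource):
    """Evaluate the 'if' block; supports allOf plus field/equals/notEquals."""
    if "allOf" in cond:
        return all(_matches(c, resource) for c in cond["allOf"])
    value = _prop(resource, cond["field"])
    return value == cond["equals"] if "equals" in cond else value != cond["notEquals"]


def evaluate(resource, assignments):
    """Apply (assignment_name, effect) pairs to one request; returns
    (decision, resulting_resource, findings). Overlapping assignments never
    relax each other: one Deny blocks even if the others only Audit."""
    resource, findings, decision = copy.deepcopy(resource), [], "allow"
    for name, effect in sorted(assignments, key=lambda a: EFFECT_ORDER[a[1]]):
        if not _matches(TLS_POLICY["if"], resource):
            continue  # compliant, possibly because an earlier Modify fixed it
        if effect == "Modify":
            for op in TLS_POLICY["then"]["details"]["operations"]:
                resource["properties"][op["field"].rsplit("/", 1)[-1]] = op["value"]
            findings.append((name, "modified"))
        elif effect == "Deny":
            decision = "deny"
            findings.append((name, "denied"))
        else:  # Audit logs it; DeployIfNotExists queues a remediation task
            findings.append((name, "non-compliant" if effect == "Audit" else "remediation-task"))
    return decision, resource, findings
```

Running the same legacy request through an Audit-only assignment, then Audit plus Deny, then Deny plus Modify shows the graduation path the post recommends: the Modify fixes the request in flight, so the Deny no longer fires.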
Custom parser development
Sentinel KQL parsers normalize data from custom applications and third-party tools:
- Sample parsers for common log formats (Apache, NGINX, custom application logs)
- ASIM-compliant parser templates for authentication, network sessions, and file activity
- Testing framework with sample data for parser validation
Threat hunting workbooks
Pre-built KQL queries and interactive workbooks for proactive threat hunting:
- Anomalous authentication patterns (impossible travel, unusual login times)
- Lateral movement detection (RDP/SSH between servers, Pass-the-Hash indicators)
- Data exfiltration patterns (large file transfers, unusual Azure Storage access)
- Privilege escalation (role assignment changes, PIM activation patterns)
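As an added example of the impossible-travel pattern listed above (my own code, not a query or workbook from the repository), the following runs the detection logic locally over constructed sign-in events: consecutive sign-ins by the same user are compared and flagged when the implied ground speed exceeds what an airliner can do. User names, IPs and coordinates are constructed; the 900 km/h threshold and 50 km GeoIP-jitter floor are assumptions to tune per environment.

```python
import math
from datetime import datetime, timezone

# Constructed SigninLogs-style events: user, UTC timestamp, GeoIP lat/lon, source IP.
SIGNINS = [
    {"user": "alice@contoso.example", "time": "2024-05-01T08:00:00Z", "lat": 47.61, "lon": -122.33, "ip": "198.51.100.7"},
    {"user": "alice@contoso.example", "time": "2024-05-01T09:30:00Z", "lat": 52.52, "lon": 13.40, "ip": "203.0.113.9"},
    {"user": "bob@contoso.example", "time": "2024-05-01T08:00:00Z", "lat": 40.71, "lon": -74.01, "ip": "198.51.100.20"},
    {"user": "bob@contoso.example", "time": "2024-05-01T20:00:00Z", "lat": 34.05, "lon": -118.24, "ip": "198.51.100.21"},
]

MAX_SPEED_KMH = 900   # assumed ceiling: roughly airliner cruise speed
MIN_DISTANCE_KM = 50  # assumed floor: ignore same-city / GeoIP jitter


def _ts(value):
    """Parse the ISO-8601 'Z' timestamps Sentinel exports as UTC datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points (mean Earth radius)."""
    rlat1, rlat2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = rlat2 - rlat1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(rlat1) * math.cos(rlat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return one finding per consecutive sign-in pair (per user) whose implied
    speed exceeds max_speed_kmh. Two distant sign-ins with zero elapsed time
    are treated as infinite speed rather than raising a division error."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: _ts(e["time"]))
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < MIN_DISTANCE_KM:
                continue
            hours = (_ts(cur["time"]) - _ts(prev["time"])).total_seconds() / 3600
            speed = dist / hours if hours > 0 else math.inf
            if speed > max_speed_kmh:
                findings.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                                 "km": round(dist), "hours": round(hours, 2),
                                 "kmh": round(speed) if math.isfinite(speed) else math.inf})
    return findings
```

Alice's Seattle-to-Berlin pair 90 minutes apart is flagged; Bob's New York-to-Los Angeles pair twelve hours apart is not.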
Recommended assessment workflow
- Planning – define scope, stakeholders, and the target framework (ISO 27001, SOC 2). Use the assessment plan and RACI templates in Assessment/Planning/. Identify resources, timelines, and success criteria.
- Discovery – send questionnaires from Assessment/Questionnaires/, review architecture using Assessment/ArchitectureReview/, run technical checks with role-specific lists in Checklists/. Document current state.
- Implementation – deploy the baseline with Scripts/deploy-baseline.sh, enable policies from Policies/, onboard Sentinel content, and wire CI/CD security gates from Pipelines/.
- Validation – test controls using Assessment/Testing/, assess risk with Artifacts/RiskRegister/, collect evidence using Compliance/Evidence/ (registers, sampling plans, procedures).
- Reporting – compile findings using templates in Report/, create a remediation plan with Artifacts/RemediationPlan/, and generate the final report with executive summary and control matrices.
Getting started (15 minutes to baseline)
Prerequisites
Before beginning, ensure you have:
- Azure CLI version 2.50.0 or later installed and configured
- jq tool for JSON processing (install via brew install jq on macOS or apt-get install jq on Linux)
- Azure subscription with Owner or Contributor access (not just Reader)
- Log Analytics workspace pre-created for Sentinel (or use deployment script to create one)
- GitHub account for CI/CD pipeline setup (if using GitHub Actions)
- Resource permissions to create resource groups, assign policies, and deploy Sentinel
Initial setup
```bash
# Clone the repository
git clone https://github.com/ilyafedotov-ops/Templates.git
cd Templates

# Set environment variables
export AZURE_SUBSCRIPTION_ID="your-subscription-id-here"
export RESOURCE_GROUP="rg-security-assessment"
export LOCATION="eastus2"
export WORKSPACE_NAME="law-security-$(date +%Y%m%d)"

# Authenticate to Azure and select the target subscription
az login
az account set --subscription "$AZURE_SUBSCRIPTION_ID"

# Create resource group
az group create \
  --name "$RESOURCE_GROUP" \
  --location "$LOCATION"

# Create Log Analytics workspace
az monitor log-analytics workspace create \
  --resource-group "$RESOURCE_GROUP" \
  --workspace-name "$WORKSPACE_NAME" \
  --location "$LOCATION"
```
Deploy baseline
```bash
# Deploy security baseline (policies + Sentinel + monitoring)
./Scripts/deploy-baseline.sh \
  --resource-group "$RESOURCE_GROUP" \
  --workspace "$WORKSPACE_NAME" \
  --location "$LOCATION"

# Verify deployment
az policy assignment list \
  --resource-group "$RESOURCE_GROUP" \
  --query "[].{Name:name, Policy:policyDefinitionId}" \
  --output table
```
Verify deployment
After deployment completes (typically 5-10 minutes), verify:
- 15+ Azure policies assigned at subscription or resource group scope
- 5+ Sentinel analytics rules active and ingesting data
- Data connectors configured for Azure Activity, Azure AD, and Security Center
- Workbooks available in Sentinel for security posture visualization
Next steps
- Review and customize policies in Policies/ for your environment (test in non-prod first)
- Configure additional Sentinel data connectors in Sentinel/DataConnectors/
- Set up CI/CD pipelines using templates in Pipelines/
- Begin compliance assessment using questionnaires in Assessment/
- Review ARCHITECTURE.md for deployment patterns and FAQ.md for common questions
Common use cases
- Audit readiness: standardize evidence and mappings for recurring ISO/SOC audits with pre-built control matrices and evidence collection templates.
- Greenfield setup: enforce a secure baseline in new subscriptions from day one with automated policy deployment and monitoring.
- Continuous compliance: policy initiatives + Sentinel monitoring to keep drift in check with automated remediation and alerting.
- Consulting delivery: repeatable assessments with consistent reports and hand-offs for MSPs and security consultancies serving multiple clients.
- M&A due diligence: rapid security posture assessment of acquisition targets with standardized methodology and reporting.
- Regulatory response: quickly demonstrate compliance posture to regulators with audit-ready documentation and evidence trails.
Practical tips
- Run policy evaluations in a non-prod subscription first; enable remediation only after review to avoid unintended production impact.
- Parameterize environment differences (dev/stage/prod) rather than duplicating policy/queries—use Azure Policy parameters and Sentinel workspace functions.
- Keep CI pipelines fast: cache scanners and split long jobs; run deep scans (CodeQL, container scanning) on a schedule rather than every commit.
- Document exceptions with expiry dates in Artifacts/RiskRegister/; add Sentinel rules to watch those areas closely for compensating controls.
- Start with audit-only policies and graduate to deny/modify after stakeholder review—reduces friction and builds confidence.
- Use Sentinel watchlists for dynamic allow/block lists instead of hardcoding in analytics rules—enables SOC updates without rule changes.
- Schedule regular “purple team” exercises using Sentinel’s attack simulation capabilities to validate detection coverage.
- Leverage Azure Resource Graph for bulk compliance queries across subscriptions—faster than portal and scriptable for reports.
Troubleshooting & FAQ
What if I don’t have a Log Analytics workspace?
The deployment script can create one automatically. Simply omit the --workspace parameter and the script will provision a new workspace with appropriate retention and pricing tier.
Can I deploy to existing subscriptions with resources?
Yes. Policies are assigned in audit mode by default to avoid disrupting existing workloads. Review policy compliance reports before switching to deny or remediation modes.
How do I handle policy conflicts with existing assignments?
Azure Policy uses precedence rules where deny always wins. If you have conflicting assignments, the most restrictive (deny) takes precedence. Use exclusions at the resource group or resource level for exceptions, and document in your risk register.
What are the costs?
Primary costs:
- Log Analytics: $2-3 per GB ingested (varies by region and commitment tier)
- Sentinel: $2-3 per GB analyzed (separate from Log Analytics)
- Azure Policy: Free for first 1,000 resources, then $2 per 1,000 resources per month
- Logic Apps: Per-execution pricing (starts at $0.000025 per action)
Estimate 5-50 GB/day for small environments (100-500 users), resulting in ~$300-3,000/month for comprehensive monitoring.
How long does implementation take?
- Baseline deployment: 15 minutes (automated)
- Full assessment: 2-4 weeks depending on scope and organizational size
- Ongoing operations: 4-8 hours/week for SOC monitoring and policy maintenance
Can I use this for non-Azure clouds?
While optimized for Azure, the assessment methodology, compliance mappings, and reporting templates are cloud-agnostic. The Sentinel platform supports multi-cloud data ingestion from AWS and GCP. Policy enforcement would require Terraform/CloudFormation equivalents.
Is training or certification required?
No specific certification required, but recommended knowledge includes:
- Azure fundamentals and resource management
- Basic KQL (Kusto Query Language) for Sentinel customization
- Infrastructure-as-Code concepts (ARM/Bicep)
- Familiarity with your target compliance framework (ISO 27001 or SOC 2)
Contribute & feedback
Have ideas or gaps to close? Open an issue or send a PR. If this saves you time, please star the repo and share it with your team. The project is actively maintained with regular updates for new Azure services and evolving compliance requirements.
🔗 github.com/ilyafedotov-ops/Templates
Author: Ilya Fedotov — Infrastructure Consultant