Baselines
Create and manage configuration baselines for drift detection
Baselines define your expected configuration state. Drift detection compares current settings against baselines to identify changes.
Understanding Baselines
A baseline captures what your configuration should look like:
- Snapshot baseline - Current configuration captured at a point in time
- Policy baseline - Explicitly defined expected values
- Template baseline - Industry-standard configurations
Creating Baselines
From Current Configuration
Capture your current settings as a baseline:
- Go to Drift Detection > Baselines
- Click Create Baseline
- Select From Current Configuration
- Choose resource type (e.g., Conditional Access Policies)
- Select specific resources or all
- Click Create Baseline
This creates a snapshot of current settings as your expected state.
From Policy Definition
Define explicit expected values:
- Go to Drift Detection > Baselines
- Click Create Baseline
- Select Policy Baseline
- Choose resource type
- Define expected values using the form
- Click Create Baseline
Use this when you know the exact values you want enforced.
From Template
Use pre-built industry templates:
- Go to Drift Detection > Baselines
- Click Create Baseline
- Select From Template
- Choose a template (e.g., CIS Benchmark)
- Review and customize
- Click Create Baseline
Templates are based on security frameworks and industry best practices.
Baseline Configuration
Comparison Rules
Define how current values are compared to baselines:
| Rule | Description | Use Case |
|---|---|---|
| Exact Match | Values must be identical | Boolean settings, specific strings |
| Contains | Current value must contain the baseline value | Partial matches, lists |
| Regex | Current value must match the pattern | Complex validation |
| Greater Than | Current value must exceed the baseline value | Thresholds, limits |
| Less Than | Current value must be below the baseline value | Maximum values |
Example Comparison Rules
Exact Match
```
Expected: "enabled"
Current: "enabled" → Pass
Current: "disabled" → Fail
```
Contains
```
Expected: ["admin@company.com"]
Current: ["admin@company.com", "security@company.com"] → Pass
Current: ["user@company.com"] → Fail
```
Regex
```
Expected: "^(daily|weekly)$"
Current: "daily" → Pass
Current: "monthly" → Fail
```
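As an added illustration (not the product's own code), the five comparison rules and the pass/fail examples above can be expressed as a small evaluator that turns failing checks into drift events carrying the baseline's severity; the rule names, the baseline dictionary layout and the sample values are assumptions for this example.

```python
import re
from typing import Any

# Rule names, the baseline dict layout and the sample values below are
# assumptions made for this example; they are not the product's API.

def evaluate(rule: str, expected: Any, current: Any) -> bool:
    """Return True when `current` satisfies `expected` under `rule`."""
    if rule == "exact":
        return current == expected
    if rule == "contains":
        if isinstance(expected, (list, tuple, set)):
            # List baseline: every expected item must be present in current.
            return all(item in current for item in expected)
        return str(expected) in str(current)  # string baseline: substring
    if rule == "regex":
        # The pattern supplies its own anchors (e.g. "^(daily|weekly)$").
        return re.search(expected, str(current)) is not None
    if rule == "greater_than":
        return float(current) > float(expected)
    if rule == "less_than":
        return float(current) < float(expected)
    raise ValueError(f"unknown comparison rule: {rule!r}")

def detect_drift(baseline: dict, current_config: dict) -> list[dict]:
    """One drift event per failing check; severity comes from the baseline.
    A setting missing from current_config is reported as drift rather than
    skipped, so a removed policy cannot pass unnoticed."""
    events = []
    for setting, check in baseline["checks"].items():
        current = current_config.get(setting)
        if current is None or not evaluate(check["rule"], check["expected"], current):
            events.append({"setting": setting, "expected": check["expected"],
                           "current": current, "severity": baseline["severity"]})
    return events

# Constructed sample data mirroring the examples on this page.
BASELINE = {"name": "CA policy baseline", "severity": "High", "checks": {
    "state": {"rule": "exact", "expected": "enabled"},
    "excluded_users": {"rule": "contains", "expected": ["admin@company.com"]},
    "review_frequency": {"rule": "regex", "expected": "^(daily|weekly)$"},
    "sign_in_frequency_hours": {"rule": "less_than", "expected": 24},
}}
CURRENT = {"state": "disabled", "excluded_users": ["admin@company.com", "security@company.com"],
           "review_frequency": "monthly", "sign_in_frequency_hours": 12}

if __name__ == "__main__":
    for e in detect_drift(BASELINE, CURRENT):
        print(f"[{e['severity']}] {e['setting']}: expected {e['expected']!r}, got {e['current']!r}")
```

Running it reports two events, both at the baseline's severity: the disabled policy state and the "monthly" review frequency, while the list and numeric checks pass.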
Severity Assignment
Assign severity to baselines:
- In baseline settings, find Severity
- Select: Critical, High, Medium, or Low
- This severity applies to all drift events from this baseline
Set severity based on security impact, not frequency of changes.
Managing Baselines
Viewing Baselines
The baselines list shows:
| Column | Description |
|---|---|
| Name | Baseline identifier |
| Resource Type | What it monitors |
| Created | When baseline was created |
| Last Updated | Most recent modification |
| Status | Active or inactive |
Editing Baselines
To modify a baseline:
- Click on the baseline name
- Click Edit
- Update expected values or rules
- Click Save Changes
Editing a baseline doesn't automatically resolve existing drift events. Review and update event statuses as needed.
Deactivating Baselines
Temporarily stop monitoring:
- Click on the baseline
- Click Deactivate
- Monitoring pauses; existing events remain
Reactivate by clicking Activate on an inactive baseline.
Deleting Baselines
Permanently remove a baseline:
- Click on the baseline
- Click Delete
- Confirm deletion
Deleting a baseline removes all associated drift events and history.
Baseline Best Practices
Start with Critical Resources
Prioritize baselines for:
- Conditional Access Policies - Authentication controls
- Admin Roles - Privileged access
- External Sharing - Data exposure risk
- Mail Flow Rules - Communication security
Review Regularly
Schedule baseline reviews:
| Frequency | Activities |
|---|---|
| Monthly | Review triggered alerts |
| Quarterly | Update baseline values |
| Annually | Full baseline audit |
Document Changes
When updating baselines:
- Record why the change was made
- Note who approved the change
- Update related documentation
Test Before Production
For new baselines:
- Create in "monitoring only" mode
- Review detected differences
- Adjust rules as needed
- Enable alerting when confident
Baseline Templates
Available Templates
| Template | Description |
|---|---|
| CIS Level 1 | Basic security baseline |
| CIS Level 2 | Enhanced security baseline |
| Zero Trust | Zero trust architecture |
| Custom | Your organization's standard |
Using Templates
Templates provide:
- Pre-configured expected values
- Recommended severity levels
- Industry-aligned comparison rules
Customize templates for your environment:
- Select template as starting point
- Review all settings
- Adjust for organizational requirements
- Save as your baseline
Troubleshooting
Too Many Drift Events
If baselines generate excessive events:
- Review comparison rules for accuracy
- Consider using "contains" instead of "exact"
- Increase threshold values where appropriate
- Split broad baselines into specific ones
Baseline Not Detecting Changes
If expected drift isn't caught:
- Verify baseline is active
- Check monitoring schedule is running
- Ensure comparison rules match the data format
- Review API permissions for resource access
Baseline Conflicts
If multiple baselines cover the same resource:
- Only the most specific baseline applies
- Review baseline scope for overlap
- Consider consolidating baselines
What's Next?
- Visual Builder - Create baselines visually
- History - View configuration changes
- Alerts - Configure notifications