turbot/azure_compliance

Query: log_analytics_workspace_block_non_azure_ingestion

Usage

powerpipe query azure_compliance.query.log_analytics_workspace_block_non_azure_ingestion

SQL

select
w.id as resource,
case
when type = 'Microsoft.OperationalInsights/workspaces' and disable_local_auth = 'true' then 'alarm'
else 'ok'
end as status,
case
when type = 'Microsoft.OperationalInsights/workspaces' and disable_local_auth = 'true' then w.name || ' workspace allows non-Azure log ingestion.'
else w.name || ' workspace does not allow non-Azure log ingestion.'
end as reason
, w.resource_group as resource_group
, sub.display_name as subscription
from
azure_log_analytics_workspace as w
left join azure_subscription sub on sub.subscription_id = w.subscription_id;

Controls

The query is being used by the following controls: