v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/microsoft365_compliance
Overview
4Dashboards
80Controls
21Queries
2Variables
GitHub

Query: azuread_audit_log_search_enabled

Usage

powerpipe query microsoft365_compliance.query.azuread_audit_log_search_enabled

Steampipe Tables

azuread_directory_audit_report
azuread_user
Azure Active Directory plugin

SQL

with audit_count as (
  select
    tenant_id,
    count(id)
  from
    azuread_directory_audit_report
  group by
    tenant_id
),
tenant_list as (
  select
    distinct on (tenant_id) tenant_id,
    _ctx
  from
    azuread_user
)
select
  t.tenant_id as resource,
  case
    when a.count > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when a.count > 0 then t.tenant_id || ' has audit log search enabled.'
    else t.tenant_id || ' has audit log search disabled.'
  end as reason
  , t.tenant_id as tenant_id
from
  tenant_list as t
  left join audit_count as a on t.tenant_id = a.tenant_id;

Controls

The query is being used by the following controls: