Control: Log Analytics Workspaces should block non-Azure Active Directory based ingestion
Description
Requiring Azure Active Directory authentication for log ingestion prevents an attacker from submitting unauthenticated logs, which could otherwise lead to incorrect status, false alerts, and incorrect logs stored in the workspace.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.log_analytics_workspace_block_non_azure_ingestion
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.log_analytics_workspace_block_non_azure_ingestion --share
SQL
This control uses a named query:
select
  w.id as resource,
  -- disable_local_auth = true means workspace-key (non-Azure AD) ingestion is blocked,
  -- which is the compliant state; false or null (feature never set) leaves local auth
  -- enabled and is reported as an alarm.
  case
    when type = 'Microsoft.OperationalInsights/workspaces' and disable_local_auth = 'true' then 'ok'
    else 'alarm'
  end as status,
  case
    when type = 'Microsoft.OperationalInsights/workspaces' and disable_local_auth = 'true' then w.name || ' workspace does not allow non-Azure log ingestion.'
    else w.name || ' workspace allows non-Azure log ingestion.'
  end as reason,
  w.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_log_analytics_workspace as w
  left join azure_subscription sub on sub.subscription_id = w.subscription_id;
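The same evaluation written in Python over constructed workspace records, as an added illustration that is not part of the azure_compliance mod; it assumes the Azure Resource Manager response shape for Microsoft.OperationalInsights/workspaces (property path properties.features.disableLocalAuth) and shows the edge case where the feature was never set.

```python
"""Added example: evaluate the control's condition over ARM-shaped workspace records."""

# Constructed sample records; only properties.features.disableLocalAuth matters here.
WORKSPACES = [
    {"name": "law-prod", "type": "Microsoft.OperationalInsights/workspaces",
     "properties": {"features": {"disableLocalAuth": True}}},
    {"name": "law-dev", "type": "Microsoft.OperationalInsights/workspaces",
     "properties": {"features": {"disableLocalAuth": False}}},
    # Feature never set: Azure defaults to allowing workspace-key ingestion.
    {"name": "law-legacy", "type": "Microsoft.OperationalInsights/workspaces",
     "properties": {}},
]


def blocks_non_aad_ingestion(ws: dict) -> bool:
    """True only when disableLocalAuth is explicitly true (null/missing counts as enabled)."""
    features = ws.get("properties", {}).get("features") or {}
    return features.get("disableLocalAuth") is True


def evaluate(ws: dict) -> dict:
    """Mirror the control's status and reason columns for one workspace."""
    name = ws["name"]
    if ws.get("type") == "Microsoft.OperationalInsights/workspaces" and blocks_non_aad_ingestion(ws):
        return {"resource": name, "status": "ok",
                "reason": f"{name} workspace does not allow non-Azure log ingestion."}
    return {"resource": name, "status": "alarm",
            "reason": f"{name} workspace allows non-Azure log ingestion."}


def remediation_patch() -> dict:
    """ARM PATCH body that enables the feature (assumed shape from the ARM schema)."""
    return {"properties": {"features": {"disableLocalAuth": True}}}


def run(workspaces=WORKSPACES) -> list:
    """Evaluate every record; returns one row per workspace."""
    return [evaluate(ws) for ws in workspaces]


if __name__ == "__main__":
    for row in run():
        print(row["status"], row["reason"])
```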