Control: Resource logs in Logic Apps should be enabled
Description
Audit whether resource logs are enabled. Resource logs let you recreate activity trails for investigation when a security incident occurs or when your network is compromised.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.logic_app_workflow_logging_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.logic_app_workflow_logging_enabled --share
SQL
This control uses a named query:
with logging_details as (
  -- Workflows with at least one diagnostic-setting log category that counts as logging
  select
    distinct id as workflow_id
  from
    azure_logic_app_workflow,
    jsonb_array_elements(diagnostic_settings) setting,
    jsonb_array_elements(setting -> 'properties' -> 'logs') log
  where
    diagnostic_settings is not null
    and (
      (
        -- log enabled, retention policy enabled and carrying a 'days' key
        (log ->> 'enabled') :: boolean
        and (log -> 'retentionPolicy' ->> 'enabled') :: boolean
        and (log -> 'retentionPolicy') :: JSONB ? 'days'
      )
      or (
        -- log enabled, retention policy not enabled or storage account id empty
        (log ->> 'enabled') :: boolean
        and (
          log -> 'retentionPolicy' ->> 'enabled' <> 'true'
          or setting -> 'properties' ->> 'storageAccountId' = ''
        )
      )
    )
)
select
  a.id as resource,
  case
    when a.diagnostic_settings is null then 'alarm'
    when l.workflow_id is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when a.diagnostic_settings is null then a.name || ' logging disabled.'
    when l.workflow_id is not null then a.name || ' logging enabled.'
    else a.name || ' logging disabled.'
  end as reason,
  a.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_logic_app_workflow as a
  left join logging_details as l on a.id = l.workflow_id,
  azure_subscription as sub
where
  sub.subscription_id = a.subscription_id;
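The named query's matching logic, re-expressed as an added Python example (not the mod's own code) so its SQL NULL behaviour can be checked against sample data. The helper names and the SAMPLES workflows are constructed for illustration, and the `::boolean` cast is simplified to a comparison with 'true'.

```python
# Added example (not the mod's code). None = SQL NULL; SAMPLES are constructed.
def text(obj, key):
    """Like jsonb ->>: value as text, None for a missing key or JSON null."""
    if not isinstance(obj, dict) or obj.get(key) is None:
        return None
    v = obj[key]
    return str(v).lower() if isinstance(v, bool) else str(v)

def eq(s, literal):  # SQL '=': NULL in, NULL out
    return None if s is None else s == literal
def and3(*v):  # SQL three-valued AND
    return False if False in v else (None if None in v else True)
def or3(*v):  # SQL three-valued OR
    return True if True in v else (None if None in v else False)

def log_matches(setting, log):
    """True only if the WHERE clause would keep this (setting, log) row."""
    enabled = eq(text(log, "enabled"), "true")
    rp = log.get("retentionPolicy")
    rp_enabled = eq(text(rp, "enabled"), "true")
    has_days = None if rp is None else "days" in rp
    rp_not_true = None if rp_enabled is None else not rp_enabled
    storage_empty = eq(text(setting.get("properties"), "storageAccountId"), "")
    branch_a = and3(enabled, rp_enabled, has_days)
    branch_b = and3(enabled, or3(rp_not_true, storage_empty))
    return or3(branch_a, branch_b) is True

def control_status(workflow):
    settings = workflow.get("diagnostic_settings")
    if settings is None:
        return "alarm"
    for s in settings:
        for log in (s.get("properties") or {}).get("logs") or []:
            if log_matches(s, log):
                return "ok"
    return "alarm"

def wf(log, **props):  # build a constructed workflow with one diagnostic setting
    return {"diagnostic_settings": [{"properties": {"logs": [log], **props}}]}

SAMPLES = {
    "no-settings": {"diagnostic_settings": None},
    "retained-90d": wf({"enabled": True, "retentionPolicy": {"enabled": True, "days": 90}}),
    "retention-off": wf({"enabled": True, "retentionPolicy": {"enabled": False, "days": 0}}),
    "log-disabled": wf({"enabled": False, "retentionPolicy": {"enabled": False, "days": 0}}),
    # No retentionPolicy and no storageAccountId key: both comparisons are NULL.
    "no-retention-key": wf({"enabled": True}, workspaceId="/constructed/workspace"),
}

if __name__ == "__main__":
    print({name: control_status(w) for name, w in SAMPLES.items()})
```

In the last sample, an enabled log category with neither a `retentionPolicy` object nor a `storageAccountId` key evaluates to NULL in both branches, so the query as written reports `alarm` for it.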