Control: Ensure that Activity Log Alert exists for Delete Policy Assignment
Description
Create an activity log alert for the Delete Policy Assignment event.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.monitor_log_alert_delete_policy_assignmentSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.monitor_log_alert_delete_policy_assignment --shareSQL
This control uses a named query:
with alert_rule as ( select alert.id as alert_id, alert.name as alert_name, alert.enabled, alert.location, alert.subscription_id from azure_log_alert as alert, jsonb_array_elements_text(scopes) as sc where alert.location = 'global' and alert.enabled and sc = '/subscriptions/' || alert.subscription_id and alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' and alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/delete"}]' limit 1)select sub.subscription_id as resource, case when count(a.subscription_id) > 0 then 'ok' else 'alarm' end as status, case when count(a.subscription_id) > 0 then 'Activity log alert exists for delete policy assignment event.' else 'Activity log alert does not exists for delete policy assignment event.' end as reason , sub.display_name as subscriptionfrom azure_subscription sub left join alert_rule a on sub.subscription_id = a.subscription_idgroup by sub._ctx, sub.subscription_id, sub.display_name;