Control: An activity log alert should exist for specific Administrative operations
Description
This policy audits specific Administrative operations with no activity log alerts configured.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.monitor_log_alert_for_administrative_operations
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.monitor_log_alert_for_administrative_operations --share
SQL
This control uses a named query:
with alert_rule as (
  select
    alert.id as alert_id,
    alert.name as alert_name,
    alert.enabled,
    alert.location,
    alert.subscription_id
  from
    azure_log_alert as alert,
    jsonb_array_elements_text(scopes) as sc
  where
    alert.location = 'global'
    and alert.enabled
    and sc = '/subscriptions/' || alert.subscription_id
    and alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]'
    and (
      alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/write"}]'
      or alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/delete"}]'
      or alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"}]'
      or alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/delete"}]'
      or alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.ClassicNetwork/networkSecurityGroups/write"}]'
      or alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.ClassicNetwork/networkSecurityGroups/delete"}]'
      or alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/securityRules/write"}]'
      or alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/securityRules/delete"}]'
      or alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write"}]'
      or alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete"}]'
    )
  limit 1
)
select
  sub.subscription_id as resource,
  case
    when count(a.subscription_id) > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when count(a.subscription_id) > 0 then 'Activity log alert exists for administrative operations.'
    else 'Activity log alert does not exist for administrative operations.'
  end as reason,
  sub.display_name as subscription
from
  azure_subscription sub
  left join alert_rule a on sub.subscription_id = a.subscription_id
group by
  sub._ctx,
  sub.subscription_id,
  sub.display_name;
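An added example, not part of the mod's query, that re-implements the alert_rule match and the per-subscription verdict in Python over constructed records shaped like the azure_log_alert and azure_subscription columns (hypothetical subscription ids). Unlike the query, it evaluates every subscription independently; the query's trailing limit 1 keeps at most one alert row across all subscriptions, which matters when a connection covers more than one.

```python
# Operation names the control treats as sensitive administrative operations
# (the same ten values the query on this page matches on operationName).
ADMIN_OPERATIONS = {f"{prefix}/{action}" for prefix in (
    "Microsoft.Sql/servers/firewallRules",
    "Microsoft.Network/networkSecurityGroups",
    "Microsoft.ClassicNetwork/networkSecurityGroups",
    "Microsoft.Network/networkSecurityGroups/securityRules",
    "Microsoft.ClassicNetwork/networkSecurityGroups/securityRules",
) for action in ("write", "delete")}

def alert_covers_admin_ops(alert):
    """Mirror the alert_rule CTE: global, enabled, scoped to the whole subscription,
    and condition.allOf must carry category == Administrative plus a listed operationName."""
    if alert["location"] != "global" or not alert["enabled"]:
        return False
    if f"/subscriptions/{alert['subscription_id']}" not in alert["scopes"]:
        return False  # scoped only to a resource group or resource: does not count
    all_of = alert["condition"].get("allOf", [])
    has_category = any(c.get("field") == "category" and c.get("equals") == "Administrative"
                       for c in all_of)
    has_operation = any(c.get("field") == "operationName" and c.get("equals") in ADMIN_OPERATIONS
                        for c in all_of)
    return has_category and has_operation

def evaluate(subscriptions, alerts):
    """Mirror the outer query: one 'ok'/'alarm' verdict per subscription_id."""
    return {s["subscription_id"]: "ok" if any(a["subscription_id"] == s["subscription_id"]
                                             and alert_covers_admin_ops(a) for a in alerts)
            else "alarm" for s in subscriptions}

# Constructed sample data with hypothetical subscription ids.
SUBSCRIPTIONS = [{"subscription_id": "sub-aaaa"}, {"subscription_id": "sub-bbbb"}]
ALERTS = [
    {"subscription_id": "sub-aaaa", "location": "global", "enabled": True,
     "scopes": ["/subscriptions/sub-aaaa"],  # subscription-wide scope: counts
     "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
                             {"field": "operationName",
                              "equals": "Microsoft.Network/networkSecurityGroups/write"}]}},
    {"subscription_id": "sub-bbbb", "location": "global", "enabled": True,
     "scopes": ["/subscriptions/sub-bbbb/resourceGroups/rg1"],  # resource-group scope: ignored
     "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
                             {"field": "operationName",
                              "equals": "Microsoft.Sql/servers/firewallRules/delete"}]}},
]

if __name__ == "__main__":
    print(evaluate(SUBSCRIPTIONS, ALERTS))  # {'sub-aaaa': 'ok', 'sub-bbbb': 'alarm'}
```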