Control: Deploy Diagnostic Settings for Network Security Groups
Description
This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.network_security_group_diagnostic_setting_deployedSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.network_security_group_diagnostic_setting_deployed --shareSQL
This control uses a named query:
with logging_details as ( select distinct name as nsg_name from azure_network_security_group, jsonb_array_elements(diagnostic_settings) setting where diagnostic_settings is not null and setting ->> 'name' = 'setbypolicy')select a.resource_guid as resource, case when a.diagnostic_settings is null then 'alarm' when l.nsg_name is null then 'alarm' else 'ok' end as status, case when a.diagnostic_settings is null then a.name || ' logging not enabled.' when l.nsg_name is null then a.name || ' logging not enabled.' else a.name || ' logging enabled.' end as reason , a.resource_group as resource_group , sub.display_name as subscriptionfrom azure_network_security_group as a left join logging_details as l on a.name = l.nsg_name, azure_subscription as subwhere sub.subscription_id = a.subscription_id;