Control: Resource logs in Azure Stream Analytics should be enabled
Description
Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.stream_analytics_job_logging_enabledSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.stream_analytics_job_logging_enabled --shareSQL
This control uses a named query:
with logging_details as ( select distinct name as job_name from azure_stream_analytics_job, jsonb_array_elements(diagnostic_settings) setting, jsonb_array_elements(setting -> 'properties' -> 'logs') log where diagnostic_settings is not null and ( ( (log ->> 'enabled') :: boolean and (log -> 'retentionPolicy' ->> 'enabled') :: boolean and (log -> 'retentionPolicy') :: JSONB ? 'days' ) or ( (log ->> 'enabled') :: boolean and ( log -> 'retentionPolicy' ->> 'enabled' <> 'true' or setting -> 'properties' ->> 'storageAccountId' = '' ) ) ))select v.job_id as resource, case when v.diagnostic_settings is null then 'alarm' when l.job_name is null then 'alarm' else 'ok' end as status, case when v.diagnostic_settings is null then v.name || ' logging not enabled.' when l.job_name is null then v.name || ' logging not enabled.' else v.name || ' logging enabled.' end as reason , v.resource_group as resource_group , sub.display_name as subscriptionfrom azure_stream_analytics_job as v left join logging_details as l on v.name = l.job_name, azure_subscription as subwhere sub.subscription_id = v.subscription_id;