turbot/steampipe-mod-azure-compliance

Query: security_center_attack_path_alerts_enabled

Usage

powerpipe query azure_compliance.query.security_center_attack_path_alerts_enabled

SQL

-- Per subscription, count the security contacts that have alert notifications turned on.
with contact_info as (
  select
    subscription_id,
    count(*) filter (where alert_notifications = 'On') as notification_alert_count
  from
    azure_security_center_contact
  group by
    subscription_id
)
select
  c.id as resource,
  -- 'ok' requires both the AttackPath setting to be enabled and at least one contact with
  -- alert notifications on. With the left join, a subscription that has no contact rows
  -- yields a null count, so the comparison is not true and the status is 'alarm'.
  case
    when c.name = 'AttackPath' and c.enabled and ci.notification_alert_count > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when c.name = 'AttackPath' and c.enabled and ci.notification_alert_count > 0 then 'Attack path notifications are enabled.'
    when c.name = 'AttackPath' and not c.enabled then 'Attack path notifications are disabled.'
    when ci.notification_alert_count = 0 then 'Security alert notifications are disabled.'
    else 'Attack path notifications not configured.'
  end as reason,
  c.subscription_id,
  c.cloud_environment
from
  azure_security_center_setting c
  left join contact_info ci on c.subscription_id = ci.subscription_id
where
  c.name = 'AttackPath';

Controls

The query is being used by the following controls: