turbot/azure_compliance

Trigger: Detect & correct Key Vaults with logging disabled

Detect key vaults with logging disabled.

Query

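with logging_details as (
  -- Key vaults that have at least one diagnostic setting shipping the
  -- 'AuditEvent' log category to a storage account with a retention policy.
  -- A setting whose 'storageAccountId' is absent yields NULL for the
  -- comparison below and is therefore not counted, so a vault that sends
  -- AuditEvent only to a Log Analytics workspace or Event Hub is reported
  -- by the outer query.
  select
    id as key_vault_id
  from
    azure_key_vault,
    jsonb_array_elements(diagnostic_settings) as setting,
    jsonb_array_elements(setting -> 'properties' -> 'logs') as log
  where
    diagnostic_settings is not null
    and setting -> 'properties' ->> 'storageAccountId' <> ''
    and (log ->> 'enabled') :: boolean
    and log ->> 'category' = 'AuditEvent'
    -- '->' already returns jsonb, so no cast is needed before '?'
    and (log -> 'retentionPolicy') ? 'days'
)
select
  concat(
    v.id,
    ' [',
    v.subscription_id,
    '/',
    v.resource_group,
    ']'
  ) as title,
  v.id as id,
  v.name,
  v.resource_group,
  v.subscription_id,
  v._ctx ->> 'connection_name' as conn
from
  azure_key_vault v
where
  -- Report a vault when it has no diagnostic settings at all, or when none
  -- of them ship AuditEvent to storage. NOT EXISTS is used instead of a
  -- LEFT JOIN filtered on the joined column: with a left join the unmatched
  -- row is NULL, and "NULL NOT LIKE ..." is UNKNOWN, so vaults whose settings
  -- lack AuditEvent logging are silently dropped; a matched row, on the other
  -- hand, always satisfies LIKE '%name%' and is never reported either.
  -- Matching on id rather than name also keeps the lookup exact when the
  -- name contains LIKE wildcard characters.
  v.diagnostic_settings is null
  or not exists (
    select 1
    from logging_details l
    where l.key_vault_id = v.id
  );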

Schedule

15m

Tags

category = Compliance
plugin = azure
service = Azure/KeyVault