standard
turbot/azure_compliance

Trigger: Detect & correct Subscriptions without activity log alert for delete NSG

Detect subscriptions without an activity log alert for delete NSG.

Query

with alert_rule as (
select
alert.id as alert_id,
alert.name as alert_name,
alert.enabled,
alert.location,
alert.subscription_id,
alert.resource_group,
alert._ctx ->> 'connection_name' as conn,
jsonb_array_length(alert.condition -> 'allOf')
from
azure_log_alert as alert,
jsonb_array_elements_text(scopes) as sc
where
alert.location = 'Global'
and alert.enabled
and sc = '/subscriptions/' || alert.subscription_id
and (
(
alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]'
and alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/delete"}]'
)
or (
alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]'
and alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]'
and jsonb_array_length(alert.condition -> 'allOf') = 2
)
)
limit
1
)
select
sub.subscription_id as title,
sub._ctx ->> 'connection_name' as conn
from
azure_subscription sub
left join alert_rule a on sub.subscription_id = a.subscription_id
group by
sub.subscription_id,
sub.display_name,
sub._ctx,
a.alert_id,
a.alert_name,
a.resource_group,
a.subscription_id,
a.conn
having
not(count(a.subscription_id) > 0);

Schedule

15m

Tags

category = Compliance
plugin = azure
service = Azure/Monitor