diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/metadata.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/metadata.json
new file mode 100644
index 00000000000..dd6c8786c14
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/metadata.json
@@ -0,0 +1,14 @@
+{
+ "id": "a7b422e3-0b2f-4795-a43a-136dbbd6cbb3",
+ "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured",
+ "severity": "MEDIUM",
+ "category": "Observability",
+ "descriptionText": "There should be a 'azurerm_monitor_activity_log_alert' resource configured to capture delete policy assignment events",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_activity_log_alert",
+ "platform": "Terraform",
+ "descriptionID": "a7b422e3",
+ "cloudProvider": "azure",
+ "cwe": "778",
+ "riskScore": "3.0",
+ "experimental": "true"
+}
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/query.rego b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/query.rego
new file mode 100644
index 00000000000..3534bd4f0d8
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/query.rego
@@ -0,0 +1,105 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+filter_fields := ["caller", "level", "levels", "status", "statuses", "sub_status", "sub_statuses"]
+
+CxPolicy[result] {
+ resources := {input.document[index].id : log_alerts |
+ log_alerts := input.document[index].resource.azurerm_monitor_activity_log_alert
+ }
+
+ value := at_least_one_valid_log_alert(resources)
+ value.result != "has_valid_log"
+
+ results := get_results(value)[_]
+
+ result := {
+ "documentId": results.doc_id,
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": tf_lib.get_resource_name(results.resource, results.name),
+ "searchKey": sprintf("azurerm_monitor_activity_log_alert[%s].criteria", [results.name]),
+ "issueType": results.issueType,
+ "keyExpectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined",
+ "keyActualValue": results.keyActualValue,
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_monitor_activity_log_alert", results.name, "criteria"], [])
+ }
+}
+
+at_least_one_valid_log_alert(resources) = {"result" : "has_valid_log"} {
+ resources[doc_index][x].criteria.category == "Administrative"
+ resources[doc_index][x].criteria.operation_name == "Microsoft.Authorization/policyAssignments/delete"
+ not has_filter(resources[doc_index][x].criteria)
+ common_lib.valid_key(resources[doc_index][x].action, "action_group_id")
+
+} else = {"result" : "has_log_without_action", "logs": logs} {
+ logs := {doc_index: filtered |
+ resources[doc_index]
+ filtered := {key: resource |
+ resource := resources[doc_index][key]
+ resource.criteria.category == "Administrative"
+ resource.criteria.operation_name == "Microsoft.Authorization/policyAssignments/delete"
+ not has_filter(resource.criteria)}
+ }
+ logs[_] != {}
+
+} else = {"result" : "has_log_with_filter", "logs": logs} {
+ logs := {doc_index: filtered |
+ resources[doc_index]
+ filtered := {key: resource |
+ resource := resources[doc_index][key]
+ resource.criteria.category == "Administrative"
+ resource.criteria.operation_name == "Microsoft.Authorization/policyAssignments/delete"}
+ }
+ logs[_] != {}
+
+} else = {"result" : "has_invalid_logs_only", "logs": resources}
+
+get_results(value) = results { # Case of one or more resources failing due to not setting an "action.action_group_id" field
+ value.result == "has_log_without_action"
+
+ results := [z |
+ log := value.logs[doc_id][name]
+ z := {
+ "doc_id" : doc_id,
+ "resource" : log,
+ "issueType": "MissingAttribute",
+ "name" : name,
+ "keyActualValue" : sprintf("The 'azurerm_monitor_activity_log_alert[%s]' resource monitors 'delete policy assignment' events but is missing an 'action.action_group_id' field", [name])
+ }]
+
+} else = results { # Case of one or more resources failing due to setting filter(s)
+ value.result == "has_log_with_filter"
+
+ results := [z |
+ filters = get_filters(value.logs[doc_id][name].criteria)
+ z := {
+ "doc_id" : doc_id,
+ "resource" : value.logs[doc_id][name],
+ "issueType": "IncorrectValue",
+ "name" : name,
+ "keyActualValue" : sprintf("The 'azurerm_monitor_activity_log_alert[%s]' resource monitors 'delete policy assignment' events but sets %d filter(s): %s", [name, count(filters),concat(", ",filters)])
+ }]
+
+} else = results { # Case of all resources failing due to invalid category and/or operation_name
+ results := [z |
+ log := value.logs[doc_id][name]
+ z := {
+ "doc_id" : doc_id,
+ "resource" : log,
+ "issueType": "IncorrectValue",
+ "name" : name,
+ "keyActualValue" : "None of the 'azurerm_monitor_activity_log_alert' resources monitor 'delete policy assignment' events"
+ }]
+}
+
+has_filter(criteria) {
+ common_lib.valid_key(criteria, filter_fields[_])
+}
+
+get_filters(criteria) = [x |
+ y := filter_fields[_]
+ common_lib.valid_key(criteria, y)
+ x := y
+]
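Review bot: When no document declares an `azurerm_monitor_activity_log_alert` at all, `CxPolicy` appears to report nothing: `resources` is then empty, `at_least_one_valid_log_alert` falls through to `has_invalid_logs_only`, and the comprehension in the last `get_results` branch has no entries to iterate. A project with no alert whatsoever therefore passes a rule named "Not Configured", which is the weakest logging posture the rule could meet; if that is a deliberate limit it deserves a comment above `CxPolicy`, for example `# Only reports when at least one azurerm_monitor_activity_log_alert exists; a project with none produces no result`. Separately, the `has_valid_log` branch never reads the resource's `enabled` argument, so an alert declared with `enabled = false` counts as valid; adding `not resources[doc_index][x].enabled == false` to that branch would exclude it, though the fallback branches would then need a matching result message.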
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/negative1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/negative1.tf
new file mode 100644
index 00000000000..6580bd749ac
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "azurerm_monitor_activity_log_alert" "negative1" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Negative sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Authorization/policyAssignments/delete"
+ category = "Administrative"
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+
+ webhook_properties = {
+ from = "terraform"
+ }
+ }
+}
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive1.tf
new file mode 100644
index 00000000000..e738eae59ad
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive1.tf
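Review bot: The only passing sample narrows the alert to one resource group through `scopes` and to a storage account through `criteria.resource_id`, so the fixture that defines "compliant" would probably not fire for a policy assignment deleted elsewhere in the subscription. `filter_fields` in query.rego lists `caller`, `level`, `status`, `sub_status` and their plural forms but none of the resource-narrowing criteria arguments, so this narrowing goes unreported. Consider removing `resource_id` from negative1.tf and scoping the sample to the subscription, and either adding `resource_id`, `resource_group` and `resource_type` to `filter_fields` or noting in query.rego why they are exempt.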
@@ -0,0 +1,53 @@
+resource "azurerm_monitor_activity_log_alert" "positive1_1" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Storage/storageAccounts/write" # wrong operation name
+ category = "Administrative"
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
+
+resource "azurerm_monitor_activity_log_alert" "positive1_2" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Authorization/policyAssignments/delete"
+ category = "Policy" # wrong category
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
+
+resource "azurerm_monitor_activity_log_alert" "positive1_3" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Storage/storageAccounts/write" # wrong operation name
+ category = "Policy" # wrong category
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive2_1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive2_1.tf
new file mode 100644
index 00000000000..03d5741d53e
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive2_1.tf
@@ -0,0 +1,76 @@
+# Case of correct "operation_name" and "category" but a type of filter is set
+resource "azurerm_monitor_activity_log_alert" "positive2_1" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Authorization/policyAssignments/delete"
+ category = "Administrative"
+ caller = "admin@contoso.com" # filters by caller
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
+
+resource "azurerm_monitor_activity_log_alert" "positive2_2" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Authorization/policyAssignments/delete"
+ category = "Administrative"
+ level = "Informational" # filters by level
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
+
+resource "azurerm_monitor_activity_log_alert" "positive2_3" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Authorization/policyAssignments/delete"
+ category = "Administrative"
+ levels = ["Informational", "Warning"] # filters by levels
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
+
+resource "azurerm_monitor_activity_log_alert" "positive2_4" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Authorization/policyAssignments/delete"
+ category = "Administrative"
+ status = "Succeeded" # filters by status
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive2_2.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive2_2.tf
new file mode 100644
index 00000000000..f7048cdcae9
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive2_2.tf
@@ -0,0 +1,56 @@
+resource "azurerm_monitor_activity_log_alert" "positive2_5" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Authorization/policyAssignments/delete"
+ category = "Administrative"
+ statuses = ["Succeeded", "Failed"] # filters by statuses
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
+
+resource "azurerm_monitor_activity_log_alert" "positive2_6" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Authorization/policyAssignments/delete"
+ category = "Administrative"
+ sub_status = "Accepted" # filters by sub_status
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
+
+resource "azurerm_monitor_activity_log_alert" "positive2_7" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Authorization/policyAssignments/delete"
+ category = "Administrative"
+ sub_statuses = ["Accepted", "Conflict"] # filters by sub_statuses
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json
new file mode 100644
index 00000000000..b72188b5295
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json
@@ -0,0 +1,44 @@
+[
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured",
+ "severity": "MEDIUM",
+ "line": 9,
+ "fileName": "positive2_1.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured",
+ "severity": "MEDIUM",
+ "line": 28,
+ "fileName": "positive2_1.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured",
+ "severity": "MEDIUM",
+ "line": 47,
+ "fileName": "positive2_1.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured",
+ "severity": "MEDIUM",
+ "line": 66,
+ "fileName": "positive2_1.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured",
+ "severity": "MEDIUM",
+ "line": 8,
+ "fileName": "positive2_2.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured",
+ "severity": "MEDIUM",
+ "line": 27,
+ "fileName": "positive2_2.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured",
+ "severity": "MEDIUM",
+ "line": 46,
+ "fileName": "positive2_2.tf"
+ }
+]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive3_1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive3_1.tf
new file mode 100644
index 00000000000..6c2647572cc
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive3_1.tf
@@ -0,0 +1,16 @@
+# Case of correct "operation_name" and "category" but the "action.action_group_id" field is missing
+resource "azurerm_monitor_activity_log_alert" "positive3_1" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Authorization/policyAssignments/delete"
+ category = "Administrative"
+ }
+
+ # Missing action
+}
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive3_2.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive3_2.tf
new file mode 100644
index 00000000000..fc54c7f4a78
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive3_2.tf
@@ -0,0 +1,18 @@
+# Case of correct "operation_name" and "category" but the "action.action_group_id" field is missing
+resource "azurerm_monitor_activity_log_alert" "positive3_2" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Authorization/policyAssignments/delete"
+ category = "Administrative"
+ }
+
+ action {
+ # Missing action_group_id
+ }
+}
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive_expected_result.json
new file mode 100644
index 00000000000..1ff51775942
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive_expected_result.json
@@ -0,0 +1,14 @@
+[
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured",
+ "severity": "MEDIUM",
+ "line": 9,
+ "fileName": "positive3_1.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured",
+ "severity": "MEDIUM",
+ "line": 9,
+ "fileName": "positive3_2.tf"
+ }
+]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive4_1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive4_1.tf
new file mode 100644
index 00000000000..eedc2646e79
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive4_1.tf
@@ -0,0 +1,21 @@
+# Query prioritizes flagging the log alert(s) that is "correct" but has filter(s) over the ones with wrong "operation_name"/"category"
+resource "azurerm_monitor_activity_log_alert" "positive4_1" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Authorization/policyAssignments/delete"
+ category = "Administrative"
+ caller = "admin@contoso.com" # filters by caller
+ level = "Informational" # filters by level
+ status = "Succeeded" # filters by status
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive4_2.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive4_2.tf
new file mode 100644
index 00000000000..fe894643730
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive4_2.tf
@@ -0,0 +1,17 @@
+resource "azurerm_monitor_activity_log_alert" "positive4_2" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Storage/storageAccounts/write" # wrong operation name
+ category = "Administrative"
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive_expected_result.json
new file mode 100644
index 00000000000..1d75d906347
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured",
+ "severity": "MEDIUM",
+ "line": 9,
+ "fileName": "positive4_1.tf"
+ }
+]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive5/positive5_1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive5/positive5_1.tf
new file mode 100644
index 00000000000..ba394c5b6f3
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive5/positive5_1.tf
@@ -0,0 +1,37 @@
+# Query prioritizes flagging the log alert(s) that is "correct" but missing the "action_group_id" field over all others
+resource "azurerm_monitor_activity_log_alert" "positive5_1" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Authorization/policyAssignments/delete"
+ category = "Administrative"
+ }
+
+ # Missing action block
+}
+
+resource "azurerm_monitor_activity_log_alert" "positive5_2" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Authorization/policyAssignments/delete"
+ category = "Administrative"
+ caller = "admin@contoso.com" # filters by caller
+ level = "Informational" # filters by level
+ status = "Succeeded" # filters by status
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive5/positive5_2.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive5/positive5_2.tf
new file mode 100644
index 00000000000..dfe8d9f3ce9
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive5/positive5_2.tf
@@ -0,0 +1,17 @@
+resource "azurerm_monitor_activity_log_alert" "positive5_3" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Storage/storageAccounts/write" # wrong operation name
+ category = "Administrative"
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive5/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive5/positive_expected_result.json
new file mode 100644
index 00000000000..037a0323306
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive5/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured",
+ "severity": "MEDIUM",
+ "line": 9,
+ "fileName": "positive5_1.tf"
+ }
+]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive_expected_result.json
new file mode 100644
index 00000000000..7ea96ca6293
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive_expected_result.json
@@ -0,0 +1,20 @@
+[
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured",
+ "severity": "MEDIUM",
+ "line": 8,
+ "fileName": "positive1.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured",
+ "severity": "MEDIUM",
+ "line": 26,
+ "fileName": "positive1.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured",
+ "severity": "MEDIUM",
+ "line": 44,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/similarityID_transition/terraform_azure.yaml b/assets/similarityID_transition/terraform_azure.yaml
index 407c810f4d1..6b39aa16808 100644
--- a/assets/similarityID_transition/terraform_azure.yaml
+++ b/assets/similarityID_transition/terraform_azure.yaml
@@ -3,3 +3,7 @@ similarityIDChangeList:
 queryName: Sensitive Port Is Exposed To Wide Private Network
 observations: ""
 change: 5
+ - queryId: a7b422e3-0b2f-4795-a43a-136dbbd6cbb3
+ queryName: Beta - Activity Log Alert For Delete Policy Assignment Not Configured
+ observations: ""
+ change: 2