Table: azure_log_alert - Query Azure Log Alerts using SQL
Azure Log Alerts is a feature within Azure Monitor that allows users to create alert rules based on log search queries. When these queries return results that meet certain conditions, an alert is triggered. This feature is essential for monitoring, troubleshooting, and gaining insights into the operational health and performance of Azure resources.
Table Usage Guide
The azure_log_alert table provides insights into log alerts within Azure Monitor. As a system administrator, explore alert-specific details through this table, including alert rules, conditions, actions, and associated metadata. Utilize it to uncover information about alerts, such as those triggered by certain log search queries, the conditions that cause alerts to be triggered, and the actions taken when alerts are triggered.
Examples
Basic info
Determine the status of alerts in your Azure log by identifying their name, ID, type, and whether they are enabled or not. This can help you manage and prioritize your alerts effectively.
```sql
select
  name,
  id,
  type,
  enabled
from
  azure_log_alert;
```
List log alerts that check for create policy assignment events
Determine the areas in which log alerts are set to monitor the creation of policy assignments in Azure. This can be useful in managing and tracking changes to policy assignments.
Postgres:

```sql
select
  name,
  id,
  type
from
  azure_log_alert,
  jsonb_array_elements(condition -> 'allOf') as l
where
  l ->> 'equals' = 'Microsoft.Authorization/policyAssignments/write';
```

SQLite:

```sql
select
  name,
  a.id,
  type
from
  azure_log_alert as a,
  json_each(condition, '$.allOf') as l
where
  json_extract(l.value, '$.equals') = 'Microsoft.Authorization/policyAssignments/write';
```
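The two queries above answer "is there an alert for one operation?". When reviewing a subscription against the control list below, the more useful question is which required Administrative operations have no enabled, actionable alert at all. The Postgres query below is an added example and is not part of the Steampipe documentation; it assumes the condition is stored as `{"allOf": [{"field": ..., "equals": ...}, ...]}` (the page's own example relies on the `equals` key; the `field` key and the `category` = `Administrative` entry are assumptions), and the operation names other than `Microsoft.Authorization/policyAssignments/write` are the ones the CIS Azure benchmark lists for these controls, so verify them against the benchmark version you are assessing.

```sql
-- Added example (not from the Steampipe docs): report, per CIS control, whether
-- an enabled activity log alert with at least one action exists for the
-- Administrative operation the control requires.
with required_operations(control, operation) as (
  values
    ('Create Policy Assignment',                  'Microsoft.Authorization/policyAssignments/write'),
    ('Delete Policy Assignment',                  'Microsoft.Authorization/policyAssignments/delete'),
    ('Create or Update Network Security Group',   'Microsoft.Network/networkSecurityGroups/write'),
    ('Delete Network Security Group',             'Microsoft.Network/networkSecurityGroups/delete'),
    ('Create or Update Security Solution',        'Microsoft.Security/securitySolutions/write'),
    ('Delete Security Solution',                  'Microsoft.Security/securitySolutions/delete'),
    ('Create or Update SQL Server Firewall Rule', 'Microsoft.Sql/servers/firewallRules/write'),
    ('Delete SQL Server Firewall Rule',           'Microsoft.Sql/servers/firewallRules/delete'),
    ('Create or Update Public IP Address rule',   'Microsoft.Network/publicIPAddresses/write'),
    ('Delete Public IP Address rule',             'Microsoft.Network/publicIPAddresses/delete')
),
-- One row per (alert, operationName it matches on). Only alerts that are
-- enabled, scoped to the Administrative category and wired to an action count.
alert_operations as (
  select
    a.name,
    a.subscription_id,
    l ->> 'equals' as operation
  from
    azure_log_alert as a,
    jsonb_array_elements(a.condition -> 'allOf') as l
  where
    a.enabled
    and l ->> 'field' = 'operationName'          -- assumed key name
    and coalesce(a.actions, '') <> ''            -- an alert nobody receives is not coverage
    and exists (
      select 1
      from jsonb_array_elements(a.condition -> 'allOf') as c
      where c ->> 'field' = 'category'           -- assumed key name
        and c ->> 'equals' = 'Administrative'
    )
)
select
  r.control,
  r.operation,
  count(o.name) > 0 as covered,
  string_agg(o.name, ', ') as alert_names
from
  required_operations as r
  left join alert_operations as o on o.operation = r.operation
group by
  r.control,
  r.operation
order by
  covered,        -- uncovered (false) controls first
  r.control;
```

Rows with `covered = false` are the controls in the list below that would fail. Because `alert_operations` is built per alert rather than per control, the same query also surfaces duplicate or overlapping rules in `alert_names`, which is worth knowing before consolidating action groups.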
Control examples
- All Controls > Monitor > Ensure that Activity Log Alert exists for Create or Update Network Security Group
- All Controls > Monitor > Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule
- All Controls > Monitor > Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule
- All Controls > Monitor > Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
- All Controls > Monitor > Ensure that Activity Log Alert exists for Create or Update Security Solution
- All Controls > Monitor > Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
- All Controls > Monitor > Ensure that Activity Log Alert exists for Create Policy Assignment
- All Controls > Monitor > Ensure that Activity Log Alert exists for Delete Network Security Group
- All Controls > Monitor > Ensure that Activity Log Alert exists for Delete Network Security Group Rule
- All Controls > Monitor > Ensure that Activity Log Alert exists for Delete Policy Assignment
- All Controls > Monitor > Ensure that Activity Log Alert exists for Delete Public IP Address rule
- All Controls > Monitor > Ensure that Activity Log Alert exists for Delete Security Solution
- All Controls > Monitor > Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
- An activity log alert should exist for specific Administrative operations
- CIS v1.3.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment
- CIS v1.3.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment
- CIS v1.3.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group
- CIS v1.3.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group
- CIS v1.3.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.5 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule
- CIS v1.3.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.6 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule
- CIS v1.3.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.7 Ensure that Activity Log Alert exists for Create or Update Security Solution
- CIS v1.3.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.8 Ensure that Activity Log Alert exists for Delete Security Solution
- CIS v1.3.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.9 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule
- CIS v1.4.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment
- CIS v1.4.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment
- CIS v1.4.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group
- CIS v1.4.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group
- CIS v1.4.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.5 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule
- CIS v1.4.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.6 Ensure that Activity Log Alert exists for Delete Network Security Group Rule
- CIS v1.4.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.7 Ensure that Activity Log Alert exists for Create or Update Security Solution
- CIS v1.4.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.8 Ensure that Activity Log Alert exists for Delete Security Solution
- CIS v1.4.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.9 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule
- CIS v1.5.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment
- CIS v1.5.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule
- CIS v1.5.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment
- CIS v1.5.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group
- CIS v1.5.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group
- CIS v1.5.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution
- CIS v1.5.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.6 Ensure that Activity Log Alert exists for Delete Security Solution
- CIS v1.5.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
- CIS v1.5.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
- CIS v1.5.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
- CIS v2.0.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment
- CIS v2.0.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule
- CIS v2.0.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment
- CIS v2.0.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group
- CIS v2.0.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group
- CIS v2.0.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution
- CIS v2.0.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.6 Ensure that Activity Log Alert exists for Delete Security Solution
- CIS v2.0.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
- CIS v2.0.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
- CIS v2.0.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
- CIS v2.1.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment
- CIS v2.1.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule
- CIS v2.1.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment
- CIS v2.1.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group
- CIS v2.1.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group
- CIS v2.1.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution
- CIS v2.1.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.6 Ensure that Activity Log Alert exists for Delete Security Solution
- CIS v2.1.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
- CIS v2.1.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
- CIS v2.1.0 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log Alerts > 5.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
Schema for azure_log_alert
Name | Type | Operators | Description
---|---|---|---
_ctx | jsonb | | Steampipe context in JSON form.
actions | text | | The actions that will activate when the condition is met.
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
cloud_environment | text | | The Azure Cloud Environment.
condition | jsonb | | The condition that will cause this alert to activate.
description | text | | A description of this activity log alert.
enabled | boolean | | Indicates whether this activity log alert is enabled.
id | text | | The resource Id.
location | text | | The location of the resource. Since Azure Activity Log Alerts is a global service, the location of the rules should always be 'global'.
name | text | = | The name of the resource.
region | text | | The Azure region/location in which the resource is located.
resource_group | text | = | The resource group which holds this resource.
scopes | jsonb | | A list of resourceIds that will be used as prefixes.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
subscription_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Subscription ID in which the resource is located.
tags | jsonb | | A map of tags for the resource.
title | text | | Title of the resource.
type | text | | Type of the resource.
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure
```
You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_azure --config '<your_config>' azure_log_alert
```