steampipe plugin install azure

Table: azure_log_alert - Query Azure Log Alerts using SQL

Azure Log Alerts is a feature within Azure Monitor that allows users to create alert rules based on log search queries. When these queries return results that meet certain conditions, an alert is triggered. This feature is essential for monitoring, troubleshooting, and gaining insights into the operational health and performance of Azure resources.

Table Usage Guide

The azure_log_alert table provides insights into log alerts within Azure Monitor. As a system administrator, explore alert-specific details through this table, including alert rules, conditions, actions, and associated metadata. Utilize it to uncover information about alerts, such as those triggered by certain log search queries, the conditions that cause alerts to be triggered, and the actions taken when alerts are triggered.

Examples

Basic info

Determine the status of alerts in your Azure log by identifying their name, ID, type, and whether they are enabled or not. This can help you manage and prioritize your alerts effectively.

select
name,
id,
type,
enabled
from
azure_log_alert;
select
name,
id,
type,
enabled
from
azure_log_alert;

List log alerts that check for create policy assignment events

Determine the areas in which log alerts are set to monitor the creation of policy assignments in Azure. This can be useful in managing and tracking changes to policy assignments.

select
name,
id,
type
from
azure_log_alert,
jsonb_array_elements(condition -> 'allOf') as l
where
l ->> 'equals' = 'Microsoft.Authorization/policyAssignments/write';
select
name,
a.id,
type
from
azure_log_alert as a,
json_each(condition, '$.allOf') as l
where
json_extract(l.value, '$.equals') = 'Microsoft.Authorization/policyAssignments/write';

Control examples

Schema for azure_log_alert

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
actionstextThe actions that will activate when the condition is met.
akasjsonbArray of globally unique identifier strings (also known as) for the resource.
cloud_environmenttextThe Azure Cloud Environment.
conditionjsonbThe condition that will cause this alert to activate.
descriptiontextA description of this activity log alert.
enabledbooleanIndicates whether this activity log alert is enabled.
idtextThe resource Id.
locationtextThe location of the resource. Since Azure Activity Log Alerts is a global service, the location of the rules should always be 'global'.
nametext=The name of the resource.
regiontextThe Azure region/location in which the resource is located.
resource_grouptext=The resource group which holds this resource.
scopesjsonbA list of resourceIds that will be used as prefixes.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
subscription_idtext=, !=, ~~, ~~*, !~~, !~~*The Azure Subscription ID in which the resource is located.
tagsjsonbA map of tags for the resource.
titletextTitle of the resource.
typetextType of the resource

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure

You can pass the configuration to the command with the --config argument:

steampipe_export_azure --config '<your_config>' azure_log_alert