# Activity Log alert: any Critical/Error event in the "Security" category of
# AzureActivity within the last hour pages the shared action group.
resource "azurerm_monitor_scheduled_query_rules_alert" "security_activity_log_alert" {
  name                = "${var.env}-security-activity-log"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  description         = "Security activity log alert"
  enabled             = true
  tags                = local.tags

  # Log Analytics workspace the KQL below is evaluated against.
  data_source_id = data.azurerm_log_analytics_workspace.law.id

  query = <<-QUERY
    AzureActivity
    | where CategoryValue == "Security" and Level in ("Critical", "Error")
  QUERY

  # Evaluate every 60 minutes over the previous 60 minutes: contiguous
  # coverage with no overlap between runs.
  frequency   = 60
  time_window = 60
  severity    = 1 # Azure Monitor scale: 0 = critical ... 4 = verbose

  trigger {
    operator  = "GreaterThan"
    threshold = 0 # a single matching row is enough to fire
  }

  action {
    action_group = [azurerm_monitor_action_group.action_group.id]
  }
}
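# Entra ID sign-in alert: users who were challenged for MFA but did not
# complete it. ResultType 50074 is the "strong authentication required"
# sign-in error, so every row is a sign-in that stopped at the MFA step.
resource "azurerm_monitor_scheduled_query_rules_alert" "azuread_activity_log_alert" {
  name                = "${var.env}-azuread-alert-activity-log"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  description         = "Users did not pass the MFA challenge"
  enabled             = true
  tags                = local.tags

  # Log Analytics workspace the KQL below is evaluated against.
  data_source_id = data.azurerm_log_analytics_workspace.law.id

  # One row per user with the number of MFA-incomplete sign-ins in the window.
  # The original query ended with both `sort by` and `order by` on the same
  # column; `order by` is an alias of `sort by` in KQL, so the duplicate
  # stage was redundant and has been dropped.
  query = <<-QUERY
    SigninLogs
    | where ResultType == "50074"
    | summarize FailedSigninCount = count(), max(ResultType) by UserDisplayName
    | sort by FailedSigninCount desc
  QUERY

  # Evaluate every 60 minutes over the previous 60 minutes.
  frequency   = 60
  time_window = 60
  severity    = 3 # informational-leaning: MFA held, but the pattern is worth reviewing

  trigger {
    operator  = "GreaterThan"
    threshold = 0 # fire as soon as any user appears in the result set
  }

  action {
    action_group = [azurerm_monitor_action_group.action_group.id]
  }
}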
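# Entra ID service-principal alert: a principal that signs in successfully
# (ResultType "0") AND fails with 7000222 ("client secret keys for app are
# expired") in the same window has at least one expired credential still in
# use somewhere. Surfaces the IPs behind each outcome to locate the caller.
resource "azurerm_monitor_scheduled_query_rules_alert" "azuread_spn_expired_alert" {
  name                = "${var.env}-azuread-spn-expired-log"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  description         = "Azure AD service principals that have both successful and failed sign ins because of an expired secret"
  enabled             = true
  tags                = local.tags

  # Log Analytics workspace the KQL below is evaluated against.
  data_source_id = data.azurerm_log_analytics_workspace.law.id

  # ResultType is a string column in AADServicePrincipalSignInLogs, and the
  # final `has_all ("0", "7000222")` already treats it as such; the success
  # branch of make_set_if previously compared it with the integer 0 and has
  # been aligned to the string "0" so all three predicates agree.
  #
  # NOTE(review): time_window (60 min) bounds the data this rule evaluates;
  # the inner `ago(1d)` filter does not widen it. Confirm whether a 1-day
  # look-back was intended (then time_window should change), otherwise the
  # filter is redundant.
  query = <<-QUERY
    AADServicePrincipalSignInLogs
    | where TimeGenerated > ago(1d)
    | summarize
        ['All Error Codes']=make_set(ResultType),
        ['Successful IP Addresses']=make_set_if(IPAddress, ResultType == "0"),
        ['Failed IP Addresses']=make_set_if(IPAddress, ResultType == "7000222")
      by ServicePrincipalId, ServicePrincipalName
    | where ['All Error Codes'] has_all ("0", "7000222")
  QUERY

  # Evaluate every 60 minutes over the previous 60 minutes.
  frequency   = 60
  time_window = 60
  severity    = 1 # a live credential plus an expired one in use points at a rotation gap

  trigger {
    operator  = "GreaterThan"
    threshold = 0 # one affected service principal is enough to fire
  }

  action {
    action_group = [azurerm_monitor_action_group.action_group.id]
  }
}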
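# NSG flow-log alert (Traffic Analytics, AzureNetworkAnalytics_CL): any flow
# to TCP/22 that an NSG rule ALLOWED ("A") in the last 5 minutes. Reports the
# direction, endpoints and target VM so the permitting NSG can be reviewed.
resource "azurerm_monitor_scheduled_query_rules_alert" "nsg_flow_log_alert" {
  name                = "${var.env}-nsg-flow-log"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  description         = "NSG Flow log alert"
  enabled             = true
  tags                = local.tags

  # Log Analytics workspace the KQL below is evaluated against.
  data_source_id = data.azurerm_log_analytics_workspace.law.id

  # Fixes relative to the previous query:
  #  - `DestPort_d` is a numeric (_d = double) custom column; it was compared
  #    with the string "22" and is now compared with the number 22.
  #  - NSG_id was built without the "/" between the resource-group name and
  #    "providers", yielding a malformed resource ID; the separator is added
  #    and the ID is now included in the projected output instead of being
  #    computed and discarded.
  #
  # NOTE(review): time_window (5 min) bounds the data this rule evaluates;
  # the inner `ago(15m)` filter does not widen it. Confirm the intended
  # look-back; if 15 minutes is wanted, raise time_window accordingly.
  query = <<-QUERY
    AzureNetworkAnalytics_CL
    | extend NSGRuleAction=split(NSGRules_s, '|', 3)[0]
    | extend NSGName=tostring(split(NSGList_s, '/', 2)[0])
    | extend RG=tostring(split(NSGList_s, '/', 1)[0])
    | extend sub=tostring(split(NSGList_s, '/', 0)[0])
    | extend NSG_id=strcat("/subscriptions/", sub, "/resourceGroups/", RG, "/providers/Microsoft.Network/networkSecurityGroups/", NSGName)
    | where DestPort_d == 22
        and FASchemaVersion_s == "2"
        and NSGRuleAction == "A"
        and TimeGenerated > ago(15m)
    | project
        TimeGenerated,
        Direction = case(FlowDirection_s == "I", "Inbound", "Outbound"),
        SourceIP = case(FlowDirection_s == "I", case(FlowType_s in ("AzurePublic", "ExternalPublic"), split(SrcPublicIPs_s, '|', 0)[0], iif(isnotempty(SrcIP_s), SrcIP_s, "N/A")), iif(isnotempty(SrcIP_s), SrcIP_s, split(SrcPublicIPs_s, '|', 0)[0])),
        DestinationIP = case(FlowDirection_s == "I", case(FlowType_s in ("AzurePublic", "ExternalPublic"), iif(isnotempty(VMIP_s), VMIP_s, "N/A"), DestIP_s), iif(isnotempty(DestIP_s), DestIP_s, split(DestPublicIPs_s, '|', 0)[0])),
        DestinationPort=DestPort_d,
        DestVMName = case(FlowDirection_s == "I", iif(isnotempty(VM_s), split(VM_s, '/', 1)[0], "N/A"), "N/A"),
        NSG_id
  QUERY

  # Evaluate every 5 minutes over the previous 5 minutes.
  frequency   = 5
  time_window = 5
  severity    = 2

  trigger {
    operator  = "GreaterThan"
    threshold = 0 # a single allowed SSH flow is enough to fire
  }

  action {
    action_group = [azurerm_monitor_action_group.action_group.id]
  }
}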