From 5e4eaeb412a8d15244144cd41b0a58eb2978381b Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Mon, 3 Nov 2025 15:37:07 +0000
Subject: [PATCH 1/6] initial implementation
---
.../activity_log_alert_template/metadata.json | 14 ++
.../activity_log_alert_template/query.rego | 102 ++++++++++++++
.../test/negative1.tf | 21 +++
.../test/positive1.tf | 53 +++++++
.../test/positive2.tf | 133 ++++++++++++++++++
.../test/positive3.tf | 34 +++++
.../test/positive4.tf | 40 ++++++
.../test/positive5.tf | 56 ++++++++
.../test/positive_expected_result.json | 86 +++++++++++
.../terraform_azure.yaml | 4 +
10 files changed, 543 insertions(+)
create mode 100644 assets/queries/terraform/azure/activity_log_alert_template/metadata.json
create mode 100644 assets/queries/terraform/azure/activity_log_alert_template/query.rego
create mode 100644 assets/queries/terraform/azure/activity_log_alert_template/test/negative1.tf
create mode 100644 assets/queries/terraform/azure/activity_log_alert_template/test/positive1.tf
create mode 100644 assets/queries/terraform/azure/activity_log_alert_template/test/positive2.tf
create mode 100644 assets/queries/terraform/azure/activity_log_alert_template/test/positive3.tf
create mode 100644 assets/queries/terraform/azure/activity_log_alert_template/test/positive4.tf
create mode 100644 assets/queries/terraform/azure/activity_log_alert_template/test/positive5.tf
create mode 100644 assets/queries/terraform/azure/activity_log_alert_template/test/positive_expected_result.json
diff --git a/assets/queries/terraform/azure/activity_log_alert_template/metadata.json b/assets/queries/terraform/azure/activity_log_alert_template/metadata.json
new file mode 100644
index 00000000000..ff4695e504c
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_template/metadata.json
@@ -0,0 +1,14 @@
+{
+ "id": "b97a1065-a86b-442f-86c4-f95afd9b3ac6",
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "severity": "MEDIUM",
+ "category": "Observability",
+ "descriptionText": "There should be a 'azurerm_monitor_activity_log_alert' resource configured to capture 'delete security solution' events",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_activity_log_alert",
+ "platform": "Terraform",
+ "descriptionID": "b97a1065",
+ "cloudProvider": "azure",
+ "cwe": "778",
+ "riskScore": "3.0",
+ "experimental": "true"
+}
diff --git a/assets/queries/terraform/azure/activity_log_alert_template/query.rego b/assets/queries/terraform/azure/activity_log_alert_template/query.rego
new file mode 100644
index 00000000000..d37de3f4f22
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_template/query.rego
@@ -0,0 +1,102 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+filter_fields := ["caller", "level", "levels", "status", "statuses", "sub_status", "sub_statuses"]
+
+CxPolicy[result] {
+ resources := {input.document[index].id : log_alerts |
+ log_alerts := input.document[index].resource.azurerm_monitor_activity_log_alert
+ }
+
+ value := at_least_one_valid_log_alert(resources)
+ value.result != "has_valid_log"
+
+ results := get_results(value)[_]
+
+ result := {
+ "documentId": results.doc_id,
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": tf_lib.get_resource_name(results.resource, results.name),
+ "searchKey": sprintf("azurerm_monitor_activity_log_alert[%s].criteria", [results.name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined",
+ "keyActualValue": results.keyActualValue,
+ "searchLine": common_lib.build_search_line(["resource", "azurerm_monitor_activity_log_alert", results.name, "criteria"], [])
+ }
+}
+
+at_least_one_valid_log_alert(resources) = {"result" : "has_valid_log"} {
+ resources[doc_index][x].criteria.category == "Administrative"
+ resources[doc_index][x].criteria.operation_name == "Microsoft.Security/securitySolutions/delete"
+ not has_filter(resources[doc_index][x].criteria)
+ common_lib.valid_key(resources[doc_index][x].action, "action_group_id")
+
+} else = {"result" : "has_log_without_action", "logs": logs} {
+ logs := {doc_index: filtered |
+ resources[doc_index]
+ filtered := {key: resource |
+ resource := resources[doc_index][key]
+ resource.criteria.category == "Administrative"
+ resource.criteria.operation_name == "Microsoft.Security/securitySolutions/delete"
+ not has_filter(resource.criteria)}
+ }
+ logs[_] != {}
+
+} else = {"result" : "has_log_with_filter", "logs": logs} {
+ logs := {doc_index: filtered |
+ resources[doc_index]
+ filtered := {key: resource |
+ resource := resources[doc_index][key]
+ resource.criteria.category == "Administrative"
+ resource.criteria.operation_name == "Microsoft.Security/securitySolutions/delete"}
+ }
+ logs[_] != {}
+
+} else = {"result" : "has_invalid_logs_only", "logs": resources}
+
+get_results(value) = results { # Case of one or more resources failing due to not setting an "action.action_group_id" field
+ value.result == "has_log_without_action"
+
+ results := [z |
+ log := value.logs[doc_id][name]
+ z := {
+ "doc_id" : doc_id,
+ "resource" : log,
+ "name" : name,
+ "keyActualValue" : sprintf("The 'azurerm_monitor_activity_log_alert[%s]' resource monitors 'delete security solution' events but is missing an 'action.action_group_id' field", [name])
+ }]
+
+} else = results { # Case of one or more resources failing due to setting filter(s)
+ value.result == "has_log_with_filter"
+
+ results := [z |
+ filters = get_filters(value.logs[doc_id][name].criteria)
+ z := {
+ "doc_id" : doc_id,
+ "resource" : value.logs[doc_id][name],
+ "name" : name,
+ "keyActualValue" : sprintf("The 'azurerm_monitor_activity_log_alert[%s]' resource monitors 'delete security solution' events but sets %d filter(s): %s", [name, count(filters),concat(", ",filters)])
+ }]
+
+} else = results { # Case of all resources failing due to invalid category and/or operation_name
+ results := [z |
+ log := value.logs[doc_id][name]
+ z := {
+ "doc_id" : doc_id,
+ "resource" : log,
+ "name" : name,
+ "keyActualValue" : "None of the 'azurerm_monitor_activity_log_alert' resources monitor 'delete security solution' events"
+ }]
+}
+
+has_filter(criteria) {
+ common_lib.valid_key(criteria, filter_fields[_])
+}
+
+get_filters(criteria) = [x |
+ y := filter_fields[_]
+ common_lib.valid_key(criteria, y)
+ x := y
+]
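Review bot: `filter_fields` on line 6 of the new file treats only caller/level/status/sub_status as narrowing filters, so the resource-scoping criteria arguments — `resource_id`, which negative1.tf sets to a single storage account, and the related resource_group/resource_provider/resource_type arguments of the same block — do not count, and an alert limited to one resource passes `has_filter` as if it covered every `Microsoft.Security/securitySolutions/delete` event in scope. If the intent is a subscription-wide alert, add those arguments to `filter_fields` (e.g. append `"resource_id", "resource_ids", "resource_group", "resource_groups"` and the provider/type variants) and drop `resource_id` from the negative sample; if per-resource scoping is acceptable, state that in `keyExpectedValue`. Separately, when a project defines no `azurerm_monitor_activity_log_alert` at all, `resources` is `{}`, `at_least_one_valid_log_alert` returns `has_invalid_logs_only` with an empty `logs` and `get_results` yields no entry, so the "there should be a resource configured" requirement in metadata.json is never reported for the absence case — worth a comment above `CxPolicy` saying whether that is deliberate. The `# Case of ...` comments on `get_results` are useful; a matching one-line comment on `at_least_one_valid_log_alert` explaining the branch precedence (valid > missing action > filtered > non-matching) would make the priority that positive4.tf and positive5.tf rely on explicit.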
diff --git a/assets/queries/terraform/azure/activity_log_alert_template/test/negative1.tf b/assets/queries/terraform/azure/activity_log_alert_template/test/negative1.tf
new file mode 100644
index 00000000000..264ceb29d16
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_template/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "azurerm_monitor_activity_log_alert" "negative1" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Negative sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Security/securitySolutions/delete"
+ category = "Administrative"
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+
+ webhook_properties = {
+ from = "terraform"
+ }
+ }
+}
diff --git a/assets/queries/terraform/azure/activity_log_alert_template/test/positive1.tf b/assets/queries/terraform/azure/activity_log_alert_template/test/positive1.tf
new file mode 100644
index 00000000000..7c76a14ef40
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_template/test/positive1.tf
@@ -0,0 +1,53 @@
+resource "azurerm_monitor_activity_log_alert" "positive1_1" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Storage/storageAccounts/write" # wrong operation name
+ category = "Administrative"
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
+
+resource "azurerm_monitor_activity_log_alert" "positive1_2" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Security/securitySolutions/delete"
+ category = "Policy" # wrong category
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
+
+resource "azurerm_monitor_activity_log_alert" "positive1_3" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Storage/storageAccounts/write" # wrong operation name
+ category = "Policy" # wrong category
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
diff --git a/assets/queries/terraform/azure/activity_log_alert_template/test/positive2.tf b/assets/queries/terraform/azure/activity_log_alert_template/test/positive2.tf
new file mode 100644
index 00000000000..1dbef61cb79
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_template/test/positive2.tf
@@ -0,0 +1,133 @@
+# Case of correct "operation_name" and "category" but a type of filter is set
+resource "azurerm_monitor_activity_log_alert" "positive2_1" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Security/securitySolutions/delete"
+ category = "Administrative"
+ caller = "admin@contoso.com" # filters by caller
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
+
+resource "azurerm_monitor_activity_log_alert" "positive2_2" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Security/securitySolutions/delete"
+ category = "Administrative"
+ level = "Informational" # filters by level
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
+
+resource "azurerm_monitor_activity_log_alert" "positive2_3" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Security/securitySolutions/delete"
+ category = "Administrative"
+ levels = ["Informational", "Warning"] # filters by levels
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
+
+resource "azurerm_monitor_activity_log_alert" "positive2_4" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Security/securitySolutions/delete"
+ category = "Administrative"
+ status = "Succeeded" # filters by status
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
+
+resource "azurerm_monitor_activity_log_alert" "positive2_5" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Security/securitySolutions/delete"
+ category = "Administrative"
+ statuses = ["Succeeded", "Failed"] # filters by statuses
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
+
+resource "azurerm_monitor_activity_log_alert" "positive2_6" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Security/securitySolutions/delete"
+ category = "Administrative"
+ sub_status = "Accepted" # filters by sub_status
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
+
+resource "azurerm_monitor_activity_log_alert" "positive2_7" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Security/securitySolutions/delete"
+ category = "Administrative"
+ sub_statuses = ["Accepted", "Conflict"] # filters by sub_statuses
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
diff --git a/assets/queries/terraform/azure/activity_log_alert_template/test/positive3.tf b/assets/queries/terraform/azure/activity_log_alert_template/test/positive3.tf
new file mode 100644
index 00000000000..38eb4dc3407
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_template/test/positive3.tf
@@ -0,0 +1,34 @@
+# Case of correct "operation_name" and "category" but the "action.action_group_id" field is missing
+resource "azurerm_monitor_activity_log_alert" "positive3_1" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Security/securitySolutions/delete"
+ category = "Administrative"
+ }
+
+ # Missing action
+}
+
+resource "azurerm_monitor_activity_log_alert" "positive3_2" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Security/securitySolutions/delete"
+ category = "Administrative"
+ }
+
+ action {
+ # Missing action_group_id
+ }
+}
diff --git a/assets/queries/terraform/azure/activity_log_alert_template/test/positive4.tf b/assets/queries/terraform/azure/activity_log_alert_template/test/positive4.tf
new file mode 100644
index 00000000000..7717d0522cc
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_template/test/positive4.tf
@@ -0,0 +1,40 @@
+
+# Query prioritizes flagging the log alert(s) that is "correct" but has filter(s) over the ones with wrong "operation_name"/"category"
+resource "azurerm_monitor_activity_log_alert" "positive4_1" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Security/securitySolutions/delete"
+ category = "Administrative"
+ caller = "admin@contoso.com" # filters by caller
+ level = "Informational" # filters by level
+ status = "Succeeded" # filters by status
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
+
+resource "azurerm_monitor_activity_log_alert" "positive4_2" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Storage/storageAccounts/write" # wrong operation name
+ category = "Administrative"
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
diff --git a/assets/queries/terraform/azure/activity_log_alert_template/test/positive5.tf b/assets/queries/terraform/azure/activity_log_alert_template/test/positive5.tf
new file mode 100644
index 00000000000..638a0a3ad4d
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_template/test/positive5.tf
@@ -0,0 +1,56 @@
+
+# Query prioritizes flagging the log alert(s) that is "correct" but missing the "action_group_id" field over all others
+resource "azurerm_monitor_activity_log_alert" "positive5_1" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Security/securitySolutions/delete"
+ category = "Administrative"
+ }
+
+ # Missing action block
+}
+
+resource "azurerm_monitor_activity_log_alert" "positive5_2" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Security/securitySolutions/delete"
+ category = "Administrative"
+ caller = "admin@contoso.com" # filters by caller
+ level = "Informational" # filters by level
+ status = "Succeeded" # filters by status
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
+
+resource "azurerm_monitor_activity_log_alert" "positive5_3" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Storage/storageAccounts/write" # wrong operation name
+ category = "Administrative"
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
diff --git a/assets/queries/terraform/azure/activity_log_alert_template/test/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_template/test/positive_expected_result.json
new file mode 100644
index 00000000000..9f7c352a329
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_template/test/positive_expected_result.json
@@ -0,0 +1,86 @@
+[
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "severity": "MEDIUM",
+ "line": 8,
+ "fileName": "positive1.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "severity": "MEDIUM",
+ "line": 26,
+ "fileName": "positive1.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "severity": "MEDIUM",
+ "line": 44,
+ "fileName": "positive1.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "severity": "MEDIUM",
+ "line": 9,
+ "fileName": "positive2.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "severity": "MEDIUM",
+ "line": 28,
+ "fileName": "positive2.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "severity": "MEDIUM",
+ "line": 47,
+ "fileName": "positive2.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "severity": "MEDIUM",
+ "line": 66,
+ "fileName": "positive2.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "severity": "MEDIUM",
+ "line": 85,
+ "fileName": "positive2.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "severity": "MEDIUM",
+ "line": 104,
+ "fileName": "positive2.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "severity": "MEDIUM",
+ "line": 123,
+ "fileName": "positive2.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "severity": "MEDIUM",
+ "line": 9,
+ "fileName": "positive3.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "severity": "MEDIUM",
+ "line": 25,
+ "fileName": "positive3.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "severity": "MEDIUM",
+ "line": 10,
+ "fileName": "positive4.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "severity": "MEDIUM",
+ "line": 10,
+ "fileName": "positive5.tf"
+ }
+]
diff --git a/assets/similarityID_transition/terraform_azure.yaml b/assets/similarityID_transition/terraform_azure.yaml
index 407c810f4d1..71dbe407481 100644
--- a/assets/similarityID_transition/terraform_azure.yaml
+++ b/assets/similarityID_transition/terraform_azure.yaml
@@ -3,3 +3,7 @@ similarityIDChangeList:
queryName: Sensitive Port Is Exposed To Wide Private Network
observations: ""
change: 5
+ - queryId: b97a1065-a86b-442f-86c4-f95afd9b3ac6
+ queryName: Beta - Activity Log Alert For Delete Security Solution
+ observations: ""
+ change: 2
From 50f54edff5556f23db7aa57986eabc242f603992 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Mon, 3 Nov 2025 15:44:47 +0000
Subject: [PATCH 2/6] fix query folder name
---
.../metadata.json | 0
.../query.rego | 0
.../test/negative1.tf | 0
.../test/positive1.tf | 0
.../test/positive2.tf | 0
.../test/positive3.tf | 0
.../test/positive4.tf | 0
.../test/positive5.tf | 0
.../test/positive_expected_result.json | 0
9 files changed, 0 insertions(+), 0 deletions(-)
rename assets/queries/terraform/azure/{activity_log_alert_template => activity_log_alert_for_delete_security_solution}/metadata.json (100%)
rename assets/queries/terraform/azure/{activity_log_alert_template => activity_log_alert_for_delete_security_solution}/query.rego (100%)
rename assets/queries/terraform/azure/{activity_log_alert_template => activity_log_alert_for_delete_security_solution}/test/negative1.tf (100%)
rename assets/queries/terraform/azure/{activity_log_alert_template => activity_log_alert_for_delete_security_solution}/test/positive1.tf (100%)
rename assets/queries/terraform/azure/{activity_log_alert_template => activity_log_alert_for_delete_security_solution}/test/positive2.tf (100%)
rename assets/queries/terraform/azure/{activity_log_alert_template => activity_log_alert_for_delete_security_solution}/test/positive3.tf (100%)
rename assets/queries/terraform/azure/{activity_log_alert_template => activity_log_alert_for_delete_security_solution}/test/positive4.tf (100%)
rename assets/queries/terraform/azure/{activity_log_alert_template => activity_log_alert_for_delete_security_solution}/test/positive5.tf (100%)
rename assets/queries/terraform/azure/{activity_log_alert_template => activity_log_alert_for_delete_security_solution}/test/positive_expected_result.json (100%)
diff --git a/assets/queries/terraform/azure/activity_log_alert_template/metadata.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/metadata.json
similarity index 100%
rename from assets/queries/terraform/azure/activity_log_alert_template/metadata.json
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/metadata.json
diff --git a/assets/queries/terraform/azure/activity_log_alert_template/query.rego b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/query.rego
similarity index 100%
rename from assets/queries/terraform/azure/activity_log_alert_template/query.rego
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/query.rego
diff --git a/assets/queries/terraform/azure/activity_log_alert_template/test/negative1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/azure/activity_log_alert_template/test/negative1.tf
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/negative1.tf
diff --git a/assets/queries/terraform/azure/activity_log_alert_template/test/positive1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/azure/activity_log_alert_template/test/positive1.tf
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive1.tf
diff --git a/assets/queries/terraform/azure/activity_log_alert_template/test/positive2.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive2.tf
similarity index 100%
rename from assets/queries/terraform/azure/activity_log_alert_template/test/positive2.tf
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive2.tf
diff --git a/assets/queries/terraform/azure/activity_log_alert_template/test/positive3.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive3.tf
similarity index 100%
rename from assets/queries/terraform/azure/activity_log_alert_template/test/positive3.tf
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive3.tf
diff --git a/assets/queries/terraform/azure/activity_log_alert_template/test/positive4.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive4.tf
similarity index 100%
rename from assets/queries/terraform/azure/activity_log_alert_template/test/positive4.tf
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive4.tf
diff --git a/assets/queries/terraform/azure/activity_log_alert_template/test/positive5.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive5.tf
similarity index 100%
rename from assets/queries/terraform/azure/activity_log_alert_template/test/positive5.tf
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive5.tf
diff --git a/assets/queries/terraform/azure/activity_log_alert_template/test/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/azure/activity_log_alert_template/test/positive_expected_result.json
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive_expected_result.json
From 238bf1e3a268e1ef2a0b6286a16f2b77af3848dc Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Tue, 4 Nov 2025 12:18:01 +0000
Subject: [PATCH 3/6] adjusted tests for correct per project scope
---
.../test/negative1.tf | 2 +-
.../positive2_1.tf} | 57 ----------------
.../positive2_2.tf} | 20 +++---
.../positive2/positive_expected_result.json | 44 +++++++++++++
.../test/positive3/positive3_1.tf | 16 +++++
.../positive3_2.tf} | 16 -----
.../positive3/positive_expected_result.json | 14 ++++
.../test/positive4/positive4_1.tf | 21 ++++++
.../test/positive4/positive4_2.tf | 17 +++++
.../positive4/positive_expected_result.json | 8 +++
.../positive5_1.tf} | 19 +++---
.../test/positive5/positive5_2.tf | 17 +++++
.../positive5/positive_expected_result.json | 8 +++
.../test/positive_expected_result.json | 66 -------------------
14 files changed, 164 insertions(+), 161 deletions(-)
rename assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/{positive2.tf => positive2/positive2_1.tf} (57%)
rename assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/{positive5.tf => positive2/positive2_2.tf} (66%)
create mode 100644 assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive2/positive_expected_result.json
create mode 100644 assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive3/positive3_1.tf
rename assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/{positive3.tf => positive3/positive3_2.tf} (55%)
create mode 100644 assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive3/positive_expected_result.json
create mode 100644 assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive4/positive4_1.tf
create mode 100644 assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive4/positive4_2.tf
create mode 100644 assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive4/positive_expected_result.json
rename assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/{positive4.tf => positive5/positive5_1.tf} (78%)
create mode 100644 assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive5/positive5_2.tf
create mode 100644 assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive5/positive_expected_result.json
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/negative1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/negative1.tf
index 264ceb29d16..eca53013779 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/negative1.tf
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/negative1.tf
@@ -7,7 +7,7 @@ resource "azurerm_monitor_activity_log_alert" "negative1" {
criteria {
resource_id = azurerm_storage_account.to_monitor.id
- operation_name = "Microsoft.Security/securitySolutions/delete"
+ operation_name = "operation_value"
category = "Administrative"
}
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive2.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive2/positive2_1.tf
similarity index 57%
rename from assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive2.tf
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive2/positive2_1.tf
index 1dbef61cb79..6b1bc8ecc63 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive2.tf
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive2/positive2_1.tf
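Review bot: With `operation_name = "operation_value"` negative1.tf no longer contains an alert whose criteria match `Microsoft.Security/securitySolutions/delete`, so under query.rego as it stands in this series (none of the 14 files in this commit is the query) the sample falls into the `has_invalid_logs_only` branch and is reported — it behaves as a positive, not a negative. If the aim is a negative sample that still scans cleanly, keep `operation_name = "Microsoft.Security/securitySolutions/delete"` and vary something the query ignores; if a later patch in the series changes how non-matching alerts are handled, that dependency is worth stating in the commit message. The enclosing resource block starts and ends outside the hunk.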
@@ -74,60 +74,3 @@ resource "azurerm_monitor_activity_log_alert" "positive2_4" {
 action_group_id = azurerm_monitor_action_group.main.id
 }
 }
-
-resource "azurerm_monitor_activity_log_alert" "positive2_5" {
- name = "example-activitylogalert"
- resource_group_name = azurerm_resource_group.example.name
- location = azurerm_resource_group.example.location
- scopes = [azurerm_resource_group.example.id]
- description = "Positive sample"
-
- criteria {
- resource_id = azurerm_storage_account.to_monitor.id
- operation_name = "Microsoft.Security/securitySolutions/delete"
- category = "Administrative"
- statuses = ["Succeeded", "Failed"] # filters by statuses
- }
-
- action {
- action_group_id = azurerm_monitor_action_group.main.id
- }
-}
-
-resource "azurerm_monitor_activity_log_alert" "positive2_6" {
- name = "example-activitylogalert"
- resource_group_name = azurerm_resource_group.example.name
- location = azurerm_resource_group.example.location
- scopes = [azurerm_resource_group.example.id]
- description = "Positive sample"
-
- criteria {
- resource_id = azurerm_storage_account.to_monitor.id
- operation_name = "Microsoft.Security/securitySolutions/delete"
- category = "Administrative"
- sub_status = "Accepted" # filters by sub_status
- }
-
- action {
- action_group_id = azurerm_monitor_action_group.main.id
- }
-}
-
-resource "azurerm_monitor_activity_log_alert" "positive2_7" {
- name = "example-activitylogalert"
- resource_group_name = azurerm_resource_group.example.name
- location = azurerm_resource_group.example.location
- scopes = [azurerm_resource_group.example.id]
- description = "Positive sample"
-
- criteria {
- resource_id = azurerm_storage_account.to_monitor.id
- operation_name = "Microsoft.Security/securitySolutions/delete"
- category = "Administrative"
- sub_statuses = ["Accepted", "Conflict"] # filters by sub_statuses
- }
-
- action {
- action_group_id = azurerm_monitor_action_group.main.id
- }
-}
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive5.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive2/positive2_2.tf
similarity index 66%
rename from assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive5.tf
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive2/positive2_2.tf
index 638a0a3ad4d..8a170f11693 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive5.tf
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive2/positive2_2.tf
@@ -1,6 +1,4 @@
-
-# Query prioritizes flagging the log alert(s) that is "correct" but missing the "action_group_id" field over all others
-resource "azurerm_monitor_activity_log_alert" "positive5_1" {
+resource "azurerm_monitor_activity_log_alert" "positive2_5" {
 name = "example-activitylogalert"
 resource_group_name = azurerm_resource_group.example.name
 location = azurerm_resource_group.example.location
@@ -11,12 +9,15 @@ resource "azurerm_monitor_activity_log_alert" "positive5_1" {
 resource_id = azurerm_storage_account.to_monitor.id
 operation_name = "Microsoft.Security/securitySolutions/delete"
 category = "Administrative"
+ statuses = ["Succeeded", "Failed"] # filters by statuses
 }
 
- # Missing action block
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
 }
 
-resource "azurerm_monitor_activity_log_alert" "positive5_2" {
+resource "azurerm_monitor_activity_log_alert" "positive2_6" {
 name = "example-activitylogalert"
 resource_group_name = azurerm_resource_group.example.name
 location = azurerm_resource_group.example.location
@@ -27,9 +28,7 @@ resource "azurerm_monitor_activity_log_alert" "positive5_2" {
 resource_id = azurerm_storage_account.to_monitor.id
 operation_name = "Microsoft.Security/securitySolutions/delete"
 category = "Administrative"
- caller = "admin@contoso.com" # filters by caller
- level = "Informational" # filters by level
- status = "Succeeded" # filters by status
+ sub_status = "Accepted" # filters by sub_status
 }
 
 action {
@@ -37,7 +36,7 @@ resource "azurerm_monitor_activity_log_alert" "positive5_2" {
 }
 }
 
-resource "azurerm_monitor_activity_log_alert" "positive5_3" {
+resource "azurerm_monitor_activity_log_alert" "positive2_7" {
 name = "example-activitylogalert"
 resource_group_name = azurerm_resource_group.example.name
 location = azurerm_resource_group.example.location
@@ -46,8 +45,9 @@ resource "azurerm_monitor_activity_log_alert" "positive5_3" {
 
 criteria {
 resource_id = azurerm_storage_account.to_monitor.id
- operation_name = "Microsoft.Storage/storageAccounts/write" # wrong operation name
+ operation_name = "Microsoft.Security/securitySolutions/delete"
 category = "Administrative"
+ sub_statuses = ["Accepted", "Conflict"] # filters by sub_statuses
 }
 
 action {
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive2/positive_expected_result.json
new file mode 100644
index 00000000000..d905e85a95d
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive2/positive_expected_result.json
@@ -0,0 +1,44 @@
+[
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "severity": "MEDIUM",
+ "line": 9,
+ "fileName": "positive2_1.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "severity": "MEDIUM",
+ "line": 28,
+ "fileName": "positive2_1.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "severity": "MEDIUM",
+ "line": 47,
+ "fileName": "positive2_1.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "severity": "MEDIUM",
+ "line": 66,
+ "fileName": "positive2_1.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "severity": "MEDIUM",
+ "line": 8,
+ "fileName": "positive2_2.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "severity": "MEDIUM",
+ "line": 27,
+ "fileName": "positive2_2.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "severity": "MEDIUM",
+ "line": 46,
+ "fileName": "positive2_2.tf"
+ }
+]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive3/positive3_1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive3/positive3_1.tf
new file mode 100644
index 00000000000..449b26dbcb2
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive3/positive3_1.tf
@@ -0,0 +1,16 @@
+# Case of correct "operation_name" and "category" but the "action.action_group_id" field is missing
+resource "azurerm_monitor_activity_log_alert" "positive3_1" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Security/securitySolutions/delete"
+ category = "Administrative"
+ }
+
+ # Missing action
+}
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive3.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive3/positive3_2.tf
similarity index 55%
rename from assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive3.tf
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive3/positive3_2.tf
index 38eb4dc3407..1c0c21b22a6 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive3.tf
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive3/positive3_2.tf
@@ -1,20 +1,4 @@
 # Case of correct "operation_name" and "category" but the "action.action_group_id" field is missing
-resource "azurerm_monitor_activity_log_alert" "positive3_1" {
- name = "example-activitylogalert"
- resource_group_name = azurerm_resource_group.example.name
- location = azurerm_resource_group.example.location
- scopes = [azurerm_resource_group.example.id]
- description = "Positive sample"
-
- criteria {
- resource_id = azurerm_storage_account.to_monitor.id
- operation_name = "Microsoft.Security/securitySolutions/delete"
- category = "Administrative"
- }
-
- # Missing action
-}
-
 resource "azurerm_monitor_activity_log_alert" "positive3_2" {
 name = "example-activitylogalert"
 resource_group_name = azurerm_resource_group.example.name
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive3/positive_expected_result.json
new file mode 100644
index 00000000000..a267ff2c4fb
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive3/positive_expected_result.json
@@ -0,0 +1,14 @@
+[
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "severity": "MEDIUM",
+ "line": 9,
+ "fileName": "positive3_1.tf"
+ },
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "severity": "MEDIUM",
+ "line": 9,
+ "fileName": "positive3_2.tf"
+ }
+]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive4/positive4_1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive4/positive4_1.tf
new file mode 100644
index 00000000000..ee7a762d18d
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive4/positive4_1.tf
@@ -0,0 +1,21 @@
+# Query prioritizes flagging the log alert(s) that is "correct" but has filter(s) over the ones with wrong "operation_name"/"category"
+resource "azurerm_monitor_activity_log_alert" "positive4_1" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Security/securitySolutions/delete"
+ category = "Administrative"
+ caller = "admin@contoso.com" # filters by caller
+ level = "Informational" # filters by level
+ status = "Succeeded" # filters by status
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive4/positive4_2.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive4/positive4_2.tf
new file mode 100644
index 00000000000..fe894643730
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive4/positive4_2.tf
@@ -0,0 +1,17 @@
+resource "azurerm_monitor_activity_log_alert" "positive4_2" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Storage/storageAccounts/write" # wrong operation name
+ category = "Administrative"
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive4/positive_expected_result.json
new file mode 100644
index 00000000000..2efa9a3541d
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive4/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "severity": "MEDIUM",
+ "line": 9,
+ "fileName": "positive4_1.tf"
+ }
+]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive4.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive5/positive5_1.tf
similarity index 78%
rename from assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive4.tf
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive5/positive5_1.tf
index 7717d0522cc..a059270b362 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive4.tf
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive5/positive5_1.tf
@@ -1,6 +1,5 @@
-
-# Query prioritizes flagging the log alert(s) that is "correct" but has filter(s) over the ones with wrong "operation_name"/"category"
-resource "azurerm_monitor_activity_log_alert" "positive4_1" {
+# Query prioritizes flagging the log alert(s) that is "correct" but missing the "action_group_id" field over all others
+resource "azurerm_monitor_activity_log_alert" "positive5_1" {
 name = "example-activitylogalert"
 resource_group_name = azurerm_resource_group.example.name
 location = azurerm_resource_group.example.location
@@ -11,17 +10,12 @@ resource "azurerm_monitor_activity_log_alert" "positive4_1" {
 resource_id = azurerm_storage_account.to_monitor.id
 operation_name = "Microsoft.Security/securitySolutions/delete"
 category = "Administrative"
- caller = "admin@contoso.com" # filters by caller
- level = "Informational" # filters by level
- status = "Succeeded" # filters by status
 }
 
- action {
- action_group_id = azurerm_monitor_action_group.main.id
- }
+ # Missing action block
 }
 
-resource "azurerm_monitor_activity_log_alert" "positive4_2" {
+resource "azurerm_monitor_activity_log_alert" "positive5_2" {
 name = "example-activitylogalert"
 resource_group_name = azurerm_resource_group.example.name
 location = azurerm_resource_group.example.location
@@ -30,8 +24,11 @@ resource "azurerm_monitor_activity_log_alert" "positive4_2" {
 
 criteria {
 resource_id = azurerm_storage_account.to_monitor.id
- operation_name = "Microsoft.Storage/storageAccounts/write" # wrong operation name
+ operation_name = "Microsoft.Security/securitySolutions/delete"
 category = "Administrative"
+ caller = "admin@contoso.com" # filters by caller
+ level = "Informational" # filters by level
+ status = "Succeeded" # filters by status
 }
 
 action {
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive5/positive5_2.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive5/positive5_2.tf
new file mode 100644
index 00000000000..dfe8d9f3ce9
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive5/positive5_2.tf
@@ -0,0 +1,17 @@
+resource "azurerm_monitor_activity_log_alert" "positive5_3" {
+ name = "example-activitylogalert"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ scopes = [azurerm_resource_group.example.id]
+ description = "Positive sample"
+
+ criteria {
+ resource_id = azurerm_storage_account.to_monitor.id
+ operation_name = "Microsoft.Storage/storageAccounts/write" # wrong operation name
+ category = "Administrative"
+ }
+
+ action {
+ action_group_id = azurerm_monitor_action_group.main.id
+ }
+}
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive5/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive5/positive_expected_result.json
new file mode 100644
index 00000000000..bdb66947034
--- /dev/null
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive5/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "severity": "MEDIUM",
+ "line": 9,
+ "fileName": "positive5_1.tf"
+ }
+]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive_expected_result.json
index 9f7c352a329..86868712f70 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive_expected_result.json
@@ -16,71 +16,5 @@
 "severity": "MEDIUM",
 "line": 44,
 "fileName": "positive1.tf"
- },
- {
- "queryName": "Beta - Activity Log Alert For Delete Security Solution",
- "severity": "MEDIUM",
- "line": 9,
- "fileName": "positive2.tf"
- },
- {
- "queryName": "Beta - Activity Log Alert For Delete Security Solution",
- "severity": "MEDIUM",
- "line": 28,
- "fileName": "positive2.tf"
- },
- {
- "queryName": "Beta - Activity Log Alert For Delete Security Solution",
- "severity": "MEDIUM",
- "line": 47,
- "fileName": "positive2.tf"
- },
- {
- "queryName": "Beta - Activity Log Alert For Delete Security Solution",
- "severity": "MEDIUM",
- "line": 66,
- "fileName": "positive2.tf"
- },
- {
- "queryName": "Beta - Activity Log Alert For Delete Security Solution",
- "severity": "MEDIUM",
- "line": 85,
- "fileName": "positive2.tf"
- },
- {
- "queryName": "Beta - Activity Log Alert For Delete Security Solution",
- "severity": "MEDIUM",
- "line": 104,
- "fileName": "positive2.tf"
- },
- {
- "queryName": "Beta - Activity Log Alert For Delete Security Solution",
- "severity": "MEDIUM",
- "line": 123,
- "fileName": "positive2.tf"
- },
- {
- "queryName": "Beta - Activity Log Alert For Delete Security Solution",
- "severity": "MEDIUM",
- "line": 9,
- "fileName": "positive3.tf"
- },
- {
- "queryName": "Beta - Activity Log Alert For Delete Security Solution",
- "severity": "MEDIUM",
- "line": 25,
- "fileName": "positive3.tf"
- },
- {
- "queryName": "Beta - Activity Log Alert For Delete Security Solution",
- "severity": "MEDIUM",
- "line": 10,
- "fileName": "positive4.tf"
- },
- {
- "queryName": "Beta - Activity Log Alert For Delete Security Solution",
- "severity": "MEDIUM",
- "line": 10,
- "fileName": "positive5.tf"
 }
 ]
From ced4d1d2cdc0a7928971da78822fa5b6e35aaee2 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Tue, 4 Nov 2025 12:32:23 +0000
Subject: [PATCH 4/6] fix test
---
 .../test/negative1.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/negative1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/negative1.tf
index eca53013779..264ceb29d16 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/negative1.tf
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/negative1.tf
@@ -7,7 +7,7 @@ resource "azurerm_monitor_activity_log_alert" "negative1" {
 
 criteria {
 resource_id = azurerm_storage_account.to_monitor.id
- operation_name = "operation_value"
+ operation_name = "Microsoft.Security/securitySolutions/delete"
 category = "Administrative"
 }
 
From 277da9be50e9597360f96ea5872f83ac4f197d6d Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Wed, 5 Nov 2025 15:13:00 +0000
Subject: [PATCH 5/6] issueType improvement
---
 .../query.rego | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/query.rego b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/query.rego
index d37de3f4f22..225f71a1e45 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/query.rego
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/query.rego
@@ -20,7 +20,7 @@ CxPolicy[result] {
 "resourceType": "azurerm_monitor_activity_log_alert",
 "resourceName": tf_lib.get_resource_name(results.resource, results.name),
 "searchKey": sprintf("azurerm_monitor_activity_log_alert[%s].criteria", [results.name]),
- "issueType": "IncorrectValue",
+ "issueType": results.issueType,
 "keyExpectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined",
 "keyActualValue": results.keyActualValue,
 "searchLine": common_lib.build_search_line(["resource", "azurerm_monitor_activity_log_alert", results.name, "criteria"], [])
@@ -64,6 +64,7 @@ get_results(value) = results { # Case of one or more resources failing due t
 z := {
 "doc_id" : doc_id,
 "resource" : log,
+ "issueType": "MissingAttribute",
 "name" : name,
 "keyActualValue" : sprintf("The 'azurerm_monitor_activity_log_alert[%s]' resource monitors 'delete security solution' events but is missing an 'action.action_group_id' field", [name])
 }]
@@ -76,6 +77,7 @@ get_results(value) = results { # Case of one or more resources failing due t
 z := {
 "doc_id" : doc_id,
 "resource" : value.logs[doc_id][name],
+ "issueType": "IncorrectValue",
 "name" : name,
 "keyActualValue" : sprintf("The 'azurerm_monitor_activity_log_alert[%s]' resource monitors 'delete security solution' events but sets %d filter(s): %s", [name, count(filters),concat(", ",filters)])
 }]
@@ -86,6 +88,7 @@ get_results(value) = results { # Case of one or more resources failing due t
 z := {
 "doc_id" : doc_id,
 "resource" : log,
+ "issueType": "IncorrectValue",
 "name" : name,
 "keyActualValue" : "None of the 'azurerm_monitor_activity_log_alert' resources monitor 'delete security solution' events"
 }]
From e893fda8c2ccea337d6768e7bd65df451bd98e25 Mon Sep 17 00:00:00 2001
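Review bot: The `searchKey` and `searchLine` in the first hunk still end in `criteria` for every branch, while the second hunk now reports `MissingAttribute` for a resource whose `criteria` block is correct and whose `action.action_group_id` is absent, so that finding is anchored on the wrong block (positive3's expected line 9 is the `criteria {` line of a resource that has no `action` block at all). Carrying the block name in each `z` object next to `issueType` and substituting it into `searchKey` and the `build_search_line` path would put each issue type on the attribute it describes; if `build_search_line` cannot resolve an absent `action` block, the resource line is the sensible fallback, and the per-directory expected-result files would need their line numbers updated. The `CxPolicy` rule body and the three `get_results` branches start outside their hunks. Because the first hunk reads `results.issueType` unconditionally, a branch that omits the key leaves the rule undefined for that result rather than raising an error; a comment such as `# every get_results branch must set issueType (and block), otherwise the result is silently dropped` above the result object would document that contract.
```rego
"searchKey": sprintf("azurerm_monitor_activity_log_alert[%s].%s", [results.name, results.block]),
"issueType": results.issueType,
# … unchanged: keyExpectedValue, keyActualValue …
"searchLine": common_lib.build_search_line(["resource", "azurerm_monitor_activity_log_alert", results.name, results.block], [])
# … unchanged: get_results branches; each z object gains a block entry next to issueType, e.g. …
"issueType": "MissingAttribute",
"block": "action",
```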
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Thu, 6 Nov 2025 10:34:55 +0000
Subject: [PATCH 6/6] query renaming
---
 .../metadata.json | 2 +-
 .../query.rego | 0
 .../test/negative1.tf | 0
 .../test/positive1.tf | 0
 .../test/positive2/positive2_1.tf | 0
 .../test/positive2/positive2_2.tf | 0
 .../test/positive2/positive_expected_result.json | 14 +++++++-------
 .../test/positive3/positive3_1.tf | 0
 .../test/positive3/positive3_2.tf | 0
 .../test/positive3/positive_expected_result.json | 4 ++--
 .../test/positive4/positive4_1.tf | 0
 .../test/positive4/positive4_2.tf | 0
 .../test/positive4/positive_expected_result.json | 2 +-
 .../test/positive5/positive5_1.tf | 0
 .../test/positive5/positive5_2.tf | 0
 .../test/positive5/positive_expected_result.json | 2 +-
 .../test/positive_expected_result.json | 6 +++---
 .../similarityID_transition/terraform_azure.yaml | 2 +-
 18 files changed, 16 insertions(+), 16 deletions(-)
 rename assets/queries/terraform/azure/{activity_log_alert_for_delete_security_solution => activity_log_alert_for_delete_security_solution_not_configured}/metadata.json (96%)
 rename assets/queries/terraform/azure/{activity_log_alert_for_delete_security_solution => activity_log_alert_for_delete_security_solution_not_configured}/query.rego (100%)
 rename assets/queries/terraform/azure/{activity_log_alert_for_delete_security_solution => activity_log_alert_for_delete_security_solution_not_configured}/test/negative1.tf (100%)
 rename assets/queries/terraform/azure/{activity_log_alert_for_delete_security_solution => activity_log_alert_for_delete_security_solution_not_configured}/test/positive1.tf (100%)
 rename assets/queries/terraform/azure/{activity_log_alert_for_delete_security_solution => activity_log_alert_for_delete_security_solution_not_configured}/test/positive2/positive2_1.tf (100%)
 rename assets/queries/terraform/azure/{activity_log_alert_for_delete_security_solution => activity_log_alert_for_delete_security_solution_not_configured}/test/positive2/positive2_2.tf (100%)
 rename assets/queries/terraform/azure/{activity_log_alert_for_delete_security_solution => activity_log_alert_for_delete_security_solution_not_configured}/test/positive2/positive_expected_result.json (85%)
 rename assets/queries/terraform/azure/{activity_log_alert_for_delete_security_solution => activity_log_alert_for_delete_security_solution_not_configured}/test/positive3/positive3_1.tf (100%)
 rename assets/queries/terraform/azure/{activity_log_alert_for_delete_security_solution => activity_log_alert_for_delete_security_solution_not_configured}/test/positive3/positive3_2.tf (100%)
 rename assets/queries/terraform/azure/{activity_log_alert_for_delete_security_solution => activity_log_alert_for_delete_security_solution_not_configured}/test/positive3/positive_expected_result.json (85%)
 rename assets/queries/terraform/azure/{activity_log_alert_for_delete_security_solution => activity_log_alert_for_delete_security_solution_not_configured}/test/positive4/positive4_1.tf (100%)
 rename assets/queries/terraform/azure/{activity_log_alert_for_delete_security_solution => activity_log_alert_for_delete_security_solution_not_configured}/test/positive4/positive4_2.tf (100%)
 rename assets/queries/terraform/azure/{activity_log_alert_for_delete_security_solution => activity_log_alert_for_delete_security_solution_not_configured}/test/positive4/positive_expected_result.json (85%)
 rename assets/queries/terraform/azure/{activity_log_alert_for_delete_security_solution => activity_log_alert_for_delete_security_solution_not_configured}/test/positive5/positive5_1.tf (100%)
 rename assets/queries/terraform/azure/{activity_log_alert_for_delete_security_solution => activity_log_alert_for_delete_security_solution_not_configured}/test/positive5/positive5_2.tf (100%)
 rename assets/queries/terraform/azure/{activity_log_alert_for_delete_security_solution => activity_log_alert_for_delete_security_solution_not_configured}/test/positive5/positive_expected_result.json (85%)
 rename assets/queries/terraform/azure/{activity_log_alert_for_delete_security_solution => activity_log_alert_for_delete_security_solution_not_configured}/test/positive_expected_result.json (84%)
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/metadata.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/metadata.json
similarity index 96%
rename from assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/metadata.json
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/metadata.json
index ff4695e504c..518c2b16717 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/metadata.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "b97a1065-a86b-442f-86c4-f95afd9b3ac6",
- "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured",
 "severity": "MEDIUM",
 "category": "Observability",
 "descriptionText": "There should be a 'azurerm_monitor_activity_log_alert' resource configured to capture 'delete security solution' events",
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/query.rego b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/query.rego
similarity index 100%
rename from assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/query.rego
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/query.rego
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/negative1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/negative1.tf
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/negative1.tf
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive1.tf
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive1.tf
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive2/positive2_1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive2_1.tf
similarity index 100%
rename from assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive2/positive2_1.tf
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive2_1.tf
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive2/positive2_2.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive2_2.tf
similarity index 100%
rename from assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive2/positive2_2.tf
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive2_2.tf
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive_expected_result.json
similarity index 85%
rename from assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive2/positive_expected_result.json
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive_expected_result.json
index d905e85a95d..48cd89dddfe 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive2/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive_expected_result.json
@@ -1,42 +1,42 @@
 [
 {
- "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 9,
 "fileName": "positive2_1.tf"
 },
 {
- "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 28,
 "fileName": "positive2_1.tf"
 },
 {
- "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 47,
 "fileName": "positive2_1.tf"
 },
 {
- "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 66,
 "fileName": "positive2_1.tf"
 },
 {
- "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 8,
 "fileName": "positive2_2.tf"
 },
 {
- "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 27,
 "fileName": "positive2_2.tf"
 },
 {
- "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 46,
 "fileName": "positive2_2.tf"
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive3/positive3_1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive3/positive3_1.tf
similarity index 100%
rename from assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive3/positive3_1.tf
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive3/positive3_1.tf
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive3/positive3_2.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive3/positive3_2.tf
similarity index 100%
rename from assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive3/positive3_2.tf
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive3/positive3_2.tf
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive3/positive_expected_result.json
similarity index 85%
rename from assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive3/positive_expected_result.json
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive3/positive_expected_result.json
index a267ff2c4fb..df7ec6ee0e6 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive3/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive3/positive_expected_result.json
@@ -1,12 +1,12 @@
 [
 {
- "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 9,
 "fileName": "positive3_1.tf"
 },
 {
- "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 9,
 "fileName": "positive3_2.tf"
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive4/positive4_1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive4/positive4_1.tf
similarity index 100%
rename from assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive4/positive4_1.tf
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive4/positive4_1.tf
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive4/positive4_2.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive4/positive4_2.tf
similarity index 100%
rename from assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive4/positive4_2.tf
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive4/positive4_2.tf
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive4/positive_expected_result.json
similarity index 85%
rename from assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive4/positive_expected_result.json
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive4/positive_expected_result.json
index 2efa9a3541d..0ec2da06fea 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive4/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive4/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 9,
 "fileName": "positive4_1.tf"
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive5/positive5_1.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive5/positive5_1.tf
similarity index 100%
rename from assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive5/positive5_1.tf
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive5/positive5_1.tf
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive5/positive5_2.tf b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive5/positive5_2.tf
similarity index 100%
rename from assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive5/positive5_2.tf
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive5/positive5_2.tf
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive5/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive5/positive_expected_result.json
similarity index 85%
rename from assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive5/positive_expected_result.json
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive5/positive_expected_result.json
index bdb66947034..738d3241c9e 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive5/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive5/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 9,
 "fileName": "positive5_1.tf"
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive_expected_result.json
similarity index 84%
rename from assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive_expected_result.json
rename to assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive_expected_result.json
index 86868712f70..fe8a6b758e3 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive_expected_result.json
@@ -1,18 +1,18 @@
 [
 {
- "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 8,
 "fileName": "positive1.tf"
 },
 {
- "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 26,
 "fileName": "positive1.tf"
 },
 {
- "queryName": "Beta - Activity Log Alert For Delete Security Solution",
+ "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 44,
 "fileName": "positive1.tf"
diff --git a/assets/similarityID_transition/terraform_azure.yaml b/assets/similarityID_transition/terraform_azure.yaml
index 71dbe407481..b5d423f7409 100644
--- a/assets/similarityID_transition/terraform_azure.yaml
+++ b/assets/similarityID_transition/terraform_azure.yaml
@@ -4,6 +4,6 @@ similarityIDChangeList:
 observations: ""
 change: 5
 - queryId: b97a1065-a86b-442f-86c4-f95afd9b3ac6
- queryName: Beta - Activity Log Alert For Delete Security Solution
+ queryName: Beta - Activity Log Alert For Delete Security Solution Not Configured
 observations: ""
 change: 2