@Alexandre Ribeiro do Nascimento @Monalla-MSFT The issue has been resolved. It was a regression bug that was introduced in an API update. The policy isn't the problem; the problem was with the resource provider and their API. The issue can be closed.
Bug in built-in activity log alert should exist policies
We use the following built-in policies to ensure activity log alerts are created for certain operations:
https://www.azadvertizer.net/azpolicyadvertizer/b954148f-4c11-4c38-8221-be76711e194a.html
https://www.azadvertizer.net/azpolicyadvertizer/c5447c04-a4d7-4ba8-a263-c9ee321a6858.html
https://www.azadvertizer.net/azpolicyadvertizer/3b980d31-7904-4bb7-8575-5665739a8052.html
For some time now, these policies have all become non-compliant despite the fact that the necessary alerts are created.
- To reproduce this issue assign one of these policies e.g. 'An activity log alert should exist for specific Security operations' with a specific operation for instance 'Microsoft.Security/securitySolutions/write' to a subscription that does not contain an alert yet with a condition for this category/operation.
- After policy assignment evaluation is started the policy and subscription become non-compliant
- Create an activity log alert in the subscription with the category Security and operation 'Microsoft.Security/securitySolutions/write'
- Wait until policy evaluation has run. Eventually trigger it by running the az command 'az policy state trigger-scan' on the specific subscription.
- Both the policy and the resource remain non-compliant which is not expected behavior.
- Details about the non-compliancy reason are shown below in the first screenshot.
It seems to be caused by the type in the details section on which the existenceCondition is run.
I also created a copy of this built-in policy and stripped the existenceCondition to a minimum, but it still remains non-compliant; see second screenshot. So my assumption is that it has something to do with the details type 'Microsoft.Insights/activityLogAlerts'.
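An added example, not part of the original post: a small Python check that the alert from the reproduction steps really exists, independent of the policy's compliance result, so that a policy false negative can be told apart from a missing alert. The sample JSON is constructed and follows the `Microsoft.Insights/activityLogAlerts` resource shape (`enabled`, `scopes`, `condition.allOf`); the function names and the requirement that the alert be enabled and scoped to the subscription are assumptions of this example, not the built-in policy's exact logic.

```python
import json

# Constructed sample in the shape of Microsoft.Insights/activityLogAlerts
# resources (placeholder subscription id; not data from the original post).
SAMPLE_ALERTS = json.loads("""
[
  {"name": "alert-security-solutions",
   "properties": {
     "enabled": true,
     "scopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
     "condition": {"allOf": [
       {"field": "category", "equals": "Security"},
       {"field": "operationName",
        "equals": "Microsoft.Security/securitySolutions/write"}]}}},
  {"name": "alert-disabled",
   "properties": {
     "enabled": false,
     "scopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
     "condition": {"allOf": [
       {"field": "category", "equals": "Security"},
       {"field": "operationName",
        "equals": "Microsoft.Security/policies/write"}]}}}
]
""")


def _props(alert):
    # ARM responses nest settings under "properties"; some tools flatten them.
    return alert.get("properties") or alert


def matching_alerts(alerts, subscription_id, category, operation):
    """Names of enabled alerts scoped to the subscription whose condition
    contains both the wanted category and the wanted operationName."""
    scope = f"/subscriptions/{subscription_id}".lower()
    wanted = {("category", category.lower()),
              ("operationname", operation.lower())}
    hits = []
    for alert in alerts:
        p = _props(alert)
        leaves = {(str(c.get("field", "")).lower(), str(c.get("equals", "")).lower())
                  for c in (p.get("condition") or {}).get("allOf", [])}
        scoped = any(s.lower() == scope for s in (p.get("scopes") or []))
        # Compare case-insensitively: resource ids and operation names are
        # not case-sensitive in Azure.
        if p.get("enabled") and scoped and wanted <= leaves:
            hits.append(alert["name"])
    return hits
```

If this returns a match while the policy still reports the subscription as non-compliant, the alert is in place and the discrepancy lies in the policy evaluation.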
2 answers
Monalla-MSFT 13,031 Reputation points
2023-11-27T13:05:31.23+00:00
@neok-g - Thanks for reaching out to us, and glad to hear that the issue is resolved for you. I have also got confirmation from the product team that they have fixed this bug in an API update that they made recently.
Hope this helps, and please feel free to reach out if you have any further questions.
Please don't forget to "Accept as Answer" and click "Yes" if the above response is helpful, so it can be beneficial to the community.