Azure Monitor Baseline Alerts

Secure log search alert queries with Customer-managed key

In this page

Overview
How this feature works

Overview

The query language used in Log Analytics is expressive, and queries can contain sensitive information in comments or in the query syntax itself. Although all data and saved queries are encrypted at rest using Microsoft-managed keys (MMK), some organizations might require that such information be protected under a Customer-managed key policy. For this reason, you need to save your queries encrypted with your own key. Azure Monitor lets you store saved queries and log search alerts encrypted with your key in your own Storage Account when it is linked to your workspace. See the guidance and considerations in the following article: Azure Monitor customer-managed keys.

(Screenshot: Alert Rule)

How this feature works

This feature is applicable only to log-search alerts.

The Require a workspace linked storage option in the query alert rule controls whether this scheduled query rule should be stored in the customer's storage. To control this option in the AMBA-ALZ pattern, we use the checkWorkspaceAlertsStorageConfigured parameter with a default value of 'false'. More information is available in the following article: Scheduled Query Rules.

To change the checkWorkspaceAlertsStorageConfigured flag to 'true', navigate to:

An alert rule won’t be created if the Log Analytics workspace doesn’t have a configured linked storage account.

Enabling this feature without a linked storage account will cause the remediation task to fail:

(Screenshot: remediation task error)

with an error message similar to the following one:

(Screenshot: remediation task error message)

As a consequence, no alert rule for the given policy will be created, and the corresponding policy definition will show as Non-compliant. See the image below.

(Screenshot: Policy compliance)
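The following preflight check is an added example and is not part of the AMBA-ALZ project: before setting checkWorkspaceAlertsStorageConfigured to 'true', it confirms that the workspace has a linked storage account of dataSourceType 'Alerts', so the problem surfaces before deployment rather than as a failed remediation task. The sample linked-storage responses are constructed with placeholder resource ids; the optional `list_linked_storage` helper assumes a logged-in Azure CLI.

```python
"""Preflight check for checkWorkspaceAlertsStorageConfigured (added example)."""
import json
import subprocess


def alerts_storage_linked(linked_storage):
    """True if a linked storage entry of dataSourceType 'Alerts' with at least
    one storage account id exists. Accepts the flattened Azure CLI shape as
    well as the raw ARM shape (fields nested under 'properties')."""
    for entry in linked_storage:
        props = entry.get("properties", entry)
        if props.get("dataSourceType") == "Alerts" and props.get("storageAccountIds"):
            return True
    return False


def list_linked_storage(resource_group, workspace):
    """Fetch the workspace's linked storage accounts via Azure CLI (requires az login)."""
    cmd = ["az", "monitor", "log-analytics", "workspace", "linked-storage", "list",
           "--resource-group", resource_group, "--workspace-name", workspace, "-o", "json"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


def resolve_flag(linked_storage, requested):
    """Return the value to deploy for checkWorkspaceAlertsStorageConfigured.
    Raises if 'true' is requested but no 'Alerts' linked storage account exists,
    which is exactly the condition that makes the remediation task fail."""
    if requested and not alerts_storage_linked(linked_storage):
        raise RuntimeError("checkWorkspaceAlertsStorageConfigured=true requires a "
                           "linked storage account of type 'Alerts' on the workspace")
    return requested


# Constructed sample responses; '<sub>' and '<rg>' are placeholders, not real resources.
SAMPLE_WITH_ALERTS = [
    {"name": "Query", "dataSourceType": "Query",
     "storageAccountIds": ["/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/stquery"]},
    {"name": "Alerts", "dataSourceType": "Alerts",
     "storageAccountIds": ["/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/stalerts"]},
]
SAMPLE_WITHOUT_ALERTS = [
    {"name": "Query", "dataSourceType": "Query",
     "storageAccountIds": ["/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/stquery"]},
]

if __name__ == "__main__":
    print("flag:", resolve_flag(SAMPLE_WITH_ALERTS, True))
    try:
        resolve_flag(SAMPLE_WITHOUT_ALERTS, True)
    except RuntimeError as err:
        print("blocked:", err)
```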