Release/v0.3.0 (#8)

Author: misraved

CHANGELOG.md

@@ -1,3 +1,12 @@
+## v0.3.0 [2025-03-03]
+
+_Enhancements_
+
+- Added `title`, `description`, and `folder = "Account"` tag to `Activity Dashboard` queries for improved organization and clarity. ([#7](https://github.com/turbot/tailpipe-mod-azure-activity-log-detections/pull/7))
+- Removed `title` and added `folder = "Hidden"` tag to `Root User Activity Report` queries to streamline visibility. ([#7](https://github.com/turbot/tailpipe-mod-azure-activity-log-detections/pull/7))
+- Added `folder = "<service>"` tag to `service common tag locals` for better query categorization. ([#7](https://github.com/turbot/tailpipe-mod-azure-activity-log-detections/pull/7))
+- Standardized all queries to use `service common tags`, ensuring consistency across detection queries. ([#7](https://github.com/turbot/tailpipe-mod-azure-activity-log-detections/pull/7))
+
 ## v0.2.0 [2025-02-06]
 
 _Enhancements_

dashboards/activity_dashboard.pp

@@ -68,18 +68,24 @@
 # -----------------------------
 
 query "activity_dashboard_total_logs" {
-  title = "Log Count"
+  title       = "Log Count"
+  description = "Count the total log entries."
 
   sql = <<-EOQ
     select
       count(*) as "Total Logs"
     from
       azure_activity_log;
   EOQ
+
+  tags = {
+    folder = "Subscription"
+  }
 }
 
 query "activity_dashboard_logs_by_resource_group" {
-  title = "Logs by Resource Group"
+  title       = "Logs by Resource Group"
+  description = "Count log entries grouped by resource group."
 
   sql = <<-EOQ
     select
@@ -95,10 +101,15 @@
       count(*) desc
     limit 10;
   EOQ
+
+  tags = {
+    folder = "Subscription"
+  }
 }
 
 query "activity_dashboard_logs_by_subscription" {
-  title = "Logs by Subscription"
+  title       = "Logs by Subscription"
+  description = "Count log entries grouped by subscription."
 
   sql = <<-EOQ
     select
@@ -114,10 +125,15 @@
       count(*) desc
     limit 10;
   EOQ
+
+  tags = {
+    folder = "Subscription"
+  }
 }
 
 query "activity_dashboard_logs_by_actor" {
-  title = "Top 10 Actors"
+  title       = "Top 10 Actors"
+  description = "List the top 10 actors by frequency of log entries."
 
   sql = <<-EOQ
     select
@@ -133,10 +149,15 @@
       count(*) desc
     limit 10;
   EOQ
+
+  tags = {
+    folder = "Subscription"
+  }
 }
 
 query "activity_dashboard_logs_by_source_ip" {
-  title = "Top 10 Source IPs"
+  title       = "Top 10 Source IPs"
+  description = "List the top 10 source IPs by frequency of log entries."
 
   sql = <<-EOQ
     select
@@ -152,10 +173,15 @@
       count(*) desc
     limit 10;
   EOQ
+
+  tags = {
+    folder = "Subscription"
+  }
 }
 
 query "activity_dashboard_logs_by_service" {
-  title = "Top 10 Service"
+  title       = "Top 10 Service"
+  description = "List the top 10 services by frequency of log entries."
 
   sql = <<-EOQ
     select
@@ -171,10 +197,15 @@
       count(*) desc
     limit 10;
   EOQ
+
+  tags = {
+    folder = "Subscription"
+  }
 }
 
 query "activity_dashboard_logs_by_event" {
-  title = "Top 10 Events"
+  title       = "Top 10 Events"
+  description = "List the top 10 events by frequency of log entries."
 
   sql = <<-EOQ
     select
@@ -190,4 +221,8 @@
       count(*) desc
     limit 10;
   EOQ
+
+  tags = {
+    folder = "Subscription"
+  }
 }

detections/automation.pp

@@ -1,5 +1,6 @@
 locals {
   automation_common_tags = merge(local.azure_activity_log_detections_common_tags, {
+    folder  = "Automation"
     service = "Azure/Automation"
   })
 }
@@ -42,4 +43,6 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.automation_common_tags
 }

detections/compute.pp

@@ -1,5 +1,6 @@
 locals {
   compute_common_tags = merge(local.azure_activity_log_detections_common_tags, {
+    folder  = "Compute"
     service = "Azure/Compute"
   })
 }
@@ -71,6 +72,8 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.compute_common_tags
 }
 
 query "compute_disk_deleted" {
@@ -85,6 +88,8 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.compute_common_tags
 }
 
 query "compute_snapshot_deleted" {
@@ -99,4 +104,6 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.compute_common_tags
 }

detections/container_registry.pp

@@ -1,5 +1,6 @@
 locals {
   container_registry_common_tags = merge(local.azure_activity_log_detections_common_tags, {
+    folder  = "Container Registry"
     service = "Azure/ContainerRegistry"
   })
 }
@@ -42,4 +43,6 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.container_registry_common_tags
 }

detections/event_hub.pp

@@ -1,5 +1,6 @@
 locals {
   event_hub_registry_common_tags = merge(local.azure_activity_log_detections_common_tags, {
+    folder  = "Event Hub"
     service = "Azure/EventHub"
   })
 }
@@ -56,6 +57,8 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.event_hub_registry_common_tags
 }
 
 query "event_hub_namespace_deleted" {
@@ -70,4 +73,6 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.event_hub_registry_common_tags
 }

detections/front_door.pp

@@ -1,5 +1,6 @@
 locals {
   front_door_common_tags = merge(local.azure_activity_log_detections_common_tags, {
+    folder  = "Front Door"
     service = "Azure/FrontDoor"
   })
 }
@@ -42,4 +43,6 @@
     order by
       timestamp DESC;
   EOQ
+
+  tags = local.front_door_common_tags
 }

detections/iam.pp

@@ -1,5 +1,6 @@
 locals {
   iam_common_tags = merge(local.azure_activity_log_detections_common_tags, {
+    folder  = "IAM"
     service = "Azure/IAM"
   })
 }
@@ -42,4 +43,6 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.iam_common_tags
 }

detections/key_vault.pp

@@ -1,5 +1,6 @@
 locals {
   key_vault_common_tags = merge(local.azure_activity_log_detections_common_tags, {
+    folder  = "Key Vault"
     service = "Azure/KeyVault"
   })
 }
@@ -60,6 +61,8 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.key_vault_common_tags
 }
 
 query "key_vault_access_policy_created_or_updated" {
@@ -74,4 +77,6 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.key_vault_common_tags
 }

detections/kubernetes.pp

@@ -1,5 +1,6 @@
 locals {
   kubernetes_common_tags = merge(local.azure_activity_log_detections_common_tags, {
+    folder  = "Kubernetes"
     service = "Azure/KubernetesService"
   })
 }
@@ -42,4 +43,6 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.kubernetes_common_tags
 }

detections/monitor.pp

@@ -1,5 +1,6 @@
 locals {
   monitor_common_tags = merge(local.azure_activity_log_detections_common_tags, {
+    folder  = "Monitor"
     service = "Azure/Monitor"
   })
 }
@@ -42,4 +43,6 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.monitor_common_tags
 }