Status: Open
Labels: Rule: Tuning (tweaking or tuning an existing rule)
Description
Summary
Azure Diagnostic Settings Deletion received a high priority score this week for potential tuning. Below are notes from analyzing global telemetry.
- ~90% of alerts are from 2 separate clusters with the latest version (107) turned on
- Most of the alerts observed are from service principals and applications pertaining to these clusters
- We observed a potential regression since the last version (2 daily avg --> 168 daily avg). Note that the query logic has not been adjusted since the creation of this rule, thus the increase is not due to prior query logic adjustments.
- No widespread cluster alerts, as stated above, mainly from 2 unique clusters.
- Last update was 27 days ago; however, the last query logic adjustment was >90 days ago.
- Rule is identifying diagnostic setting deletion, which removes additional logging from specific resources. However, most of the telemetry is from customer-managed SPs and applications that should rather be made an exception to the rule.
- Adjusting to New Terms on azure.resource.name scopes this occurrence to the resource where diagnostic settings are disabled. Note that with dynamic deployment or naming, tenants using such methods may not experience a lower FP rate; however, others will.
- We should expect a volume dip from these rule changes when comparing daily avg between versions next time.
- Query logic has not been adjusted as there are no additional key:value pairs to ignore that are expected globally to trigger this alert. Most app IDs observed are not first-party.
- Adjusted rule content to be more accurate.
- Emulation with a user type has been completed for query validation.
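To make the New Terms change and its dynamic-naming caveat concrete, here is an added toy model (not code from this issue or from the detection-rules project) that runs the base query with and without New Terms scoping over constructed Azure activity-log events. The operation-name value, the 14-day history window and all events are assumptions constructed for the example.

```python
"""Added example, not code from the issue or from the detection-rules project:
a toy model of how scoping the rule with New Terms on azure.resource.name
changes alert volume for diagnostic-settings deletions. ECS field names follow
the Azure integration; the operation-name value and all events are constructed."""
from datetime import datetime, timedelta

DELETE_OP = "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE"  # assumed query value
HISTORY_WINDOW = timedelta(days=14)                         # assumed New Terms window

def matches_query(event):
    """The base query: a successful diagnostic-settings deletion."""
    return (event.get("azure.activitylogs.operation_name", "").upper() == DELETE_OP
            and event.get("event.outcome", "").lower() == "success")

def query_only_alerts(events):
    """Alert volume with no New Terms scoping: every matching event alerts."""
    return [e for e in events if matches_query(e)]

def new_terms_alerts(events, terms, history_window=HISTORY_WINDOW):
    """Alert only when the combination of `terms` values has not been seen
    within the preceding history window (New Terms rule behaviour)."""
    last_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev):
            continue
        key = tuple(ev.get(t) for t in terms)
        ts = ev["@timestamp"]
        if key not in last_seen or ts - last_seen[key] > history_window:
            alerts.append(ev)
        last_seen[key] = ts
    return alerts

def make_event(day, actor, resource, outcome="Success"):
    """Constructed Azure activity-log event (sample data, not real telemetry)."""
    return {"@timestamp": datetime(2024, 1, 1) + timedelta(days=day),
            "azure.activitylogs.operation_name": DELETE_OP,
            "user.name": actor, "azure.resource.name": resource,
            "event.outcome": outcome}

SAMPLE_EVENTS = (
    # cluster SP deleting settings on the same resource daily: noisy, repetitive
    [make_event(d, "sp-aks-cluster-a", "aks-cluster-a-diag") for d in range(5)]
    # one-off deletion by a user on a new resource: the case worth an alert
    + [make_event(2, "alice", "prod-keyvault"),
       make_event(3, "alice", "prod-keyvault", outcome="Failure")]  # not matched
    # dynamically named resources: New Terms on the name does not suppress these
    + [make_event(d, "sp-aks-cluster-b", f"aks-nodepool-{d}") for d in range(3)]
)

if __name__ == "__main__":
    print("query only:", len(query_only_alerts(SAMPLE_EVENTS)))  # 9
    print("new terms on azure.resource.name:",
          len(new_terms_alerts(SAMPLE_EVENTS, ("azure.resource.name",))))  # 5
    print("new terms on user.name:", len(new_terms_alerts(SAMPLE_EVENTS, ("user.name",))))  # 3
```

The repeated deletions on a stably named resource collapse to a single alert, while the dynamically named node-pool resources still alert on every deletion, which is the limitation the notes above call out.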