Azure · Brunoga-MS · Feb 24, 2025 · Jan 30, 2025 · Jan 30, 2025 · Jan 31, 2025
@@ -1,6 +1,6 @@
 Describe 'UnitTest-ModifiedPolicies' {
   BeforeAll {
-    Import-Module -Name $PSScriptRoot\PolicyPesterTestHelper.psm1 -Force -Verbose
+    Import-Module -Name $PSScriptRoot\PolicyPesterTestHelper.psm1 -Force # -Verbose
 
     $ModifiedFiles = @(Get-PolicyFiles -DiffFilter "M")
     if ($ModifiedFiles -ne $null) {
@@ -132,7 +132,7 @@ Describe 'UnitTest-ModifiedPolicies' {
         $PolicyFile = Split-Path $_ -Leaf
         $PolicyMetadataName = $PolicyJson.name
         $ExcludePolicy = @()
-        $ExcludeParams = @("ALZManagementSubscriptionId", "BYOUserAssignedManagedIdentityResourceId")
+        $ExcludeParams = @("ALZManagementSubscriptionId", "BYOUserAssignedManagedIdentityResourceId", "UAMIResourceId")
         if ($PolicyMetadataName -notin $ExcludePolicy) {
           $PolicyParameters = $PolicyJson.properties.parameters
           if ($PolicyParameters | Get-Member -MemberType NoteProperty) {
@@ -144,7 +144,7 @@ Describe 'UnitTest-ModifiedPolicies' {
               if ($key -notin $ExcludeParams) {
                 $defaultValue = $PolicyParameters.$key | Get-Member -MemberType NoteProperty | Where-Object Name -EQ "defaultValue"
                 # Write-Warning "$($PolicyFile) - Parameter: $($key) - Default Value: $($defaultValue)"
-                $PolicyParameters.$key.defaultValue | Should -Not  -Because "the [defaultValue] for parameter [$key] is empty."
+                $PolicyParameters.$key.defaultValue | Should -Not -BeNullOrEmpty -Because "the [defaultValue] for parameter [$key] is empty."
               }
             }
           }

@@ -26,7 +26,7 @@
     jobs:
       check-policy:
         name: Check Policy Build
-        runs-on: ubuntu-latest
+        runs-on: windows-latest
 
         steps:
           - name: Check out repository

@@ -0,0 +1,48 @@
+---
+title: Secure log search alert queries with Customer-managed key
+geekdocCollapseSection: true
+geekdocHidden: true
+weight: 79
+---
+
+### In this page
+
+> [Overview](../Customer_managed_key_for_log_search_alerts#overview) </br>
+> [How this feature works](../Customer_managed_key_for_log_search_alerts#how-this-feature-works) </br>
+
+## Overview
+
+The query language used in Log Analytics is expressive and can contain sensitive information in comments, or in the query syntax. Despite all data and saved queries are encrypted at rest using Microsoft-managed keys (MMK), some organizations might require that such information is kept protected under Customer-managed key policy. For this reason, you need to save your queries encrypted with your key. Azure Monitor enables you to store saved queries and log search alerts encrypted with your key in your own Storage Account when linked to your workspace. Check guidance and considerations in the following article: [Azure Monitor customer-managed keys](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/customer-managed-keys?tabs=portal).
+
+![Alert Rule](../../media/cmk_alertrule.png)
+
+## How this feature works
+
+{{< hint type=Info >}}
+**This feature is applicable only to log-search alerts.**
+{{< /hint >}}
+
+The **Require a workspace linked storage** option in the query alert rule controls whether this scheduled query rule should be stored in the customer's storage. To control this option in the AMBA-ALZ pattern, we use the ***checkWorkspaceAlertsStorageConfigured*** parameter with a **default value of 'false'**. More information in the following article: [Scheduled Query Rules](https://learn.microsoft.com/en-us/azure/templates/microsoft.insights/scheduledqueryrules?pivots=deployment-language-bicep)
+
+To change the **checkWorkspaceAlertsStorageConfigured** flag to **'true'**, navigate to:
+
+- [alzArm.param.json](https://github.com/azure/azure-monitor-baseline-alerts/blob/2025-02-05/patterns/alz/alzArm.param.json) for the latest release.
+- [alzArm.param.json](https://github.com/azure/azure-monitor-baseline-alerts/blob/main/patterns/alz/alzArm.param.json) for the main branch.
+- change parameters value where name contains *checkWorkspaceAlertsStorageConfigured* to *true*
+  ![Parameter file](../../media/cmk_parameter.png)
+
+{{< hint type=IMPORTANT >}}
+An alert rule won't be created if the Log Analytics workspace doesn't have a configured linked storage account.
+{{< /hint >}}
+
+Enabling this feature without a linked storage account, will cause the remediation task to fail
+
+  ![remediation task error](../../media/cmk_remediation_task_error.png)
+
+with an error message similar to the following one:
+
+  ![remediation task error message](../../media/cmk_remediation_task_error_message.png)
+
+As consequence, <ins>***no alert rule for the given policy will be created***</ins> and the corresponding policy definition will show as ***Non-compliant***. See the image below
+
+  ![Policy compliance](../../media/cmk_alert_rule_error.png)