felixzieger
commented
6 months ago Monitoring Service Principal actions would be a good place for starting this.
More concretely: If the meshPlatform module is used, we can set up an alert if one of the service principals tries to access workload level Azure RM APIs (because meshStack does not touch workload by default, hence any activity there indicates a misuse of those service principals).
We should consider including some default queries and alerts/dashboards (via Workbooks, e.g. the "Activity Logs Insights" https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log-insights)
I have no strong opinion whether we should deploy them via TF or leave this to ClickOps/manual exploration. But I think providing one or two useful alerts as starting points would be helpful