---
# Generated test report for the "Diagnostic Setting for Azure Key Vault" compliance policy.
# It records the run metadata, one row per fixture (expected vs. actual outcome), the input
# files the run used, and the generated SQL/JavaScript script that produced the results.
policy: /ce/ca/azure/monitor/diagnostic-setting-for-azure-key-vault
logic: /ce/ca/azure/monitor/diagnostic-setting-for-azure-key-vault/prod.logic.yaml
executionTime: 2026-05-02T12:04:56.813057554Z
generationMs: 79
executionMs: 2199
# One row per fixture in test-data.json. In the generated script, conditionIndex 199 is the
# RELATED_LIST_HAS(COMPLIANT) condition on the Key Vault and 200 is its "otherwise" branch.
# NOTE(review): all five rows end in COMPLIANT or INCOMPLIANT. No fixture shown here reaches
# the DISAPPEARED result (99) or the UNDETERMINED results (101-108) that the script defines
# for an empty or invalid logs JSON, and none uses an Event Hub destination. The vault-level
# function only counts related settings whose status is COMPLIANT, so a vault whose only
# setting is UNDETERMINED or DISAPPEARED would fall through to INCOMPLIANT (200); a fixture
# pinning that fail-closed behaviour would make it an explicit contract.
rows:
  # audit + allLogs category groups enabled, Log Analytics workspace as destination.
  - id: kv-001
    match: true
    status:
      expected: COMPLIANT
      actual: COMPLIANT
    conditionIndex:
      expected: 199
      actual: 199
    conditionText:
      expected: CA10__resource__r.CA10__Azure_Diagnostic_Settings__r.has(COMPLIANT)
      actual: CA10__resource__r.CA10__Azure_Diagnostic_Settings__r.has(COMPLIANT)
    runtimeError: {}
  # Legacy AuditEvent category enabled, storage account as destination.
  - id: kv-002
    match: true
    status:
      expected: COMPLIANT
      actual: COMPLIANT
    conditionIndex:
      expected: 199
      actual: 199
    conditionText:
      expected: CA10__resource__r.CA10__Azure_Diagnostic_Settings__r.has(COMPLIANT)
      actual: CA10__resource__r.CA10__Azure_Diagnostic_Settings__r.has(COMPLIANT)
    runtimeError: {}
  # audit group enabled but allLogs disabled: the setting is not COMPLIANT, so the vault is not.
  - id: kv-003
    match: true
    status:
      expected: INCOMPLIANT
      actual: INCOMPLIANT
    conditionIndex:
      expected: 200
      actual: 200
    conditionText:
      expected: otherwise
      actual: otherwise
    runtimeError: {}
  # AuditEvent enabled but workspace, storage account and event hub IDs are all empty.
  - id: kv-004
    match: true
    status:
      expected: INCOMPLIANT
      actual: INCOMPLIANT
    conditionIndex:
      expected: 200
      actual: 200
    conditionText:
      expected: otherwise
      actual: otherwise
    runtimeError: {}
  # The vault has no diagnostic settings at all (empty related list).
  - id: kv-005
    match: true
    status:
      expected: INCOMPLIANT
      actual: INCOMPLIANT
    conditionIndex:
      expected: 200
      actual: 200
    conditionText:
      expected: otherwise
      actual: otherwise
    runtimeError: {}
# Input files used by the run, each with its path, an MD5 digest and its content.
# NOTE(review): md5Hash is presumably a fingerprint of the file as read for this run - TODO
# confirm. MD5 is adequate for spotting accidental drift between runs; it should not be
# relied on as evidence that a file was not deliberately altered.
usedFiles:
  # Policy metadata: names, description, category and framework mappings.
  # NOTE(review): the description mentions only AuditEvent logging, while prod.logic.yaml below
  # also accepts the audit + allLogs category groups.
  - path: /ce/ca/azure/monitor/diagnostic-setting-for-azure-key-vault/policy.yaml
    md5Hash: F90784BBD162DCC62707A3B189BCDA08
    content: |
      ---
      names:
        full: Azure Diagnostic Setting for Azure Key Vault is not enabled
        contextual: Diagnostic Setting for Azure Key Vault is not enabled
      description: Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.
      type: COMPLIANCE_POLICY
      categories:
        - SECURITY
      frameworkMappings:
        - "/frameworks/cis-azure-v6.0.0/06/01/01/04"
        - "/frameworks/cloudaware/logging-and-monitoring/logging-and-monitoring-configuration"
      similarPolicies:
        internal:
          - dec-x-b2ce0ca1
        cloudConformity:
          - url: https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/KeyVault/enable-audit-event-logging-for-azure-key-vaults.html
            name: Enable AuditEvent Logging for Azure Key Vaults
  # Policy logic. A Key Vault is COMPLIANT as soon as one related diagnostic setting is
  # COMPLIANT. A setting is COMPLIANT when (the AuditEvent category is enabled OR both the
  # audit and allLogs category groups are enabled) AND at least one of the workspace, storage
  # account or event hub authorization rule IDs is non-empty.
  # NOTE(review): the destination check is an emptiness test only; nothing in this file
  # verifies that the destination still exists or how long logs are kept there.
  - path: /ce/ca/azure/monitor/diagnostic-setting-for-azure-key-vault/prod.logic.yaml
    md5Hash: DF71D3FBCEC2DF921ACA5A17E1C999E3
    content: |
      ---
      inputType: "CA10__CaAzureKeyVault__c"
      testData:
        - file: "test-data.json"
      conditions:
        - status: "COMPLIANT"
          currentStateMessage: "Key Vault diagnostic logging is enabled and sent to a destination."
          check:
            RELATED_LIST_HAS:
              status: "COMPLIANT"
              relationshipName: "CA10__resource__r.CA10__Azure_Diagnostic_Settings__r"
      otherwise:
        status: "INCOMPLIANT"
        currentStateMessage: "Key Vault diagnostic logging is not enabled and sent to a destination."
        remediationMessage: "Enable Key Vault diagnostic logging and configure a log destination."
      relatedLists:
        - relationshipName: "CA10__resource__r.CA10__Azure_Diagnostic_Settings__r"
          importExtracts:
            - file: "/types/CA10__CaAzureDiagnosticSetting__c/object.extracts.yaml"
          conditions:
            - status: "INCOMPLIANT"
              currentStateMessage: "Key Vault diagnostic logging is not enabled for the required log categories."
              remediationMessage: "Enable the audit and allLogs category groups, or the legacy AuditEvent category."
              check:
                NOT:
                  arg:
                    OR:
                      args:
                        - JSON_QUERY_BOOLEAN:
                            arg:
                              EXTRACT: "caJsonFrom__logsJson__c"
                            expression: "contains([? category == `AuditEvent`].enabled, `true`)"
                            undeterminedIf:
                              evaluationError: "The JSON query has failed."
                              resultTypeMismatch: "The JSON query did not return boolean type."
                        - AND:
                            args:
                              - JSON_QUERY_BOOLEAN:
                                  arg:
                                    EXTRACT: "caJsonFrom__logsJson__c"
                                  expression: "contains([? categoryGroup == `audit`].enabled, `true`)"
                                  undeterminedIf:
                                    evaluationError: "The JSON query has failed."
                                    resultTypeMismatch: "The JSON query did not return boolean type."
                              - JSON_QUERY_BOOLEAN:
                                  arg:
                                    EXTRACT: "caJsonFrom__logsJson__c"
                                  expression: "contains([? categoryGroup == `allLogs`].enabled, `true`)"
                                  undeterminedIf:
                                    evaluationError: "The JSON query has failed."
                                    resultTypeMismatch: "The JSON query did not return boolean type."
            - status: "INCOMPLIANT"
              currentStateMessage: "Key Vault diagnostic logging does not have a log destination."
              remediationMessage: "Configure a Log Analytics workspace, storage account, or event hub destination."
              check:
                AND:
                  args:
                    - IS_EMPTY:
                        arg:
                          EXTRACT: "CA10__workspaceId__c"
                    - IS_EMPTY:
                        arg:
                          EXTRACT: "CA10__storageAccountId__c"
                    - IS_EMPTY:
                        arg:
                          EXTRACT: "CA10__eventHubAuthorizationRuleId__c"
          otherwise:
            status: "COMPLIANT"
            currentStateMessage: "This Key Vault diagnostic setting enables the required logs and has a configured destination."
  # Fixtures: five Key Vault records, each with its expected result and its related
  # diagnostic settings. Subscription, resource and record IDs are sample values.
  - path: /ce/ca/azure/monitor/diagnostic-setting-for-azure-key-vault/test-data.json
    md5Hash: EDA4B9EF8E3FBE2E393CE4EFA232D776
    content: |
      [
        {
          "expectedResult": {
            "status": "COMPLIANT",
            "conditionIndex": "199",
            "conditionText": "CA10__resource__r.CA10__Azure_Diagnostic_Settings__r.has(COMPLIANT)",
            "runtimeError": null
          },
          "context": {
            "snapshotTime": "2026-04-27T00:00:00Z"
          },
          "Id": "kv-001",
          "CA10__disappearanceTime__c": null,
          "CA10__resource__c": "resource-001",
          "CA10__resource__r": {
            "Id": "resource-001",
            "CA10__Azure_Diagnostic_Settings__r": [
              {
                "Id": "diag-001",
                "RecordTypeId": "rt-resource",
                "CA10__disappearanceTime__c": null,
                "CA10__monitoredResource__c": "resource-001",
                "CA10__logsJson__c": "[{\"categoryGroup\":\"audit\",\"enabled\":true},{\"categoryGroup\":\"allLogs\",\"enabled\":true}]",
                "CA10__workspaceId__c": "/subscriptions/sub-001/resourceGroups/rg/providers/Microsoft.OperationalInsights/workspaces/workspace",
                "CA10__storageAccountId__c": "",
                "CA10__eventHubAuthorizationRuleId__c": "",
                "RecordType": {
                  "DeveloperName": "caDiagnosticSettingOnAzureResource",
                  "Id": "rt-resource"
                }
              }
            ]
          }
        },
        {
          "expectedResult": {
            "status": "COMPLIANT",
            "conditionIndex": "199",
            "conditionText": "CA10__resource__r.CA10__Azure_Diagnostic_Settings__r.has(COMPLIANT)",
            "runtimeError": null
          },
          "context": {
            "snapshotTime": "2026-04-27T00:00:00Z"
          },
          "Id": "kv-002",
          "CA10__disappearanceTime__c": null,
          "CA10__resource__c": "resource-002",
          "CA10__resource__r": {
            "Id": "resource-002",
            "CA10__Azure_Diagnostic_Settings__r": [
              {
                "Id": "diag-002",
                "RecordTypeId": "rt-resource",
                "CA10__disappearanceTime__c": null,
                "CA10__monitoredResource__c": "resource-002",
                "CA10__logsJson__c": "[{\"category\":\"AuditEvent\",\"enabled\":true}]",
                "CA10__workspaceId__c": "",
                "CA10__storageAccountId__c": "/subscriptions/sub-001/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/logs",
                "CA10__eventHubAuthorizationRuleId__c": "",
                "RecordType": {
                  "DeveloperName": "caDiagnosticSettingOnAzureResource",
                  "Id": "rt-resource"
                }
              }
            ]
          }
        },
        {
          "expectedResult": {
            "status": "INCOMPLIANT",
            "conditionIndex": "200",
            "conditionText": "otherwise",
            "runtimeError": null
          },
          "context": {
            "snapshotTime": "2026-04-27T00:00:00Z"
          },
          "Id": "kv-003",
          "CA10__disappearanceTime__c": null,
          "CA10__resource__c": "resource-003",
          "CA10__resource__r": {
            "Id": "resource-003",
            "CA10__Azure_Diagnostic_Settings__r": [
              {
                "Id": "diag-003",
                "RecordTypeId": "rt-resource",
                "CA10__disappearanceTime__c": null,
                "CA10__monitoredResource__c": "resource-003",
                "CA10__logsJson__c": "[{\"categoryGroup\":\"audit\",\"enabled\":true},{\"categoryGroup\":\"allLogs\",\"enabled\":false}]",
                "CA10__workspaceId__c": "/subscriptions/sub-001/resourceGroups/rg/providers/Microsoft.OperationalInsights/workspaces/workspace",
                "CA10__storageAccountId__c": "",
                "CA10__eventHubAuthorizationRuleId__c": "",
                "RecordType": {
                  "DeveloperName": "caDiagnosticSettingOnAzureResource",
                  "Id": "rt-resource"
                }
              }
            ]
          }
        },
        {
          "expectedResult": {
            "status": "INCOMPLIANT",
            "conditionIndex": "200",
            "conditionText": "otherwise",
            "runtimeError": null
          },
          "context": {
            "snapshotTime": "2026-04-27T00:00:00Z"
          },
          "Id": "kv-004",
          "CA10__disappearanceTime__c": null,
          "CA10__resource__c": "resource-004",
          "CA10__resource__r": {
            "Id": "resource-004",
            "CA10__Azure_Diagnostic_Settings__r": [
              {
                "Id": "diag-004",
                "RecordTypeId": "rt-resource",
                "CA10__disappearanceTime__c": null,
                "CA10__monitoredResource__c": "resource-004",
                "CA10__logsJson__c": "[{\"category\":\"AuditEvent\",\"enabled\":true}]",
                "CA10__workspaceId__c": "",
                "CA10__storageAccountId__c": "",
                "CA10__eventHubAuthorizationRuleId__c": "",
                "RecordType": {
                  "DeveloperName": "caDiagnosticSettingOnAzureResource",
                  "Id": "rt-resource"
                }
              }
            ]
          }
        },
        {
          "expectedResult": {
            "status": "INCOMPLIANT",
            "conditionIndex": "200",
            "conditionText": "otherwise",
            "runtimeError": null
          },
          "context": {
            "snapshotTime": "2026-04-27T00:00:00Z"
          },
          "Id": "kv-005",
          "CA10__disappearanceTime__c": null,
          "CA10__resource__c": "resource-005",
          "CA10__resource__r": {
            "Id": "resource-005",
            "CA10__Azure_Diagnostic_Settings__r": []
          }
        }
      ]
  # Shared extracts for the diagnostic-setting type: the raw logs JSON field (UNDETERMINED
  # when empty), its parsed form (UNDETERMINED when invalid), and the three destination IDs.
  # NOTE(review): the indentation inside this escaped string looks collapsed to single
  # spaces in this copy - presumably lost in extraction; verify against the source file.
  - path: /types/CA10__CaAzureDiagnosticSetting__c/object.extracts.yaml
    md5Hash: 4AADFEBE59E43127A2529B2F0DB31297
    content: "---\nextracts:\n# Not Nullable. Can't have no access, retrieved via\
      \ Microsoft.Insights/diagnosticSettings/read\n - name: \"CA10__logsJson__c\"\
      \n value: \n FIELD:\n path: \"CA10__logsJson__c\"\n returnType:\
      \ BYTES\n undeterminedIf:\n isEmpty: \"Corrupted Data. Diagnostic\
      \ Setting Logs JSON cannot be empty.\"\n - name: \"caJsonFrom__logsJson__c\"\
      \n value: \n JSON_FROM:\n arg: \n EXTRACT: \"CA10__logsJson__c\"\
      \n undeterminedIf:\n isInvalid: \"Logs JSON is invalid.\"\n\
      # Nullable. Azure Log Analytics workspace\n - name: \"CA10__workspaceId__c\"\
      \n value: \n FIELD:\n path: \"CA10__workspaceId__c\"\n# Nullable.\
      \ Azure Storage Account\n - name: \"CA10__storageAccountId__c\"\n value:\
      \ \n FIELD:\n path: \"CA10__storageAccountId__c\"\n# Nullable. Azure\
      \ Event Hubs\n - name: \"CA10__eventHubAuthorizationRuleId__c\"\n value:\
      \ \n FIELD:\n path: \"CA10__eventHubAuthorizationRuleId__c\"\n"
# Generated script. The mock_* functions return the fixtures, the two process_* functions
# are JavaScript UDFs that implement prod.logic.yaml (one for the Key Vault, one for each
# related diagnostic setting), and the final SELECT joins expected and actual results and
# labels each row MATCH or FAIL.
# NOTE(review): several type lists look truncated in this copy ("RETURNS ARRAY >>",
# "RETURNS STRUCT DETERMINISTIC", "ARRAY, result STRUCT >>") - presumably the <...> contents
# were lost in extraction; the script as shown would need them restored to run.
# NOTE(review): the diagnostic-setting UDF loads jmespath.min.js from a gs:// bucket through
# OPTIONS (library=[...]). No version or integrity pin is visible here, so whoever can write
# that object decides what code runs inside every evaluation; confirm the bucket's write
# access is restricted and that object versioning or a pinned copy is in place.
# NOTE(review): in jsonQueryChecked2/9/11 the "result type mismatch" Error (103/105/107) is
# thrown inside the try block whose catch rethrows every exception as "The JSON query has
# failed" (104/106/108), so as written the mismatch result is never returned as such.
# NOTE(review): the raw CA10__logsJson__c value is concatenated into currentStateReferences;
# whatever displays that field should treat it as untrusted text.
# NOTE(review): the reference label 'Event Hub Authorizartion Rule ID' is misspelled in the
# generated output, and the extractN() helpers cache with `if (!this.out)`, which
# recomputes empty-string values on every call (harmless for these field reads).
script: |-
  CREATE TEMP FUNCTION mock_ExpectedResult()
  RETURNS ARRAY >>
  DETERMINISTIC LANGUAGE js AS r"""
    return [
      {
        "Id" : "kv-001",
        "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "199", "conditionText" : "CA10__resource__r.CA10__Azure_Diagnostic_Settings__r.has(COMPLIANT)", "runtimeError" : null }
      },
      {
        "Id" : "kv-002",
        "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "199", "conditionText" : "CA10__resource__r.CA10__Azure_Diagnostic_Settings__r.has(COMPLIANT)", "runtimeError" : null }
      },
      {
        "Id" : "kv-003",
        "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "200", "conditionText" : "otherwise", "runtimeError" : null }
      },
      {
        "Id" : "kv-004",
        "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "200", "conditionText" : "otherwise", "runtimeError" : null }
      },
      {
        "Id" : "kv-005",
        "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "200", "conditionText" : "otherwise", "runtimeError" : null }
      }
    ];
  """;
  CREATE TEMP FUNCTION mock_CA10__CaAzureKeyVault__c()
  RETURNS ARRAY >>
  DETERMINISTIC LANGUAGE js AS r"""
    return [
      { "context" : { "snapshotTime" : new Date("2026-04-27T00:00:00Z") }, "Id" : "kv-001", "CA10__resource__c" : "resource-001" },
      { "context" : { "snapshotTime" : new Date("2026-04-27T00:00:00Z") }, "Id" : "kv-002", "CA10__resource__c" : "resource-002" },
      { "context" : { "snapshotTime" : new Date("2026-04-27T00:00:00Z") }, "Id" : "kv-003", "CA10__resource__c" : "resource-003" },
      { "context" : { "snapshotTime" : new Date("2026-04-27T00:00:00Z") }, "Id" : "kv-004", "CA10__resource__c" : "resource-004" },
      { "context" : { "snapshotTime" : new Date("2026-04-27T00:00:00Z") }, "Id" : "kv-005", "CA10__resource__c" : "resource-005" }
    ];
  """;
  CREATE TEMP FUNCTION mock_CA10__CaAzureResource__c()
  RETURNS ARRAY >>
  DETERMINISTIC LANGUAGE js AS r"""
    return [
      { "context" : { "snapshotTime" : new Date("2026-04-27T00:00:00Z") }, "Id" : "resource-001" },
      { "context" : { "snapshotTime" : new Date("2026-04-27T00:00:00Z") }, "Id" : "resource-002" },
      { "context" : { "snapshotTime" : new Date("2026-04-27T00:00:00Z") }, "Id" : "resource-003" },
      { "context" : { "snapshotTime" : new Date("2026-04-27T00:00:00Z") }, "Id" : "resource-004" },
      { "context" : { "snapshotTime" : new Date("2026-04-27T00:00:00Z") }, "Id" : "resource-005" }
    ];
  """;
  CREATE TEMP FUNCTION mock_CA10__CaAzureDiagnosticSetting__c()
  RETURNS ARRAY >>
  DETERMINISTIC LANGUAGE js AS r"""
    return [
      {
        "context" : { "snapshotTime" : new Date("2026-04-27T00:00:00Z") },
        "CA10__logsJson__c" : "[{\"categoryGroup\":\"audit\",\"enabled\":true},{\"categoryGroup\":\"allLogs\",\"enabled\":true}]",
        "CA10__workspaceId__c" : "/subscriptions/sub-001/resourceGroups/rg/providers/Microsoft.OperationalInsights/workspaces/workspace",
        "CA10__storageAccountId__c" : "",
        "CA10__eventHubAuthorizationRuleId__c" : "",
        "CA10__monitoredResource__c" : "resource-001",
        "Id" : "diag-001",
        "RecordTypeId" : "rt-resource"
      },
      {
        "context" : { "snapshotTime" : new Date("2026-04-27T00:00:00Z") },
        "CA10__logsJson__c" : "[{\"category\":\"AuditEvent\",\"enabled\":true}]",
        "CA10__workspaceId__c" : "",
        "CA10__storageAccountId__c" : "/subscriptions/sub-001/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/logs",
        "CA10__eventHubAuthorizationRuleId__c" : "",
        "CA10__monitoredResource__c" : "resource-002",
        "Id" : "diag-002",
        "RecordTypeId" : "rt-resource"
      },
      {
        "context" : { "snapshotTime" : new Date("2026-04-27T00:00:00Z") },
        "CA10__logsJson__c" : "[{\"categoryGroup\":\"audit\",\"enabled\":true},{\"categoryGroup\":\"allLogs\",\"enabled\":false}]",
        "CA10__workspaceId__c" : "/subscriptions/sub-001/resourceGroups/rg/providers/Microsoft.OperationalInsights/workspaces/workspace",
        "CA10__storageAccountId__c" : "",
        "CA10__eventHubAuthorizationRuleId__c" : "",
        "CA10__monitoredResource__c" : "resource-003",
        "Id" : "diag-003",
        "RecordTypeId" : "rt-resource"
      },
      {
        "context" : { "snapshotTime" : new Date("2026-04-27T00:00:00Z") },
        "CA10__logsJson__c" : "[{\"category\":\"AuditEvent\",\"enabled\":true}]",
        "CA10__workspaceId__c" : "",
        "CA10__storageAccountId__c" : "",
        "CA10__eventHubAuthorizationRuleId__c" : "",
        "CA10__monitoredResource__c" : "resource-004",
        "Id" : "diag-004",
        "RecordTypeId" : "rt-resource"
      }
    ];
  """;
  CREATE TEMP FUNCTION mock_RecordType()
  RETURNS ARRAY >>
  DETERMINISTIC LANGUAGE js AS r"""
    return [
      { "context" : { "snapshotTime" : new Date("2026-04-27T00:00:00Z") }, "Id" : "rt-resource" }
    ];
  """;
  CREATE TEMP FUNCTION process_CA10__CaAzureKeyVault__c(
    obj STRUCT<
      CA10__disappearanceTime__c TIMESTAMP,
      Id STRING,
      CA10__resource__c STRING,
      CA10__resource__r STRUCT<
        Id STRING,
        CA10__Azure_Diagnostic_Settings__r ARRAY, result STRUCT >>
      >
    >,
    snapshotTime TIMESTAMP
  )
  RETURNS STRUCT
  DETERMINISTIC LANGUAGE js AS r"""
    var references1 = [];
    // condition[0], conditionIndex:[0..99]
    references1.push('Deleted From Azure [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c);
    if (obj.CA10__disappearanceTime__c != null) {
      return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null};
    }
    var count_CA10__resource__r_CA10__Azure_Diagnostic_Settings__r_COMPLIANT2 = 0;
    if (obj.CA10__resource__r.CA10__Azure_Diagnostic_Settings__r != null) {
      for (var i3 = 0; i3 < obj.CA10__resource__r.CA10__Azure_Diagnostic_Settings__r.length; i3++) {
        if (typeof(obj.CA10__resource__r.CA10__Azure_Diagnostic_Settings__r[i3].status) !== 'undefined') {
          if (obj.CA10__resource__r.CA10__Azure_Diagnostic_Settings__r[i3].status == 'COMPLIANT') {
            count_CA10__resource__r_CA10__Azure_Diagnostic_Settings__r_COMPLIANT2 += obj.CA10__resource__r.CA10__Azure_Diagnostic_Settings__r[i3].count;
          }
        } else {
          if (obj.CA10__resource__r.CA10__Azure_Diagnostic_Settings__r[i3].result.status == 'COMPLIANT') {
            count_CA10__resource__r_CA10__Azure_Diagnostic_Settings__r_COMPLIANT2 += 1;
          }
        }
      }
    }
    // condition[1], conditionIndex:[100..199]
    references1.push('Related list [CA10__resource__r.CA10__Azure_Diagnostic_Settings__r] ' + (count_CA10__resource__r_CA10__Azure_Diagnostic_Settings__r_COMPLIANT2 > 0 ? 'has' : 'does not have') + ' objects in COMPLIANT status');
    if (count_CA10__resource__r_CA10__Azure_Diagnostic_Settings__r_COMPLIANT2 > 0) {
      return {status: 'COMPLIANT', conditionIndex: 199, conditionText: "CA10__resource__r.CA10__Azure_Diagnostic_Settings__r.has(COMPLIANT)", currentStateMessage: "Key Vault diagnostic logging is enabled and sent to a destination.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null};
    }
    return {status: 'INCOMPLIANT', conditionIndex: 200, conditionText: "otherwise", currentStateMessage: "Key Vault diagnostic logging is not enabled and sent to a destination.", currentStateReferences: references1.join('\n'), remediation: "Enable Key Vault diagnostic logging and configure a log destination.", runtimeError: null};
  """;
  CREATE TEMP FUNCTION process_CA10__resource__r_CA10__Azure_Diagnostic_Settings__r(
    obj STRUCT<
      CA10__disappearanceTime__c TIMESTAMP,
      CA10__logsJson__c STRING,
      CA10__workspaceId__c STRING,
      CA10__storageAccountId__c STRING,
      CA10__eventHubAuthorizationRuleId__c STRING,
      CA10__monitoredResource__c STRING,
      Id STRING,
      RecordTypeId STRING,
      RecordType STRUCT<
        Id STRING
      >
    >,
    snapshotTime TIMESTAMP
  )
  RETURNS STRUCT
  DETERMINISTIC LANGUAGE js
  OPTIONS (library=['gs://compliance-platform-public/jmespath.min.js'])
  AS r"""
    var TextLib = new function () {
      this.normalize = function(arg) {
        return arg == null ? '' : arg.replace(/\s+/g, ' ').trim().toLowerCase();
      };
      this.isEmpty = function(arg) {
        return this.normalize(arg) == '';
      };
      this.isNotEmpty = function(arg) {
        return this.normalize(arg) != '';
      };
      this.equal = function(left, right) {
        return this.normalize(left) == this.normalize(right);
      };
      this.notEqual = function(left, right) {
        return this.normalize(left) != this.normalize(right);
      };
      this.startsWith = function(arg, substring) {
        return this.normalize(arg).startsWith(this.normalize(substring));
      };
      this.endsWith = function(arg, substring) {
        return this.normalize(arg).endsWith(this.normalize(substring));
      };
      this.contains = function(arg, substring) {
        return this.normalize(arg).includes(this.normalize(substring));
      };
      this.containsAll = function(arg, substrings) {
        if (substrings == null || substrings.length === 0) return false;
        let normalizedArg = this.normalize(arg);
        return substrings.every(sub => normalizedArg.includes(this.normalize(sub)));
      };
      this.containsAny = function(arg, substrings) {
        if (substrings == null || substrings.length === 0) return false;
        let normalizedArg = this.normalize(arg);
        return substrings.some(sub => normalizedArg.includes(this.normalize(sub)));
      };
    }();
    var BytesLib = new function () {
      this.normalize = function(arg) {
        return arg == null ? '' : arg;
      };
      this.isEmpty = function(arg) {
        return this.normalize(arg) == '';
      };
      this.isNotEmpty = function(arg) {
        return this.normalize(arg) != '';
      };
      this.equal = function(left, right) {
        return this.normalize(left) == this.normalize(right);
      };
      this.notEqual = function(left, right) {
        return this.normalize(left) != this.normalize(right);
      };
      this.startsWith = function(arg, substring) {
        return this.normalize(arg).startsWith(this.normalize(substring));
      };
      this.endsWith = function(arg, substring) {
        return this.normalize(arg).endsWith(this.normalize(substring));
      };
      this.contains = function(arg, substring) {
        return this.normalize(arg).includes(this.normalize(substring));
      };
      this.containsAll = function(arg, substrings) {
        if (substrings == null || substrings.length === 0) return false;
        let normalizedArg = this.normalize(arg);
        return substrings.every(sub => normalizedArg.includes(this.normalize(sub)));
      };
      this.containsAny = function(arg, substrings) {
        if (substrings == null || substrings.length === 0) return false;
        let normalizedArg = this.normalize(arg);
        return substrings.some(sub => normalizedArg.includes(this.normalize(sub)));
      };
    }();
    var references1 = [];
    // condition[0], conditionIndex:[0..99]
    references1.push('Deleted From Azure [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c);
    if (obj.CA10__disappearanceTime__c != null) {
      return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null};
    }
    // condition[1], conditionIndex:[100..199]
    function jsonQueryChecked2() {
      var input = extract4.call(extract4);
      var out;
      try {
        out = jmespath.search(input, 'contains([? category == `AuditEvent`].enabled, `true`)');
        if (out != null && typeof out != 'boolean') {
          throw new Error("UNDETERMINED condition:103", {cause: {status: 'UNDETERMINED', conditionIndex: 103, conditionText: "extract('caJsonFrom__logsJson__c').jsonQueryText('contains([? category == `AuditEvent`].enabled, `true`)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return boolean type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}});
        }
      } catch (e) {
        throw new Error("UNDETERMINED condition:104", {cause: {status: 'UNDETERMINED', conditionIndex: 104, conditionText: "extract('caJsonFrom__logsJson__c').jsonQueryText('contains([? category == `AuditEvent`].enabled, `true`)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}});
      }
      return out;
    }
    function jsonChecked5() {
      var input = extract7.call(extract7);
      input = TextLib.isEmpty(input) ? null : input;
      var out;
      try {
        out = JSON.parse(input);
      } catch (e) {
        throw new Error("UNDETERMINED condition:102", {cause: {status: 'UNDETERMINED', conditionIndex: 102, conditionText: "extract('CA10__logsJson__c').asJson().isInvalid()", currentStateMessage: "Logs JSON is invalid.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}});
      }
      return out;
    }
    function fieldChecked8() {
      if (BytesLib.isEmpty(obj.CA10__logsJson__c)) {
        throw new Error("UNDETERMINED condition:101", {cause: {status: 'UNDETERMINED', conditionIndex: 101, conditionText: "CA10__logsJson__c.isEmpty()", currentStateMessage: "Corrupted Data. Diagnostic Setting Logs JSON cannot be empty.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}});
      }
      return obj.CA10__logsJson__c;
    }
    function extract7() {
      if (!this.out) {
        this.out = fieldChecked8();
      }
      return this.out;
    };
    function extract4() {
      if (!this.out) {
        this.out = jsonChecked5();
      }
      return this.out;
    };
    function jsonQueryChecked9() {
      var input = extract4.call(extract4);
      var out;
      try {
        out = jmespath.search(input, 'contains([? categoryGroup == `audit`].enabled, `true`)');
        if (out != null && typeof out != 'boolean') {
          throw new Error("UNDETERMINED condition:105", {cause: {status: 'UNDETERMINED', conditionIndex: 105, conditionText: "extract('caJsonFrom__logsJson__c').jsonQueryText('contains([? categoryGroup == `audit`].enabled, `true`)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return boolean type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}});
        }
      } catch (e) {
        throw new Error("UNDETERMINED condition:106", {cause: {status: 'UNDETERMINED', conditionIndex: 106, conditionText: "extract('caJsonFrom__logsJson__c').jsonQueryText('contains([? categoryGroup == `audit`].enabled, `true`)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}});
      }
      return out;
    }
    function jsonQueryChecked11() {
      var input = extract4.call(extract4);
      var out;
      try {
        out = jmespath.search(input, 'contains([? categoryGroup == `allLogs`].enabled, `true`)');
        if (out != null && typeof out != 'boolean') {
          throw new Error("UNDETERMINED condition:107", {cause: {status: 'UNDETERMINED', conditionIndex: 107, conditionText: "extract('caJsonFrom__logsJson__c').jsonQueryText('contains([? categoryGroup == `allLogs`].enabled, `true`)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return boolean type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}});
        }
      } catch (e) {
        throw new Error("UNDETERMINED condition:108", {cause: {status: 'UNDETERMINED', conditionIndex: 108, conditionText: "extract('caJsonFrom__logsJson__c').jsonQueryText('contains([? categoryGroup == `allLogs`].enabled, `true`)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}});
      }
      return out;
    }
    references1.push('Logs JSON [obj.CA10__logsJson__c]: ' + obj.CA10__logsJson__c);
    try {
      if (!(jsonQueryChecked2() || (jsonQueryChecked9() && jsonQueryChecked11()))) {
        return {status: 'INCOMPLIANT', conditionIndex: 199, conditionText: "not(extract('caJsonFrom__logsJson__c').jsonQueryText('contains([? category == `AuditEvent`].enabled, `true`)') || (extract('caJsonFrom__logsJson__c').jsonQueryText('contains([? categoryGroup == `audit`].enabled, `true`)') && extract('caJsonFrom__logsJson__c').jsonQueryText('contains([? categoryGroup == `allLogs`].enabled, `true`)')))", currentStateMessage: "Key Vault diagnostic logging is not enabled for the required log categories.", currentStateReferences: references1.join('\n'), remediation: "Enable the audit and allLogs category groups, or the legacy AuditEvent category.", runtimeError: null};
      }
    } catch (err) {
      if (err.cause && err.cause.status) {
        return err.cause;
      } else {
        throw err;
      }
    }
    // condition[2], conditionIndex:[200..299]
    function extract14() {
      if (!this.out) {
        this.out = obj.CA10__workspaceId__c;
      }
      return this.out;
    };
    function extract17() {
      if (!this.out) {
        this.out = obj.CA10__storageAccountId__c;
      }
      return this.out;
    };
    function extract20() {
      if (!this.out) {
        this.out = obj.CA10__eventHubAuthorizationRuleId__c;
      }
      return this.out;
    };
    references1.push('Workspace ID [obj.CA10__workspaceId__c]: ' + obj.CA10__workspaceId__c);
    references1.push('Storage Account ID [obj.CA10__storageAccountId__c]: ' + obj.CA10__storageAccountId__c);
    references1.push('Event Hub Authorizartion Rule ID [obj.CA10__eventHubAuthorizationRuleId__c]: ' + obj.CA10__eventHubAuthorizationRuleId__c);
    if (TextLib.isEmpty(extract14.call(extract14)) && TextLib.isEmpty(extract17.call(extract17)) && TextLib.isEmpty(extract20.call(extract20))) {
      return {status: 'INCOMPLIANT', conditionIndex: 299, conditionText: "extract('CA10__workspaceId__c').isEmpty() && extract('CA10__storageAccountId__c').isEmpty() && extract('CA10__eventHubAuthorizationRuleId__c').isEmpty()", currentStateMessage: "Key Vault diagnostic logging does not have a log destination.", currentStateReferences: references1.join('\n'), remediation: "Configure a Log Analytics workspace, storage account, or event hub destination.", runtimeError: null};
    }
    return {status: 'COMPLIANT', conditionIndex: 300, conditionText: "otherwise", currentStateMessage: "This Key Vault diagnostic setting enables the required logs and has a configured destination.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null};
  """;
  SELECT
    expectedResult.Id as Id,
    IF (
      IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '')
      AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1)
      AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '')
      AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''),
      "MATCH",
      "FAIL"
    ) as match,
    expectedResult.expectedResult.status as expectedStatus,
    sObject.result.status as actualStatus,
    expectedResult.expectedResult.conditionIndex as expectedConditionIndex,
    sObject.result.conditionIndex as actualConditionIndex,
    expectedResult.expectedResult.conditionText as expectedConditionText,
    sObject.result.conditionText as actualConditionText,
    expectedResult.expectedResult.runtimeError as expectedRuntimeError,
    sObject.result.runtimeError as actualRuntimeError
  FROM UNNEST(mock_ExpectedResult()) expectedResult
  LEFT JOIN (
    SELECT
      sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
      sObject.Id AS Id,
      sObject.CA10__resource__c AS CA10__resource__c,
      STRUCT (
        `CA10__resource__r`.Id AS Id,
        `CA10__resource__r.CA10__Azure_Diagnostic_Settings__r`.arr AS CA10__Azure_Diagnostic_Settings__r
      ) AS CA10__resource__r,
      process_CA10__CaAzureKeyVault__c(
        STRUCT(
          sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
          sObject.Id AS Id,
          sObject.CA10__resource__c AS CA10__resource__c,
          STRUCT (
            `CA10__resource__r`.Id AS Id,
            `CA10__resource__r.CA10__Azure_Diagnostic_Settings__r`.arr AS CA10__Azure_Diagnostic_Settings__r
          ) AS CA10__resource__r
        ),
        sObject.context.snapshotTime
      ) as result
    FROM UNNEST(mock_CA10__CaAzureKeyVault__c()) AS sObject
    LEFT JOIN UNNEST(mock_CA10__CaAzureResource__c()) AS `CA10__resource__r` ON sObject.CA10__resource__c = `CA10__resource__r`.Id
    LEFT JOIN (
      SELECT
        sObject.CA10__monitoredResource__c,
        ARRAY_AGG(
          STRUCT(
            sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
            sObject.CA10__logsJson__c AS CA10__logsJson__c,
            sObject.CA10__workspaceId__c AS CA10__workspaceId__c,
            sObject.CA10__storageAccountId__c AS CA10__storageAccountId__c,
            sObject.CA10__eventHubAuthorizationRuleId__c AS CA10__eventHubAuthorizationRuleId__c,
            sObject.CA10__monitoredResource__c AS CA10__monitoredResource__c,
            sObject.Id AS Id,
            sObject.RecordTypeId AS RecordTypeId,
            STRUCT (
              `RecordType`.Id AS Id
            ) AS RecordType,
            process_CA10__resource__r_CA10__Azure_Diagnostic_Settings__r(
              STRUCT(
                sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
                sObject.CA10__logsJson__c AS CA10__logsJson__c,
                sObject.CA10__workspaceId__c AS CA10__workspaceId__c,
                sObject.CA10__storageAccountId__c AS CA10__storageAccountId__c,
                sObject.CA10__eventHubAuthorizationRuleId__c AS CA10__eventHubAuthorizationRuleId__c,
                sObject.CA10__monitoredResource__c AS CA10__monitoredResource__c,
                sObject.Id AS Id,
                sObject.RecordTypeId AS RecordTypeId,
                STRUCT (
                  `RecordType`.Id AS Id
                ) AS RecordType
              ),
              sObject.context.snapshotTime
            ) as result
          )
        ) AS arr
      FROM UNNEST(mock_CA10__CaAzureDiagnosticSetting__c()) AS sObject
      LEFT JOIN UNNEST(mock_RecordType()) AS `RecordType` ON sObject.RecordTypeId = `RecordType`.Id
      GROUP BY sObject.CA10__monitoredResource__c
    ) AS `CA10__resource__r.CA10__Azure_Diagnostic_Settings__r` ON `CA10__resource__r`.Id = `CA10__resource__r.CA10__Azure_Diagnostic_Settings__r`.CA10__monitoredResource__c
  ) sObject ON sObject.Id = expectedResult.Id;