What Changed
The AS-Checkmarx-Audit-Ingestion Playbook has been significantly reworked across its Logic App and deployment templates:
- Pagination/loop logic fixed: The PR description explicitly states loop optimization and pagination improvements. Prior loop logic may have caused incomplete ingestion of Checkmarx audit events when results exceeded a single API page – audit events beyond the first page would have been silently dropped.
- Deployment collapsed from 4 steps to 1: Previously, deployers had to separately provision the custom log table, DCE, DCR, and Logic App in sequence. The updated azuredeploy.json ARM template now provisions all resources (custom table CheckmarxAuditEvents_CL, DCE, DCR, Key Vault API connection, Logic App, and RBAC role assignments) in a single deployment.
- Configurable lookback window added: A new LookbackDays parameter (default: 2) controls the daily ingestion window. For an initial backfill it can be set as high as 365 days (the Checkmarx retention maximum) and then reduced for steady-state operation. Previously the lookback window was not user-configurable.
- RBAC enforced on Key Vault access: The deployment now requires Azure RBAC permission model on the target Key Vault. Tenants still using legacy Vault Access Policies must manually migrate before the Playbook can retrieve the Checkmarx secret. The README now documents this explicitly and provides migration steps.
- Role assignments automated: The ARM template now automatically assigns Key Vault Secrets User to the Logic App managed identity and Monitoring Metrics Publisher on the Audit DCR – previously these were manual post-deployment steps prone to misconfiguration.
- Deployment parameter surface updated: Subscription ID and Resource group inputs for the workspace have been removed; the workspace Resource ID alone is now sufficient.
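The two behaviours the summary contrasts, a loop that reads only the first API page and one that follows pagination to exhaustion, together with the LookbackDays window computation, as an added example. This is not code from the Playbook, its Logic App definition or the PR; the audit API is a constructed in-memory stand-in with an assumed offset/limit paging scheme and an assumed page size of 100, and the sample events are constructed (the real Checkmarx API shape is not on the page).

```python
"""Added example (not code from the AS-Checkmarx-Audit-Ingestion Playbook or its PR).

Demonstrates the ingestion-gap failure mode: a loop that reads one page of audit
events silently drops everything past PAGE_SIZE, while a loop that follows
pagination until a short page returns everything in the lookback window.
"""
from datetime import datetime, timedelta, timezone

PAGE_SIZE = 100  # assumed page size of the stand-in API, not a Checkmarx value


class FakeAuditApi:
    """Constructed stand-in for the audit events endpoint.

    Serves events whose timestamp falls in [start, end) with assumed
    offset/limit paging; it exists only so the two loops below can be run.
    """

    def __init__(self, events):
        self._events = sorted(events, key=lambda e: e["timestamp"])

    def get_audit_events(self, start, end, offset=0, limit=PAGE_SIZE):
        in_window = [e for e in self._events if start <= e["timestamp"] < end]
        return in_window[offset:offset + limit]


def lookback_window(lookback_days, now=None):
    """Return the ingestion window [now - LookbackDays, now).

    The 1..365 bound mirrors the retention maximum the summary states.
    """
    if not 1 <= lookback_days <= 365:
        raise ValueError("LookbackDays must be between 1 and 365")
    now = now or datetime.now(timezone.utc)
    return now - timedelta(days=lookback_days), now


def fetch_first_page_only(api, lookback_days, now=None):
    """Pre-fix behaviour as the summary describes it: one request, no paging."""
    start, end = lookback_window(lookback_days, now)
    return api.get_audit_events(start, end, offset=0, limit=PAGE_SIZE)


def fetch_all_pages(api, lookback_days, now=None):
    """Fixed behaviour: advance the offset until a short page signals the end."""
    start, end = lookback_window(lookback_days, now)
    collected, offset = [], 0
    while True:
        page = api.get_audit_events(start, end, offset=offset, limit=PAGE_SIZE)
        collected.extend(page)
        if len(page) < PAGE_SIZE:  # last page (possibly empty on an exact multiple)
            return collected
        offset += PAGE_SIZE


def dropped_events(api, lookback_days, now=None):
    """Number of events the single-page loop would have lost for this window."""
    return len(fetch_all_pages(api, lookback_days, now)) - len(
        fetch_first_page_only(api, lookback_days, now))


# Constructed sample data: 250 audit events, one per hour, going back ~10 days.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_API = FakeAuditApi([
    {"id": i, "timestamp": SAMPLE_NOW - timedelta(hours=i), "action": "sample"}
    for i in range(1, 251)
])

if __name__ == "__main__":
    # Steady-state window (2 days): 48 events fit on one page, both loops agree.
    print("2-day window, all pages :", len(fetch_all_pages(SAMPLE_API, 2, SAMPLE_NOW)))
    # Backfill window (365 days): the single-page loop silently drops 150 events.
    print("365-day window, one page:", len(fetch_first_page_only(SAMPLE_API, 365, SAMPLE_NOW)))
    print("365-day window, all pages:", len(fetch_all_pages(SAMPLE_API, 365, SAMPLE_NOW)))
    print("events dropped by old loop:", dropped_events(SAMPLE_API, 365, SAMPLE_NOW))
```

The point the block makes is that the defect is invisible at the default 2-day window, where the volume fits on one page, and only surfaces when a larger window (such as a first-run backfill) pushes the result set past one page.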
Security Impact
Teams that deployed the original multi-step Playbook should assess whether the pagination bug caused audit event gaps in CheckmarxAuditEvents_CL. The LookbackDays parameter (set to a high value such as 180-365 on first run after upgrading) can be used to backfill missed events within Checkmarx retention limits.
The RBAC enforcement means any deployment still relying on legacy Vault Access Policies will fail to retrieve the Checkmarx credential at runtime – resulting in zero audit event ingestion with no alerting, since the Logic App produces no events rather than an error visible in the table. Review Key Vault access configuration before upgrading.
PR discussion context was unavailable, which may affect severity assessment.
Affected Files
Playbooks/AS-Checkmarx-Audit-Ingestion/AzureDeployAuditDCR.json
Playbooks/AS-Checkmarx-Audit-Ingestion/AzureDeployAuditTable.json
Playbooks/AS-Checkmarx-Audit-Ingestion/AzureDeployDCE.json
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_DCR_Access_1.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_DCR_Access_2.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_DCR_Access_3.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_DCR_Access_4.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Deploy_1.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Deploy_3.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Deploy_Audit_DCR_1.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Deploy_Audit_DCR_2.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Deploy_Audit_Table_1.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Deploy_DCE_1.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Deploy_DCE_2.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_Access_1.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_Access_2.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_Access_3.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_Access_4.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_Access_5.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_Access_6.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_Access_7.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_Access_8.png
Playbooks/AS-Checkmarx-Audit-Ingestion/README.md
Playbooks/AS-Checkmarx-Audit-Ingestion/azuredeploy.json