From 7dbd12b6e2a19862844abbaebd83cea554bc0308 Mon Sep 17 00:00:00 2001
From: Divyadeep Dayal <81250915+didayal-msft@users.noreply.github.com>
Date: Fri, 5 Apr 2024 01:24:26 +0530
Subject: [PATCH] US 32392 Fix Queries for AFD 1 AFD 10 and AFD 11 (#319)
Co-authored-by: Robert Lightner <49571483+DaFitRobsta@users.noreply.github.com>
Co-authored-by: Zach Trocinski
---
 .../services/networking/front-door/_index.md | 6 +--
 .../front-door/code/afd-1/afd-1.kql | 31 ++++++++++++++-
 .../front-door/code/afd-1/afd-1.kql.fix | 3 --
 .../front-door/code/afd-10/afd-10.kql | 39 +++++++++++++++++++
 .../front-door/code/afd-10/afd-10.kql.fix | 4 --
 .../front-door/code/afd-11/afd-11.kql | 22 ++++++++++-
 6 files changed, 93 insertions(+), 12 deletions(-)
 delete mode 100644 docs/content/services/networking/front-door/code/afd-1/afd-1.kql.fix
 delete mode 100644 docs/content/services/networking/front-door/code/afd-10/afd-10.kql.fix
diff --git a/docs/content/services/networking/front-door/_index.md b/docs/content/services/networking/front-door/_index.md
index f460c1d62..896347078 100644
--- a/docs/content/services/networking/front-door/_index.md
+++ b/docs/content/services/networking/front-door/_index.md
@@ -16,7 +16,7 @@ The below table shows the list of resiliency recommendations for Front Door and
 {{< table style="table-striped" >}}
 | Recommendation | Category | Impact | State | ARG Query Available |
 |:--------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------:|:------:|:-------:|:-------------------:|
-| [AFD-1 - Avoid combining Traffic Manager and Front Door](#afd-1---avoid-combining-traffic-manager-and-front-door) | Networking | High | Verified | No |
+| [AFD-1 - Avoid combining Traffic Manager and Front Door](#afd-1---avoid-combining-traffic-manager-and-front-door) | Networking | High | Verified | Yes |
 | [AFD-2 - Restrict traffic to your origins](#afd-2---restrict-traffic-to-your-origins) | Access & Security | High | Verified | No |
 | [AFD-3 - Use the latest API version and SDK version](#afd-3---use-the-latest-api-version-and-sdk-version) | Networking | Medium | Verified | No |
 | [AFD-4 - Configure logs](#afd-4---configure-logs) | Monitoring | Medium | Verified | No |
@@ -26,8 +26,8 @@ The below table shows the list of resiliency recommendations for Front Door and
 | [AFD-8 - Use latest version for customer-managed certificates](#afd-8---use-latest-version-for-customer-managed-certificates) | Access & Security | Medium | Verified | No |
 | [AFD-9 - Use the same domain name on Front Door and your origin](#afd-9---use-the-same-domain-name-on-front-door-and-your-origin) | Networking | Medium | Verified | No |
 | [AFD-10 - Enable the WAF](#afd-10---enable-the-waf) | Access & Security | Medium | Verified | No |
-| [AFD-11 - Disable health probes when there is only one origin in an origin group](#afd-11---disable-health-probes-when-there-is-only-one-origin-in-an-origin-group) | Availability | Low | Verified | No |
-| [AFD-12 - Select good health probe endpoints](#afd-12---select-good-health-probe-endpoints) | Availability | Medium | Verified | No |
+| [AFD-11 - Disable health probes when there is only one origin in an origin group](#afd-11---disable-health-probes-when-there-is-only-one-origin-in-an-origin-group) | Availability | Low | Verified | Yes |
+| [AFD-12 - Select good health probe endpoints](#afd-12---select-good-health-probe-endpoints) | Availability | Medium | Verified | Yes |
 | [AFD-13 - Use HEAD health probes](#afd-13---use-head-health-probes) | System Efficiency | Medium | Verified | No |
 | [AFD-14 - Use geo-filtering in Azure Front Door](#afd-14---use-geo-filtering-in-azure-front-door) | Access & Security | Medium | Verified | No |
 | [AFD-15 - Secure your Origin with Private Link in Azure Front Door](#afd-15---secure-your-origin-with-private-link-in-azure-front-door) | Access & Security | Medium | Verified | No |
diff --git a/docs/content/services/networking/front-door/code/afd-1/afd-1.kql b/docs/content/services/networking/front-door/code/afd-1/afd-1.kql
index 614a7f9ca..00518ec18 100644
--- a/docs/content/services/networking/front-door/code/afd-1/afd-1.kql
+++ b/docs/content/services/networking/front-door/code/afd-1/afd-1.kql
@@ -1 +1,30 @@
-// under-development
+// Azure Resource Graph Query
+// Avoid combining Traffic Manager and Front Door
+resources
+| where type == "microsoft.network/trafficmanagerprofiles"
+| mvexpand(properties.endpoints)
+| extend endpoint=tostring(properties_endpoints.properties.target)
+| project name, trafficmanager=id, matchname=endpoint, tags
+| join (
+ resources
+ | where type =~ "microsoft.cdn/profiles/afdendpoints"
+ | extend matchname= tostring(properties.hostName)
+ | extend splitid=split(id, "/")
+ | extend frontdoorid=tolower(strcat_array(array_slice(splitid, 0, 8), "/"))
+ | project name, id, matchname, frontdoorid, type
+ | union
+ (cdnresources
+ | where type =~ "Microsoft.Cdn/Profiles/CustomDomains"
+ | extend matchname= tostring(properties.hostName)
+ | extend splitid=split(id, "/")
+ | extend frontdoorid=tolower(strcat_array(array_slice(splitid, 0, 8), "/"))
+ | project name, id, matchname, frontdoorid, type)
+ )
+ on matchname
+| project
+ recommendationId = "afd-1",
+ name=split(trafficmanager, "/")[-1],
+ id=trafficmanager,
+ tags,
+ param1=strcat("hostname:", matchname),
+ param2=strcat("frontdoorid:", frontdoorid)
diff --git a/docs/content/services/networking/front-door/code/afd-1/afd-1.kql.fix b/docs/content/services/networking/front-door/code/afd-1/afd-1.kql.fix
deleted file mode 100644
index 1b9387c18..000000000
--- a/docs/content/services/networking/front-door/code/afd-1/afd-1.kql.fix
+++ /dev/null
@@ -1,3 +0,0 @@
-resources
-| where type == "microsoft.Network/trafficmanagerprofiles" or type == "microsoft.cdn/profiles"
-| project recommendationId = "afd-1", name, id
diff --git a/docs/content/services/networking/front-door/code/afd-10/afd-10.kql b/docs/content/services/networking/front-door/code/afd-10/afd-10.kql
index 614a7f9ca..6f29031ca 100644
--- a/docs/content/services/networking/front-door/code/afd-10/afd-10.kql
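Review bot: The `join ( ... ) on matchname` compares the Traffic Manager endpoint `target` with the Front Door `hostName` case-sensitively, while the same query already lowercases `frontdoorid`; a target entered with different capitalization than the AFD hostname (DNS names are case-insensitive) will not match and the combination goes unreported. Normalize both sides: `| extend endpoint=tolower(tostring(properties_endpoints.properties.target))` on the Traffic Manager side and `| extend matchname= tolower(tostring(properties.hostName))` in both branches of the union. For consistency with afd-10 and afd-11, the second header comment should carry the recommendation id, `// AFD-1 - Avoid combining Traffic Manager and Front Door`.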
+++ b/docs/content/services/networking/front-door/code/afd-10/afd-10.kql
@@ -1 +1,40 @@
 // under-development
+// Azure Resource Graph Query
+// AFD-10 - Enable the WAF
+
+resources
+| where type =~ "microsoft.cdn/profiles" and sku has "AzureFrontDoor"
+| project name, cdnprofileid=tolower(id), tostring(tags), resourceGroup, subscriptionId,skuname=tostring(sku.name)
+| join kind= fullouter (
+ cdnresources
+ | where type == "microsoft.cdn/profiles/securitypolicies"
+ | extend wafpolicyid=tostring(properties['parameters']['wafPolicy']['id'])
+ | extend splitid=split(id, "/")
+ | extend cdnprofileid=tolower(strcat_array(array_slice(splitid, 0, 8), "/"))
+ | project secpolname=name, cdnprofileid, wafpolicyid
+ )
+ on cdnprofileid
+| project name, cdnprofileid, secpolname, wafpolicyid,skuname
+| join kind = fullouter (
+ resources
+ | where type == "microsoft.network/frontdoorwebapplicationfirewallpolicies"
+ | extend
+ managedrulesenabled=iff(tostring(properties.managedRules.managedRuleSets) != "[]", true, false),
+ enabledState = tostring(properties.policySettings.enabledState)
+ | project afdwafname=name, managedrulesenabled, wafpolicyid=id, enabledState, tostring(tags)
+ )
+ on wafpolicyid
+| where name != ""
+| summarize
+ associatedsecuritypolicies=countif(secpolname != ""),
+ wafswithmanagedrules=countif(managedrulesenabled == 1)
+ by name, id=cdnprofileid, tags,skuname
+| where associatedsecuritypolicies == 0 or wafswithmanagedrules == 0
+| project
+ recommendationId = "afd-10",
+ name,
+ id,
+ todynamic(tags),
+ param1 = strcat("associatedsecuritypolicies:", associatedsecuritypolicies),
+ param2 = strcat("wafswithmanagedrules:", wafswithmanagedrules),
+ param3 = strcat("skuname:",skuname)
diff --git a/docs/content/services/networking/front-door/code/afd-10/afd-10.kql.fix b/docs/content/services/networking/front-door/code/afd-10/afd-10.kql.fix
deleted file mode 100644
index a438d6a60..000000000
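Review bot: `enabledState` is read from each WAF policy and projected on the `| project afdwafname=name, ...` line but never used in the `summarize` or the final `where`, so a profile whose attached policy has `enabledState` "Disabled" still counts as protected as long as it has managed rule sets — the deleted afd-10.kql.fix did filter on `enabledState == "Enabled"`. Add `enabledwafs=countif(enabledState == "Enabled")` to the summarize, `or enabledwafs == 0` to the where, and a `param4 = strcat("enabledwafs:", enabledwafs)` so the finding explains itself. Separately, the second `| project name, cdnprofileid, secpolname, wafpolicyid,skuname` drops the profile's `tags`, so the `tags` column that `summarize ... by` and `todynamic(tags)` operate on is the WAF policy's `tostring(tags)` from the second join, which is empty for exactly the profiles this query reports; keeping `tags` in that project fixes it. The file also keeps the `// under-development` context line as its first line while afd-1 and afd-11 remove theirs; it should go now that the query is implemented.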
--- a/docs/content/services/networking/front-door/code/afd-10/afd-10.kql.fix
+++ /dev/null
@@ -1,4 +0,0 @@
-resources
-| where type == "microsoft.cdn/cdnwebapplicationfirewallpolicies"
-| where properties['policySettings']['enabledState'] == "Enabled"
-| project recommendationId = "afd-10", name, id
diff --git a/docs/content/services/networking/front-door/code/afd-11/afd-11.kql b/docs/content/services/networking/front-door/code/afd-11/afd-11.kql
index 614a7f9ca..a34f88973 100644
--- a/docs/content/services/networking/front-door/code/afd-11/afd-11.kql
+++ b/docs/content/services/networking/front-door/code/afd-11/afd-11.kql
@@ -1 +1,21 @@
-// under-development
+// Azure Resource Graph Query
+// AFD-11 - Disable health probes when there is only one origin in an origin group
+cdnresources
+| where type =~ "microsoft.cdn/profiles/origingroups"
+| extend healthprobe=tostring(properties.healthProbeSettings)
+| project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe
+| join (
+ cdnresources
+ | where type =~ "microsoft.cdn/profiles/origingroups/Origins"
+ | extend origingroupname = tostring(properties.originGroupName)
+ )
+ on origingroupname
+| summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != "") by origingroupname, id, tostring(tags), resourceGroup, subscriptionId
+| where origincount == 1 and enabledhealthprobecount != 0
+| project
+ recommendationId = "afd-11",
+ name=origingroupname,
+ id,
+ todynamic(tags),
+ param1 = strcat("origincount:", origincount),
+ param2 = strcat("enabledhealthprobecount:", enabledhealthprobecount)
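Review bot: The origin-group-to-origins `join` is keyed only on `origingroupname`, but origin group names are unique only within a profile, so origin groups that share a name across Front Door profiles in the queried scope are joined together and `origincount=count()` sums their origins; a single-origin group can then be hidden by a same-named group elsewhere, and the other group's origins are attributed to this group's `id`, `tags`, `resourceGroup` and `subscriptionId`. Scope the key to the parent profile the way afd-1 and afd-10 do: `| extend profileid=tolower(strcat_array(array_slice(split(id, "/"), 0, 8), "/"))` on both sides of the join and `on origingroupname, profileid` (the `0, 8` slice assumes the standard `/subscriptions/.../providers/Microsoft.Cdn/profiles/<profile>` id layout — confirm against a sample origin id). Since `healthprobe` is carried on every joined row, `enabledhealthprobecount` equals `origincount` whenever a probe is configured, which is fine for the `!= 0` test but deserves a comment such as `// one row per origin; healthprobe repeats on each row` so the count is not read as a number of probes.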