Forum Discussion
SergioT1228
Dec 13, 2023Brass Contributor
Azure Resource Graph Explorer - KQL Key Vaults: Find resources with Public Access set to Allow
I'm working on a query(KQL) that will help me identify which Key Vault and Storage accounts have Network rules set to "Allow public access from all networks"(Key Vaults) or "Enabled from all networks"(Storage accounts).
Current query:
Resources
| where type == 'microsoft.keyvault/vaults'
| extend allowAll = iif(properties.publicNetworkAccess == "Enabled") = "Yes" else "No"
| project type, name, location, resourceGroup, subscriptionId, allowAll
I would like a variable set to either YES or NO based off of the current status of the NetworkAccess per resource.
Please let me know if any other informaiton is needed.
Cheers,
Serge
- SergioT1228Brass Contributor
Well, I have a solution to my query. Perhaps not the prettiest but it works.
resources
| where type =~ "microsoft.storage/storageaccounts"
| extend properties = parse_json(properties)
| extend virtualNetwork = properties.networkAcls.virtualNetworkRules
| extend publicEnabled = iif(virtualNetwork == "[]", "No", "Yes")
| extend pep_review = properties.privateEndpointConnections
| extend pep_status = iif(pep_review == "[]", "No", "Yes")
| project name, properties.creationTime, subscriptionId, location, resourceGroup, properties.minimumTlsVersion, pep_status, publicEnabled
I know this query is for Storage accounts but both Storage and Key Vaults have both Firewall rules as well as PEP and we need to know for both type of resources.
Please let me know if there is a cleaner way. It would be great if there was a dedicated KQL board where we could all share/help each other out.
Cheers,
- SergioT1228Brass Contributor
Well, after observing a few anomalies from my query. I had to do a deep dive on the “Properties” section of the Storage account and found that not all Key:Values were present for each storage account.
It makes it hard to get the exact 100% settings but it is closer now that I have switched back to the “properties.networkAcls.defaultAction” section of the properties. Hopefully this helps.
resources
| where type =~ "microsoft.storage/storageaccounts"
| extend properties = parse_json(properties)
| extend public_Enabled = iif(properties.networkAcls.defaultAction == "Allow", "Yes", "No")
| extend pep_review = properties.privateEndpointConnections
| extend pep_status = iif(pep_review == "[]", "No", "Yes")
| extend virtualNetwork_review = properties.networkAcls.virtualNetworkRules
| extend Vnet_status = iif(virtualNetwork_review == "[]", "No", "Yes")
| project name, properties.creationTime, subscriptionId, location, resourceGroup, properties.minimumTlsVersion, pep_status, public_Enabled, Vnet_status
Cheers,