Forum Discussion

SergioT1228
Brass Contributor
Dec 13, 2023

Azure Resource Graph Explorer - KQL Key Vaults: Find resources with Public Access set to Allow

I'm working on a query (KQL) that will help me identify which Key Vaults and Storage accounts have network rules set to "Allow public access from all networks" (Key Vaults) or "Enabled from all networks" (Storage accounts).


Current query:
Resources
| where type == 'microsoft.keyvault/vaults'
// publicNetworkAccess on the vault's ARM properties is "Enabled" or "Disabled"
| extend allowAll = iif(properties.publicNetworkAccess == "Enabled", "Yes", "No")
| project type, name, location, resourceGroup, subscriptionId, allowAll

 

I would like a variable set to either YES or NO based on the current status of the network access per resource.

 

Please let me know if any other information is needed.

 

Cheers,

Serge

  • SergioT1228
    Brass Contributor

    Well, I have a solution to my query. Perhaps not the prettiest, but it works.


    resources
    | where type =~ "microsoft.storage/storageaccounts"
    // properties is already dynamic in Resource Graph; parse_json is a no-op here
    | extend properties = parse_json(properties)
    | extend virtualNetwork = properties.networkAcls.virtualNetworkRules
    // an absent or empty virtualNetworkRules array means no VNet rules are configured
    | extend publicEnabled = iif(coalesce(array_length(virtualNetwork), 0) == 0, "No", "Yes")
    | extend pep_review = properties.privateEndpointConnections
    // an absent or empty privateEndpointConnections array means no private endpoint
    | extend pep_status = iif(coalesce(array_length(pep_review), 0) == 0, "No", "Yes")
    | project name, properties.creationTime, subscriptionId, location, resourceGroup, properties.minimumTlsVersion, pep_status, publicEnabled


    I know this query is for Storage accounts, but both Storage and Key Vaults have firewall rules as well as PEP, and we need to know for both types of resources.

     

    Please let me know if there is a cleaner way. It would be great if there was a dedicated KQL board where we could all share and help each other out.

     

    Cheers,

    • SergioT1228
      Brass Contributor

       

      Well, after observing a few anomalies from my query, I had to do a deep dive on the "Properties" section of the Storage account and found that not all key:values were present for each storage account.

      It makes it hard to get the settings exactly 100% right, but it is closer now that I have switched back to the "properties.networkAcls.defaultAction" section of the properties. Hopefully this helps.


      resources
      | where type =~ "microsoft.storage/storageaccounts"
      // properties is already dynamic in Resource Graph; parse_json is a no-op here
      | extend properties = parse_json(properties)
      // defaultAction "Allow" is the portal's "Enabled from all networks"; a missing key yields "No"
      | extend public_Enabled = iif(properties.networkAcls.defaultAction == "Allow", "Yes", "No")
      | extend pep_review = properties.privateEndpointConnections
      // an absent or empty privateEndpointConnections array means no private endpoint
      | extend pep_status = iif(coalesce(array_length(pep_review), 0) == 0, "No", "Yes")
      | extend virtualNetwork_review = properties.networkAcls.virtualNetworkRules
      // an absent or empty virtualNetworkRules array means no VNet rules are configured
      | extend Vnet_status = iif(coalesce(array_length(virtualNetwork_review), 0) == 0, "No", "Yes")
      | project name, properties.creationTime, subscriptionId, location, resourceGroup, properties.minimumTlsVersion, pep_status, public_Enabled, Vnet_status


      Cheers,
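As an added example that is not part of the original thread: one Resource Graph query that covers both Key Vaults and Storage accounts, and that classifies each resource by its effective network exposure instead of a single field. It uses the documented ARM properties (publicNetworkAccess, networkAcls.defaultAction, networkAcls.ipRules, networkAcls.virtualNetworkRules, privateEndpointConnections). The treatment of missing keys is an assumption stated in the comments: both services behave as "Enabled" when publicNetworkAccess is absent, and as "Allow" when networkAcls.defaultAction is absent, which matches the "key not present" anomaly described in the last post. The "All networks" label corresponds to the portal's "Allow public access from all networks" (Key Vault) and "Enabled from all networks" (Storage).

```kql
// Added example, not from the original post. Assumptions are marked inline.
resources
| where type in~ ("microsoft.keyvault/vaults", "microsoft.storage/storageaccounts")
// tostring() of a missing dynamic path is "", not null, so test with isempty()
| extend pnaRaw = tostring(properties.publicNetworkAccess)
// ASSUMPTION: an absent publicNetworkAccess means the service default, "Enabled"
| extend pna = iff(isempty(pnaRaw), "Enabled", pnaRaw)
| extend defaultActionRaw = tostring(properties.networkAcls.defaultAction)
// ASSUMPTION: an absent networkAcls.defaultAction means no firewall was configured, i.e. "Allow"
| extend defaultAction = iff(isempty(defaultActionRaw), "Allow", defaultActionRaw)
// array_length() of a missing array is null; coalesce to 0 so counts are comparable
| extend ipRuleCount   = coalesce(array_length(properties.networkAcls.ipRules), 0),
         vnetRuleCount = coalesce(array_length(properties.networkAcls.virtualNetworkRules), 0),
         pepCount      = coalesce(array_length(properties.privateEndpointConnections), 0)
// Evaluate in order: public access switched off beats any firewall rule,
// then "Allow" means the firewall is wide open regardless of rule lists
| extend exposure = case(
    pna =~ "Disabled",                  "Private only",       // portal: "Disable public access" / "Disabled"
    defaultAction =~ "Allow",           "All networks",       // portal: "Allow public access from all networks" / "Enabled from all networks"
    ipRuleCount + vnetRuleCount > 0,    "Selected networks",  // Deny + explicit IP or VNet rules
                                        "Deny, no rules")     // Deny with no rules: only private endpoints (if any) can reach it
| extend allowAll = iif(exposure == "All networks", "Yes", "No")
| project type, name, resourceGroup, subscriptionId, location,
          exposure, allowAll, pna, defaultAction, ipRuleCount, vnetRuleCount, pepCount
| order by allowAll desc, type asc, name asc
```

Run this in Azure Resource Graph Explorer (or with `az graph query -q "..."`) against the subscriptions you are scoped to. A row with allowAll = "Yes" means the network firewall is not restricting reachability; authentication and authorization still apply, so treat it as an exposure finding to review rather than proof of data access. Resources reporting "Deny, no rules" with pepCount = 0 are worth a second look as well, since nothing can reach them over the network at all.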
