Forum Discussion
Azure Resource Graph Explorer - KQL Key Vaults: Find resources with Public Access set to Allow
Well, I have a solution to my query. Perhaps not the prettiest but it works.
resources
| where type =~ "microsoft.storage/storageaccounts"
| extend properties = parse_json(properties)
| extend virtualNetwork = properties.networkAcls.virtualNetworkRules
// An absent or empty virtualNetworkRules array means no VNet rule; comparing the array to the string "[]" does not detect this
| extend publicEnabled = iif(isnull(virtualNetwork) or array_length(virtualNetwork) == 0, "No", "Yes")
| extend pep_review = properties.privateEndpointConnections
// Same guard for private endpoint connections: null or empty array means no PEP
| extend pep_status = iif(isnull(pep_review) or array_length(pep_review) == 0, "No", "Yes")
| project name, properties.creationTime, subscriptionId, location, resourceGroup, properties.minimumTlsVersion, pep_status, publicEnabled
I know this query is for Storage accounts, but both Storage and Key Vaults have firewall rules as well as PEP, and we need to know for both types of resources.
Please let me know if there is a cleaner way. It would be great if there was a dedicated KQL board where we could all share/help each other out.
Cheers,
Well, after observing a few anomalies from my query, I had to do a deep dive on the "Properties" section of the Storage account and found that not all Key:Values were present for each storage account.
It makes it hard to get the exact 100% settings, but it is closer now that I have switched back to the "properties.networkAcls.defaultAction" section of the properties. Hopefully this helps.
resources
| where type =~ "microsoft.storage/storageaccounts"
| extend properties = parse_json(properties)
// defaultAction is a scalar string inside the dynamic properties; convert it before comparing
| extend public_Enabled = iif(tostring(properties.networkAcls.defaultAction) =~ "Allow", "Yes", "No")
| extend pep_review = properties.privateEndpointConnections
// privateEndpointConnections may be missing entirely (null) or an empty array; both mean "no PEP"
| extend pep_status = iif(isnull(pep_review) or array_length(pep_review) == 0, "No", "Yes")
| extend virtualNetwork_review = properties.networkAcls.virtualNetworkRules
// Same null-or-empty check for VNet rules
| extend Vnet_status = iif(isnull(virtualNetwork_review) or array_length(virtualNetwork_review) == 0, "No", "Yes")
| project name, properties.creationTime, subscriptionId, location, resourceGroup, properties.minimumTlsVersion, pep_status, public_Enabled, Vnet_status
Cheers,
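The two posts above ask for a single query covering both Storage accounts and Key Vaults and note that some property keys are missing on some resources. The following Azure Resource Graph query is an added example, not the poster's own, and assumes that Key Vaults expose the same properties.networkAcls, properties.publicNetworkAccess and properties.privateEndpointConnections shape as Storage accounts, and that a missing networkAcls block means the service-level default of allowing public access.

```kql
resources
| where type in~ ("microsoft.storage/storageaccounts", "microsoft.keyvault/vaults")
| extend props = parse_json(properties)
// defaultAction is a scalar string; an absent networkAcls block is treated as "Allow" (assumption: service default)
| extend defaultAction = tostring(props.networkAcls.defaultAction)
| extend defaultAction = iif(isempty(defaultAction), "Allow", defaultAction)
// publicNetworkAccess is the service-level switch; "Disabled" closes the resource regardless of firewall rules
| extend publicNetworkAccess = tostring(props.publicNetworkAccess)
// Effectively public only when the firewall default allows AND the service-level switch is not Disabled
| extend public_Enabled = iif(defaultAction =~ "Allow" and publicNetworkAccess !~ "Disabled", "Yes", "No")
// A missing (null) or empty array both mean "none", which is the anomaly the second post ran into
| extend pep = props.privateEndpointConnections
| extend pep_status = iif(isnull(pep) or array_length(pep) == 0, "No", "Yes")
| extend vnetRules = props.networkAcls.virtualNetworkRules
| extend vnet_status = iif(isnull(vnetRules) or array_length(vnetRules) == 0, "No", "Yes")
| extend ipRules = props.networkAcls.ipRules
| extend ip_rule_count = iif(isnull(ipRules), 0, array_length(ipRules))
| project type, name, subscriptionId, resourceGroup, location, public_Enabled, pep_status, vnet_status, ip_rule_count
// Publicly reachable resources with no private endpoint float to the top for review
| order by public_Enabled desc, pep_status asc, type asc
```

Rows with public_Enabled = "Yes" and ip_rule_count = 0 are the ones reachable from any network address and worth reviewing first.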