Azure · oZakari · Apr 4, 2024 · Mar 8, 2024 · Mar 18, 2024 · Apr 4, 2024
@@ -1 +1,30 @@
-// under-development
+// Azure Resource Graph Query
+// Avoid combining Traffic Manager and Front Door
+resources
+| where type == "microsoft.network/trafficmanagerprofiles"
+| mvexpand(properties.endpoints)
+| extend endpoint=tostring(properties_endpoints.properties.target)
+| project name, trafficmanager=id, matchname=endpoint, tags
+| join (
+    resources
+    | where type =~ "microsoft.cdn/profiles/afdendpoints"
+    | extend matchname= tostring(properties.hostName)
+    | extend splitid=split(id, "/")
+    | extend frontdoorid=tolower(strcat_array(array_slice(splitid, 0, 8), "/"))
+    | project name, id, matchname, frontdoorid, type
+    | union
+        (cdnresources
+        | where type =~ "Microsoft.Cdn/Profiles/CustomDomains"
+        | extend matchname= tostring(properties.hostName)
+        | extend splitid=split(id, "/")
+        | extend frontdoorid=tolower(strcat_array(array_slice(splitid, 0, 8), "/"))
+        | project name, id, matchname, frontdoorid, type)
+    )
+    on matchname
+| project
+    recommendationId = "afd-1",
+    name=split(trafficmanager, "/")[-1],
+    id=trafficmanager,
+    tags,
+    param1=strcat("hostname:", matchname),
+    param2=strcat("frontdoorid:", frontdoorid)
@@ -1 +1,40 @@
 // under-development
+// Azure Resource Graph Query
+// AFD-10 - Enable the WAF
+
+resources
+| where type =~ "microsoft.cdn/profiles" and sku has "AzureFrontDoor"
+| project name, cdnprofileid=tolower(id), tostring(tags), resourceGroup, subscriptionId,skuname=tostring(sku.name)
+| join kind= fullouter (
+    cdnresources
+    | where type == "microsoft.cdn/profiles/securitypolicies"
+    | extend wafpolicyid=tostring(properties['parameters']['wafPolicy']['id'])
+    | extend splitid=split(id, "/")
+    | extend cdnprofileid=tolower(strcat_array(array_slice(splitid, 0, 8), "/"))
+    | project secpolname=name, cdnprofileid, wafpolicyid
+    )
+    on cdnprofileid
+| project name, cdnprofileid, secpolname, wafpolicyid,skuname
+| join kind = fullouter (
+    resources
+    | where type == "microsoft.network/frontdoorwebapplicationfirewallpolicies"
+    | extend
+        managedrulesenabled=iff(tostring(properties.managedRules.managedRuleSets) != "[]", true, false),
+        enabledState = tostring(properties.policySettings.enabledState)
+    | project afdwafname=name, managedrulesenabled, wafpolicyid=id, enabledState, tostring(tags)
+    )
+    on wafpolicyid
+| where name != ""
+| summarize
+    associatedsecuritypolicies=countif(secpolname != ""),
+    wafswithmanagedrules=countif(managedrulesenabled == 1)
+    by name, id=cdnprofileid, tags,skuname
+| where associatedsecuritypolicies == 0 or wafswithmanagedrules  == 0
+| project
+    recommendationId = "afd-10",
+    name,
+    id,
+    todynamic(tags),
+    param1 = strcat("associatedsecuritypolicies:", associatedsecuritypolicies),
+    param2 = strcat("wafswithmanagedrules:", wafswithmanagedrules),
+    param3 = strcat("skuname:",skuname)
@@ -1 +1,21 @@
-// under-development
+// Azure Resource Graph Query
+// AFD-11 - Disable health probes when there is only one origin in an origin group
+cdnresources
+| where type =~ "microsoft.cdn/profiles/origingroups"
+| extend healthprobe=tostring(properties.healthProbeSettings)
+| project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe
+| join (
+    cdnresources
+    | where type =~ "microsoft.cdn/profiles/origingroups/Origins"
+    | extend origingroupname = tostring(properties.originGroupName)
+    )
+    on origingroupname
+| summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != "") by origingroupname, id, tostring(tags), resourceGroup, subscriptionId
+| where origincount == 1 and enabledhealthprobecount != 0
+| project
+    recommendationId = "afd-11",
+    name=origingroupname,
+    id,
+    todynamic(tags),
+    param1 = strcat("origincount:", origincount),
+    param2 = strcat("enabledhealthprobecount:", enabledhealthprobecount)