Various Azure Resource Graph queries
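// NSG security rules that reference Application Security Groups (ASGs).
// Output: one row per (rule, source ASG, destination ASG, associated subnet),
// so the ASG-based rules in effect on each subnet can be reviewed side by side.
resources
| where type == "microsoft.network/networksecuritygroups"
| extend securityRules = properties.securityRules
| mv-expand securityRules
// Keep only rules that carry an ASG reference on either side. The null test is
// explicit rather than a comparison of a dynamic value with ''.
| where isnotnull(securityRules.properties.destinationApplicationSecurityGroups)
    or isnotnull(securityRules.properties.sourceApplicationSecurityGroups)
// A rule listing several source and several destination ASGs fans out to every
// source/destination pair, so row counts are not rule counts.
| mv-expand srcAsgs = securityRules.properties.sourceApplicationSecurityGroups
| mv-expand dstAsgs = securityRules.properties.destinationApplicationSecurityGroups
// The ASG name is the last segment of its resource ID.
| extend srcAsgNames = split(srcAsgs.id, "/")[-1]
| extend dstAsgNames = split(dstAsgs.id, "/")[-1]
// One row per subnet the NSG is associated with; the VNet name sits three
// segments from the end of the subnet resource ID.
// NOTE(review): only properties.subnets is read here, so an NSG attached some
// other way shows no vnet/subnet values - confirm that is acceptable.
| mv-expand subnet = properties.subnets
| extend vnetName = split(subnet.id, "/")[-3]
| extend subnetName = split(subnet.id, "/")[-1]
| project id, nsg_name=name, vnetName, subnetName, subscriptionId, resourceGroup, location, ruleName=securityRules.name, srcAsgNames, dstAsgNames, ruleProperties=securityRules.properties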
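// Private endpoint connections whose private endpoint lives in a different
// subscription than the resource it connects to.
// Such connections give another subscription a network path to the resource,
// so each row is worth checking against an expected-connections list; `status`
// and `description` come from the connection's privateLinkServiceConnectionState.
resources
| where isnotnull(properties) and properties contains "privateEndpointConnections"
| where array_length(properties.privateEndpointConnections) > 0
// mv-expand on a dotted path names the expanded column properties_privateEndpointConnections.
| mv-expand properties.privateEndpointConnections
| extend status = properties_privateEndpointConnections.properties.privateLinkServiceConnectionState.status
| extend description = coalesce(properties_privateEndpointConnections.properties.privateLinkServiceConnectionState.description, "")
| extend privateEndpointResourceId = properties_privateEndpointConnections.properties.privateEndpoint.id
// Segment 2 of "/subscriptions/<id>/..." is the subscription ID of the endpoint.
| extend privateEndpointSubscriptionId = tostring(split(privateEndpointResourceId, "/")[2])
| project id, name, location, type, resourceGroup, subscriptionId, tenantId, privateEndpointResourceId, privateEndpointSubscriptionId, status, description
// Case-insensitive comparison: GUID casing inside a resource ID is not
// guaranteed to match the subscriptionId column, and a casing difference alone
// must not be reported as a cross-subscription connection.
// A connection with no endpoint ID recorded yields an empty
// privateEndpointSubscriptionId and is therefore still listed.
| where subscriptionId !~ privateEndpointSubscriptionId
| sort by resourceGroup, ['type'], name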
// Change history for firewall policy rule collections, newest first.
// Takes change records that mention rule collection groups, splits each record
// into its individual property changes, keeps the ones that address a named
// rule collection, and groups them per change record and rule collection.
networkresourcechanges
| where properties contains "microsoft.network/firewallpolicies/rulecollectiongroups"
| extend change = todynamic(properties)
| extend attrs = change.changeAttributes
| extend
    TargetResource = tostring(change.targetResourceId),
    ChangeType = tostring(change.changeType),
    ChangeBag = parse_json(change.changes),
    ChangeTime = todatetime(attrs.timestamp),
    PreviousSnapshotId = tostring(attrs.previousResourceSnapshotId),
    NewSnapshotId = tostring(attrs.newResourceSnapshotId),
    CorrelationId = tostring(attrs.correlationId),
    ChangesCount = toint(attrs.changesCount)
| extend
    TenantId = tostring(tenantId),
    SubscriptionId = tostring(subscriptionId),
    ResourceGroup = tostring(resourceGroup),
    Location = tostring(location),
    FirewallPolicyName = extract('/firewallPolicies/([^/]+)/', 1, tostring(id))
// One row per changed property path; the path is the key of the changes bag.
| mv-expand ChangeKey = bag_keys(ChangeBag)
| extend ChangeDetails = parse_json(ChangeBag[tostring(ChangeKey)])
// Only paths of the form properties.ruleCollections["<name>"]... are kept;
// changes elsewhere in the rule collection group are dropped by the filter.
| extend RuleCollectionName = extract('properties\\.ruleCollections\\["([^"]+)"\\]', 1, tostring(ChangeKey))
| where isnotempty(RuleCollectionName)
| summarize
    Changes = make_list(pack("ChangeKey", ChangeKey, "PreviousValue", tostring(ChangeDetails.previousValue), "NewValue", tostring(ChangeDetails.newValue)))
    by
    Timestamp = format_datetime(ChangeTime, 'yyyy-MM-dd HH:mm:ss'),
    TenantId,
    SubscriptionId,
    ResourceGroup,
    Location,
    TargetResource,
    FirewallPolicyName,
    RuleCollectionName,
    ChangeType,
    PreviousSnapshotId,
    NewSnapshotId,
    CorrelationId,
    ChangesCount
// The rule collection group name is the last segment of the target resource ID.
| extend RuleCollectionGroupName = tostring(split(TargetResource, '/')[-1])
// NOTE(review): CorrelationId, SubscriptionId and TargetResource are grouping
// keys but are not projected; presumably CorrelationId is what would link a
// change to the operation that made it - confirm before relying on this output
// for attribution.
| project
    Timestamp,
    RuleCollectionGroupName,
    RuleCollectionName,
    ChangeType,
    ChangesCount,
    Changes
// Timestamp is a formatted string here; year-first formatting keeps text order chronological.
| sort by Timestamp desc
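// private endpoint routes
// Emits one "<ip>/32" prefix for every private IP address configured on the
// network interfaces of private endpoints, sorted as text.
resources
| where type == "microsoft.network/privateendpoints"
| extend nics = properties.networkInterfaces
| mv-expand nics
// Resource IDs are case-insensitive, so the join key is lower-cased on both
// sides; a casing difference must not make an endpoint's interface look missing.
| project nicKey = tolower(tostring(nics.id))
| join kind=leftouter (
    resources
    | where type == 'microsoft.network/networkinterfaces'
    | extend nicKey = tolower(id)
  ) on nicKey
| extend ipConfigs = properties.ipConfigurations
| mv-expand ipConfigs
| extend ip = tostring(ipConfigs.properties.privateIPAddress)
// An endpoint whose interface is not returned by the query has no address.
// Skip it instead of emitting a bare "/32", which is not a usable prefix if
// this output feeds a route table or an allow list.
| where isnotempty(ip)
// NOTE(review): the /32 suffix assumes IPv4 addresses - confirm no IPv6
// private addresses are expected here.
| extend cidr = strcat(ip, '/32')
| project cidr
| sort by cidr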
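// Private endpoints and the NSG enforcement setting of their subnet.
// Lists EVERY private endpoint together with its subnet's NSG ID and
// privateEndpointNetworkPolicies value; nothing is filtered out, so a row is
// not by itself a finding.
// NOTE(review): to narrow this to endpoints where NSG rules are not enforced,
// filter on subnetPrivateEndpointNetworkPolicies and on an empty subnetNsgId -
// confirm the policy values in use in your environment first.
resources
| where type == "microsoft.network/privateendpoints"
| extend props = parse_json(properties)
| extend provisioningState = tostring(props.provisioningState)
| extend subnetId = tostring(props.subnet.id)
// Resource IDs are case-insensitive; join on a lower-cased key so a casing
// difference between the endpoint record and the VNet record does not leave
// the subnet columns empty and make an endpoint look unprotected.
| extend subnetKey = tolower(subnetId)
| extend owner = tags['Owner']
| extend environment = tags['Environment']
| extend technicalOwner = tags['Technical Owner']
| join kind = leftouter (
    resources
    | where type == 'microsoft.network/virtualnetworks'
    | extend subnets = parse_json(properties).subnets
    | mv-expand subnets
    | extend subnetKey = tolower(tostring(subnets.id))
    | extend subnetName = subnets.name
    | extend subnetPrivateEndpointNetworkPolicies = subnets.properties.privateEndpointNetworkPolicies
    | extend subnetNsgId = subnets.properties.networkSecurityGroup.id
    | project subnetKey, subnetName, subnetNsgId, subnetPrivateEndpointNetworkPolicies
  ) on subnetKey
// subnetId is reported exactly as recorded on the private endpoint.
| project owner, technicalOwner, environment, id, name, location, resourceGroup, subscriptionId, provisioningState, subnetId, subnetName, subnetNsgId, subnetPrivateEndpointNetworkPolicies
| order by tostring(environment)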