From dccd081d18630dee47b72948310389ee76ec51fa Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 12:20:44 -0500 Subject: [PATCH 1/3] build: Bump actions/checkout from 2 to 4 (#428) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build-recommendation-object.yml | 2 +- .github/workflows/scorecard.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-recommendation-object.yml b/.github/workflows/build-recommendation-object.yml index 87f9c8ec..b7544871 100644 --- a/.github/workflows/build-recommendation-object.yml +++ b/.github/workflows/build-recommendation-object.yml @@ -13,7 +13,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v4 with: ref: main diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 352b39ff..8441f50a 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -32,7 +32,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 with: persist-credentials: false From 89371b57641f15b6eb143572ca6a8b00f2dab9ef Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 12:40:17 -0500 Subject: [PATCH 2/3] build: Bump github/codeql-action from 3.26.7 to 3.26.9 (#442) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 8441f50a..a24f74d0 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml 
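Review bot: `uses: actions/checkout@v4` in build-recommendation-object.yml is a mutable tag, while scorecard.yml in this same patch pins the action to a full commit SHA with a version comment. Pinning this step the same way, `uses: actions/checkout@<full-commit-sha-of-the-v4-release> # v4.x.y`, means a re-pointed tag cannot change what the job runs, and Dependabot can still update it. The step's `with:` block may continue outside the hunk, so whether `persist-credentials: false` is set for this `ref: main` checkout cannot be seen from here and is worth confirming.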
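Review bot: In scorecard.yml the pin appears to move backwards: the removed line is annotated `# v4.1.1` and the added line `# v2.7.0`, although the commit subject says the bump is from 2 to 4. If the trailing comments are accurate, the Scorecard workflow would run an older major version of the checkout action than it did before this patch. This line should keep a v4 pin, `uses: actions/checkout@<full-commit-sha-of-the-v4-release> # v4.x.y`, with the SHA checked against the upstream release tag before merging. `persist-credentials: false` on the following lines should stay as it is.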
@@ -68,6 +68,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7 + uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9 with: sarif_file: results.sarif From 9cd5e4f6cf14fdcbf6a9b7ac89c31bde8dc94252 Mon Sep 17 00:00:00 2001 
From: Rodrigo Santos Date: Mon, 30 Sep 2024 14:04:15 -0400 Subject: [PATCH 3/3] feat: improves queries that check zone redundancy by adding a Where clause with the regions with AZ (#440) Co-authored-by: Rodrigo Reis Santos (AZURE) Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com> --- .../740f2c1c-8857-4648-80eb-47d2c56d5a50.kql | 1 + .../baf3bfc0-32a2-4c0c-926d-c9bf0b49808e.kql | 1 - .../f4201965-a88d-449d-b3b4-021394719eb2.kql | 1 + .../5a44bd30-ae6a-4b81-9b68-dc3a8ffca4d8.kql | 1 + azure-resources/CognitiveServices/_index.md | 2 +- .../CognitiveServices/accounts/_index.md | 2 +- .../accounts/recommendations.yaml | 17 +++++++++++++++++ .../488dcc8b-f2e3-40ce-bf95-73deb2db095f.kql | 1 + .../1422c567-782c-7148-ac7c-5fc14cf45adc.kql | 1 + .../2bd0be95-a825-6f47-a8c6-3db1fb5eb387.kql | 2 +- .../fa0cf4f5-0b21-47b7-89a9-ee936f193ce1.kql | 1 + .../63491f70-22e4-3b4a-8b0c-845450e46fac.kql | 1 + .../4f63619f-5001-439c-bacb-8de891287727.kql | 1 + .../88856605-53d8-4bbd-a75b-4a7b14939d32.kql | 1 + .../ca87914f-aac4-4783-ab67-82a6f936f194.kql | 1 + .../47d100a5-7f85-5742-967a-67eb5081240a.kql | 1 + .../e3d742e1-dacd-9b48-b6b1-510ec9f87c96.kql | 9 +++++---- .../c9c00f2a-3888-714b-a72b-b4c9e8fcffb2.kql | 1 + .../c72b7fee-1fa0-5b4b-98e5-54bcae95bb74.kql | 1 + .../621dbc78-3745-4d32-8eac-9e65b27b7512.kql | 3 +++ .../c63b81fb-7afc-894c-a840-91bb8a8dcfaf.kql | 1 + .../4bae5a28-5cf4-40d9-bcf1-623d28f6d917.kql | 2 ++ .../5b1933a6-90e4-f642-a01f-e58594e5aab2.kql | 1 + .../bbe668b7-eb5c-c746-8b82-70afdedf0cae.kql | 1 + .../6a8b3db9-5773-413a-a127-4f7032f34bbd.kql | 1 + .../c0085c32-84c0-c247-bfa9-e70977cbf108.kql | 1 + .../e6c7e1cc-2f47-264d-aa50-1da421314472.kql | 1 + .../88cb90c2-3b99-814b-9820-821a63f600dd.kql | 1 + 28 files changed, 50 insertions(+), 8 deletions(-) create mode 100644 azure-resources/CognitiveServices/accounts/recommendations.yaml 
diff --git a/azure-resources/ApiManagement/service/kql/740f2c1c-8857-4648-80eb-47d2c56d5a50.kql b/azure-resources/ApiManagement/service/kql/740f2c1c-8857-4648-80eb-47d2c56d5a50.kql
index 3aeb8958..b7406e9b 100644
--- a/azure-resources/ApiManagement/service/kql/740f2c1c-8857-4648-80eb-47d2c56d5a50.kql
+++ b/azure-resources/ApiManagement/service/kql/740f2c1c-8857-4648-80eb-47d2c56d5a50.kql
@@ -2,6 +2,7 @@
 // Find all Premium API Management instances that aren't zone redundant
 resources
 | where type =~ 'Microsoft.ApiManagement/service'
+| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
 | extend skuName = sku.name
 | where tolower(skuName) == tolower('premium')
 | where isnull(zones) or array_length(zones) < 2
diff --git a/azure-resources/ApiManagement/service/kql/baf3bfc0-32a2-4c0c-926d-c9bf0b49808e.kql b/azure-resources/ApiManagement/service/kql/baf3bfc0-32a2-4c0c-926d-c9bf0b49808e.kql
index e1a94fb5..1ffea581 100644
--- a/azure-resources/ApiManagement/service/kql/baf3bfc0-32a2-4c0c-926d-c9bf0b49808e.kql
+++ b/azure-resources/ApiManagement/service/kql/baf3bfc0-32a2-4c0c-926d-c9bf0b49808e.kql
@@ -5,4 +5,3 @@ resources
 | extend skuName = sku.name
 | where tolower(skuName) != tolower('premium')
 | project recommendationId = "baf3bfc0-32a2-4c0c-926d-c9bf0b49808e", name, id, tags, param1=strcat("SKU: ", skuName)
-
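Review bot: The region allowlist added after the `type` filter is a hard-coded 34-entry literal with no comment saying where it comes from, and the same literal is repeated in every other zone-redundancy query this patch touches (App, Cache, Compute, ContainerRegistry, ContainerService, DBforMySQL, DBforPostgreSQL, NetApp and Network, three times in the loadBalancers query). Any resource whose `location` is not in the list is dropped before the zone check, so a region that is missing from the list, or that gains availability zones later, produces no finding at all rather than a visible gap. I would add a comment above the filter in each file, for example `// Regions with availability zone support as of <review date>; resources elsewhere are skipped. Keep identical in all zone-redundancy queries.`, and consider generating the list from one source so the copies cannot drift.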
diff --git a/azure-resources/App/managedEnvironments/kql/f4201965-a88d-449d-b3b4-021394719eb2.kql b/azure-resources/App/managedEnvironments/kql/f4201965-a88d-449d-b3b4-021394719eb2.kql
index 5a2ab97b..dd78cef6 100644
--- a/azure-resources/App/managedEnvironments/kql/f4201965-a88d-449d-b3b4-021394719eb2.kql
+++ b/azure-resources/App/managedEnvironments/kql/f4201965-a88d-449d-b3b4-021394719eb2.kql
@@ -2,6 +2,7 @@
 // The query filters the qualified Container app environments that do not have Zone Redundancy enabled.
 resources
 | where type =~ "microsoft.app/managedenvironments"
+| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
 | where tobool(properties.zoneRedundant) == false
 | project recommendationId = "f4201965-a88d-449d-b3b4-021394719eb2", name, id, tags, param1 = "AvailabilityZones: Single Zone"
 | order by id asc
diff --git a/azure-resources/Cache/Redis/kql/5a44bd30-ae6a-4b81-9b68-dc3a8ffca4d8.kql b/azure-resources/Cache/Redis/kql/5a44bd30-ae6a-4b81-9b68-dc3a8ffca4d8.kql
index b96980d0..7d1ccc54 100644
--- a/azure-resources/Cache/Redis/kql/5a44bd30-ae6a-4b81-9b68-dc3a8ffca4d8.kql
+++ b/azure-resources/Cache/Redis/kql/5a44bd30-ae6a-4b81-9b68-dc3a8ffca4d8.kql
@@ -2,6 +2,7 @@ // Find Cache for Redis instances with one or no Zones selected resources | where type =~ "microsoft.cache/redis" +| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3") | where array_length(zones) <= 1 or isnull(zones) | project recommendationId = "5a44bd30-ae6a-4b81-9b68-dc3a8ffca4d8", name, id, tags, param1 = "AvailabilityZones: Single Zone" | order by id asc diff --git a/azure-resources/CognitiveServices/_index.md b/azure-resources/CognitiveServices/_index.md index ef5efc25..f6d0f984 100644 --- a/azure-resources/CognitiveServices/_index.md +++ b/azure-resources/CognitiveServices/_index.md @@ -1,5 +1,5 @@ --- title: CognitiveServices geekdocCollapseSection: true -geekdocHidden: true +geekdocHidden: false --- diff --git a/azure-resources/CognitiveServices/accounts/_index.md b/azure-resources/CognitiveServices/accounts/_index.md index 02495946..0647ff9d 100644 --- a/azure-resources/CognitiveServices/accounts/_index.md +++ b/azure-resources/CognitiveServices/accounts/_index.md @@ -1,7 +1,7 @@ --- title: accounts geekdocCollapseSection: true -geekdocHidden: true +geekdocHidden: false --- {{< azure-resources-recommendationlist name="azure-resources-recommendationlist" >}} diff --git a/azure-resources/CognitiveServices/accounts/recommendations.yaml b/azure-resources/CognitiveServices/accounts/recommendations.yaml new file mode 100644 index 00000000..aa77584b --- /dev/null +++ b/azure-resources/CognitiveServices/accounts/recommendations.yaml 
@@ -0,0 +1,17 @@
+- description: Enable diagnostic logging for Azure AI services and send the data to Log Analytics
+ aprlGuid: d6d9e18a-9ad2-491e-878d-86d621785453
+ recommendationTypeId: null
+ recommendationControl: Monitoring and Alerting
+ recommendationImpact: Low
+ recommendationResourceType: Microsoft.CognitiveServices/Accounts
+ recommendationMetadataState: Active
+ longDescription: |
+ All Logs and Metrics should be configured. These logs provide rich, frequent data about the operation of a resource that are used for issue identification and debugging.
+ potentialBenefits: Enhanced monitoring and troubleshooting capabilities
+ pgVerified: false
+ publishedToLearn: false
+ automationAvailable: false
+ tags: null
+ learnMoreLink:
+ - name: Enable diagnostic logging for Azure AI services
+ url: "https://learn.microsoft.com/en-us/azure/ai-services/diagnostic-logging"
diff --git a/azure-resources/Compute/galleries/kql/488dcc8b-f2e3-40ce-bf95-73deb2db095f.kql b/azure-resources/Compute/galleries/kql/488dcc8b-f2e3-40ce-bf95-73deb2db095f.kql
index 3135d7bd..19e6a93e 100644
--- a/azure-resources/Compute/galleries/kql/488dcc8b-f2e3-40ce-bf95-73deb2db095f.kql
+++ b/azure-resources/Compute/galleries/kql/488dcc8b-f2e3-40ce-bf95-73deb2db095f.kql
@@ -2,6 +2,7 @@
 // Query to list all image versions and its associated image and gallery name whose Storage account type is not using ZRS
 resources
 | where type =~ "microsoft.compute/galleries/images/versions"
+| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
 | extend GalleryName = tostring(split(tostring(id), "/")[8]), ImageName = tostring(split(tostring(id), "/")[10])
 | extend StorageAccountType = tostring(properties.publishingProfile.storageAccountType)
 | where StorageAccountType !has "ZRS"
diff --git a/azure-resources/Compute/virtualMachineScaleSets/kql/1422c567-782c-7148-ac7c-5fc14cf45adc.kql b/azure-resources/Compute/virtualMachineScaleSets/kql/1422c567-782c-7148-ac7c-5fc14cf45adc.kql
index e01dfa0a..32b1dcf0 100644
--- a/azure-resources/Compute/virtualMachineScaleSets/kql/1422c567-782c-7148-ac7c-5fc14cf45adc.kql
+++ b/azure-resources/Compute/virtualMachineScaleSets/kql/1422c567-782c-7148-ac7c-5fc14cf45adc.kql
@@ -2,6 +2,7 @@
 // Find VMSS instances with one or no Zones selected
 resources
 | where type == "microsoft.compute/virtualmachinescalesets"
+| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
 | where array_length(zones) <= 1 or isnull(zones)
 | project recommendationId = "1422c567-782c-7148-ac7c-5fc14cf45adc", name, id, tags, param1 = "AvailabilityZones: Single Zone"
 | order by id asc
diff --git a/azure-resources/Compute/virtualMachines/kql/2bd0be95-a825-6f47-a8c6-3db1fb5eb387.kql b/azure-resources/Compute/virtualMachines/kql/2bd0be95-a825-6f47-a8c6-3db1fb5eb387.kql
index b698bdb2..5cd23cb1 100644
--- a/azure-resources/Compute/virtualMachines/kql/2bd0be95-a825-6f47-a8c6-3db1fb5eb387.kql
+++ b/azure-resources/Compute/virtualMachines/kql/2bd0be95-a825-6f47-a8c6-3db1fb5eb387.kql
@@ -2,6 +2,6 @@
 // Find all VMs that are not assigned to a Zone
 Resources
 | where type =~ 'Microsoft.Compute/virtualMachines'
+| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
 | where isnull(zones)
 | project recommendationId="2bd0be95-a825-6f47-a8c6-3db1fb5eb387", name, id, tags, param1="No Zone"
-
diff --git a/azure-resources/Compute/virtualMachines/kql/fa0cf4f5-0b21-47b7-89a9-ee936f193ce1.kql b/azure-resources/Compute/virtualMachines/kql/fa0cf4f5-0b21-47b7-89a9-ee936f193ce1.kql
index fb71c60b..3f09586a 100644
--- a/azure-resources/Compute/virtualMachines/kql/fa0cf4f5-0b21-47b7-89a9-ee936f193ce1.kql
+++ b/azure-resources/Compute/virtualMachines/kql/fa0cf4f5-0b21-47b7-89a9-ee936f193ce1.kql
@@ -2,6 +2,7 @@
 // Find eligible Disks that are not zonal nor zone redundant
 resources
 | where type == 'microsoft.compute/disks'
+| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
 | where sku has "Premium_LRS" or sku has "StandardSSD_LRS"
 | where sku.name has_cs 'ZRS' or array_length(zones) > 0
 | project recommendationId="fa0cf4f5-0b21-47b7-89a9-ee936f193ce1", name, id, tags, param1 = sku, param2 = sku.name
diff --git a/azure-resources/ContainerRegistry/registries/kql/63491f70-22e4-3b4a-8b0c-845450e46fac.kql b/azure-resources/ContainerRegistry/registries/kql/63491f70-22e4-3b4a-8b0c-845450e46fac.kql
index 85eed1a8..3277542e 100644
--- a/azure-resources/ContainerRegistry/registries/kql/63491f70-22e4-3b4a-8b0c-845450e46fac.kql
+++ b/azure-resources/ContainerRegistry/registries/kql/63491f70-22e4-3b4a-8b0c-845450e46fac.kql
@@ -2,6 +2,7 @@
 // Find all Container Registries that do not have zone redundancy enabled
 resources
 | where type =~ "microsoft.containerregistry/registries"
+| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
 | where properties.zoneRedundancy != "Enabled"
 | project recommendationId = "63491f70-22e4-3b4a-8b0c-845450e46fac", name, id, tags, param1=strcat("zoneRedundancy: ", tostring(properties.zoneRedundancy))
 | order by id asc
diff --git a/azure-resources/ContainerService/managedClusters/kql/4f63619f-5001-439c-bacb-8de891287727.kql b/azure-resources/ContainerService/managedClusters/kql/4f63619f-5001-439c-bacb-8de891287727.kql
index e2ddcba4..112aaa65 100644
--- a/azure-resources/ContainerService/managedClusters/kql/4f63619f-5001-439c-bacb-8de891287727.kql
+++ b/azure-resources/ContainerService/managedClusters/kql/4f63619f-5001-439c-bacb-8de891287727.kql
@@ -2,6 +2,7 @@
 // Returns AKS clusters that do not have any availability zones enabled or only use a single zone
 resources
 | where type =~ "Microsoft.ContainerService/managedClusters"
+| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
 | project id, name, tags, location, pools = properties.agentPoolProfiles
 | mv-expand pool = pools
 | extend
diff --git a/azure-resources/DBforMySQL/flexibleServers/kql/88856605-53d8-4bbd-a75b-4a7b14939d32.kql b/azure-resources/DBforMySQL/flexibleServers/kql/88856605-53d8-4bbd-a75b-4a7b14939d32.kql
index 00bb8bef..cc88e756 100644
--- a/azure-resources/DBforMySQL/flexibleServers/kql/88856605-53d8-4bbd-a75b-4a7b14939d32.kql
+++ b/azure-resources/DBforMySQL/flexibleServers/kql/88856605-53d8-4bbd-a75b-4a7b14939d32.kql
@@ -2,5 +2,6 @@
 // Find Database for MySQL instances that are not zone redundant
 resources
 | where type == "microsoft.dbformysql/flexibleservers"
+| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
 | where properties.highAvailability.mode != "ZoneRedundant"
 | project recommendationId = "88856605-53d8-4bbd-a75b-4a7b14939d32", name, id, tags, param1 = "ZoneRedundant: False"
diff --git a/azure-resources/DBforPostgreSQL/flexibleServers/kql/ca87914f-aac4-4783-ab67-82a6f936f194.kql b/azure-resources/DBforPostgreSQL/flexibleServers/kql/ca87914f-aac4-4783-ab67-82a6f936f194.kql
index c7b1011b..4e051c62 100644
--- a/azure-resources/DBforPostgreSQL/flexibleServers/kql/ca87914f-aac4-4783-ab67-82a6f936f194.kql
+++ b/azure-resources/DBforPostgreSQL/flexibleServers/kql/ca87914f-aac4-4783-ab67-82a6f936f194.kql
@@ -2,5 +2,6 @@
 // Find Database for PostgreSQL instances that are not zone redundant
 resources
 | where type == "microsoft.dbforpostgresql/flexibleservers"
+| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
 | where properties.highAvailability.mode != "ZoneRedundant"
 | project recommendationId = "ca87914f-aac4-4783-ab67-82a6f936f194", name, id, tags, param1 = "ZoneRedundant: False"
diff --git a/azure-resources/NetApp/netAppAccounts/kql/47d100a5-7f85-5742-967a-67eb5081240a.kql b/azure-resources/NetApp/netAppAccounts/kql/47d100a5-7f85-5742-967a-67eb5081240a.kql
index c7bdfe6f..81b6fbfc 100644
--- a/azure-resources/NetApp/netAppAccounts/kql/47d100a5-7f85-5742-967a-67eb5081240a.kql
+++ b/azure-resources/NetApp/netAppAccounts/kql/47d100a5-7f85-5742-967a-67eb5081240a.kql
@@ -2,6 +2,7 @@ // This Resource Graph query will return all Azure NetApp Files volumes without an availability zone defined. Resources | where type =~ "Microsoft.NetApp/netAppAccounts/capacityPools/volumes" +| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3") | where array_length(zones) == 0 or isnull(zones) | project recommendationId = "47d100a5-7f85-5742-967a-67eb5081240a", name, id, tags diff --git a/azure-resources/NetApp/netAppAccounts/kql/e3d742e1-dacd-9b48-b6b1-510ec9f87c96.kql b/azure-resources/NetApp/netAppAccounts/kql/e3d742e1-dacd-9b48-b6b1-510ec9f87c96.kql index 05970db6..ec06337a 100644 --- a/azure-resources/NetApp/netAppAccounts/kql/e3d742e1-dacd-9b48-b6b1-510ec9f87c96.kql +++ b/azure-resources/NetApp/netAppAccounts/kql/e3d742e1-dacd-9b48-b6b1-510ec9f87c96.kql 
@@ -1,10 +1,11 @@ // Azure Resource Graph Query // This Resource Graph query will return all Azure NetApp Files volumes without cross-zone replication. resources -| where type == "microsoft.netapp/netappaccounts/capacitypools/volumes" -| extend remoteVolumeRegion = properties.dataProtection.replication.remoteVolumeRegion -| extend volumeType = properties.volumeType -| extend replicationType = iff((remoteVolumeRegion == location), "CZR", iff((remoteVolumeRegion == ""),"n/a","CRR")) +| where type == "microsoft.netapp/netappaccounts/capacitypools/volumes" +| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3") +| extend remoteVolumeRegion = properties.dataProtection.replication.remoteVolumeRegion +| extend volumeType = properties.volumeType +| extend replicationType = iff((remoteVolumeRegion == location), "CZR", iff((remoteVolumeRegion == ""),"n/a","CRR")) | where replicationType != "CZR" and volumeType != "DataProtection" | project recommendationId = "e3d742e1-dacd-9b48-b6b1-510ec9f87c96", name, id, tags diff --git a/azure-resources/Network/applicationGateways/kql/c9c00f2a-3888-714b-a72b-b4c9e8fcffb2.kql b/azure-resources/Network/applicationGateways/kql/c9c00f2a-3888-714b-a72b-b4c9e8fcffb2.kql index c4c4874c..3e0f5c69 100644 --- a/azure-resources/Network/applicationGateways/kql/c9c00f2a-3888-714b-a72b-b4c9e8fcffb2.kql +++ b/azure-resources/Network/applicationGateways/kql/c9c00f2a-3888-714b-a72b-b4c9e8fcffb2.kql 
@@ -2,6 +2,7 @@
 // list Application Gateways that are not configured to use at least 2 Availability Zones
 resources
 | where type =~ "microsoft.network/applicationGateways"
+| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
 | where isnull(zones) or array_length(zones) < 2
 | extend zoneValue = iff((isnull(zones)), "null", zones)
 | project recommendationId = "c9c00f2a-3888-714b-a72b-b4c9e8fcffb2", name, id, tags, param1="Zones: No Zone or Zonal", param2=strcat("Zones value: ", zoneValue )
diff --git a/azure-resources/Network/azureFirewalls/kql/c72b7fee-1fa0-5b4b-98e5-54bcae95bb74.kql b/azure-resources/Network/azureFirewalls/kql/c72b7fee-1fa0-5b4b-98e5-54bcae95bb74.kql
index 6cd1d120..6585d0d2 100644
--- a/azure-resources/Network/azureFirewalls/kql/c72b7fee-1fa0-5b4b-98e5-54bcae95bb74.kql
+++ b/azure-resources/Network/azureFirewalls/kql/c72b7fee-1fa0-5b4b-98e5-54bcae95bb74.kql
@@ -2,6 +2,7 @@
 // List all Azure Firewalls that are not configured with multiple availability zones or deployed without a zone
 resources
 | where type == 'microsoft.network/azurefirewalls'
+| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
 | where array_length(zones) <= 1 or isnull(zones)
 | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id)
 | project recommendationId = "c72b7fee-1fa0-5b4b-98e5-54bcae95bb74", name, id, tags, param1="multipleZones:false"
diff --git a/azure-resources/Network/loadBalancers/kql/621dbc78-3745-4d32-8eac-9e65b27b7512.kql b/azure-resources/Network/loadBalancers/kql/621dbc78-3745-4d32-8eac-9e65b27b7512.kql
index b2959c5e..58369241 100644
--- a/azure-resources/Network/loadBalancers/kql/621dbc78-3745-4d32-8eac-9e65b27b7512.kql
+++ b/azure-resources/Network/loadBalancers/kql/621dbc78-3745-4d32-8eac-9e65b27b7512.kql
@@ -2,6 +2,7 @@
 // Find all LoadBalancers with with regional or zonal public IP Addresses
 resources
 | where type == "microsoft.network/loadbalancers"
+| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
 | where tolower(sku.name) != 'basic'
 | mv-expand feIPconfigs = properties.frontendIPConfigurations
 | extend
@@ -15,6 +16,7 @@ resources
 | project name, feConfigName, id
 | union (resources
 | where type == "microsoft.network/loadbalancers"
+ | where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
 | where tolower(sku.name) != 'basic'
 | mv-expand feIPconfigs = properties.frontendIPConfigurations
 | extend
@@ -25,6 +27,7 @@ resources
 | join kind=innerunique (
 resources
 | where type == "microsoft.network/publicipaddresses"
+ | where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
 | where isnull(zones) or array_length(zones) < 2
 | extend
 LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))),
diff --git a/azure-resources/Network/publicIPAddresses/kql/c63b81fb-7afc-894c-a840-91bb8a8dcfaf.kql b/azure-resources/Network/publicIPAddresses/kql/c63b81fb-7afc-894c-a840-91bb8a8dcfaf.kql
index ceaf305e..9ab9dcfb 100644
--- a/azure-resources/Network/publicIPAddresses/kql/c63b81fb-7afc-894c-a840-91bb8a8dcfaf.kql
+++ b/azure-resources/Network/publicIPAddresses/kql/c63b81fb-7afc-894c-a840-91bb8a8dcfaf.kql
@@ -2,6 +2,7 @@
 // List public IP addresses that are not Zone-Redundant
 Resources
 | where type =~ "Microsoft.Network/publicIPAddresses" and sku.tier =~ "Regional"
+| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
 | where isempty(zones) or array_length(zones) <= 1
 | extend az = case(isempty(zones), "Non-zonal", array_length(zones) <= 1, strcat("Zonal (", strcat_array(zones, ","), ")"), zones)
 | project recommendationId = "c63b81fb-7afc-894c-a840-91bb8a8dcfaf", name, id, tags, param1 = strcat("sku: ", sku.name), param2 = strcat("availabilityZone: ", az)
diff --git a/azure-resources/Network/virtualNetworkGateways/kql/4bae5a28-5cf4-40d9-bcf1-623d28f6d917.kql b/azure-resources/Network/virtualNetworkGateways/kql/4bae5a28-5cf4-40d9-bcf1-623d28f6d917.kql
index 6fb37cc3..47f8c46d 100644
--- a/azure-resources/Network/virtualNetworkGateways/kql/4bae5a28-5cf4-40d9-bcf1-623d28f6d917.kql
+++ b/azure-resources/Network/virtualNetworkGateways/kql/4bae5a28-5cf4-40d9-bcf1-623d28f6d917.kql
@@ -2,12 +2,14 @@ // Provides a list of zone-redundant Azure VPN gateways associated with non-zone-redundant Public IPs resources | where type =~ "Microsoft.Network/virtualNetworkGateways" +| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3") | where properties.gatewayType == "Vpn" | where properties.sku.tier contains 'AZ' | mv-expand ipconfig = properties.ipConfigurations | extend pipId = tostring(ipconfig.properties.publicIPAddress.id) | join kind=inner ( resources + | where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3") | where type == "microsoft.network/publicipaddresses" | where isnull(zones) or array_length(zones) < 3 ) on $left.pipId == $right.id diff --git a/azure-resources/Network/virtualNetworkGateways/kql/5b1933a6-90e4-f642-a01f-e58594e5aab2.kql b/azure-resources/Network/virtualNetworkGateways/kql/5b1933a6-90e4-f642-a01f-e58594e5aab2.kql index 625831e1..2c4335ad 100644 --- a/azure-resources/Network/virtualNetworkGateways/kql/5b1933a6-90e4-f642-a01f-e58594e5aab2.kql 
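Review bot: In the join subquery the added location filter sits before `| where type == "microsoft.network/publicipaddresses"`, while the outer query of this hunk and the other queries in the patch filter on type first and location second. Keeping one order (`| where type == ...` then `| where location in~ (...)`) makes the copies easier to compare and update together. The inner filter also looks redundant if a gateway's public IP always shares the gateway's region, since the outer side is already restricted. That is an assumption to confirm before removing it.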
+++ b/azure-resources/Network/virtualNetworkGateways/kql/5b1933a6-90e4-f642-a01f-e58594e5aab2.kql @@ -2,6 +2,7 @@ // For all VNGs of type Vpn, show any that do not have AZ in the SKU tier resources | where type =~ "Microsoft.Network/virtualNetworkGateways" +| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3") | where properties.gatewayType == "Vpn" | where properties.sku.tier !contains 'AZ' | project recommendationId = "5b1933a6-90e4-f642-a01f-e58594e5aab2", name, id, tags, param1= strcat("sku-tier: " , properties.sku.tier), param2=location diff --git a/azure-resources/Network/virtualNetworkGateways/kql/bbe668b7-eb5c-c746-8b82-70afdedf0cae.kql b/azure-resources/Network/virtualNetworkGateways/kql/bbe668b7-eb5c-c746-8b82-70afdedf0cae.kql index 1440605f..f5aaa295 100644 --- a/azure-resources/Network/virtualNetworkGateways/kql/bbe668b7-eb5c-c746-8b82-70afdedf0cae.kql +++ b/azure-resources/Network/virtualNetworkGateways/kql/bbe668b7-eb5c-c746-8b82-70afdedf0cae.kql 
@@ -2,6 +2,7 @@ // For all VNGs of type ExpressRoute, show any that do not have AZ in the SKU tier resources | where type =~ "Microsoft.Network/virtualNetworkGateways" +| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3") | where properties.gatewayType == "ExpressRoute" | where properties.sku.tier !contains 'AZ' | project recommendationId = "bbe668b7-eb5c-c746-8b82-70afdedf0cae", name, id, tags, param1= strcat("sku-tier: " , properties.sku.tier), param2=location diff --git a/azure-resources/SignalRService/signalR/kql/6a8b3db9-5773-413a-a127-4f7032f34bbd.kql b/azure-resources/SignalRService/signalR/kql/6a8b3db9-5773-413a-a127-4f7032f34bbd.kql index 248ca895..eb7c7aa5 100644 --- a/azure-resources/SignalRService/signalR/kql/6a8b3db9-5773-413a-a127-4f7032f34bbd.kql +++ b/azure-resources/SignalRService/signalR/kql/6a8b3db9-5773-413a-a127-4f7032f34bbd.kql 
@@ -2,6 +2,7 @@ // Find SignalR instances that are not configured with the Premium tier resources | where type == "microsoft.signalrservice/signalr" +| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3") | where sku.tier != "Premium" | project recommendationId = "6a8b3db9-5773-413a-a127-4f7032f34bbd", name, id, tags, param1 = "AvailabilityZones: Single Zone" | order by id asc diff --git a/azure-resources/Sql/servers/kql/c0085c32-84c0-c247-bfa9-e70977cbf108.kql b/azure-resources/Sql/servers/kql/c0085c32-84c0-c247-bfa9-e70977cbf108.kql index 19e256b5..847997ec 100644 --- a/azure-resources/Sql/servers/kql/c0085c32-84c0-c247-bfa9-e70977cbf108.kql +++ b/azure-resources/Sql/servers/kql/c0085c32-84c0-c247-bfa9-e70977cbf108.kql 
@@ -2,6 +2,7 @@ // Finds non-zone redundant SQL databases and lists them Resources | where type =~ 'microsoft.sql/servers/databases' +| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3") | where tolower(tostring(properties.zoneRedundant))=~'false' |project recommendationId = "c0085c32-84c0-c247-bfa9-e70977cbf108", name, id, tags diff --git a/azure-resources/Storage/storageAccounts/kql/e6c7e1cc-2f47-264d-aa50-1da421314472.kql b/azure-resources/Storage/storageAccounts/kql/e6c7e1cc-2f47-264d-aa50-1da421314472.kql index 7d19303b..3010bdc6 100644 --- a/azure-resources/Storage/storageAccounts/kql/e6c7e1cc-2f47-264d-aa50-1da421314472.kql +++ b/azure-resources/Storage/storageAccounts/kql/e6c7e1cc-2f47-264d-aa50-1da421314472.kql 
@@ -2,6 +2,7 @@ // This query will return all storage accounts that are not using Zone or Region replication Resources | where type =~ "Microsoft.Storage/storageAccounts" +| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3") | where sku.name in~ ("Standard_LRS", "Premium_LRS") | project recommendationId = "e6c7e1cc-2f47-264d-aa50-1da421314472", name, id, tags, param1 = strcat("sku: ", sku.name) diff --git a/azure-resources/Web/serverFarms/kql/88cb90c2-3b99-814b-9820-821a63f600dd.kql b/azure-resources/Web/serverFarms/kql/88cb90c2-3b99-814b-9820-821a63f600dd.kql index 0e55dd64..92a63e2c 100644 --- a/azure-resources/Web/serverFarms/kql/88cb90c2-3b99-814b-9820-821a63f600dd.kql +++ b/azure-resources/Web/serverFarms/kql/88cb90c2-3b99-814b-9820-821a63f600dd.kql 
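Review bot: The added location filter narrows this query to the listed regions, but the header comment still says it returns all storage accounts that are not using zone or region replication. An LRS account in a region outside the list is no longer reported, even though region (geo) replication presumably does not depend on availability-zone support in that region. Either leave the filter out of this query or change the comment to match, for example `// Returns LRS storage accounts in availability-zone regions only`.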
@@ -4,6 +4,7 @@ resources | where type =~ 'microsoft.web/serverfarms' +| where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3") | extend zoneRedundant = tobool(properties.zoneRedundant) | extend sku_tier = tostring(sku.tier) | where (tolower(sku_tier) contains "isolated" or tolower(sku_tier) contains "premium") and zoneRedundant == false