diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index 8ec363dcb..abbea5ae5 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
@@ -2422,6 +2422,7 @@
 "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1",
 "id": "G02.07",
 "severity": "Medium",
+ "graph" : "Resources | where type =~ 'microsoft.keyvault/vaults' | extend properties = parse_json(properties) | project id, name, location, firewallEnabled = properties.networkAcls.defaultAction, privateEndpointConnections = properties.privateEndpointConnections | extend compliant = iff(firewallEnabled == 'Deny' or array_length(privateEndpointConnections) > 0, 1, 0) | where compliant == 1 | project id, compliant",
 "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
 "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/"
 },
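Review bot: In the added `graph` query, the `or array_length(privateEndpointConnections) > 0` branch marks a vault compliant even when `networkAcls.defaultAction` is still `Allow`, so a vault that has a private endpoint but remains reachable from public networks passes the check; the array length also counts connections whatever their approval state. The trailing `| where compliant == 1` then drops every non-compliant vault, so the result can never show a failing resource. Assuming G02.07 is meant to verify restricted network access (its text is outside this hunk), I would tighten the test and keep all rows: `| extend compliant = iff(firewallEnabled =~ 'Deny', 1, 0) | project id, compliant`. The new key is also written `"graph" :` with a space before the colon, unlike the neighbouring keys.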