added graph query to D01.03 DDOS Protection '143b16c3-1d7a-4a9b-9470-4489a8042d88' #924

Open: jodyford-msft wants to merge 2 commits into Azure:main from jodyford-msft:D01.03_DDOS_Protection


@jodyford-msft

Description

Please provide a detailed description of your changes.

Related Issue

Link to any related issues or discussions here. This helps reviewers understand the context and the need for your changes.

Checklist

  • I've tested my changes to ensure they are ready for review.
  • I've read the CONTRIBUTING.md guide.
  • I've updated the documentation (if applicable).
  • Resource Graph queries have been included (and tested) for recommendations wherever possible [1].
  • Resource Graph queries have NOT been included (please explain below).

Additional Information

Is there any additional context, screenshots, or considerations that might help in the review process? Please include them here.

Reviewer Notes

Is there a specific area you’d like feedback on? Please highlight it here. We're here to help and learn together! 💡

Footnotes

  1. Details on how to add Azure Resource Graph queries to recommendations can be found here.

@jodyford-msft jodyford-msft requested review from a team, erjosito and sdolgin as code owners September 24, 2024 13:35
@brsteph
Contributor

brsteph commented Sep 24, 2024

@jodyford-msft There is no description of the change - the title says that it is creating queries for DDoS Protection, but it looks like it is creating Key Vault queries and added to the DDoS protection recommendations. I think there may be a mix up for this PR.

@jodyford-msft
Author

corrected. sorry. clipped the wrong query

@brsteph
Copy link
Copy Markdown
Contributor

brsteph commented Sep 24, 2024

@jodyford-msft Doing a quick test of the query, and it looks like it doesn't resolve for me:
image

I changed the query to:
resources | where type =~ 'microsoft.network/publicIPAddresses' | extend properties = parse_json(properties) | project id, name, location, ddosProtectionPlan = properties.ddosSettings.protectionPlan | extend compliant = iff(isnotempty(ddosProtectionPlan), 1, 0) | where compliant == 1 | project id, compliant

(by adding a | before the last project), and it showed, but it didn't correctly evaluate as I expected. I would expect it to show me non-compliant resources at least.

I took out | where compliant == 1 and it properly showed me the ID and its compliancy status.

So, I think we either need to change that to | where compliant == 0 to show us the non-compliant items, or just remove it to show both compliancy status.

"guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88",
"id": "D01.03",
"severity": "High",
"graph": "resources | where type =~ 'microsoft.network/publicIPAddresses' | extend properties = parse_json(properties) | project id, name, location, ddosProtectionPlan = properties.ddosSettings.protectionPlan | extend compliant = iff(isnotempty(ddosProtectionPlan), 1, 0) | where compliant == 1 project id, compliant",
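Review bot: The tail of the "graph" value, `where compliant == 1 project id, compliant`, runs two operators together with no `|` between them, so the query does not parse, and with the pipe restored the filter still returns only rows where compliant is 1. Suggest dropping the `where` stage and ending with `| extend compliant = iff(isnotempty(ddosProtectionPlan), 1, 0) | project id, compliant` so both states are reported. The earlier `project id, name, location, ...` can also lose name and location, since the final project discards them.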
Collaborator

  • I believe that there is a | missing after compliant == 1 right?
  • But more importantly, could you please remove the where compliant == 1 altogether? Otherwise the non-compliant resources don't show up.

"link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
"service": "VNet",
"severity": "High",
"graph": "resources | where type =~ 'microsoft.network/publicIPAddresses' | extend properties = parse_json(properties) | project id, name, location, ddosProtectionPlan = properties.ddosSettings.protectionPlan | extend compliant = iff(isnotempty(ddosProtectionPlan), 1, 0) | where compliant == 1 project id, compliant",
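Review bot: This item is tagged "service": "VNet", but its "graph" query only inspects `microsoft.network/publicIPAddresses` and marks a row compliant when `properties.ddosSettings.protectionPlan` is non-empty on the public IP itself. Worth confirming, against a test subscription, that a public IP covered by a plan attached to its virtual network is not reported with compliant = 0 by this check. The same `where compliant == 1 project id, compliant` tail as in the other file needs its `|` restored or the `where` stage removed here too.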
Collaborator

  • I believe that there is a | missing after compliant == 1 right?
  • But more importantly, could you please remove the where compliant == 1 altogether? Otherwise the non-compliant resources don't show up.
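
The two defects raised in this thread (a stage run together without a `|`, and a filter on the computed `compliant` flag) can be caught before review with a small lint over each checklist item's "graph" string. This is an added example, not code from the PR or the repository; `lint_graph_query`, the finding codes and the operator subset are assumptions, and the check is a heuristic, not a KQL parser.

```python
import re

# Heuristic subset of operators that should only open a pipe stage (assumed list).
STAGE_OP = re.compile(r"(?<![\w-])(where|extend|project|summarize)(?![\w-])", re.I)
STRING_LITERAL = re.compile(r"'[^']*'|\"[^\"]*\"")
COMPLIANT_FILTER = re.compile(r"where\b.*\bcompliant\s*(==|!=)", re.I)


def lint_graph_query(query):
    """Return finding codes for one checklist 'graph' query string."""
    findings = []
    # Blank string literals so a '|' or keyword inside quotes is ignored.
    bare = STRING_LITERAL.sub("''", query)
    for stage in (s.strip() for s in bare.split("|")):
        ops = STAGE_OP.findall(stage)
        # The operator that opens the stage is expected; any later one
        # means two stages were run together without a '|'.
        if STAGE_OP.match(stage):
            ops = ops[1:]
        if ops:
            findings.append("missing-pipe")
        # Filtering on the computed flag returns only one compliance state.
        if COMPLIANT_FILTER.match(stage):
            findings.append("compliant-filter")
    return findings


# The three query variants discussed in the thread, assembled from the page.
BASE = (
    "resources | where type =~ 'microsoft.network/publicIPAddresses' "
    "| extend properties = parse_json(properties) "
    "| project id, name, location, "
    "ddosProtectionPlan = properties.ddosSettings.protectionPlan "
    "| extend compliant = iff(isnotempty(ddosProtectionPlan), 1, 0) "
)
AS_SUBMITTED = BASE + "| where compliant == 1 project id, compliant"
WITH_PIPE = BASE + "| where compliant == 1 | project id, compliant"
WITHOUT_FILTER = BASE + "| project id, compliant"

if __name__ == "__main__":
    for label, q in [("as submitted", AS_SUBMITTED),
                     ("pipe restored", WITH_PIPE),
                     ("filter removed", WITHOUT_FILTER)]:
        print(f"{label}: {lint_graph_query(q) or 'clean'}")
```
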
