From 4d75db8526a6e59c4e387a9f94390b13c1b4d1ae Mon Sep 17 00:00:00 2001
From: Jody Ford
Date: Tue, 24 Sep 2024 09:33:45 -0400
Subject: [PATCH 1/2] added graph query to D01.03 DDOS Protection
---
 checklists/alz_checklist.en.json | 1 +
 checklists/waf_checklist.en.json | 1 +
 2 files changed, 2 insertions(+)
diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index f980fd7ab..023895e1c 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
@@ -668,6 +668,7 @@
 "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88",
 "id": "D01.03",
 "severity": "High",
+ "graph": "Resources | where type =~ 'microsoft.keyvault/vaults' | extend properties = parse_json(properties) | project id, name, location, firewallEnabled = properties.networkAcls.defaultAction, privateEndpointConnections = properties.privateEndpointConnections | extend compliant = iff(firewallEnabled == 'Deny' or array_length(privateEndpointConnections) > 0, 1, 0) | where compliant == 1 | project id, compliant ",
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview"
 },
diff --git a/checklists/waf_checklist.en.json b/checklists/waf_checklist.en.json
index 9d80e333a..c50782231 100644
--- a/checklists/waf_checklist.en.json
+++ b/checklists/waf_checklist.en.json
@@ -4674,6 +4674,7 @@
 "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
 "service": "VNet",
 "severity": "High",
+ "graph": "Resources | where type =~ 'microsoft.keyvault/vaults' | extend properties = parse_json(properties) | project id, name, location, firewallEnabled = properties.networkAcls.defaultAction, privateEndpointConnections = properties.privateEndpointConnections | extend compliant = iff(firewallEnabled == 'Deny' or array_length(privateEndpointConnections) > 0, 1, 0) | where compliant == 1 | project id, compliant ",
 "text": "Use a DDoS Network or IP protection plan for all public IP addresses in application landing zones.",
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "Security"
From 5bb5bada3706857866c2ca2c81f105e89f0e7c49 Mon Sep 17 00:00:00 2001
From: Jody Ford
Date: Tue, 24 Sep 2024 10:36:15 -0400
Subject: [PATCH 2/2] corrected query for ip addresses
---
 checklists/alz_checklist.en.json | 2 +-
 checklists/waf_checklist.en.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/checklists/alz_checklist.en.json b/checklists/alz_checklist.en.json
index 023895e1c..14fa16d8c 100644
--- a/checklists/alz_checklist.en.json
+++ b/checklists/alz_checklist.en.json
@@ -668,7 +668,7 @@
 "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88",
 "id": "D01.03",
 "severity": "High",
- "graph": "Resources | where type =~ 'microsoft.keyvault/vaults' | extend properties = parse_json(properties) | project id, name, location, firewallEnabled = properties.networkAcls.defaultAction, privateEndpointConnections = properties.privateEndpointConnections | extend compliant = iff(firewallEnabled == 'Deny' or array_length(privateEndpointConnections) > 0, 1, 0) | where compliant == 1 | project id, compliant ",
+ "graph": "resources | where type =~ 'microsoft.network/publicIPAddresses' | extend properties = parse_json(properties) | project id, name, location, ddosProtectionPlan = properties.ddosSettings.protectionPlan | extend compliant = iff(isnotempty(ddosProtectionPlan), 1, 0) | where compliant == 1 project id, compliant",
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview"
 },
diff --git a/checklists/waf_checklist.en.json b/checklists/waf_checklist.en.json
index c50782231..5fca80cb9 100644
--- a/checklists/waf_checklist.en.json
+++ b/checklists/waf_checklist.en.json
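Review bot: The new `graph` value for D01.03 is not valid KQL: `| where compliant == 1 project id, compliant` is missing the pipe before `project`, so Azure Resource Graph will reject the whole query and the check will never produce a result. The minimal fix is `... | where compliant == 1 | project id, compliant`. Separately, I believe the public IP schema exposes the plan as `ddosSettings.ddosProtectionPlan.id` together with `ddosSettings.protectionMode` (`Enabled` / `VirtualNetworkInherited` / `Disabled`) rather than `ddosSettings.protectionPlan`, which would make `ddosProtectionPlan` always empty and every IP non-compliant — please verify against the current `microsoft.network/publicIPAddresses` schema and count `protectionMode in~ ('Enabled','VirtualNetworkInherited')` as compliant, since the item text also accepts a VNet-level Network Protection plan. Also, if the repository convention is for graph queries to return every resource with its `compliant` flag, the `where compliant == 1` filter should be dropped so non-compliant IPs are actually listed.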
@@ -4674,7 +4674,7 @@
 "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
 "service": "VNet",
 "severity": "High",
- "graph": "Resources | where type =~ 'microsoft.keyvault/vaults' | extend properties = parse_json(properties) | project id, name, location, firewallEnabled = properties.networkAcls.defaultAction, privateEndpointConnections = properties.privateEndpointConnections | extend compliant = iff(firewallEnabled == 'Deny' or array_length(privateEndpointConnections) > 0, 1, 0) | where compliant == 1 | project id, compliant ",
+ "graph": "resources | where type =~ 'microsoft.network/publicIPAddresses' | extend properties = parse_json(properties) | project id, name, location, ddosProtectionPlan = properties.ddosSettings.protectionPlan | extend compliant = iff(isnotempty(ddosProtectionPlan), 1, 0) | where compliant == 1 project id, compliant",
 "text": "Use a DDoS Network or IP protection plan for all public IP addresses in application landing zones.",
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "Security"
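Review bot: The `graph` query added to the WAF checklist item has a syntax error at the end, `| where compliant == 1 project id, compliant` lacks the `|` before `project`, so Resource Graph will fail to parse it and the check silently yields nothing; it should read `... | where compliant == 1 | project id, compliant`. The item text says "DDoS Network or IP protection plan", but the query only looks at `properties.ddosSettings.protectionPlan`; as far as I recall the property is `ddosSettings.ddosProtectionPlan` (an object with `id`) alongside `ddosSettings.protectionMode`, and an IP covered by a VNet-level plan reports `protectionMode == 'VirtualNetworkInherited'` without necessarily carrying a plan reference — please confirm against the schema and treat either signal as compliant, otherwise correctly protected IPs will be reported as failing. Since this value is byte-identical to the one in alz_checklist.en.json, fix both together.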