Last active
August 27, 2021 15:37
Gist: omarmciver/2c77701ecdda8fe61a18e6bf5588267c
CosmosDB Resources with Public endpoints #KQL
resources
// Count of VNet service-endpoint rules on the account (null if the property is absent)
| extend serviceEndpointCount = array_length(properties.virtualNetworkRules)
// Whether VNet filtering is switched on at all
| extend vnetFilterOn = tobool(properties.isVirtualNetworkFilterEnabled)
// Comma-separated public IP allow list; empty string when no IP filter is set
| extend ipRangeFilter = tostring(properties.ipRangeFilter)
| project id, name, serviceEndpointCount, vnetFilterOn, ipRangeFilter, resourceGroup, subscriptionId, type
// Flag Cosmos DB accounts with no VNet filter, no service-endpoint rules, or an explicit public IP allow list
| where type == "microsoft.documentdb/databaseaccounts"
    and (vnetFilterOn == false or serviceEndpointCount == 0 or ipRangeFilter != "")
I updated this to also show resources where there is an IPRangeFilter in place. If the filter contains 0.0.0.0, this is because "Accept connections from within public Azure datacenters" is enabled. This means there is still a route to your DBs if an attacker were to use a VM (or services) hosted in any Microsoft datacenter.
Also, if it shows some random public IPs (like 104.x and 195.x and others?), this might correlate to the "Allow Access from Azure Portal" setting. I'm not sure yet if Azure Portal access can allow cross-customer access (i.e. can you use the Cloud Shell in the Portal to access the DB endpoints).
Big thanks to Mr Pasco for help with this!
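The following is an added example, not part of the gist, that applies the same three checks as the KQL query above to Resource Graph rows offline, so the logic (including the 0.0.0.0 "public Azure datacenters" case from the comment) can be reviewed and unit-tested without a tenant. The sample records are constructed; the property names (`isVirtualNetworkFilterEnabled`, `virtualNetworkRules`, `ipRangeFilter`) are the ones the query reads. One deliberate difference from the query: a missing `virtualNetworkRules` property is treated as zero rules, whereas `array_length(null)` in KQL yields null and the `== 0` test would silently miss that account.

```python
"""Offline classifier mirroring the gist's KQL for Cosmos DB accounts with a public path.
Added example with constructed data; not output from any real tenant."""
from dataclasses import dataclass
from typing import List, Optional

COSMOS_TYPE = "microsoft.documentdb/databaseaccounts"
# Value Cosmos DB writes into ipRangeFilter when "Accept connections from within
# public Azure datacenters" is enabled (per the gist author's comment).
AZURE_DATACENTER_MARKER = "0.0.0.0"


@dataclass
class Finding:
    id: str
    name: str
    reasons: List[str]


def parse_ip_range_filter(value: Optional[str]) -> List[str]:
    """ipRangeFilter is a comma-separated string of IPs/CIDRs; empty or None means no filter."""
    if not value:
        return []
    return [part.strip() for part in value.split(",") if part.strip()]


def assess(resource: dict) -> Optional[Finding]:
    """Return a Finding when the account matches the query's where-clause, else None.

    Query logic: vnetFilterOn == false OR serviceEndpointCount == 0 OR ipRangeFilter != "".
    """
    if resource.get("type", "").lower() != COSMOS_TYPE:
        return None  # the query only flags Cosmos DB database accounts
    props = resource.get("properties", {})
    vnet_filter_on = bool(props.get("isVirtualNetworkFilterEnabled", False))
    # Missing property counts as no rules (KQL array_length(null) would be null, not 0)
    rules = props.get("virtualNetworkRules") or []
    ip_filter = parse_ip_range_filter(props.get("ipRangeFilter", ""))

    reasons: List[str] = []
    if not vnet_filter_on:
        reasons.append("virtual network filter disabled")
    if len(rules) == 0:
        reasons.append("no VNet service endpoint rules")
    if ip_filter:
        if AZURE_DATACENTER_MARKER in ip_filter:
            reasons.append("ipRangeFilter allows all public Azure datacenter addresses (0.0.0.0)")
        explicit = [entry for entry in ip_filter if entry != AZURE_DATACENTER_MARKER]
        if explicit:
            reasons.append(f"ipRangeFilter allows {len(explicit)} explicit public address(es)/range(s)")
    if not reasons:
        return None
    return Finding(id=resource["id"], name=resource["name"], reasons=reasons)


def run(resources: List[dict]) -> List[Finding]:
    """Apply assess() to every row and keep only the flagged accounts."""
    return [f for f in (assess(r) for r in resources) if f is not None]


# Constructed sample rows in the shape Resource Graph returns (ids/names are placeholders)
SAMPLE_RESOURCES = [
    {   # wide open: no VNet filter, no rules, no IP filter
        "id": "/subscriptions/sub-1/resourceGroups/rg-a/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-open",
        "name": "cosmos-open", "type": COSMOS_TYPE,
        "properties": {"isVirtualNetworkFilterEnabled": False, "virtualNetworkRules": [], "ipRangeFilter": ""},
    },
    {   # VNet-filtered, but IP filter admits all Azure datacenters plus one range
        "id": "/subscriptions/sub-1/resourceGroups/rg-a/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-azure-dc",
        "name": "cosmos-azure-dc", "type": COSMOS_TYPE,
        "properties": {"isVirtualNetworkFilterEnabled": True,
                       "virtualNetworkRules": [{"id": "/subscriptions/sub-1/.../subnets/app"}],
                       "ipRangeFilter": "0.0.0.0,203.0.113.0/24"},
    },
    {   # locked down: VNet filter on, rules present, no IP filter
        "id": "/subscriptions/sub-1/resourceGroups/rg-b/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-locked",
        "name": "cosmos-locked", "type": COSMOS_TYPE,
        "properties": {"isVirtualNetworkFilterEnabled": True,
                       "virtualNetworkRules": [{"id": "/subscriptions/sub-1/.../subnets/app"}],
                       "ipRangeFilter": ""},
    },
    {   # not a Cosmos DB account; ignored by the type check
        "id": "/subscriptions/sub-1/resourceGroups/rg-b/providers/Microsoft.Storage/storageAccounts/stor1",
        "name": "stor1", "type": "microsoft.storage/storageaccounts", "properties": {},
    },
]

if __name__ == "__main__":
    for finding in run(SAMPLE_RESOURCES):
        print(f"{finding.name}: {'; '.join(finding.reasons)}")
```

Feeding the query's real output into `run()` only needs each row mapped back to the `properties` shape shown above, so the same reasons strings can drive ticketing or a dashboard.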