Steve J. s4parke
@s4parke
s4parke / allResources.txt
Last active February 28, 2024 02:20 — forked from MauricioZa/allResources.txt
Graph query to retrieve ALL resources (including hidden)
resources
| where resourceGroup =~ 'rg-INSERT-YOUR-RG-NAME-HERE'
| extend typeDisplayName = case(
    type =~ 'microsoft.insights/components', 'Application Insights',
    type =~ 'microsoft.insights/privatelinkscopes', 'Azure Monitor Private Link Scope',
    type =~ 'microsoft.insights/webtests', 'Availability test',
    type =~ 'microsoft.insights/workbooks', 'Azure Workbook',
    type =~ 'microsoft.insights/workbooktemplates', 'Azure Workbook Template',
    type =~ 'microsoft.appplatform/spring', 'Azure Spring Cloud',
    type =~ 'microsoft.appplatform/tanzu', 'Azure Spring Cloud',
    type =~ 'microsoft.cache/redisenterprise', 'Redis Enterprise',
    type =~ 'microsoft.cache/redisenterprise/databases', 'Cache',
    // the preview cuts the mapping off here; unmapped types fall back to the raw type string
    type)
@s4parke
s4parke / ModifySQLServerAuditingActionsAndGroups.json
Last active November 3, 2023 12:43
Azure policy to configure a particular set of security audit actions and groups for an Azure SQL Server which may or may not include all of the default action groups. It includes the following conditions: (a) resource tag does not exist, (b) SQL Server Auditing is enabled, (c) Azure Monitor is the target, (d) default Audit action group exists. N…
{
  "name": "863c7086-0e44-b000-1ced-c0ff33d00d11",
  "type": "Microsoft.Authorization/policyDefinitions",
  "properties": {
    "displayName": "Modify SQL Server Auditing Groups",
    "description": "Configures a specific set of Audit actions and groups for Azure SQL Server",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL Server"
    }
@s4parke
s4parke / kql_double_backflip_parse_json.csl
Last active July 18, 2023 16:25
KQL double flip JSON conversion
// Billable ingested GB for an AKS cluster resource
// with breakdown by Namespace, 10:1 sampling: rand() keeps ~10% of rows and the
// summed size is scaled back up by 1/_ratio, so the result is an estimate
let _ratio = 0.1;
AzureDiagnostics
| where Resource == "ZZ"
| where rand() < _ratio
// "double flip": stringify the dynamic column, then parse it again so the JSON
// embedded in the log line becomes addressable with dot notation
| extend logs = parse_json(tostring(AdditionalFields.log))
| extend Namespace = coalesce(tostring(logs.responseObject.webhooks[0].clientConfig.service.namespace), "none")
// _BilledSize is in bytes; divide by 1e9 for GB (the earlier /1000000 produced MB under a GB label)
| summarize BillableDataGB = sum(_BilledSize) / 1000000000.0 / _ratio by Namespace
@s4parke
s4parke / Install-Yor.ps1
Last active June 12, 2023 17:40
POV: You want to install Bridgecrewio/Yor for current Win10 User and update PATH the way your grandad did it.
# Get the latest version from https://github.com/bridgecrewio/yor/releases/
$Yor = @{
    Uri     = "https://github.com/bridgecrewio/yor/releases/download/0.1.180/yor_0.1.180_windows_amd64.zip"
    OutFile = "$env:USERPROFILE\Downloads\yor.zip"
}
Invoke-WebRequest $Yor.Uri -OutFile $Yor.OutFile
# Check the download's SHA-256 against a value you trust for this release before executing anything from it
Get-FileHash $Yor.OutFile -Algorithm SHA256
# Extract Yor.exe to your Local AppData Folder using 7zip (7z.exe must already be on PATH)
$ProgramDir = "$env:USERPROFILE\AppData\Local\Programs\Yor"
7z e -y $Yor.OutFile -o"$ProgramDir"
@s4parke
s4parke / az-policy-scan.sh
Last active December 7, 2022 16:07
Azure CLI script to trigger Policy scans at management group level including all subscriptions in all subgroups
#!/usr/bin/env bash
# Azure CLI script to trigger Policy scans at management group level including all subscriptions in all subgroups.
# Usage
#   ./az-policy-scan-mgroup.sh [mgroup]
# Parameters
#   [mgroup] - Optional child management group. Defaults to mydefaultmgroup.
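The preview of az-policy-scan.sh above keeps only its usage header, so here is an added example (not s4parke's gist code) of one way to do what that header describes, driving the Azure CLI from Python. It assumes `az` is installed and logged in, that `az account management-group show --expand --recurse -o json` returns the nested tree whose child objects carry an `id` of `/subscriptions/<id>` or `/providers/Microsoft.Management/managementGroups/<name>`, and that `az policy state trigger-scan` honours the global `--subscription` argument. `SAMPLE_TREE` is a constructed tree in that output shape so the traversal can be exercised offline.

```python
"""Trigger Azure Policy compliance scans for every subscription under a management group.

Added example, not s4parke's gist code. Assumes the Azure CLI is installed and
logged in and that `az account management-group show -e -r` returns a nested
tree in the shape mirrored by SAMPLE_TREE below.
"""
import json
import subprocess
import sys

# Constructed sample tree in the shape `az account management-group show -e -r -o json`
# emits: a root group with one direct subscription and a nested group holding two more,
# plus an empty group whose "children" is null.
SAMPLE_TREE = {
    "id": "/providers/Microsoft.Management/managementGroups/mydefaultmgroup",
    "name": "mydefaultmgroup",
    "type": "Microsoft.Management/managementGroups",
    "children": [
        {
            "id": "/subscriptions/11111111-1111-1111-1111-111111111111",
            "name": "11111111-1111-1111-1111-111111111111",
            "type": "/subscriptions",
            "children": None,
        },
        {
            "id": "/providers/Microsoft.Management/managementGroups/platform",
            "name": "platform",
            "type": "Microsoft.Management/managementGroups",
            "children": [
                {"id": "/subscriptions/22222222-2222-2222-2222-222222222222",
                 "name": "22222222-2222-2222-2222-222222222222",
                 "type": "/subscriptions", "children": None},
                {"id": "/providers/Microsoft.Management/managementGroups/empty",
                 "name": "empty", "type": "Microsoft.Management/managementGroups",
                 "children": None},
                {"id": "/subscriptions/33333333-3333-3333-3333-333333333333",
                 "name": "33333333-3333-3333-3333-333333333333",
                 "type": "/subscriptions", "children": None},
            ],
        },
    ],
}


def subscription_ids(node: dict) -> list[str]:
    """Depth-first walk of a management-group tree; returns subscription IDs in
    tree order, de-duplicated, descending into every nested group."""
    if node.get("id", "").lower().startswith("/subscriptions/"):
        return [node["name"]]
    found: list[str] = []
    for child in node.get("children") or []:   # "children" is null for empty groups
        for sid in subscription_ids(child):
            if sid not in found:
                found.append(sid)
    return found


def scan_commands(subs: list[str]) -> list[list[str]]:
    """One az invocation per subscription. --no-wait so the loop does not block
    on each evaluation, which can take many minutes per subscription."""
    return [["az", "policy", "state", "trigger-scan", "--subscription", sid, "--no-wait"]
            for sid in subs]


def fetch_tree(mgroup: str) -> dict:
    """Fetch the fully expanded management-group tree from the Azure CLI."""
    out = subprocess.run(
        ["az", "account", "management-group", "show", "--name", mgroup,
         "--expand", "--recurse", "-o", "json"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def main(argv: list[str]) -> int:
    # Same default management group as the gist's usage header (assumed placeholder name)
    mgroup = argv[1] if len(argv) > 1 else "mydefaultmgroup"
    subs = subscription_ids(fetch_tree(mgroup))
    for cmd in scan_commands(subs):
        print(" ".join(cmd))
        subprocess.run(cmd, check=True)
    print(f"triggered scans for {len(subs)} subscription(s) under {mgroup}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python az_policy_scan.py [mgroup]`; the traversal and the command builder are separate from the CLI calls so the tree walk can be checked against `SAMPLE_TREE` without a tenant.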
#!/usr/bin/env bash
# List the address space of every VNet in every resource group of every subscription
# the logged-in identity can see.
az account list | jq -r '.[].id' \
| while read -r sub; do
    az account set -s "$sub"
    # iterate resource groups (the loop variable is passed to -g below)
    az group list | jq -r '.[].name' \
    | while read -r rg; do
        echo "$rg"
        az network vnet list -g "$rg" --query '[*].addressSpace.addressPrefixes'
    done
done
# import module
Import-Module psAzD
# set default parameters
$params = @{
Organization = "myOrganization"
Project = "Test"
PersonalAccessToken = "Azure DevOps Personal Access Token here"
}
Set-AzDDefaultParameters @params
@s4parke
s4parke / ResourcesHealthyUnhealthy.kql
Created August 1, 2022 18:58
Returns a list of all unhealthy resources with their assessment counts
securityresources
| where type == "microsoft.security/assessments"
| extend assessmentDisplayName = coalesce(properties.displayName, properties.metadata.displayName)
| where properties.status.code == "Unhealthy"
| where assessmentDisplayName startswith "[Publix]"
| extend assessmentStatusCode = tolower(tostring(properties.status.code)), id = tolower(id)
| extend severity = iff(assessmentStatusCode == "unhealthy", tolower(tostring(properties.metadata.severity)), assessmentStatusCode)
| extend exemptionType = iff(properties.status.cause == "Exempt", "Yes", "No")
| extend resourceDetails = properties.resourceDetails, additionalData = properties.additionalData
| extend source = tolower(tostring(resourceDetails.Source))
@s4parke
s4parke / LogAnalyticsTableSize.kql
Created July 30, 2022 02:17
Kusto query for table size, number of entries, isBillable, recency in AZ log analytics
union withsource=TableName1 *
| where TimeGenerated > ago(30d)
| summarize
Entries = count(),
Size = sum(_BilledSize),
last_log = datetime_diff("second", now(), max(TimeGenerated)),
estimate = sumif(_BilledSize, _IsBillable == true)
by TableName1, _IsBillable
| project
    ['Table Name'] = TableName1,
    Entries,
    Size,
    last_log,
    estimate,
    _IsBillable
@s4parke
s4parke / 003-1005.json
Last active July 27, 2022 15:31
When Azure SQL is provisioned, IP firewall rules shall be created to allow a whitelist of approved NAT IP addresses and deny all other traffic.
{
"properties": {
"displayName": "SQL Firewall rules shall contain approved IP addresses",
"policyType": "Custom",
"mode": "All",
"description": "When Azure SQL is provisioned, IP firewall rules shall be created to allow a whitelist of approved NAT IP addresses and deny all other traffic. ",
"metadata": {
"displayName": "Policy Effect",
"description": "The Policy Effect associated with this Policy Definition"
},