From fc405c20f6446f6b8814a4377b0a64772ccea68d Mon Sep 17 00:00:00 2001
From: Sayantan Ghosh <37360255+sayghosh@users.noreply.github.com>
Date: Mon, 2 Dec 2019 20:36:48 +0530
Subject: [PATCH 1/5] Adding query related to NSG rule
---
 .../sayghosh/NGSRulesAllowingPublicIPs.txt | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 src/resource-graph/queries/sayghosh/NGSRulesAllowingPublicIPs.txt
diff --git a/src/resource-graph/queries/sayghosh/NGSRulesAllowingPublicIPs.txt b/src/resource-graph/queries/sayghosh/NGSRulesAllowingPublicIPs.txt
new file mode 100644
index 0000000..0ead09b
--- /dev/null
+++ b/src/resource-graph/queries/sayghosh/NGSRulesAllowingPublicIPs.txt
@@ -0,0 +1,23 @@
+/*
+ * The below query targets to filter all the NSG rules which is configured to allow public IPs.
+ * The data source for the below query is Azure Resource Graph RP.
+ */
+
+Resources
+| where type =~ "microsoft.network/networksecuritygroups"
+| project nsgRules = parse_json(parse_json(properties).securityRules), NSG = name, subscriptionId, resourceGroup
+| mvexpand nsgRule = nsgRules
+| where nsgRule.properties.access =~ "allow" and nsgRule.properties.priority < 65000
+| project sourceAddressPrefix = nsgRule.properties.sourceAddressPrefix, sourceAddressPrefixes = nsgRule.properties.sourceAddressPrefixes,
+ destinationAddressPrefix = nsgRule.properties.destinationAddressPrefix, destinationAddressPrefixes = nsgRule.properties.destinationAddressPrefixes, NSG, NSGRule = tostring(nsgRule.name), subscriptionId, resourceGroup
+| project sourceIPs = iif(array_length(sourceAddressPrefixes) == 0, pack_array(sourceAddressPrefix), sourceAddressPrefixes),
+destIPs = iif(array_length(destinationAddressPrefixes) == 0, pack_array(destinationAddressPrefix), destinationAddressPrefixes), NSG, NSGRule, subscriptionId, resourceGroup
+| mvexpand ipRange = array_concat(sourceIPs, destIPs) to typeof(string)
+| extend ipRangeSplit = split(ipRange, "/")
+| extend ipRangeStart = parse_ipv4(tostring(ipRangeSplit[0])),
+ipRangeEnd = iif(array_length(ipRangeSplit) == 2, tolong(parse_ipv4(tostring(ipRangeSplit[0])) + pow(2, 32 - toint(ipRangeSplit[1])) - 1), parse_ipv4(tostring(ipRangeSplit[0])))
+| extend ContainsPrivateIp = iif((ipRangeStart >= parse_ipv4("10.0.0.0") and ipRangeEnd <= parse_ipv4("10.255.255.255"))
+or (ipRangeStart >= parse_ipv4("172.16.0.0") and ipRangeEnd <= parse_ipv4("172.31.255.255"))
+or (ipRangeStart >= parse_ipv4("192.168.0.0") and ipRangeEnd <= parse_ipv4("192.168.255.255")), true, ipRange != "*" and array_length(ipRangeSplit) == 1 and isnull(parse_ipv4(ipRange)))
+| where ContainsPrivateIp == false
+| summarize violatingIpRanges = 
makeset(ipRange) by NSG, NSGRule, subscriptionId, resourceGroup
From 78aa101fe0fc634c2a6be8a7537e7e21dc50fe4c Mon Sep 17 00:00:00 2001
From: Sayantan Ghosh <37360255+sayghosh@users.noreply.github.com>
Date: Mon, 2 Dec 2019 20:37:29 +0530
Subject: [PATCH 2/5] Renaming the file
---
 ...GSRulesAllowingPublicIPs.txt => NSGRulesAllowingPublicIPs.txt} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename src/resource-graph/queries/sayghosh/{NGSRulesAllowingPublicIPs.txt => NSGRulesAllowingPublicIPs.txt} (100%)
diff --git a/src/resource-graph/queries/sayghosh/NGSRulesAllowingPublicIPs.txt b/src/resource-graph/queries/sayghosh/NSGRulesAllowingPublicIPs.txt
similarity index 100%
rename from src/resource-graph/queries/sayghosh/NGSRulesAllowingPublicIPs.txt
rename to src/resource-graph/queries/sayghosh/NSGRulesAllowingPublicIPs.txt
From 2a2f6b556ef24e70616d3c8f36aed02ba1065cfa Mon Sep 17 00:00:00 2001
From: Sayantan Ghosh <37360255+sayghosh@users.noreply.github.com>
Date: Mon, 2 Dec 2019 20:46:00 +0530
Subject: [PATCH 3/5] Updating folder name
---
 .../NSGQueries/NSGRulesAllowingPublicIPs.txt | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 src/resource-graph/queries/NSGQueries/NSGRulesAllowingPublicIPs.txt
diff --git a/src/resource-graph/queries/NSGQueries/NSGRulesAllowingPublicIPs.txt b/src/resource-graph/queries/NSGQueries/NSGRulesAllowingPublicIPs.txt
new file mode 100644
index 0000000..0ead09b
--- /dev/null
+++ b/src/resource-graph/queries/NSGQueries/NSGRulesAllowingPublicIPs.txt
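Review bot: The else branch of the `ContainsPrivateIp` expression, `ipRange != "*" and array_length(ipRangeSplit) == 1 and isnull(parse_ipv4(ipRange))`, treats every single token that is not an IPv4 literal as safe, so a rule whose source prefix is the `Internet` service tag is never reported even though that tag is Azure's name for address space reachable from the public internet, which is exactly what the query is meant to catch. I would exclude that tag explicitly, e.g. `ipRange != "*" and ipRange !~ "Internet" and array_length(ipRangeSplit) == 1 and isnull(parse_ipv4(ipRange))`, and add a line to the header comment listing which tokens the query deliberately treats as non-public (other service tags, ASG-only rules) so consumers know what is out of scope. A CIDR whose start address is not on the prefix boundary (say `10.0.0.5/8`) also gets an `ipRangeEnd` past `10.255.255.255` and is flagged as public; unless Azure is known to normalize prefixes before storing them, masking the start address to the prefix length before computing the end would avoid that.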
@@ -0,0 +1,23 @@
+/*
+ * The below query targets to filter all the NSG rules which is configured to allow public IPs.
+ * The data source for the below query is Azure Resource Graph RP.
+ */
+
+Resources
+| where type =~ "microsoft.network/networksecuritygroups"
+| project nsgRules = parse_json(parse_json(properties).securityRules), NSG = name, subscriptionId, resourceGroup
+| mvexpand nsgRule = nsgRules
+| where nsgRule.properties.access =~ "allow" and nsgRule.properties.priority < 65000
+| project sourceAddressPrefix = nsgRule.properties.sourceAddressPrefix, sourceAddressPrefixes = nsgRule.properties.sourceAddressPrefixes,
+ destinationAddressPrefix = nsgRule.properties.destinationAddressPrefix, destinationAddressPrefixes = nsgRule.properties.destinationAddressPrefixes, NSG, NSGRule = tostring(nsgRule.name), subscriptionId, resourceGroup
+| project sourceIPs = iif(array_length(sourceAddressPrefixes) == 0, pack_array(sourceAddressPrefix), sourceAddressPrefixes),
+destIPs = iif(array_length(destinationAddressPrefixes) == 0, pack_array(destinationAddressPrefix), destinationAddressPrefixes), NSG, NSGRule, subscriptionId, resourceGroup
+| mvexpand ipRange = array_concat(sourceIPs, destIPs) to typeof(string)
+| extend ipRangeSplit = split(ipRange, "/")
+| extend ipRangeStart = parse_ipv4(tostring(ipRangeSplit[0])),
+ipRangeEnd = iif(array_length(ipRangeSplit) == 2, tolong(parse_ipv4(tostring(ipRangeSplit[0])) + pow(2, 32 - toint(ipRangeSplit[1])) - 1), parse_ipv4(tostring(ipRangeSplit[0])))
+| extend ContainsPrivateIp = iif((ipRangeStart >= parse_ipv4("10.0.0.0") and ipRangeEnd <= parse_ipv4("10.255.255.255"))
+or (ipRangeStart >= parse_ipv4("172.16.0.0") and ipRangeEnd <= parse_ipv4("172.31.255.255"))
+or (ipRangeStart >= parse_ipv4("192.168.0.0") and ipRangeEnd <= parse_ipv4("192.168.255.255")), true, ipRange != "*" and array_length(ipRangeSplit) == 1 and isnull(parse_ipv4(ipRange)))
+| where ContainsPrivateIp == false
+| summarize violatingIpRanges = 
makeset(ipRange) by NSG, NSGRule, subscriptionId, resourceGroup
From 23b61fbd92c8fc8caf661dd17c473ad4bb850a8d Mon Sep 17 00:00:00 2001
From: Sayantan Ghosh <37360255+sayghosh@users.noreply.github.com>
Date: Mon, 2 Dec 2019 20:46:28 +0530
Subject: [PATCH 4/5] Updating folder name
---
 .../sayghosh/NSGRulesAllowingPublicIPs.txt | 23 -------------------
 1 file changed, 23 deletions(-)
 delete mode 100644 src/resource-graph/queries/sayghosh/NSGRulesAllowingPublicIPs.txt
diff --git a/src/resource-graph/queries/sayghosh/NSGRulesAllowingPublicIPs.txt b/src/resource-graph/queries/sayghosh/NSGRulesAllowingPublicIPs.txt
deleted file mode 100644
index 0ead09b..0000000
--- a/src/resource-graph/queries/sayghosh/NSGRulesAllowingPublicIPs.txt
+++ /dev/null
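Review bot: Because `array_concat(sourceIPs, destIPs)` pushes both ends of every rule through the same check and `"*"` always lands in the violating branch, an inbound allow rule from `10.0.0.0/8` to destination `*` (the usual shape for a rule scoped to the NSG's own subnet) is reported as allowing public IPs, so the result set will be dominated by false positives. Which side determines exposure depends on the rule's direction, source for inbound and destination for outbound; the rule's direction should be available at `nsgRule.properties.direction` and could be carried through the two `project` steps so that only the relevant side is expanded, e.g. `| mvexpand ipRange = iif(direction =~ "Inbound", sourceIPs, destIPs) to typeof(string)`. If checking both sides is intentional, a header comment saying so (and that `*` on either side is reported) would save readers from treating the output as a list of internet-exposed rules.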
@@ -1,23 +0,0 @@
-/*
- * The below query targets to filter all the NSG rules which is configured to allow public IPs.
- * The data source for the below query is Azure Resource Graph RP.
- */
-
-Resources
-| where type =~ "microsoft.network/networksecuritygroups"
-| project nsgRules = parse_json(parse_json(properties).securityRules), NSG = name, subscriptionId, resourceGroup
-| mvexpand nsgRule = nsgRules
-| where nsgRule.properties.access =~ "allow" and nsgRule.properties.priority < 65000
-| project sourceAddressPrefix = nsgRule.properties.sourceAddressPrefix, sourceAddressPrefixes = nsgRule.properties.sourceAddressPrefixes,
- destinationAddressPrefix = nsgRule.properties.destinationAddressPrefix, destinationAddressPrefixes = nsgRule.properties.destinationAddressPrefixes, NSG, NSGRule = tostring(nsgRule.name), subscriptionId, resourceGroup
-| project sourceIPs = iif(array_length(sourceAddressPrefixes) == 0, pack_array(sourceAddressPrefix), sourceAddressPrefixes),
-destIPs = iif(array_length(destinationAddressPrefixes) == 0, pack_array(destinationAddressPrefix), destinationAddressPrefixes), NSG, NSGRule, subscriptionId, resourceGroup
-| mvexpand ipRange = array_concat(sourceIPs, destIPs) to typeof(string)
-| extend ipRangeSplit = split(ipRange, "/")
-| extend ipRangeStart = parse_ipv4(tostring(ipRangeSplit[0])),
-ipRangeEnd = iif(array_length(ipRangeSplit) == 2, tolong(parse_ipv4(tostring(ipRangeSplit[0])) + pow(2, 32 - toint(ipRangeSplit[1])) - 1), parse_ipv4(tostring(ipRangeSplit[0])))
-| extend ContainsPrivateIp = iif((ipRangeStart >= parse_ipv4("10.0.0.0") and ipRangeEnd <= parse_ipv4("10.255.255.255"))
-or (ipRangeStart >= parse_ipv4("172.16.0.0") and ipRangeEnd <= parse_ipv4("172.31.255.255"))
-or (ipRangeStart >= parse_ipv4("192.168.0.0") and ipRangeEnd <= parse_ipv4("192.168.255.255")), true, ipRange != "*" and array_length(ipRangeSplit) == 1 and isnull(parse_ipv4(ipRange)))
-| where ContainsPrivateIp == false
-| summarize violatingIpRanges = 
makeset(ipRange) by NSG, NSGRule, subscriptionId, resourceGroup
From 21248a5588c24485d4aca1a0f0d504e7e06a81ab Mon Sep 17 00:00:00 2001
From: Sayantan Ghosh <37360255+sayghosh@users.noreply.github.com>
Date: Mon, 2 Dec 2019 20:48:04 +0530
Subject: [PATCH 5/5] Updating a variable name
---
 .../queries/NSGQueries/NSGRulesAllowingPublicIPs.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/resource-graph/queries/NSGQueries/NSGRulesAllowingPublicIPs.txt b/src/resource-graph/queries/NSGQueries/NSGRulesAllowingPublicIPs.txt
index 0ead09b..153bfbd 100644
--- a/src/resource-graph/queries/NSGQueries/NSGRulesAllowingPublicIPs.txt
+++ b/src/resource-graph/queries/NSGQueries/NSGRulesAllowingPublicIPs.txt
@@ -16,8 +16,8 @@ destIPs = iif(array_length(destinationAddressPrefixes) == 0, pack_array(destinat
 | extend ipRangeSplit = split(ipRange, "/")
 | extend ipRangeStart = parse_ipv4(tostring(ipRangeSplit[0])),
 ipRangeEnd = iif(array_length(ipRangeSplit) == 2, tolong(parse_ipv4(tostring(ipRangeSplit[0])) + pow(2, 32 - toint(ipRangeSplit[1])) - 1), parse_ipv4(tostring(ipRangeSplit[0])))
-| extend ContainsPrivateIp = iif((ipRangeStart >= parse_ipv4("10.0.0.0") and ipRangeEnd <= parse_ipv4("10.255.255.255"))
+| extend RuleContainsOnlyPrivateIpOrTags = iif((ipRangeStart >= parse_ipv4("10.0.0.0") and ipRangeEnd <= parse_ipv4("10.255.255.255"))
 or (ipRangeStart >= parse_ipv4("172.16.0.0") and ipRangeEnd <= parse_ipv4("172.31.255.255"))
 or (ipRangeStart >= parse_ipv4("192.168.0.0") and ipRangeEnd <= parse_ipv4("192.168.255.255")), true, ipRange != "*" and array_length(ipRangeSplit) == 1 and isnull(parse_ipv4(ipRange)))
-| where ContainsPrivateIp == false
+| where RuleContainsOnlyPrivateIpOrTags == false
 | summarize violatingIpRanges = makeset(ipRange) by NSG, NSGRule, subscriptionId, resourceGroup