
[create-pull-request] automated change
erjosito authored and github-actions[bot] committed Sep 23, 2024
1 parent 13895e1 commit c55e2e1
Showing 37 changed files with 5,199 additions and 4,350 deletions.
8 changes: 8 additions & 0 deletions checklists-ext/fullwaf_checklist.en.json
Expand Up @@ -2409,6 +2409,7 @@
"checklist": "Container Apps Review",
"guid": "af416482-663c-4ed6-b195-b44c7068e09c",
"link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#availability-zone-support",
"query": "resources | where type =~ 'Microsoft.App/managedEnvironments' | project name, resourceGroup, location, zoneRedundancy = tolower(tostring(properties.zoneRedundant)) | extend Compliance = iff(zoneRedundancy == 'true', true, false)",
"service": "Container Apps",
"severity": "High",
"text": "Leverage Availability Zones if regionally applicable",
Expand All @@ -2419,6 +2420,7 @@
"checklist": "Container Apps Review",
"guid": "95bc80ec-6499-4d14-a7d2-7d296b1d8abc",
"link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#set-up-zone-redundancy-in-your-container-apps-environment",
"query": "resources | where type =~ 'Microsoft.App/containerApps' | project name, resourceGroup, location, minReplicas = toint(properties.template.scale.minReplicas), maxReplicas = toint(properties.template.scale.maxReplicas) | extend Compliance = iff(minReplicas >= 1, true, false)",
"service": "Container Apps",
"severity": "High",
"text": "Use more than one replica and enable Zone Redundancy.",
Expand Down Expand Up @@ -2763,6 +2765,7 @@
{
"arm-service": "Microsoft.AVS/privateClouds",
"checklist": "Azure VMware Solution Design Review",
"graph": "resources| where type =~ 'Microsoft.Network/virtualNetworkGateways'| mv-expand ipConfigurations=properties.ipConfigurations| project subnetId=tostring(ipConfigurations.properties.subnet.id)| where isnotempty(subnetId)| join (resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | project id, compliant = (enableDdosProtection == 'true')",
"guid": "334fdf91-c234-4182-a652-75269440b4be",
"service": "AVS",
"severity": "Medium",
Expand Down Expand Up @@ -3006,6 +3009,7 @@
{
"arm-service": "Microsoft.AVS/privateClouds",
"checklist": "Azure VMware Solution Design Review",
"graph": "resources| where type =~ 'Microsoft.AVS/privateClouds'| join kind=leftouter(resources| where type =~ 'Microsoft.Insights/metricalerts'| mv-expand scopes=properties.scopes| mv-expand criteria=properties.criteria.allOf| extend metricName=criteria.metricName| distinct tostring(scopes), tostring(metricName))on $left.id == $right.scopes| extend compliant=toint(metricName in ('UsageAverage', 'EffectiveCpuAverage', 'DiskUsedPercentage'))| summarize compliant=min(compliant) by id",
"guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2",
"service": "AVS",
"severity": "High",
Expand All @@ -3015,6 +3019,7 @@
{
"arm-service": "Microsoft.AVS/privateClouds",
"checklist": "Azure VMware Solution Design Review",
"graph": "resources| where type =~ 'Microsoft.AVS/privateClouds'| join kind=leftouter(resources| where type =~ 'Microsoft.Insights/metricalerts'| mv-expand scopes=properties.scopes| mv-expand criteria=properties.criteria.allOf| extend metricName=criteria.metricName| distinct tostring(scopes), tostring(metricName))on $left.id == $right.scopes| extend compliant=toint(metricName in ('UsageAverage', 'EffectiveCpuAverage', 'DiskUsedPercentage'))| summarize compliant=min(compliant) by id",
"guid": "9659e396-80e7-4828-ac93-5657d02bff45",
"service": "AVS",
"severity": "High",
Expand All @@ -3024,6 +3029,7 @@
{
"arm-service": "Microsoft.AVS/privateClouds",
"checklist": "Azure VMware Solution Design Review",
"graph": "resources| distinct subscriptionId| join kind=leftouter( resources | where type =~ 'microsoft.insights/activitylogalerts' | mv-expand condition1 = properties.condition.allOf | mv-expand condition2 = condition1.anyOf | extend alertEnabled = tostring(properties.enabled) | summarize set_condition1=make_set(condition1.equals), set_condition2=make_set(condition2.equals) by id, name,type,tenantId,resourceGroup,subscriptionId, alertEnabled | where set_has_element(set_condition1, 'ServiceHealth') | extend category = 'ServiceHealth' | extend all = iff(set_has_element(set_condition1, 'ServiceHealth') and array_length(set_condition2) == 0, true, false) | extend incident = iff(all, true, iff(set_has_element(set_condition1, 'Incident'), true, set_has_element(set_condition2, 'Incident'))) | extend maintenance = iff(all, true, iff(set_has_element(set_condition1, 'Maintenance'), true, set_has_element(set_condition2, 'Maintenance'))) | extend informational = iff(all, true, iff(set_has_element(set_condition1, 'Informational') or set_has_element(set_condition1, 'ActionRequired'), true, set_has_element(set_condition2, 'Informational') or set_has_element(set_condition2, 'ActionRequired'))) | extend security = iff(all, true, iff(set_has_element(set_condition1, 'Security'), true, set_has_element(set_condition2, 'Security'))) | project id, name, subscriptionId, category, tostring(alertEnabled), tostring(incident), tostring(maintenance), tostring(informational), tostring(security) | summarize count_alertEnabled=countif(alertEnabled == 'true'), count_incident=countif(incident == 'True'), count_maintenance=countif(maintenance == 'True'), count_informational=countif(informational == 'True'), count_security=countif(security == 'True') by subscriptionId) on subscriptionId| project subscriptionId, alertEnabled=iff(isnotnull(count_alertEnabled), count_alertEnabled, 0), incident=iff(isnotnull(count_incident), count_incident, 0), security=iff(isnotnull(count_security), count_security, 0), 
maintenance=iff(isnotnull(count_maintenance), count_maintenance, 0), informational=iff(isnotnull(count_informational), count_informational, 0)| order by incident, maintenance, informational, security desc| project id=subscriptionId, compliant=(alertEnabled > 0 and incident > 0 and security > 0 and maintenance > 0 and informational > 0)",
"guid": "64b0d934-a348-4726-be79-d6b5c3a36495",
"service": "AVS",
"severity": "High",
Expand Down Expand Up @@ -5457,6 +5463,7 @@
{
"arm-service": "Microsoft.Network/networkSecurityGroups",
"checklist": "Azure Landing Zone Review",
"graph": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant",
"guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation",
"service": "NSG",
Expand All @@ -5479,6 +5486,7 @@
{
"arm-service": "Microsoft.Network/networkSecurityGroups",
"checklist": "Azure Landing Zone Review",
"graph": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant",
"guid": "dfe237de-143b-416c-91d7-aa9b64704489",
"link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview",
"service": "NSG",
Expand Down
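Review bot: The compliance expression added for the Container Apps replica item, `"query": "... | extend Compliance = iff(minReplicas >= 1, true, false)"`, is weaker than the item's own text "Use more than one replica and enable Zone Redundancy." — an app with a single replica is reported compliant, and zone redundancy is not evaluated at all (it is a property of the managed environment, which the preceding item's query already reads via `properties.zoneRedundant`); changing the check to `iff(minReplicas >= 2, true, false)` would at least match the replica half of the recommendation. The two Container Apps entries in this section also use the key `"query"`, while every other entry added here uses `"graph"`; if the consumer of this file reads only `graph`, those two queries are silently never run, so the key name is worth confirming. The added `graph` queries for the two AVS metric-alert items are byte-identical despite belonging to different GUIDs, which may be intended but is worth a second look. Since this commit is an automated change, the corrections presumably belong in the source checklist this file is generated from rather than here.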