Network - 26887 - Diagnostic logging is enabled in Azure Firewall#907
Network - 26887 - Diagnostic logging is enabled in Azure Firewall#907aahmed-spec wants to merge 17 commits intomainfrom
Conversation
aahmed-spec
requested review from
SagarSathe,
alexandair,
merill and
tdetzner
There was a problem hiding this comment.
Pull request overview
This pull request adds a new test (ID 26887) to validate that diagnostic logging is enabled for Azure Firewall resources. The test checks whether Azure Firewalls across all subscriptions have diagnostic settings configured with at least one enabled log category and a valid destination (Log Analytics, Storage Account, or Event Hub).
Changes:
- Adds PowerShell test implementation for Azure Firewall diagnostic logging validation
- Adds markdown documentation with remediation guidance and Microsoft Learn references
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| src/powershell/tests/Test-Assessment.26887.ps1 | New test implementation that queries Azure subscriptions, enumerates Azure Firewall resources, checks diagnostic settings, and generates a detailed report with pass/fail status |
| src/powershell/tests/Test-Assessment.26887.md | Documentation describing the security rationale and providing remediation action steps with links to official Microsoft documentation |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
alexandair
left a comment
alexandair
left a comment
There was a problem hiding this comment.
@aahmed-spec Please, address my feedback.
| return | ||
| } | ||
| Write-PSFMessage 'No Azure Firewall resources found.' -Tag Test -Level VeryVerbose | ||
| Add-ZtTestResultDetail -SkippedBecause NotLicensedOrNotApplicable |
There was a problem hiding this comment.
NotLicensedOrNotApplicable is not a valid value.
| [ZtTest( | ||
| Category = 'Azure Network Security', | ||
| ImplementationCost = 'Low', | ||
| MinimumLicense = ('Azure_Firewall'), |
There was a problem hiding this comment.
I don't think this is the accurate name for Azure Firewall SKU.
| # If this setting has destination AND enabled logs, it's valid | ||
| if ($settingEnabledCategories.Count -gt 0) { | ||
| $hasValidDiagSetting = $true | ||
| $diagSettingName = $setting.name |
There was a problem hiding this comment.
When a firewall has multiple valid diagnostic settings, only the last one's name is stored in $diagSettingName. The spec says to report the diagnostic setting name. While the report table shows the name, it could be misleading if there are multiple valid settings for one firewall. Consider joining all valid setting names.
| $subscriptions = $null | ||
|
|
||
| try { | ||
| $result = Invoke-AzRestMethod -Path $subscriptionsPath -ErrorAction Stop |
There was a problem hiding this comment.
We agreed to use Invoke-ZtAzureResourceGraphRequest (if possible) and Invoke-ZtAzureRequest instead of Invoke-AzRestMethod.
Azure Firewalls are available in Azure Resource Graph:
resources
| where type == "microsoft.network/azurefirewalls"
You use Invoke-AzRestMethod five times. Please, replace them and change code accordingly.
Fixing PowerShellGet Save-Module
Moving RequiredModules to xplat req modules
…ed to prevent security protection gaps (#892) * initial commit * made few improvements * Trigger validation with current main * resolved Aleks comments * updated comment with changed code * changed lastModifiedDateTime to string for consistancy --------- Co-authored-by: alexandair <alexandair@live.com>
* Disconnect-ZtAssessment: Include All services * Update src/powershell/public/Disconnect-ZtAssessment.ps1 Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update src/powershell/public/Disconnect-ZtAssessment.ps1 Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Addressed copilot feedback * Merged Exchange and security complaince into one cmdlet * Error Action - SilentlyContinue * Add Service and IncludeCleanup parameters --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: alexandair <alexandair@live.com>
* fixing required modules downloader and MSAL abstraction DLL * explicitly import exo * only load and connect to SharePoint and Aip if on Windows * fixing logic and
6 participants
Diagnostic logging is enabled in Azure Firewall
spec