tests/Test-Assessment.26881.ps1
|
<#
.SYNOPSIS Validates that the default managed ruleset is enabled in Application Gateway WAF. .DESCRIPTION This test checks if all Azure Application Gateway WAF policies attached to Application Gateways are enabled and running in Prevention mode, and have a default managed ruleset configured (ruleSetType of Microsoft_DefaultRuleSet or OWASP). A policy fails if it is disabled or running in Detection mode. Without an active WAF policy in Prevention mode, applications are left unprotected against common web attacks including SQL injection, cross-site scripting, and other OWASP Top 10 vulnerabilities. .NOTES Test ID: 26881 Category: Azure Network Security Required API: Azure Resource Graph - ApplicationGatewayWebApplicationFirewallPolicies #> function Test-Assessment-26881 { [ZtTest( Category = 'Azure Network Security', ImplementationCost = 'Low', MinimumLicense = ('Azure WAF'), Pillar = 'Network', RiskLevel = 'High', SfiPillar = 'Protect networks', TenantType = ('Workforce'), TestId = 26881, Title = 'Default Ruleset is enabled in Application Gateway WAF', UserImpact = 'Low' )] [CmdletBinding()] param() #region Data Collection Write-PSFMessage '🟦 Start' -Tag Test -Level VeryVerbose $activity = 'Checking Application Gateway WAF default ruleset configuration' # Check if connected to Azure Write-ZtProgress -Activity $activity -Status 'Checking Azure connection' $azContext = Get-AzContext -ErrorAction SilentlyContinue if (-not $azContext) { Write-PSFMessage 'Not connected to Azure.' -Level Warning Add-ZtTestResultDetail -SkippedBecause NotConnectedAzure return } Write-ZtProgress -Activity $activity -Status 'Querying Azure Resource Graph' # Query all Application Gateway WAF policies attached to Application Gateways using Azure Resource Graph $argQuery = @" resources | where type =~ 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | where coalesce(array_length(properties.applicationGateways), 0) >= 1 | join kind=leftouter ( resourcecontainers | where type =~ 'microsoft.resources/subscriptions' | project subscriptionName=name, subscriptionId) on subscriptionId | project PolicyName = name, PolicyId = id, SubscriptionName = subscriptionName, SubscriptionId = subscriptionId, EnabledState = tostring(properties.policySettings.state), Mode = tostring(properties.policySettings.mode), ManagedRuleSets = properties.managedRules.managedRuleSets "@ $policies = @() try { $policies = @(Invoke-ZtAzureResourceGraphRequest -Query $argQuery) Write-PSFMessage "ARG Query returned $($policies.Count) records" -Tag Test -Level VeryVerbose } catch { Write-PSFMessage "Azure Resource Graph query failed: $($_.Exception.Message)" -Tag Test -Level Warning Add-ZtTestResultDetail -SkippedBecause NotSupported return } #endregion Data Collection #region Assessment Logic $passed = $false # Skip test if no policies found if ($policies.Count -eq 0) { Write-PSFMessage 'No Application Gateway WAF policies found attached to Application Gateways.' -Tag Test -Level Verbose Add-ZtTestResultDetail -SkippedBecause NotApplicable -Result 'No Application Gateway WAF policies found attached to Application Gateways.' return } # Fail if any policy is not enabled, not in Prevention mode, or missing a default managed ruleset $failingPolicies = $policies | Where-Object { $_.EnabledState -ne 'Enabled' -or $_.Mode -ne 'Prevention' -or ($_.ManagedRuleSets | Where-Object { $_.ruleSetType -eq 'Microsoft_DefaultRuleSet' -or $_.ruleSetType -eq 'OWASP' }).Count -eq 0 } $passed = $failingPolicies.Count -eq 0 if ($passed) { $testResultMarkdown = "✅ All Application Gateway WAF policies attached to Application Gateways are enabled, running in Prevention mode, and have a Default Ruleset (Microsoft_DefaultRuleSet or OWASP) assigned.`n`n%TestResult%" } else { $testResultMarkdown = "❌ One or more Application Gateway WAF policies attached to Application Gateways are disabled or running in Detection mode, leaving applications vulnerable to common web exploits and OWASP Top 10 attacks.`n`n%TestResult%" } #endregion Assessment Logic #region Report Generation $mdInfo = '' $reportTitle = 'Application Gateway WAF policies' $portalLink = 'https://portal.azure.com/#browse/Microsoft.Network%2FapplicationGatewayWebApplicationFirewallPolicies' $tableRows = '' foreach ($policy in $policies | Sort-Object SubscriptionName, PolicyName) { $policyLink = "https://portal.azure.com/#resource$($policy.PolicyId)" $subLink = "https://portal.azure.com/#resource/subscriptions/$($policy.SubscriptionId)" $policyMd = "[$(Get-SafeMarkdown $policy.PolicyName)]($policyLink)" $subMd = "[$(Get-SafeMarkdown $policy.SubscriptionName)]($subLink)" $defaultRuleSet = $policy.ManagedRuleSets | Where-Object { $_.ruleSetType -eq 'Microsoft_DefaultRuleSet' -or $_.ruleSetType -eq 'OWASP' } $enabledStateDisplay = if ($policy.EnabledState -eq 'Enabled') { '✅ Enabled' } else { '❌ Disabled' } $modeDisplay = if ($policy.Mode -eq 'Prevention') { '✅ Prevention' } else { '❌ Detection' } $defaultRuleSetType = $defaultRuleSet.ruleSetType $versionDisplay = if ($defaultRuleSet.ruleSetVersion) { $defaultRuleSet.ruleSetVersion } else { 'N/A' } $statusDisplay = if ($policy.EnabledState -eq 'Enabled' -and $policy.Mode -eq 'Prevention' -and $defaultRuleSet) { '✅' } else { '❌' } $tableRows += "| $policyMd | $subMd | $enabledStateDisplay | $modeDisplay | $defaultRuleSetType | $versionDisplay | $statusDisplay |`n" } $formatTemplate = @' ## [{0}]({1}) | Policy name | Subscription name | Policy state | Mode | Default ruleset type | Ruleset version | Status | | :---------- | :---------------- | :----------- | :--- | :------------------- | :-------------- | :----- | {2} '@ $mdInfo = $formatTemplate -f $reportTitle, $portalLink, $tableRows $testResultMarkdown = $testResultMarkdown -replace '%TestResult%', $mdInfo #endregion Report Generation $params = @{ TestId = '26881' Title = 'Default Ruleset is enabled in Application Gateway WAF' Status = $passed Result = $testResultMarkdown } Add-ZtTestResultDetail @params } |