The following query fails with 2 ParserFailure errors, both on line 5. At least that's where the query builder shows the red curly line.
The intention of this query is probably obvious to the Azure KQL initiates, but I'll explain nonetheless just to make sure it's clear. This query should list all NSGs that do not have either one of the rules named "AllowThis" or "AllowThat".
Resources
| where type == "microsoft.network/networksecuritygroups"
| where isnotempty(properties.securityRules)
| where not(properties.securityRules
| where (tolower(tostring(properties.securityRules.ruleName)) =~ "allowthis|allowthat"))
| project NSGName = name
| order by NSGName asc
It would even be nicer if the table shows the actual missing rule(s) for the listed NSGs, but I have no idea where to start with that.
Does anyone have a working version of this type of query? Having to go through a lot of NSGs manually can't be the answer.
I have tried multiple variations of the query, but I couldn't find a single working version.
Below are my findings and observations from the query posted in question. Lines 1 to 3 looks good and will give you list of NSG resources which has values for "securityRules" field.
| where not(properties.securityRules)I am not sure what are you trying to achieve in this step. The not() takes bool values as mentioned in the documentation.| where (tolower(tostring(properties.securityRules.ruleName)) =~ "allowthis|allowthat")There is no need to usetolower()when you are using =~ as this supports case-insensitive match. Also under "securityRules" in NSG json object there is no field named as "ruleName", however there is a field "name". Please find the document for the same - Link. You can use the same documentation to check for the fields available to query NSG resource data.When you are trying to write condition for "AllowThis" or "AllowThat" in Azure Resource Graph Explorer you should use the syntax
properties.securityRules.name == "allowthis" or properties.securityRules.name == "allowthat"If you write anything within quotes it will be taken as single string. Hence in your query "allowthis|allowthat" will be considered as a single string.