Control Definition

A control is defined in YAML, and its definition contains ID, Title, Description, IntegrationType, Query, Severity, and Tags. Every control has a unique ID.

sample-control.yaml
ID: azure_application_gateway_waf_enabled
Title: Web Application Firewall (WAF) should be enabled for Application Gateway
Description: Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions.
IntegrationType:
  - azure_subscription
Query:
  Engine: CloudQL-v0.0.1
  ListOfTables:
    - azure_application_gateway
    - azure_subscription
  Parameters: []
  PrimaryTable: azure_application_gateway
  QueryToExecute: |
    SELECT
      ag.id AS resource,
      ag.platform_account_id AS platform_account_id,
      ag.platform_resource_id AS platform_resource_id,
      CASE
        WHEN web_application_firewall_configuration IS NOT NULL THEN 'ok'
        ELSE 'alarm'
      END AS status,
      CASE
        WHEN web_application_firewall_configuration IS NOT NULL THEN ag.name || ' WAF enabled.'
        ELSE ag.name || ' WAF disabled.'
      END AS reason,
      ag.resource_group AS resource_group,
      sub.display_name AS subscription
    FROM
      azure_application_gateway AS ag
    JOIN
      azure_subscription AS sub
    ON
      sub.subscription_id = ag.subscription_id;
Severity: high
Tags:
  nist_sp_800_53_rev_5:
    - "true"
  service:
    - "Azure/Network"

For a Query to be usable in a Control, it needs to have the following:

  1. Contain the required components: Engine, ListOfTables, Parameters, PrimaryTable, QueryToExecute

  2. Define Compliance and Non-Compliance Cases: Clearly outline conditions for both ok (compliant) and alarm (non-compliant) scenarios.

  3. Provide Reasons for Each Case: Offer detailed, human-readable explanations for the compliance status, such as "Authentication is enabled" or "Key is too old."

  4. Flag the Primary Table & ListOfTables

    1. Primary Table is required to attribute Audit incidents to the right table and control. For example, the above control refers to multiple tables and columns, but we want to attribute the incidents to a single table.

    2. ListOfTables is used to help you find the controls that are relevant to a given table.

  5. Maintain a Consistent Output Structure: Include the following fields:

    • Status: ok, alarm, or skip

    • Reason: Explanation for the status

    • Resource Identifier: Specific resource being evaluated

    • Additional Metadata: Supporting details like account ID and region

This query ensures reliable compliance evaluation by defining clear conditions and providing actionable outputs.
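As an added example (not code from this page's project), the following Python check applies the rules above to a control that has already been parsed from YAML into a dict (for instance with PyYAML); the function name `validate_control` and the constant `WAF_CONTROL`, which mirrors the sample control above, are assumptions of this example.

```python
import re

REQUIRED_TOP = ("ID", "Title", "Description", "IntegrationType", "Query", "Severity", "Tags")
REQUIRED_QUERY = ("Engine", "ListOfTables", "Parameters", "PrimaryTable", "QueryToExecute")
REQUIRED_COLUMNS = ("resource", "status", "reason")  # minimum output structure


def validate_control(control: dict) -> list:
    """Return the problems found in a parsed control; an empty list means it passes."""
    problems = [f"missing top-level key {k}" for k in REQUIRED_TOP if k not in control]
    query = control.get("Query") or {}
    problems += [f"Query is missing {k}" for k in REQUIRED_QUERY if k not in query]
    tables, primary = query.get("ListOfTables") or [], query.get("PrimaryTable")
    if primary and primary not in tables:
        problems.append(f"PrimaryTable {primary} is not listed in ListOfTables")
    sql = (query.get("QueryToExecute") or "").lower()
    for col in REQUIRED_COLUMNS:  # the query must alias each required output column
        if not re.search(rf"\bas\s+{col}\b", sql):
            problems.append(f"query does not produce a column named {col}")
    for status in ("'ok'", "'alarm'"):  # both outcomes must be defined explicitly
        if status not in sql:
            problems.append(f"query never yields status {status}")
    for table in tables:  # ListOfTables must match what the query actually reads
        if not re.search(rf"\b(from|join)\s+{re.escape(table)}\b", sql):
            problems.append(f"ListOfTables entry {table} is not read via FROM/JOIN")
    return problems


# Constructed input: the page's sample control as it looks after YAML parsing.
WAF_CONTROL = {
    "ID": "azure_application_gateway_waf_enabled",
    "Title": "Web Application Firewall (WAF) should be enabled for Application Gateway",
    "Description": "WAF provides centralized protection of your web applications.",
    "IntegrationType": ["azure_subscription"],
    "Query": {
        "Engine": "CloudQL-v0.0.1",
        "ListOfTables": ["azure_application_gateway", "azure_subscription"],
        "Parameters": [],
        "PrimaryTable": "azure_application_gateway",
        "QueryToExecute": (
            "SELECT ag.id AS resource, CASE WHEN web_application_firewall_configuration "
            "IS NOT NULL THEN 'ok' ELSE 'alarm' END AS status, CASE WHEN "
            "web_application_firewall_configuration IS NOT NULL THEN ag.name || ' WAF enabled.' "
            "ELSE ag.name || ' WAF disabled.' END AS reason FROM azure_application_gateway AS ag "
            "JOIN azure_subscription AS sub ON sub.subscription_id = ag.subscription_id;"
        ),
    },
    "Severity": "high",
    "Tags": {"service": ["Azure/Network"]},
}
```

Running `validate_control` on a control with a PrimaryTable that is not in ListOfTables, or a query that only ever returns 'ok', reports each violation as a separate message, which is convenient for a pre-commit check over a directory of control files.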
