feat: complete enterprise security model audit hardening #7
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f1d48765a5
| with: | ||
| # Upload entire repository | ||
| path: '.' | ||
| path: docs |
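Review bot: if the `# Upload entire repository` comment is kept above the new `path: docs`, it no longer describes what is uploaded; reword it to say the Pages artifact now contains only the docs tree, so the narrowed scope is obvious to anyone reading the workflow rather than only to whoever follows a broken link later. Minor: the replaced value was quoted (`path: '.'`), so `path: 'docs'` would keep the file's style.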
Preserve links to implementation documentation
Uploading only docs breaks the existing link in docs/18-hybrid-azure-local.md:35 to ../impl/azure/policy-as-code/README.md, because the impl directory is no longer included in the Pages artifact. On the deployed project site, that relative URL resolves outside the site artifact and returns a missing page; either include the referenced content or replace external-to-docs links with repository URLs.
| "description": "Detects sign-ins from geographically impossible locations.", | ||
| "query": "// TODO: add KQL query", | ||
| "description": "Flags successful sign-ins for one identity whose calculated travel speed exceeds the review threshold.", | ||
| "query": "let lookback = 1h;\nlet maxTravelSpeedKph = 900.0;\nSigninLogs\n| where TimeGenerated > ago(lookback)\n| where ResultType == 0\n| where isnotempty(LocationDetails.geoCoordinates.latitude) and isnotempty(LocationDetails.geoCoordinates.longitude)\n| project UserPrincipalName, TimeGenerated, IPAddress, Country=tostring(LocationDetails.countryOrRegion), Latitude=todouble(LocationDetails.geoCoordinates.latitude), Longitude=todouble(LocationDetails.geoCoordinates.longitude)\n| sort by UserPrincipalName asc, TimeGenerated asc\n| serialize\n| extend PreviousUser=prev(UserPrincipalName), PreviousTime=prev(TimeGenerated), PreviousCountry=prev(Country), PreviousLatitude=prev(Latitude), PreviousLongitude=prev(Longitude)\n| where UserPrincipalName == PreviousUser and TimeGenerated > PreviousTime and Country != PreviousCountry\n| extend DistanceKm=geo_distance_2points(Longitude, Latitude, PreviousLongitude, PreviousLatitude) / 1000.0, Hours=datetime_diff('second', TimeGenerated, PreviousTime) / 3600.0\n| extend SpeedKph=DistanceKm / Hours\n| where SpeedKph > maxTravelSpeedKph\n| project TimeGenerated, UserPrincipalName, IPAddress, Country, PreviousCountry, DistanceKm, Hours, SpeedKph", |
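Review bot: `SpeedKph` has no lower bound on distance, so as soon as the `Country != PreviousCountry` predicate is relaxed, two successful sign-ins seconds apart from IP addresses geolocated a few kilometres apart in the same city divide a small `DistanceKm` by a tiny `Hours` and alert; add a `minDistanceKm` let next to `maxTravelSpeedKph` and filter `DistanceKm < minDistanceKm` before the speed comparison, treating those pairs as geolocation jitter. Separately, `prev()` only sees rows that fall inside `lookback = 1h`, so a sign-in pair that straddles the query window is never compared; either use a lookback longer than the rule's scheduling interval (and deduplicate repeated alerts) or document that the window must cover at least one full interval.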
Detect impossible travel within the same country
The Country != PreviousCountry predicate discards every same-country pair before calculating travel speed. For example, successful sign-ins minutes apart in New York and Los Angeles will never alert despite exceeding maxTravelSpeedKph, contradicting the rule description and leaving a substantial detection gap; calculate speed for all coordinate pairs and use country changes only as optional context or tuning.
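The detection gap described above, worked through as an added Python example (not code from this PR): consecutive same-user sign-ins are paired the way the KQL's `prev()` does, the country-change predicate is made optional, and a minimum-distance floor is added to suppress IP-geolocation jitter. The sign-in records, users and thresholds are constructed for the example.

```python
import math
from datetime import datetime, timezone

# Constructed sample sign-ins (not real data): (user, time, country, latitude, longitude).
# Successful-sign-in filtering (ResultType == 0) is assumed to have happened upstream.
SIGNINS = [
    ("alice@example.com", datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc), "US", 40.7128, -74.0060),   # New York
    ("alice@example.com", datetime(2024, 1, 1, 12, 30, tzinfo=timezone.utc), "US", 34.0522, -118.2437), # Los Angeles
    ("alice@example.com", datetime(2024, 1, 1, 20, 0, tzinfo=timezone.utc), "GB", 51.5074, -0.1278),    # London
    ("bob@example.com", datetime(2024, 1, 1, 12, 5, tzinfo=timezone.utc), "US", 40.7128, -74.0060),
    ("bob@example.com", datetime(2024, 1, 1, 12, 6, tzinfo=timezone.utc), "US", 40.7306, -73.9352),     # same-city jitter
]


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance, the quantity geo_distance_2points returns in metres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(signins, max_speed_kph=900.0, min_distance_km=50.0, require_country_change=False):
    """Return (user, speed_kph, previous_country, country) for each consecutive same-user pair
    whose implied travel speed exceeds max_speed_kph.

    require_country_change=True reproduces the PR's Country != PreviousCountry predicate;
    min_distance_km is the jitter floor that the KQL rule currently lacks.
    """
    alerts = []
    rows = sorted(signins, key=lambda s: (s[0], s[1]))  # same ordering as the KQL sort + serialize
    for prev, cur in zip(rows, rows[1:]):
        if cur[0] != prev[0] or cur[1] <= prev[1]:
            continue  # prev() belongs to another user, or timestamps are not strictly increasing
        if require_country_change and cur[2] == prev[2]:
            continue  # the same-country pair the PR's query silently drops
        dist = distance_km(prev[3], prev[4], cur[3], cur[4])
        if dist < min_distance_km:
            continue  # IP geolocation moving a few km inside one metro area is not travel
        hours = (cur[1] - prev[1]).total_seconds() / 3600.0
        speed = dist / hours
        if speed > max_speed_kph:
            alerts.append((cur[0], round(speed), prev[2], cur[2]))
    return alerts
```

With the country predicate enforced only the Los Angeles to London pair alerts; without it the New York to Los Angeles pair (about 7,900 km/h) is flagged as well, while bob's intra-city jitter stays below the distance floor.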
| name: 'keyvault' | ||
| params: { | ||
| location: location | ||
| name: take('kvcsm${environmentName}${suffix}', 24) |
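Review bot: `take(..., 24)` truncates from the right, so a long `environmentName` cuts into `suffix`, which is what appears to keep the vault name unique; two environments whose names share their first characters then collide on a globally-unique Key Vault name, and the truncated string can also end on a hyphen, which Key Vault rejects. Bound `environmentName` with `@maxLength()` (and `@minLength()`) so that `kvcsm` plus name plus suffix can never exceed 24 characters, or place a short `uniqueString()`-derived suffix before the truncation point so it always survives.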
Validate environment names before constructing the Key Vault name
The unrestricted environmentName is interpolated directly into the Key Vault name, but Key Vault names permit only alphanumeric characters and hyphens. Deployments using otherwise common environment identifiers such as prod_us will pass the Bicep length decorators and compilation but fail when Azure creates the vault; constrain or sanitize the parameter before using it here.
Completes eight GSD audit findings: immutable workflows, repository validation, secure Bicep reference baseline, safe policy and Arc onboarding examples, threat model, evidence integrity contract, and Sentinel detections. Validation passed for Bash, PowerShell, Bicep, JSON, workflow YAML, immutable action pins, and git diff checks.