Merge branch 'main' into patch-1

Author: Zimmergren

.github/workflows/defender-for-devops.yml

@@ -0,0 +1,20 @@
+name: MSDefenderDevOps
+on:
+  push:
+    branches: [ main ]
+jobs:
+  DevSec:
+    name: Microsoft Defender for DevOps
+    runs-on: windows-latest
+    steps:
+      - uses: actions/[email protected]
+      - uses: actions/setup-dotnet@v1
+        with:
+          dotnet-version: 6.0.x
+      - name: Run Microsoft Security DevOps Analysis
+        uses: microsoft/security-devops-action@preview
+        id: msdo
+      - name: Upload alerts to Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: ${{ steps.msdo.outputs.sarifFile }}

ApplicationInsights.RedactSensitiveInformation/ApplicationInsights.RedactSensitiveInformation/ApplicationInsights.RedactSensitiveInformation.csproj

@@ -0,0 +1,16 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFramework>net6.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.ApplicationInsights" Version="2.21.0" />
+    <PackageReference Include="Microsoft.ApplicationInsights.WorkerService" Version="2.21.0" />
+    <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="7.0.0" />
+  </ItemGroup>
+
+</Project>

ApplicationInsights.RedactSensitiveInformation/ApplicationInsights.RedactSensitiveInformation/ApplicationInsights.RedactSensitiveInformation.sln

@@ -0,0 +1,25 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.5.33530.505
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ApplicationInsights.RedactSensitiveInformation", "ApplicationInsights.RedactSensitiveInformation.csproj", "{9D050C42-82AF-435D-9B6B-F100738B19D8}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{9D050C42-82AF-435D-9B6B-F100738B19D8}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{9D050C42-82AF-435D-9B6B-F100738B19D8}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{9D050C42-82AF-435D-9B6B-F100738B19D8}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{9D050C42-82AF-435D-9B6B-F100738B19D8}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {A9217409-DA3A-49F2-9C6C-B5517E73837E}
+	EndGlobalSection
+EndGlobal

ApplicationInsights.RedactSensitiveInformation/ApplicationInsights.RedactSensitiveInformation/Program.cs

@@ -0,0 +1,57 @@
+// Necessary using statements.
+using ApplicationInsights.RedactSensitiveInformation;
+using Microsoft.ApplicationInsights;
+using Microsoft.ApplicationInsights.Extensibility;
+using Microsoft.ApplicationInsights.WorkerService;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Logging.ApplicationInsights;
+
+// DEMO ONLY: Don't put credentials in code - use Azure Key Vault, or applicable protected configuration services.
+// I am using the connection string in code for clarity and avoiding unnecessary logic that distracts from the focus of the demo.
+const string connectionString = "InstrumentationKey=<GUID>;IngestionEndpoint=https://<endpoint>.in.applicationinsights.azure.com/;LiveEndpoint=https://<endpoint>.livediagnostics.monitor.azure.com/";
+
+#region Wire-up
+
+//
+// Wire-up.
+// 
+IServiceCollection services = new ServiceCollection();
+
+// Add ApplicationInsightsLoggerProvider logger.
+services.AddLogging(loggingBuilder => loggingBuilder.AddFilter<ApplicationInsightsLoggerProvider>("Category", LogLevel.Information));
+
+// Add Application Insights logic (ApplicationInsightsTelemetryWorkerService)
+services.AddApplicationInsightsTelemetryWorkerService((ApplicationInsightsServiceOptions options) => options.ConnectionString = connectionString);
+
+
+// NOTE: Injecting the SensitivityRedaction initializer.
+services.AddSingleton<ITelemetryInitializer, SensitivityRedactionTelemetryInitializer>();
+
+
+IServiceProvider serviceProvider = services.BuildServiceProvider();
+
+#endregion
+
+
+//
+// NOTE: Program logic to demonstrate
+//
+
+// Get the app insights ILogger from the service provider. 
+ILogger<Program> logger = serviceProvider.GetRequiredService<ILogger<Program>>();
+
+
+// Sending a few log messages. Some include PII, some does not. 
+logger.LogWarning("This is a log message without PII.");
+logger.LogWarning("This is a log message with an e-mail: [email protected]");
+logger.LogWarning("This is another message with [email protected], and [email protected]");
+logger.LogWarning("Users access restrictions changed for: [email protected];[email protected], new access level is 'Reader' on resource '123'");
+
+
+// For demo purposes in our console app. 
+// Used to directly flush the buffer before we quit the app.
+var telemetryClient = serviceProvider.GetRequiredService<TelemetryClient>();
+telemetryClient.Flush();
+Task.Delay(5000).Wait();
+           

ApplicationInsights.RedactSensitiveInformation/ApplicationInsights.RedactSensitiveInformation/SensitivityRedactionTelemetryInitializer.cs

@@ -0,0 +1,26 @@
+using Microsoft.ApplicationInsights.Channel;
+using Microsoft.ApplicationInsights.DataContracts;
+using Microsoft.ApplicationInsights.Extensibility;
+using System.Text.RegularExpressions;
+
+namespace ApplicationInsights.RedactSensitiveInformation
+{
+    /// <summary>
+    /// Redacts standardized sensitive information from the trace messages.
+    /// </summary>
+    internal class SensitivityRedactionTelemetryInitializer : ITelemetryInitializer
+    {
+        public void Initialize(ITelemetry t)
+        {
+            var traceTelemetry = t as TraceTelemetry;
+            if (traceTelemetry != null)
+            {
+                // Use Regex to replace any e-mail address with a replacement string.
+                traceTelemetry.Message = Regex.Replace(traceTelemetry.Message, @"\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*", "[PII REDACTED]");
+                
+                // If we don't remove this CustomDimension, the telemetry message will still contain the PII in the "OriginalFormat" property.
+                traceTelemetry.Properties.Remove("OriginalFormat");
+            }
+        }
+    }
+}

DefenderDevOps/DefenderForDevOps/DefenderForDevOps.sln

@@ -0,0 +1,25 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.3.32929.385
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DummyApp", "DummyApp\DummyApp.csproj", "{DAC34EDD-8B17-47A4-BC8A-38B960545DD7}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{DAC34EDD-8B17-47A4-BC8A-38B960545DD7}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{DAC34EDD-8B17-47A4-BC8A-38B960545DD7}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{DAC34EDD-8B17-47A4-BC8A-38B960545DD7}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{DAC34EDD-8B17-47A4-BC8A-38B960545DD7}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {1006202C-5240-480B-B4AA-B5B69202EADC}
+	EndGlobalSection
+EndGlobal

DefenderDevOps/DefenderForDevOps/DummyApp/DummyApp.csproj

@@ -0,0 +1,14 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFramework>net6.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="6.25.0" />
+  </ItemGroup>
+
+</Project>

DefenderDevOps/DefenderForDevOps/DummyApp/Program.cs

@@ -0,0 +1,9 @@
+// See https://aka.ms/new-console-template for more information
+Console.WriteLine("Hello, World!");
+
+// Dummy samples of secrets in code. CredScan should hopefully pick this up.
+var test1 = "DefaultEndpointsProtocol=http;AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;BlobEndpoint=http://127.0.0.1:10000/devstoreaccount1;QueueEndpoint=http://127.0.0.1:10001/devstoreaccount1;TableEndpoint=http://127.0.0.1:10002/devstoreaccount1;";
+var test2 = "jdbc:postgresql://mydb.b5uacpxznijm.us-west-2.rds.amazonaws.com:5432/ebdb?user=username&password=mypassword";
+var sasTest = "BlobEndpoint=https://sastestdummy.blob.core.windows.net/;QueueEndpoint=https://sastestdummy.queue.core.windows.net/;FileEndpoint=https://sastestdummy.file.core.windows.net/;TableEndpoint=https://sastestdummy.table.core.windows.net/;SharedAccessSignature=sv=2021-06-08&ss=bfqt&srt=s&sp=rwdlacupiytfx&se=2022-11-01T02:08:27Z&st=2022-10-31T18:08:27Z&spr=https&sig=aEpff6lffaCfC2fiLvfOf%2FfP6f7rKyftJGfAdnfgf4wg%3D";
+
+var azureTableStorageDummy = "DefaultEndpointsProtocol=https;AccountName=foobardumdum;AccountKey=h1QWNse3ydtVL2EGTreEMtldl7R132T1poLQdzXpV/t0j84lQphjf2MP78HrtiSYyQu6PTvAda0s+AStr+W4wg==;EndpointSuffix=core.windows.net";

DefenderDevOps/DefenderForDevOps/DummyApp/config.json

@@ -0,0 +1,5 @@
+{
+  "azureConnectionStringDummy": "DefaultEndpointsProtocol=http;AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;BlobEndpoint=https://sastestdummy.blob.core.windows.net/;QueueEndpoint=https://sastestdummy.queue.core.windows.net/;FileEndpoint=https://sastestdummy.file.core.windows.net/;TableEndpoint=https://sastestdummy.table.core.windows.net/",
+  "sasCredentialDummy": "BlobEndpoint=https://sastestdummy.blob.core.windows.net/;QueueEndpoint=https://sastestdummy.queue.core.windows.net/;FileEndpoint=https://sastestdummy.file.core.windows.net/;TableEndpoint=https://sastestdummy.table.core.windows.net/;SharedAccessSignature=sv=2021-06-08&ss=bfqt&srt=s&sp=rwdlacupiytfx&se=2022-11-01T02:08:27Z&st=2022-10-31T18:08:27Z&spr=https&sig=aEpff6lffaCfC2fiLvfOf%2FfP6f7rKyftJGfAdnfgf4wg%3D",
+  "awsDbDummy": "jdbc:postgresql://mydb.b5uacpxznijm.us-west-2.rds.amazonaws.com:5432/ebdb?user=username&password=mypassword"
+}

DefenderDevOps/dummy-arm-template.json

@@ -0,0 +1,125 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+      "webAppName": {
+        "type": "string",
+        "defaultValue": "[concat('webApp-', uniqueString(resourceGroup().id))]",
+        "minLength": 2,
+        "metadata": {
+          "description": "Web app name."
+        }
+      },
+      "location": {
+        "type": "string",
+        "defaultValue": "[resourceGroup().location]",
+        "metadata": {
+          "description": "Location for all resources."
+        }
+      },
+      "sku": {
+        "type": "string",
+        "defaultValue": "F1",
+        "metadata": {
+          "description": "The SKU of App Service Plan."
+        }
+      },
+      "language": {
+        "type": "string",
+        "defaultValue": ".net",
+        "allowedValues": [
+          ".net",
+          "php",
+          "node",
+          "html"
+        ],
+        "metadata": {
+          "description": "The language stack of the app."
+        }
+      },
+      "helloWorld": {
+        "type": "bool",
+        "defaultValue": false,
+        "metadata": {
+          "description": "true = deploy a sample Hello World app."
+        }
+      },
+      "repoUrl": {
+        "type": "string",
+        "defaultValue": "",
+        "metadata": {
+          "description": "Optional Git Repo URL"
+        }
+      }
+    },
+    "variables": {
+      "appServicePlanPortalName": "[concat('AppServicePlan-', parameters('webAppName'))]",
+      "gitRepoReference": {
+        ".net": "https://github.com/Azure-Samples/app-service-web-dotnet-get-started",
+        "node": "https://github.com/Azure-Samples/nodejs-docs-hello-world",
+        "php": "https://github.com/Azure-Samples/php-docs-hello-world",
+        "html": "https://github.com/Azure-Samples/html-docs-hello-world"
+      },
+      "gitRepoUrl": "[if(bool(parameters('helloWorld')), variables('gitRepoReference')[toLower(parameters('language'))], parameters('repoUrl'))]",
+      "configReference": {
+        ".net": {
+          "comments": ".Net app. No additional configuration needed."
+        },
+        "html": {
+          "comments": "HTML app. No additional configuration needed."
+        },
+        "php": {
+          "phpVersion": "7.4"
+        },
+        "node": {
+          "appSettings": [
+            {
+              "name": "WEBSITE_NODE_DEFAULT_VERSION",
+              "value": "12.15.0"
+            }
+          ]
+        }
+      }
+    },
+    "resources": [
+      {
+        "type": "Microsoft.Web/serverfarms",
+        "apiVersion": "2020-06-01",
+        "name": "[variables('appServicePlanPortalName')]",
+        "location": "[parameters('location')]",
+        "sku": {
+          "name": "[parameters('sku')]"
+        }
+      },
+      {
+        "type": "Microsoft.Web/sites",
+        "apiVersion": "2020-06-01",
+        "name": "[parameters('webAppName')]",
+        "location": "[parameters('location')]",
+        "dependsOn": [
+          "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanPortalName'))]"
+        ],
+        "properties": {
+          "siteConfig": "[variables('configReference')[parameters('language')]]",
+          "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanPortalName'))]"
+        },
+        "resources": [
+          {
+            "condition": "[contains(variables('gitRepoUrl'),'http')]",
+            "type": "sourcecontrols",
+            "apiVersion": "2020-06-01",
+            "name": "web",
+            "location": "[parameters('location')]",
+            "dependsOn": [
+              "[resourceId('Microsoft.Web/sites', parameters('webAppName'))]"
+            ],
+            "properties": {
+              "repoUrl": "[variables('gitRepoUrl')]",
+              "branch": "master",
+              "isManualIntegration": true
+            }
+          }
+        ]
+      }
+    ]
+  }