Control: Microsoft Antimalware for Azure should be configured to automatically update protection signatures
Description
This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.compute_vm_malware_agent_automatic_upgrade_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.compute_vm_malware_agent_automatic_upgrade_enabled --share
SQL
This control uses a named query:
with malware_agent_installed_vm as (
  select
    distinct a.vm_id
  from
    azure_compute_virtual_machine as a,
    jsonb_array_elements(extensions) as b
  where
    b ->> 'Publisher' = 'Microsoft.Azure.Security'
    and b ->> 'ExtensionType' = 'IaaSAntimalware'
    and b ->> 'AutoUpgradeMinorVersion' = 'true'
)
select
  a.vm_id as resource,
  case
    when a.os_type <> 'Windows' then 'skip'
    when b.vm_id is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating system.'
    when b.vm_id is not null then a.title || ' automatic update of Microsoft Antimalware protection signatures enabled.'
    else a.title || ' automatic update of Microsoft Antimalware protection signatures not enabled.'
  end as reason,
  a.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_compute_virtual_machine as a
  left join malware_agent_installed_vm as b on a.vm_id = b.vm_id,
  azure_subscription as sub
where
  sub.subscription_id = a.subscription_id;
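The query above only produces results inside Steampipe, so the following added example (not part of the azure_compliance mod or the Powerpipe project) reproduces the same decision logic in plain Python: non-Windows VMs are skipped, a Windows VM with an IaaSAntimalware extension from Microsoft.Azure.Security whose AutoUpgradeMinorVersion is on is ok, and anything else is an alarm. The VM records, resource IDs and publisher names in SAMPLE_VMS are constructed for the demonstration; the field names mirror the columns and JSON keys the query reads. One caveat it makes explicit: the SQL compares `->> 'AutoUpgradeMinorVersion'` to the text 'true', which matches both a JSON boolean and a JSON string, so the helper accepts either.

```python
"""Classify Azure VMs the way the control's SQL does: skip / ok / alarm."""
import json

# Extension identity the control's CTE looks for (values taken from the query).
MALWARE_PUBLISHER = "Microsoft.Azure.Security"
MALWARE_EXTENSION_TYPE = "IaaSAntimalware"


def _is_true(value):
    """Mirror Postgres `->> 'AutoUpgradeMinorVersion' = 'true'`: the ->> operator
    renders a JSON boolean true and the JSON string "true" both as the text 'true'."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value == "true"


def has_auto_updating_antimalware(extensions):
    """True if any extension matches the malware_agent_installed_vm CTE condition.
    Accepts a list of dicts or the jsonb column serialised as a JSON string."""
    if isinstance(extensions, str):
        extensions = json.loads(extensions)
    for ext in extensions or []:
        if (ext.get("Publisher") == MALWARE_PUBLISHER
                and ext.get("ExtensionType") == MALWARE_EXTENSION_TYPE
                and _is_true(ext.get("AutoUpgradeMinorVersion"))):
            return True
    return False


def evaluate_vm(vm):
    """Return (status, reason) for one VM record, matching the control's CASE branches."""
    title, os_type = vm["title"], vm["os_type"]
    if os_type != "Windows":
        return "skip", f"{title} is of {os_type} operating system."
    if has_auto_updating_antimalware(vm.get("extensions")):
        return "ok", f"{title} automatic update of Microsoft Antimalware protection signatures enabled."
    return "alarm", f"{title} automatic update of Microsoft Antimalware protection signatures not enabled."


def evaluate_all(vms):
    """Map vm_id -> (status, reason) for a batch of VM records."""
    return {vm["vm_id"]: evaluate_vm(vm) for vm in vms}


# Constructed sample rows (hypothetical IDs and titles) covering the three outcomes plus
# the edge case of the agent being installed with minor-version auto-upgrade switched off.
SAMPLE_VMS = [
    {"vm_id": "vm-linux-1", "title": "web-linux", "os_type": "Linux", "extensions": []},
    {"vm_id": "vm-win-ok", "title": "app-win-1", "os_type": "Windows", "extensions": [
        {"Publisher": "Microsoft.Azure.Security", "ExtensionType": "IaaSAntimalware",
         "AutoUpgradeMinorVersion": True}]},
    {"vm_id": "vm-win-noupgrade", "title": "app-win-2", "os_type": "Windows", "extensions": [
        {"Publisher": "Microsoft.Azure.Security", "ExtensionType": "IaaSAntimalware",
         "AutoUpgradeMinorVersion": False}]},
    # "Contoso.Example" / "ExampleAgent" are placeholder names for some unrelated extension.
    {"vm_id": "vm-win-none", "title": "app-win-3", "os_type": "Windows", "extensions": [
        {"Publisher": "Contoso.Example", "ExtensionType": "ExampleAgent",
         "AutoUpgradeMinorVersion": True}]},
]

if __name__ == "__main__":
    for vm_id, (status, reason) in evaluate_all(SAMPLE_VMS).items():
        print(f"{status:5} {vm_id}: {reason}")
```

Feed it records shaped like rows from azure_compute_virtual_machine (title, os_type, extensions) to reproduce the control's verdicts outside Steampipe; the vm-win-noupgrade row shows that merely having the antimalware extension installed is not enough for an ok.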