turbot/azure_compliance

Query: compute_vm_malware_agent_installed

Usage

powerpipe query azure_compliance.query.compute_vm_malware_agent_installed

SQL

with malware_agent_installed_vm as (
select
distinct a.vm_id
from
azure_compute_virtual_machine as a,
jsonb_array_elements(extensions) as b
where
b ->> 'Publisher' = 'Microsoft.Azure.Security'
and b ->> 'ExtensionType' = 'IaaSAntimalware'
)
select
a.vm_id as resource,
case
when b.vm_id is not null then 'ok'
else 'alarm'
end as status,
case
when b.vm_id is not null then a.title || ' IaaSAntimalware extension installed.'
else a.title || ' IaaSAntimalware extension not installed.'
end as reason
, a.resource_group as resource_group
, sub.display_name as subscription
from
azure_compute_virtual_machine as a
left join malware_agent_installed_vm as b on a.vm_id = b.vm_id,
azure_subscription as sub
where
sub.subscription_id = a.subscription_id;

Controls

The query is being used by the following controls: