turbot/azure_compliance

Query: compute_vm_vulnerability_assessment_solution_enabled

Usage

powerpipe query azure_compliance.query.compute_vm_vulnerability_assessment_solution_enabled

SQL

with defender_enabled_vms as (
select
distinct a.vm_id as vm_id
from
azure_compute_virtual_machine as a,
jsonb_array_elements(extensions) as b
where
b ->> 'ExtensionType' = any(ARRAY ['MDE.Linux', 'MDE.Windows'])
and b ->> 'ProvisioningState' = 'Succeeded'
),
agent_installed_vm as (
select
distinct a.vm_id as vm_id
from
defender_enabled_vms as a
left join azure_compute_virtual_machine as w on w.vm_id = a.vm_id,
jsonb_array_elements(extensions) as b
where
b ->> 'Publisher' = 'Qualys'
and b ->> 'ExtensionType' = any(ARRAY ['WindowsAgent.AzureSecurityCenter', 'LinuxAgent.AzureSecurityCenter'])
and b ->> 'ProvisioningState' = 'Succeeded'
)
select
a.vm_id as resource,
case
when b.vm_id is not null then 'ok'
else 'alarm'
end as status,
case
when b.vm_id is not null then a.title || ' have vulnerability assessment solution enabled.'
else a.title || ' have vulnerability assessment solution disabled.'
end as reason
, a.resource_group as resource_group
, sub.display_name as subscription
from
azure_compute_virtual_machine as a
left join agent_installed_vm as b on a.vm_id = b.vm_id,
azure_subscription as sub
where
sub.subscription_id = a.subscription_id;

Controls

The query is being used by the following controls: