turbot/azure_insights

Query: compute_virtual_machine_by_vulnerability_assessment_solution

Usage

powerpipe query azure_insights.query.compute_virtual_machine_by_vulnerability_assessment_solution

SQL

with defender_enabled_vms as (
select
distinct a.vm_id as vm_id
from
azure_compute_virtual_machine as a,
jsonb_array_elements(extensions) as b
where
b ->> 'ExtensionType' = any(ARRAY ['MDE.Linux', 'MDE.Windows'])
and b ->> 'ProvisioningState' = 'Succeeded'
),
agent_installed_vm as (
select
distinct a.vm_id as vm_id
from
defender_enabled_vms as a
left join azure_compute_virtual_machine as w on w.vm_id = a.vm_id,
jsonb_array_elements(extensions) as b
where
b ->> 'Publisher' = 'Qualys'
and b ->> 'ExtensionType' = any(ARRAY ['WindowsAgent.AzureSecurityCenter', 'LinuxAgent.AzureSecurityCenter'])
and b ->> 'ProvisioningState' = 'Succeeded'
)
select
status,
count(*)
from (
select b.vm_id,
case when b.vm_id is not null then
'enabled'
else
'disabled'
end status
from
azure_compute_virtual_machine as a
left join agent_installed_vm as b on a.vm_id = b.vm_id) as vm
group by
status
order by
status;

Dashboards

The query is used in the dashboards: