turbot/azure_insights

Query: compute_virtual_machine_vulnerability_assessment_solution

Usage

powerpipe query azure_insights.query.compute_virtual_machine_vulnerability_assessment_solution

SQL

-- Card query: reports whether the virtual machine identified by $1 has a
-- vulnerability assessment solution deployed.
--
-- Parameter:
--   $1  resource id of the VM. It is compared against lower(id), so it must
--       be supplied in lower case. Its third '/'-separated segment is used
--       as the subscription id filter.
--
-- Result columns:
--   label  constant 'Vulnerability Assessment'
--   value  'Enabled' or 'Disabled'
--   type   'ok' or 'alert'
--
-- 'Enabled' is returned only when the VM carries BOTH:
--   1. an MDE.Linux / MDE.Windows extension, and
--   2. a Qualys-published *.AzureSecurityCenter agent extension,
-- each with ProvisioningState = 'Succeeded'.
--
-- NOTE(review): ProvisioningState describes extension deployment only; it is
-- not evidence that scans run or that findings are reported. Confirm
-- assessment results separately.
-- NOTE(review): only the Qualys-published extension is matched, so a VM
-- covered by another assessment solution (for example Microsoft Defender
-- Vulnerability Management) shows as 'Disabled'. Confirm this is the
-- intended scope.
with defender_enabled_vms as (
    -- VMs with a successfully provisioned Defender for Endpoint extension.
    select distinct
        vm.vm_id as vm_id
    from
        azure_compute_virtual_machine as vm
        cross join lateral jsonb_array_elements(vm.extensions) as ext
    where
        (ext ->> 'ExtensionType') in ('MDE.Linux', 'MDE.Windows')
        and (ext ->> 'ProvisioningState') = 'Succeeded'
),
agent_installed_vm as (
    -- Of those VMs, the ones that also carry a successfully provisioned
    -- Qualys agent extension. VMs with no extension rows drop out here.
    select distinct
        mde.vm_id as vm_id
    from
        defender_enabled_vms as mde
        inner join azure_compute_virtual_machine as vm
            on lower(vm.vm_id) = lower(mde.vm_id)
        cross join lateral jsonb_array_elements(vm.extensions) as ext
    where
        (ext ->> 'Publisher') = 'Qualys'
        and (ext ->> 'ExtensionType') in (
            'WindowsAgent.AzureSecurityCenter',
            'LinuxAgent.AzureSecurityCenter'
        )
        and (ext ->> 'ProvisioningState') = 'Succeeded'
)
select
    'Vulnerability Assessment' as label,
    case
        when assessed.vm_id is null then 'Disabled'
        else 'Enabled'
    end as value,
    case
        when assessed.vm_id is null then 'alert'
        else 'ok'
    end as type
from
    azure_compute_virtual_machine as vm
    -- Outer join keeps the target VM in the result when no agent was found,
    -- so the card renders 'Disabled' / 'alert' instead of returning no row.
    left join agent_installed_vm as assessed
        on lower(vm.vm_id) = lower(assessed.vm_id)
where
    lower(vm.id) = $1
    and vm.subscription_id = split_part($1, '/', 3);

Dashboards

The query is used in the dashboards: