Control: Deploy default Microsoft IaaSAntimalware extension for Windows Server

Description

This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.compute_vm_malware_agent_installed

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.compute_vm_malware_agent_installed --share

SQL

This control uses a named query:

with malware_agent_installed_vm as (
  select
    distinct a.vm_id
  from
    azure_compute_virtual_machine as a,
    jsonb_array_elements(extensions) as b
  where
    b ->> 'Publisher' = 'Microsoft.Azure.Security'
    and b ->> 'ExtensionType' = 'IaaSAntimalware'
)
select
  a.vm_id as resource,
  case
    when b.vm_id is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when b.vm_id is not null then a.title || ' IaaSAntimalware extension installed.'
    else a.title || ' IaaSAntimalware extension not installed.'
  end as reason
  
  , a.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_compute_virtual_machine as a
  left join malware_agent_installed_vm as b on a.vm_id = b.vm_id,
  azure_subscription as sub
where
  sub.subscription_id = a.subscription_id;

Control: Deploy default Microsoft IaaSAntimalware extension for Windows Server

Description

Usage

SQL

Tags