Control: A vulnerability assessment solution should be enabled on your virtual machines
Description
Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.compute_vm_vulnerability_assessment_solution_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.compute_vm_vulnerability_assessment_solution_enabled --share
SQL
This control uses a named query:
with defender_enabled_vms as (
  select distinct
    a.vm_id as vm_id
  from
    azure_compute_virtual_machine as a,
    jsonb_array_elements(extensions) as b
  where
    b ->> 'ExtensionType' = any(ARRAY ['MDE.Linux', 'MDE.Windows'])
    and b ->> 'ProvisioningState' = 'Succeeded'
),
agent_installed_vm as (
  select distinct
    a.vm_id as vm_id
  from
    defender_enabled_vms as a
    left join azure_compute_virtual_machine as w on w.vm_id = a.vm_id,
    jsonb_array_elements(w.extensions) as b
  where
    b ->> 'Publisher' = 'Qualys'
    and b ->> 'ExtensionType' = any(ARRAY ['WindowsAgent.AzureSecurityCenter', 'LinuxAgent.AzureSecurityCenter'])
    and b ->> 'ProvisioningState' = 'Succeeded'
)
select
  a.vm_id as resource,
  case
    when b.vm_id is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when b.vm_id is not null then a.title || ' has vulnerability assessment solution enabled.'
    else a.title || ' has vulnerability assessment solution disabled.'
  end as reason,
  a.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_compute_virtual_machine as a
  left join agent_installed_vm as b on a.vm_id = b.vm_id,
  azure_subscription as sub
where
  sub.subscription_id = a.subscription_id;
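The same pass/fail logic, reimplemented in Python over constructed VM records shaped like the rows the azure_compute_virtual_machine table exposes (an added example, not the mod's own code). It makes explicit a detail that is easy to miss in the query: because agent_installed_vm is built from defender_enabled_vms, a VM with a succeeded Qualys agent but no succeeded MDE extension still alarms, as does one whose agent is in a non-Succeeded provisioning state.

```python
import json

# Extension types the control matches on, taken from the control's SQL.
MDE_TYPES = {"MDE.Linux", "MDE.Windows"}
QUALYS_TYPES = {"WindowsAgent.AzureSecurityCenter", "LinuxAgent.AzureSecurityCenter"}


def _has_succeeded_ext(extensions, types, publisher=None):
    """True if any extension is of a listed type, from the given publisher (if
    required), and has ProvisioningState 'Succeeded'."""
    for ext in extensions or []:  # 'extensions' may be null on a bare VM
        if ext.get("ExtensionType") not in types:
            continue
        if publisher is not None and ext.get("Publisher") != publisher:
            continue
        if ext.get("ProvisioningState") == "Succeeded":
            return True
    return False


def evaluate_vm(vm):
    """Mirror the control: 'ok' only if the VM has a succeeded MDE extension AND a
    succeeded Qualys agent. The agent check is only reached for Defender VMs,
    matching the SQL where agent_installed_vm is derived from defender_enabled_vms."""
    exts = vm.get("extensions")
    defender = _has_succeeded_ext(exts, MDE_TYPES)
    enabled = defender and _has_succeeded_ext(exts, QUALYS_TYPES, publisher="Qualys")
    state = "enabled" if enabled else "disabled"
    return {
        "resource": vm["vm_id"],
        "status": "ok" if enabled else "alarm",
        "reason": f"{vm['title']} has vulnerability assessment solution {state}.",
    }


def evaluate_all(vms):
    return [evaluate_vm(vm) for vm in vms]


# Constructed sample rows (not real Azure data), one per interesting case.
SAMPLE_VMS = [
    {"vm_id": "vm-1", "title": "web-01", "extensions": [
        {"ExtensionType": "MDE.Linux", "ProvisioningState": "Succeeded"},
        {"Publisher": "Qualys", "ExtensionType": "LinuxAgent.AzureSecurityCenter", "ProvisioningState": "Succeeded"}]},
    {"vm_id": "vm-2", "title": "db-01", "extensions": [  # Qualys present, no MDE -> alarm
        {"Publisher": "Qualys", "ExtensionType": "WindowsAgent.AzureSecurityCenter", "ProvisioningState": "Succeeded"}]},
    {"vm_id": "vm-3", "title": "app-01", "extensions": [  # agent install failed -> alarm
        {"ExtensionType": "MDE.Windows", "ProvisioningState": "Succeeded"},
        {"Publisher": "Qualys", "ExtensionType": "WindowsAgent.AzureSecurityCenter", "ProvisioningState": "Failed"}]},
    {"vm_id": "vm-4", "title": "bastion-01", "extensions": None},  # no extensions -> alarm
]

if __name__ == "__main__":
    print(json.dumps(evaluate_all(SAMPLE_VMS), indent=2))
```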