Control: Windows Defender Exploit Guard should be enabled on your machines
Description
Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.compute_vm_windows_defender_exploit_guard_enabledSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.compute_vm_windows_defender_exploit_guard_enabled --shareSQL
This control uses a named query:
with compute_machine as( select id, name, subscription_id, resource_group from azure_compute_virtual_machine, jsonb_array_elements(guest_configuration_assignments) as e where e ->> 'name' = 'WindowsDefenderExploitGuard' and e ->> 'complianceStatus' = 'Compliant')select a.id as resource, case when a.os_type <> 'Windows' then 'skip' when m.id is not null then 'ok' else 'alarm' end as status, case when a.os_type <> 'Windows' then a.name || ' is of ' || a.os_type || ' operating system.' when m.id is not null then a.name || ' windows defender exploit guard enabled.' else a.name || ' windows defender exploit guard disabled.' end as reason , a.resource_group as resource_group , sub.display_name as subscriptionfrom azure_compute_virtual_machine as a left join compute_machine as m on m.id = a.id, azure_subscription as subwhere sub.subscription_id = a.subscription_id;