turbot/azure_insights

Query: compute_virtual_machine_vulnerability_assessment_solution

Usage

powerpipe query azure_insights.query.compute_virtual_machine_vulnerability_assessment_solution

SQL

with defender_enabled_vms as (
select
distinct a.vm_id as vm_id
from
azure_compute_virtual_machine as a,
jsonb_array_elements(extensions) as b
where
b ->> 'ExtensionType' = any(ARRAY [ 'MDE.Linux', 'MDE.Windows' ])
and b ->> 'ProvisioningState' = 'Succeeded'
),
agent_installed_vm as (
select
distinct a.vm_id as vm_id
from
defender_enabled_vms as a
left join azure_compute_virtual_machine as w on lower(w.vm_id) = lower(a.vm_id),
jsonb_array_elements(extensions) as b
where
b ->> 'Publisher' = 'Qualys'
and b ->> 'ExtensionType' = any(
ARRAY [ 'WindowsAgent.AzureSecurityCenter',
'LinuxAgent.AzureSecurityCenter' ]
)
and b ->> 'ProvisioningState' = 'Succeeded'
)
select
'Vulnerability Assessment' as label,
case
when b.vm_id is not null then 'Enabled'
else 'Disabled'
end as value,
case
when b.vm_id is not null then 'ok'
else 'alert'
end as type
from
azure_compute_virtual_machine as a
left join agent_installed_vm as b on lower(a.vm_id) = lower(b.vm_id)
where
lower(id) = $1;

Dashboards

The query is used in the dashboards: