steampipe plugin install azure

Table: azure_security_center_automation - Query Azure Security Center Automations using SQL

Azure Security Center Automations is a feature within Microsoft Azure that allows you to automate responses to security alerts. It provides an automated way to respond to and manage alerts for various Azure resources, including virtual machines, databases, web applications, and more. Azure Security Center Automations helps you stay informed about the security state of your Azure resources and take appropriate actions when predefined conditions are met.

Table Usage Guide

The azure_security_center_automation table provides insights into the automation settings within Azure Security Center. As a security engineer, explore automation-specific details through this table, including the automation name, resource group, and associated metadata. Utilize it to uncover information about your security automations, such as their configurations, intended actions, and the resources they are associated with.

Examples

Basic info

This example showcases how to determine the types and categories of automations within the Azure Security Center. This information can be useful in understanding the range of automated processes in place and their respective functions.

select
id,
name,
type,
kind
from
azure_security_center_automation;

List enabled automations that continuously export Microsoft Defender for Cloud data

List the automations that are currently enabled, i.e. the ones actually exporting Microsoft Defender for Cloud data. This helps you verify that your security data is being exported consistently for downstream analysis and retention, and spot automations that exist but are switched off.

select
id,
name,
type,
is_enabled
from
azure_security_center_automation
where
is_enabled;

List event source details for automations that continuously export Microsoft Defender for Cloud data

List the event source (for example alerts or assessments) and the rule conditions each automation evaluates before it exports Microsoft Defender for Cloud data. This shows which events actually leave Defender for Cloud and under what filter, which is useful for understanding your security posture and identifying gaps in coverage.

Postgres:

select
name,
type,
s ->> 'eventSource' as event_source,
r ->> 'operator' as operator,
r ->> 'propertyType' as property_type,
r ->> 'expectedValue' as expected_value,
r ->> 'propertyJPath' as property_jpath
from
azure_security_center_automation,
jsonb_array_elements(sources) as s,
jsonb_array_elements(s -> 'ruleSets') as rs,
jsonb_array_elements(rs -> 'rules') as r;

SQLite:

select
name,
a.type,
json_extract(s.value, '$.eventSource') as event_source,
json_extract(r.value, '$.operator') as operator,
json_extract(r.value, '$.propertyType') as property_type,
json_extract(r.value, '$.expectedValue') as expected_value,
json_extract(r.value, '$.propertyJPath') as property_jpath
from
azure_security_center_automation as a,
json_each(sources) as s,
json_each(json_extract(s.value, '$.ruleSets')) as rs,
json_each(json_extract(rs.value, '$.rules')) as r;
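The queries above read one column at a time. The following Postgres query is an added example, not one of the Steampipe hub page's own, that combines actions, sources and subscription_id to flag automations that are disabled or that deliver Defender for Cloud events to a Logic App, Event Hub or Log Analytics workspace in another subscription. It assumes the actions JSON carries the Azure security automation REST keys actionType, logicAppResourceId, eventHubResourceId and workspaceResourceId, and that sources entries carry eventSource.

```sql
-- Added example (not part of the Steampipe hub page). Flags automations that
-- are disabled, or whose delivery target (Logic App, Event Hub or Log
-- Analytics workspace) lives in a different subscription than the automation.
-- Assumption: the "actions" JSON uses the Azure security automation REST
-- keys actionType, logicAppResourceId, eventHubResourceId and
-- workspaceResourceId; the "sources" JSON uses eventSource.
with destinations as (
  select
    a.name,
    a.resource_group,
    a.subscription_id,
    a.is_enabled,
    ac ->> 'actionType' as action_type,
    coalesce(
      ac ->> 'logicAppResourceId',
      ac ->> 'eventHubResourceId',
      ac ->> 'workspaceResourceId'
    ) as destination_id,
    -- event types (Alerts, Assessments, ...) feeding this automation
    (
      select string_agg(src ->> 'eventSource', ', ')
      from jsonb_array_elements(a.sources) as src
    ) as event_sources
  from
    azure_security_center_automation as a,
    jsonb_array_elements(a.actions) as ac
)
select
  name,
  resource_group,
  is_enabled,
  event_sources,
  action_type,
  destination_id,
  -- an ARM resource id is /subscriptions/<id>/..., so segment 3 is the subscription
  split_part(destination_id, '/', 3) as destination_subscription
from
  destinations
where
  not is_enabled
  or lower(split_part(destination_id, '/', 3)) <> lower(subscription_id)
order by
  name,
  action_type;
```

An action whose destination id is null (for example a Logic App action that only carries a callback URI) yields a null comparison and is therefore listed only when the automation is disabled.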

Schema for azure_security_center_automation

Name | Type | Operators | Description
_ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name.
actions | jsonb | | A collection of the actions which are triggered if all the configured rules evaluations, within at least one rule set, are true.
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
cloud_environment | text | | The Azure Cloud Environment.
description | text | | The security automation description.
etag | text | | Entity tag is used for comparing two or more entities from the same requested resource.
id | text | | The resource id.
is_enabled | boolean | | Indicates whether the security automation is enabled.
kind | text | | Kind of the resource.
name | text | = | The resource name.
region | text | | The Azure region/location in which the resource is located.
resource_group | text | = | The resource group which holds this resource.
scopes | jsonb | | A collection of scopes on which the security automation's logic is applied. Supported scopes are the subscription itself or a resource group under that subscription. The automation will only apply on defined scopes.
sources | jsonb | | A collection of the source event types which evaluate the security automation set of rules.
subscription_id | text | | The Azure Subscription ID in which the resource is located.
tags | jsonb | | A list of key value pairs that describe the resource.
title | text | | Title of the resource.
type | text | | The type of the resource.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure

You can pass the configuration to the command with the --config argument:

steampipe_export_azure --config '<your_config>' azure_security_center_automation