Comments (10)
Hi there,
the queries used in these workbooks are based on the subassessments resource type in ARG. Do you see any results if you run the following query in Azure Resource Graph Explorer?
securityresources | where type == "microsoft.security/assessments/subassessments"
What current change in ARG are you referring to?
from microsoft-defender-for-cloud.
I can see some results, but they are only coming from the "assessedResourceType": "SqlServerVulnerability". You see nothing from Qualys at all.
For example, the guide given here does not display any results:
https://techcommunity.microsoft.com/t5/azure-security-center/exporting-vulnerability-assessment-results-in-azure-security/ba-p/1212091
securityresources
| where type == "microsoft.security/assessments"
| where * contains "vulnerabilities in your virtual machines"
| summarize by assessmentKey=name //the ID of the assessment
| join kind=inner (
    securityresources
    | where type == "microsoft.security/assessments/subassessments"
    | extend assessmentKey = extract(".*assessments/(.+?)/.*", 1, id)
) on assessmentKey
| project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId
| extend description = properties.description, displayName = properties.displayName, resourceId = properties.resourceDetails.id, resourceSource = properties.resourceDetails.source, category = properties.category, severity = properties.status.severity, code = properties.status.code, timeGenerated = properties.timeGenerated, remediation = properties.remediation, impact = properties.impact, vulnId = properties.id, additionalData = properties.additionalData
This displayed before.
The change I'm referring to is this:
https://docs.microsoft.com/en-us/azure/security-center/release-notes#microsoftsecuritysecuritystatuses-table-removed-from-azure-resource-graph-arg
The workbooks only work with SQL assessments now, which your query also gets results from.
from microsoft-defender-for-cloud.
Hi @pelsebubb
the Microsoft.Security/securityStatuses table doesn't seem to be used within these workbooks, so it doesn't seem to be related to the change you mention which was back in October 2020. Adding @carlosfar who created the workbook.
from microsoft-defender-for-cloud.
Hi @pelsebubb,
Indeed, the workbook does not use the Microsoft.Security/securityStatuses table. The workbook uses the Microsoft.security/assessments and Microsoft.security/assessments/subassessments tables to get results.
Do you see any results if you try to query the top level Qualys recommendation for VMs (please make sure you select the correct subscription in ARG Explorer)?
securityresources
| where type == "microsoft.security/assessments"
| where * contains "Vulnerabilities in your virtual machines should be remediated"
| project id, properties.displayName
from microsoft-defender-for-cloud.
Yes, I get results from this query, but it looks like this is searching for the built-in policy compliance on the specific targets.
Is this audit policy a requirement for the built-in Qualys assessment agent to display results?
Worth mentioning, we have disabled the default ASC and created our own security baseline.
from microsoft-defender-for-cloud.
Hi @pelsebubb, indeed, the built-in policy "Vulnerabilities in your virtual machines should be remediated" is used by ASC to get results from the Qualys VA scanner. This policy is also used in the workbooks we have published in the GitHub community.
from microsoft-defender-for-cloud.
Hi again. The built-in policy "Vulnerabilities in your virtual machines should be remediated" is a part of our custom initiative. I have also tested assigning this policy to our default Security Center profile; it still only displays SQL. Do you know what actually publishes the results from Qualys into ARG?
from microsoft-defender-for-cloud.
@pelsebubb, did you install the Qualys extension in your VMs? Please make sure they are properly communicating. More info: https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm#how-the-integrated-vulnerability-scanner-works
from microsoft-defender-for-cloud.
I figured this out now. We needed to have an active assignment on the policy "A vulnerability assessment solution should be enabled on your virtual machines".
Without this assignment, data simply was not published to ARG. I find it strange that we need to have an audit policy in place in order to get data into ARG. I have an MS support case on this and am talking to a PM to validate whether this is a bug or not.
from microsoft-defender-for-cloud.
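A diagnostic query for the situation described in this thread (the join from the blog post returning only SQL findings, and the VM findings disappearing when the VA policy is not assigned). This is an added example, not a query from the thread or from the microsoft-defender-for-cloud repository. Instead of an inner join that silently drops subassessments whose parent assessment is missing, it uses a leftouter join and groups the subassessments by their parent assessment and by assessedResourceType; the field path properties.additionalData.assessedResourceType is assumed from the "assessedResourceType" value quoted above. Rows with an empty assessmentName are findings whose parent assessment is not present in the selected subscription, which is what you would expect when the corresponding policy assignment is inactive.

```kql
// Added example: which assessments the subassessments hang off, and of which type.
// Run in Azure Resource Graph Explorer with the affected subscription selected.
securityresources
| where type == "microsoft.security/assessments/subassessments"
// the parent assessment GUID is embedded in the subassessment id (same extract as the blog query)
| extend assessmentKey = extract(".*assessments/(.+?)/.*", 1, id)
// assumed field path, based on the "assessedResourceType" value quoted in this thread
| extend assessedResourceType = tostring(properties.additionalData.assessedResourceType)
| join kind=leftouter (
    securityresources
    | where type == "microsoft.security/assessments"
    | project assessmentKey = name, assessmentName = tostring(properties.displayName)
) on assessmentKey
// an empty assessmentName means the parent assessment is not in ARG for this subscription
| summarize findings = count() by assessmentKey, assessmentName, assessedResourceType
| order by findings desc
```

If the only rows returned carry assessedResourceType "SqlServerVulnerability", the Qualys findings were never published to ARG at all, and the policy assignment (not the workbook's join) is the place to look.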
Hi @pelsebubb,
the policy you mentioned is part of the ASC default policy initiative and used to generate the corresponding recommendation in ASC. If that policy is not active, ASC does not show VA findings as nested recommendations. ARG only shows data that ASC will provide. So, if the recommendation in your environment has been disabled, you also won't see the assessment results in ARG.
Closing this issue for now as it is no longer related to the Github artifact, and the root cause will be tracked in your support request.
from microsoft-defender-for-cloud.