
Comments (10)

TomJanetscheck commented on July 22, 2024

Hi there,
the queries used in these workbooks are based on the subassessments resource type in ARG. Do you see any results if you run the following query in Azure Resource Graph Explorer?

securityresources | where type == "microsoft.security/assessments/subassessments"

What current change in ARG are you referring to?

from microsoft-defender-for-cloud.

Anders-Kristiansen commented on July 22, 2024

> Hi there,
> the queries used in these workbooks are based on the subassessments resource type in ARG. Do you see any results if you run the following query in Azure Resource Graph Explorer?
>
> securityresources | where type == "microsoft.security/assessments/subassessments"
>
> What current change in ARG are you referring to?

I can see some results, but they are only coming from "assessedResourceType": "SqlServerVulnerability". You see nothing from Qualys at all.
For example, the guide given here does not display any results:
https://techcommunity.microsoft.com/t5/azure-security-center/exporting-vulnerability-assessment-results-in-azure-security/ba-p/1212091

securityresources
 | where type == "microsoft.security/assessments"
 | where * contains "vulnerabilities in your virtual machines"
 | summarize by assessmentKey=name //the ID of the assessment
 | join kind=inner (
     securityresources
     | where type == "microsoft.security/assessments/subassessments"
     | extend assessmentKey = extract(".*assessments/(.+?)/.*",1, id)
 ) on assessmentKey
 | project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId
 | extend description = properties.description, displayName = properties.displayName, resourceId = properties.resourceDetails.id, resourceSource = properties.resourceDetails.source, category = properties.category, severity = properties.status.severity, code = properties.status.code, timeGenerated = properties.timeGenerated, remediation = properties.remediation, impact = properties.impact, vulnId = properties.id, additionalData = properties.additionalData

This displayed before.

The change I'm referring to is this:
https://docs.microsoft.com/en-us/azure/security-center/release-notes#microsoftsecuritysecuritystatuses-table-removed-from-azure-resource-graph-arg

The workbooks only work with SQL assessments now, which your query also gets results from.

TomJanetscheck commented on July 22, 2024

Hi @pelsebubb
the Microsoft.Security/securityStatuses table doesn't seem to be used within these workbooks, so it doesn't seem to be related to the change you mention, which was back in October 2020. Adding @carlosfar, who created the workbook.

carlosfar commented on July 22, 2024

Hi @pelsebubb,

Indeed, the workbook does not use the Microsoft.Security/securityStatuses table. The workbook uses the Microsoft.security/assessments and Microsoft.security/assessments/subassessments tables to get results.

Do you see any results if you try to query the top level Qualys recommendation for VMs (please make sure you select the correct subscription in ARG Explorer)?

securityresources
 | where type == "microsoft.security/assessments"
 | where * contains "Vulnerabilities in your virtual machines should be remediated"
 | project id, properties.displayName


Anders-Kristiansen commented on July 22, 2024

> Hi @pelsebubb,
>
> Indeed, the workbook does not use the Microsoft.Security/securityStatuses table. The workbook uses the Microsoft.security/assessments and Microsoft.security/assessments/subassessments tables to get results.
>
> Do you see any results if you try to query the top level Qualys recommendation for VMs (please make sure you select the correct subscription in ARG Explorer)?
>
> securityresources
>  | where type == "microsoft.security/assessments"
>  | where * contains "Vulnerabilities in your virtual machines should be remediated"
>  | project id, properties.displayName

Yes, I get results from this query, but it looks like this is searching for the built-in policy compliance on the specific targets.
Is this audit policy a requirement for the built-in Qualys assessment agent to display results?

Worth mentioning, we have disabled the default ASC and created our own security baseline.


carlosfar commented on July 22, 2024

Hi @pelsebubb, indeed, the built-in policy "Vulnerabilities in your virtual machines should be remediated" is used by ASC to get results from the Qualys VA scanner. This policy is also used in the workbooks we have published in the GitHub community.

Anders-Kristiansen commented on July 22, 2024

> Hi @pelsebubb, indeed, the built-in policy "Vulnerabilities in your virtual machines should be remediated" is used by ASC to get results from the Qualys VA scanner. This policy is also used in the workbooks we have published in the GitHub community.

Hi again. The built-in policy "Vulnerabilities in your virtual machines should be remediated" is part of our custom initiative. I have tested assigning this policy to our default Security Center profile as well; it still only displays SQL. Do you know what actually publishes the results from Qualys into ARG?

carlosfar commented on July 22, 2024

@pelsebubb, did you install the Qualys extension on your VMs? Please make sure they are communicating properly. More info: https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm#how-the-integrated-vulnerability-scanner-works

Anders-Kristiansen commented on July 22, 2024

> @pelsebubb, did you install the Qualys extension on your VMs? Please make sure they are communicating properly. More info: https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm#how-the-integrated-vulnerability-scanner-works

I figured this out now. We needed to have an active assignment on the policy: "A vulnerability assessment solution should be enabled on your virtual machines".

Without this assignment, data simply was not published to ARG. I find it strange that we need to have an audit policy in place in order to get data into ARG. I have an MS support case on this, talking to the PM to validate whether this is a bug or not.

TomJanetscheck commented on July 22, 2024

Hi @pelsebubb,
the policy you mentioned is part of the ASC default policy initiative and used to generate the corresponding recommendation in ASC. If that policy is not active, ASC does not show VA findings as nested recommendations. ARG only shows data that ASC will provide. So, if the recommendation in your environment has been disabled, you also won't see the assessment results in ARG.

Closing this issue for now as it is no longer related to the GitHub artifact, and the root cause will be tracked in your support request.
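A diagnostic pair of Azure Resource Graph queries, added here as an example and not posted by anyone in the thread, that checks the two things the discussion turned on: whether the enabling assessment ("A vulnerability assessment solution should be enabled on your virtual machines") is present per VM at all, and which scanner types are actually publishing subassessments. It assumes that `properties.additionalData.assessedResourceType` carries the scanner type (the thread shows the value "SqlServerVulnerability"; to my knowledge the Qualys VM scanner reports "ServerVulnerability") and that the assessment `id` is the VM's resource id followed by `/providers/microsoft.security/assessments/<key>`, as the thread's own `extract(...)` relies on.

```kql
// Query 1: is the enabling assessment present, and what does it say per VM?
// Zero rows here means the policy behind it is not assigned, which is the
// situation the thread ended on: nothing is published to ARG until it is.
securityresources
| where type == "microsoft.security/assessments"
| where tostring(properties.displayName) =~ "A vulnerability assessment solution should be enabled on your virtual machines"
// assumption: the id prefix before the assessments segment is the VM's resource id
| extend vmId = tostring(split(tolower(id), "/providers/microsoft.security/assessments/")[0])
| extend statusCode = tostring(properties.status.code)   // Healthy / Unhealthy / NotApplicable
| project subscriptionId, vmId, statusCode
| order by statusCode asc, vmId asc

// Query 2: which scanner types publish subassessments, and at what severity?
// If only SqlServerVulnerability shows up, the VM scanner findings are missing,
// exactly the symptom described at the start of the thread.
securityresources
| where type == "microsoft.security/assessments/subassessments"
| extend assessedResourceType = tostring(properties.additionalData.assessedResourceType),  // assumption: scanner type lives here
         severity = tostring(properties.status.severity)
| summarize findings = count() by assessedResourceType, severity
| order by assessedResourceType asc, severity asc
```

Run the two queries separately in ARG Explorer (it executes one query at a time) with the affected subscription selected. Query 1 returning no rows while Query 2 returns only SQL findings is the combination that, in this thread, pointed at a missing policy assignment rather than a broken workbook.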
