🧹 Draft: Improve azure cnquery packs #99

Closed
wants to merge 6 commits into from
76 changes: 74 additions & 2 deletions core/mondoo-azure-inventory.mql.yaml
Expand Up @@ -23,13 +23,25 @@ packs:
docs:
desc: |
This query retrieves the Azure subscription id
mql: azure.subscription.id
mql: azure.subscription.subscriptionId
- uid: mondoo-asset-inventory-azure-subscription-name
title: Retrieve Azure subscription Name
Member

Suggested change
title: Retrieve Azure subscription Name
title: Retrieve Azure subscription name

docs:
desc: |
This query retrieves the Azure subscription name
mql: azure.subscription.name
- uid: mondoo-asset-inventory-azure-roleDefinitions
title: Retrieve data for all Azure roleDefinitions
docs:
desc: |
This query retrieves data for all Role definitions in the subscription
mql: azure.subscription.authorization.roleDefinitions
- uid: mondoo-asset-inventory-azure-subscription-policies
title: Retrieve data for all Azure subscription's policies
docs:
desc: |
This query retrieves data for all Policies in the subscription
mql: azure.subscription.subscriptionsPolicies
- uid: mondoo-asset-inventory-azure-cloudDefender
title: Retrieve data for all Azure CloudDefender
docs:
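Review bot: The titles of the two entries added at the end of this hunk do not match their own descriptions. `title: Retrieve data for all Azure roleDefinitions` uses the raw field name while the desc says "Role definitions", and `Retrieve data for all Azure subscription's policies` reads awkwardly; suggest "Retrieve data for all Azure role definitions" and "Retrieve data for all Azure subscription policies". For the `azure.subscription.id` to `azure.subscription.subscriptionId` change, the desc still only says "retrieves the Azure subscription id"; a short note on which form of the identifier is returned would help anyone who keys an inventory on this value.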
Expand Down Expand Up @@ -60,6 +72,12 @@ packs:
desc: |
This query retrieves data for all tables in storage accounts
mql: azure.subscription.storage.accounts { tableProperties }
- uid: mondoo-asset-inventory-azure-storageAccounts-queues
title: Retrieve data for all queues in Azure storage accounts
docs:
desc: |
This query retrieves data for all queues in storage accounts
mql: azure.subscription.storage.accounts {queueProperties}
- uid: mondoo-asset-inventory-azure-sqlServers
title: Retrieve data for all Azure SQL Database servers
docs:
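Review bot: The block spacing in the new queues query differs from the neighbouring entry: `accounts {queueProperties}` here versus `accounts { tableProperties }` in the context line above. Suggest `mql: azure.subscription.storage.accounts { queueProperties }` so the file stays consistent and greppable.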
Expand Down Expand Up @@ -114,6 +132,24 @@ packs:
desc: |
This query retrieves data for all Key Vaults
mql: azure.subscription.keyVault.vaults
- uid: mondoo-asset-inventory-azure-keyVaults-name
title: Retrieve data for all Azure Key Vaults Name
docs:
desc: |
This query retrieves data for all Key Vaults name
mql: azure.subscription.keyVault.vaults { vaultName }
- uid: mondoo-asset-inventory-azure-keyVaults-location
title: Retrieve data for all Azure Key Vaults location
docs:
desc: |
This query retrieves data for all Key Vaults location
mql: azure.subscription.keyVault.vaults { location }
- uid: mondoo-asset-inventory-azure-keyVaults-url
title: Retrieve data for all Azure Key Vaults urls
docs:
desc: |
This query retrieves data for all Key Vaults urls
mql: azure.subscription.keyVault.vaults { vaultUri }
- uid: mondoo-asset-inventory-azure-keyVaults-keys
title: Retrieve data for all Azure Key Vaults keys
docs:
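Review bot: The three new Key Vault entries (`{ vaultName }`, `{ location }`, `{ vaultUri }`) each walk `azure.subscription.keyVault.vaults` separately and return one field with no way to correlate name, location and URI across results. Consider one query that selects all three fields in a single block, or explain why they need to be separate. Naming is also inconsistent: the uid says `keyVaults-url`, the title says "urls", and the field is `vaultUri`; "Key Vaults Name" in the first title should be lower-case "names" to match the other titles.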
Expand All @@ -126,6 +162,12 @@ packs:
desc: |
This query retrieves data for all secrets in Key Vaults
mql: azure.subscription.keyVault.vaults { secrets }
- uid: mondoo-asset-inventory-azure-keyVaults-accessPolicies
title: Retrieve data for all Azure Key Vaults access policies
docs:
desc: |
This query retrieves data for all access policies of different objects in Key Vaults
mql: azure.subscription.keyVault.vaults { properties["accessPolicies"] }
- uid: mondoo-asset-inventory-azure-keyVaults-certificates
title: Retrieve data for all Azure Key Vaults certificates
docs:
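Review bot: The new access-policies query reads `properties["accessPolicies"]`, an untyped key lookup, while the sibling entries in this hunk use named fields (`{ secrets }`). A misspelled or absent key would yield an empty result instead of an error, so an inventory could silently show no access policies. If a typed field is available, prefer it; otherwise the desc should state that the value comes from the raw properties dict. The desc wording "access policies of different objects" is also vague; say whose access is listed.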
Expand Down Expand Up @@ -204,6 +246,24 @@ packs:
desc: |
This query retrieves data for all network interfaces
mql: azure.subscription.network.interfaces
- uid: mondoo-asset-inventory-azure-network-securityGroup-defaultrules
title: Retrieve data for all default network security group rules
docs:
desc: |
This query retrieves data for all default network security group rules
mql: azure.subscription.network.securityGroups { defaultSecurityRules }
- uid: mondoo-asset-inventory-azure-network-securityGroup-rules
title: Retrieve data for all defined network security group rules
docs:
desc: |
This query retrieves data for all defined network security group rules
mql: azure.subscription.network.securityGroups { securityRules }
- uid: mondoo-asset-inventory-azure-network-securityGroup-rules-info
title: Retrieve detailed data for all defined network security group rules
docs:
desc: |
This query retrieves detailed data for all defined network security group rules
mql: azure.subscription.network.securityGroups { securityRules {properties} }
- uid: mondoo-asset-inventory-azure-resourcegroups
title: Retrieve data for all resource groups inside the subscription
docs:
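Review bot: The second and third new entries overlap: `securityGroups { securityRules }` and `securityGroups { securityRules {properties} }` traverse the same rules, and their titles differ only by "detailed". Either fold them into one entry or make the descs say what `properties` adds over the plain rule listing. Minor style points: `{properties}` lacks the inner spaces used in `{ securityRules }`, and the uid `securityGroup-defaultrules` is lower-case where the rest of the file uses camelCase (`roleDefinitions`, `storageAccounts`).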
Expand All @@ -215,4 +275,16 @@ packs:
docs:
desc: |
This query retrieves data for all resources inside the subscription
mql: azure.subscription.resources
mql: azure.subscription.resources
- uid: mondoo-asset-inventory-azure-mfa-users
Member

We need to rework this in a data gathering way, not a security way. We could make it "Retrieve all users in the subscription and their MFA status"

Contributor Author

done, Thanks!

title: Retrieve all users in the subscription and their MFA status
docs:
desc: |
This query Retrieve all users' MFA status in the subscription
mql: microsoft.security.latestSecureScores.controlScores.one( _['controlName'] == 'MFARegistrationV2' && _['score'] == 9)
- uid: mondoo-asset-inventory-azure-activitylogs-alerts
title: Retrieve all activity logs alerts the subscription
docs:
desc: |
This query Retrieve all activity logs alerts in the subscription
mql: azure.subscription.monitor.activityLog.alerts {*}
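Review bot: The `mondoo-asset-inventory-azure-mfa-users` query does not do what its new title says. `controlScores.one( _['controlName'] == 'MFARegistrationV2' && _['score'] == 9)` is an assertion that yields a single pass/fail value against a hard-coded score of 9, not a list of users with their MFA status, so the entry is still a security check under an inventory title. For data gathering, return the matching control score entry itself without the `== 9` comparison, or retitle it to say it reports the MFA registration secure-score control. It is also the only query in the visible hunks rooted at `microsoft.` instead of `azure.subscription`, so the desc should state what connection it needs. Wording: both new descs read "This query Retrieve", and the second title is missing "in" ("alerts the subscription").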