mondoo-azure-inventory.mql.yaml
# Copyright (c) Mondoo, Inc.
# SPDX-License-Identifier: BUSL-1.1
packs:
  - uid: mondoo-asset-inventory-azure
    name: Azure Asset Inventory Pack
    version: 1.2.0
    license: BUSL-1.1
    authors:
      - name: Mondoo, Inc
        email: [email protected]
    tags:
      mondoo.com/platform: azure,cloud
      mondoo.com/category: best-practices
    docs:
      desc: |
        The Azure Asset Inventory by Mondoo query pack retrieves information about Azure subscriptions and resources for asset inventory.
    groups:
      - uid: mondoo-incident-response-aws-group
        title: Azure Asset Inventory Pack Group
        filters: asset.runtime == "azure"
        queries:
          - uid: mondoo-asset-inventory-azure-roleDefinitions
          - uid: mondoo-asset-inventory-azure-cloudDefender
          - uid: mondoo-asset-inventory-azure-storageAccounts
          - uid: mondoo-asset-inventory-azure-storageAccounts-containers
          - uid: mondoo-asset-inventory-azure-storageAccounts-blobs
          - uid: mondoo-asset-inventory-azure-storageAccounts-tables
          - uid: mondoo-asset-inventory-azure-sqlServers
          - uid: mondoo-asset-inventory-azure-sqlServers-firewallrules
          - uid: mondoo-asset-inventory-azure-sqlServers-databases
          - uid: mondoo-asset-inventory-azure-postgresql
          - uid: mondoo-asset-inventory-azure-postgresql-firewallrules
          - uid: mondoo-asset-inventory-azure-mysql
          - uid: mondoo-asset-inventory-azure-mysql-firewallrules
          - uid: mondoo-asset-inventory-azure-mariaDb
          - uid: mondoo-asset-inventory-azure-keyVaults
          - uid: mondoo-asset-inventory-azure-keyVaults-keys
          - uid: mondoo-asset-inventory-azure-keyVaults-secrets
          - uid: mondoo-asset-inventory-azure-keyVaults-certificates
          - uid: mondoo-asset-inventory-azure-activitylogs
          - uid: mondoo-asset-inventory-azure-networkSecurityGroups
          - uid: mondoo-asset-inventory-azure-publicip
          - uid: mondoo-asset-inventory-azure-virtualmachines
          - uid: mondoo-asset-inventory-azure-virtualmachines-managedDisk
          - uid: mondoo-asset-inventory-azure-webapp
          - uid: mondoo-asset-inventory-azure-cosmosDb
          - uid: mondoo-asset-inventory-azure-applicationInsight
          - uid: mondoo-asset-inventory-azure-networkWatcher
          - uid: mondoo-asset-inventory-azure-bastionHosts
          - uid: mondoo-asset-inventory-azure-compute-disks
          - uid: mondoo-asset-inventory-azure-network-interfaces
          - uid: mondoo-asset-inventory-azure-resourcegroups
          - uid: mondoo-asset-inventory-azure-resources
queries:
  - uid: mondoo-asset-inventory-azure-roleDefinitions
    title: Azure role definitions
    filters: asset.platform == "azure"
    docs:
      desc: |
        This query retrieves data for all role definitions in the subscription
    mql: azure.subscription.authorization.roleDefinitions
  - uid: mondoo-asset-inventory-azure-cloudDefender
    title: Microsoft Defender for Cloud configuration
    filters: asset.platform == "azure"
    docs:
      desc: |
        This query retrieves data for Microsoft Defender for Cloud
    mql: azure.subscription.cloudDefender { defenderForServers defenderForContainers securityContacts { name alertNotifications } }
  - uid: mondoo-asset-inventory-azure-storageAccounts
    title: Azure Storage accounts
    docs:
      desc: |
        This query retrieves data for all storage accounts
    variants:
      - uid: mondoo-asset-inventory-azure-storageAccounts-single
      - uid: mondoo-asset-inventory-azure-storageAccounts-api
  - uid: mondoo-asset-inventory-azure-storageAccounts-single
    filters: asset.platform == "azure-storage-account"
    mql: azure.subscription.storage.account
  - uid: mondoo-asset-inventory-azure-storageAccounts-api
    filters: asset.platform == "azure"
    mql: azure.subscription.storage.accounts
  - uid: mondoo-asset-inventory-azure-storageAccounts-containers
    title: Azure Storage account containers
    docs:
      desc: |
        This query retrieves data for all containers in storage accounts
    variants:
      - uid: mondoo-asset-inventory-azure-storageAccounts-containers-single
      - uid: mondoo-asset-inventory-azure-storageAccounts-containers-api
  - uid: mondoo-asset-inventory-azure-storageAccounts-containers-api
    filters: asset.platform == "azure"
    mql: azure.subscription.storage.accounts { containers }
  - uid: mondoo-asset-inventory-azure-storageAccounts-containers-single
    filters: asset.platform == "azure-storage-account" && azure.subscription.storage.account.containers != empty
    mql: azure.subscription.storage.account.containers
  - uid: mondoo-asset-inventory-azure-storageAccounts-blobs
    title: Azure storage accounts blobs
    docs:
      desc: |
        This query retrieves data for all blobs in storage accounts
    variants:
      - uid: mondoo-asset-inventory-azure-storageAccounts-blobs-single
      - uid: mondoo-asset-inventory-azure-storageAccounts-blobs-api
  - uid: mondoo-asset-inventory-azure-storageAccounts-blobs-api
    filters: asset.platform == "azure"
    mql: azure.subscription.storage.accounts { blobProperties }
  - uid: mondoo-asset-inventory-azure-storageAccounts-blobs-single
    filters: asset.platform == "azure-storage-account"
    mql: azure.subscription.storage.account.blobProperties
  - uid: mondoo-asset-inventory-azure-storageAccounts-tables
    title: Azure Storage accounts tables
    docs:
      desc: |
        This query retrieves data for all tables in storage accounts
    variants:
      - uid: mondoo-asset-inventory-azure-storageAccounts-tables-single
      - uid: mondoo-asset-inventory-azure-storageAccounts-tables-api
  - uid: mondoo-asset-inventory-azure-storageAccounts-tables-api
    filters: asset.platform == "azure"
    mql: azure.subscription.storage.accounts { tableProperties }
  - uid: mondoo-asset-inventory-azure-storageAccounts-tables-single
    filters: asset.platform == "azure-storage-account"
    mql: azure.subscription.storage.account.tableProperties
  - uid: mondoo-asset-inventory-azure-sqlServers
    title: Azure SQL Database servers
    docs:
      desc: |
        This query retrieves data for all Azure SQL Database servers
    variants:
      - uid: mondoo-asset-inventory-azure-sqlServers-single
      - uid: mondoo-asset-inventory-azure-sqlServers-api
  - uid: mondoo-asset-inventory-azure-sqlServers-api
    filters: asset.platform == "azure"
    mql: azure.subscription.sql.servers
  - uid: mondoo-asset-inventory-azure-sqlServers-single
    filters: asset.platform == "azure-sql-server"
    mql: azure.subscription.sql.server
  - uid: mondoo-asset-inventory-azure-sqlServers-firewallrules
    title: Azure SQL Database server firewall rules
    docs:
      desc: |
        This query retrieves data for all firewall rules in Azure SQL Database servers
    variants:
      - uid: mondoo-asset-inventory-azure-sqlServers-firewallrules-single
      - uid: mondoo-asset-inventory-azure-sqlServers-firewallrules-api
  - uid: mondoo-asset-inventory-azure-sqlServers-firewallrules-api
    filters: asset.platform == "azure"
    mql: azure.subscription.sql.servers { firewallRules }
  - uid: mondoo-asset-inventory-azure-sqlServers-firewallrules-single
    filters: asset.platform == "azure-sql-server"
    mql: azure.subscription.sql.server.firewallRules
  - uid: mondoo-asset-inventory-azure-sqlServers-databases
    title: Azure SQL Database server databases
    docs:
      desc: |
        This query retrieves data for all databases in Azure SQL Database servers
    variants:
      - uid: mondoo-asset-inventory-azure-sqlServers-databases-single
      - uid: mondoo-asset-inventory-azure-sqlServers-databases-api
  - uid: mondoo-asset-inventory-azure-sqlServers-databases-api
    filters: asset.platform == "azure"
    mql: azure.subscription.sql.servers { databases }
  - uid: mondoo-asset-inventory-azure-sqlServers-databases-single
    filters: asset.platform == "azure-sql-server"
    mql: azure.subscription.sql.server.databases
  - uid: mondoo-asset-inventory-azure-postgresql
    title: Azure PostgreSQL servers
    docs:
      desc: |
        This query retrieves data for all PostgreSQL servers
    variants:
      - uid: mondoo-asset-inventory-azure-postgresql-all
      - uid: mondoo-asset-inventory-azure-postgresql-legacy
      - uid: mondoo-asset-inventory-azure-postgresql-flexible
  - uid: mondoo-asset-inventory-azure-postgresql-all
    filters: asset.platform == "azure"
    mql: |
      azure.subscription.postgreSql.servers
      azure.subscription.postgreSql.flexibleServers
  - uid: mondoo-asset-inventory-azure-postgresql-legacy
    filters: asset.platform == "azure-postgresql-server"
    mql: azure.subscription.postgreSql.server
  - uid: mondoo-asset-inventory-azure-postgresql-flexible
    filters: asset.platform == "azure-postgresql-flexible-server"
    mql: azure.subscription.postgreSql.flexibleServer
  - uid: mondoo-asset-inventory-azure-postgresql-firewallrules
    title: Azure PostgreSQL server firewall rules
    docs:
      desc: |
        This query retrieves data for all firewall rules in Azure PostgreSQL servers
    variants:
      - uid: mondoo-asset-inventory-azure-postgresql-firewallrules-all
      - uid: mondoo-asset-inventory-azure-postgresql-firewallrules-legacy
      - uid: mondoo-asset-inventory-azure-postgresql-firewallrules-flexible
  - uid: mondoo-asset-inventory-azure-postgresql-firewallrules-all
    filters: asset.platform == "azure"
    mql: |
      azure.subscription.postgreSql.servers { firewallRules }
      azure.subscription.postgreSql.flexibleServers { firewallRules }
  - uid: mondoo-asset-inventory-azure-postgresql-firewallrules-legacy
    filters: asset.platform == "azure-postgresql-server"
    mql: azure.subscription.postgreSql.server.firewallRules
  - uid: mondoo-asset-inventory-azure-postgresql-firewallrules-flexible
    filters: asset.platform == "azure-postgresql-flexible-server"
    mql: azure.subscription.postgreSql.flexibleServer.firewallRules
  - uid: mondoo-asset-inventory-azure-mysql-firewallrules
    title: Azure MySQL server firewall rules
    docs:
      desc: |
        This query retrieves data for all firewall rules in Azure MySQL servers
    variants:
      - uid: mondoo-asset-inventory-azure-mysql-firewallrules-all
      - uid: mondoo-asset-inventory-azure-mysql-firewallrules-legacy
      - uid: mondoo-asset-inventory-azure-mysql-firewallrules-flexible
  - uid: mondoo-asset-inventory-azure-mysql-firewallrules-all
    filters: asset.platform == "azure"
    mql: |
      azure.subscription.mySql.servers { firewallRules }
      azure.subscription.mySql.flexibleServers { firewallRules }
  - uid: mondoo-asset-inventory-azure-mysql-firewallrules-legacy
    filters: asset.platform == "azure-mysql-server"
    mql: azure.subscription.mySql.server.firewallRules
  - uid: mondoo-asset-inventory-azure-mysql-firewallrules-flexible
    filters: asset.platform == "azure-mysql-flexible-server"
    mql: azure.subscription.mySql.flexibleServer.firewallRules
  - uid: mondoo-asset-inventory-azure-mysql
    title: Azure MySQL servers
    docs:
      desc: |
        This query retrieves data for all Azure MySQL servers
    variants:
      - uid: mondoo-asset-inventory-azure-mysql-all
      - uid: mondoo-asset-inventory-azure-mysql-legacy
      - uid: mondoo-asset-inventory-azure-mysql-flexible
  - uid: mondoo-asset-inventory-azure-mysql-all
    filters: asset.platform == "azure"
    mql: |
      azure.subscription.mySql.servers
      azure.subscription.mySql.flexibleServers
  - uid: mondoo-asset-inventory-azure-mysql-legacy
    filters: asset.platform == "azure-mysql-server"
    mql: azure.subscription.mySql.server
  - uid: mondoo-asset-inventory-azure-mysql-flexible
    filters: asset.platform == "azure-mysql-flexible-server"
    mql: azure.subscription.mySql.flexibleServer
  - uid: mondoo-asset-inventory-azure-mariaDb
    title: Azure MariaDB servers
    docs:
      desc: |
        This query retrieves data for all Azure MariaDB servers
    variants:
      - uid: mondoo-asset-inventory-azure-mariaDb-single
      - uid: mondoo-asset-inventory-azure-mariaDb-api
  - uid: mondoo-asset-inventory-azure-mariaDb-api
    filters: asset.platform == "azure"
    mql: azure.subscription.mariaDb.servers
  - uid: mondoo-asset-inventory-azure-mariaDb-single
    filters: asset.platform == "azure-mariadb-server"
    mql: azure.subscription.mariaDb.server
  - uid: mondoo-asset-inventory-azure-diagnosticSettings
    title: Azure diagnostic settings
    filters: asset.platform == "azure"
    docs:
      desc: |
        This query retrieves data for all diagnostic settings
    mql: azure.subscription.monitor.diagnosticSettings
  - uid: mondoo-asset-inventory-azure-keyVaults
    title: Azure Key Vault vaults
    docs:
      desc: |
        This query retrieves data for all Azure Key Vault vaults
    variants:
      - uid: mondoo-asset-inventory-azure-keyVaults-single
      - uid: mondoo-asset-inventory-azure-keyVaults-api
  - uid: mondoo-asset-inventory-azure-keyVaults-api
    filters: asset.platform == "azure"
    mql: azure.subscription.keyVault.vaults
  - uid: mondoo-asset-inventory-azure-keyVaults-single
    filters: asset.platform == "azure-keyvault-vault"
    mql: azure.subscription.keyVault.vault
  - uid: mondoo-asset-inventory-azure-keyVaults-keys
    title: Azure Key Vault vault keys
    docs:
      desc: |
        This query retrieves data for all keys in Key Vaults
    variants:
      - uid: mondoo-asset-inventory-azure-keyVaults-keys-api
      - uid: mondoo-asset-inventory-azure-keyVaults-keys-single
  - uid: mondoo-asset-inventory-azure-keyVaults-keys-api
    filters: asset.platform == "azure"
    mql: azure.subscription.keyVault.vaults { keys }
  - uid: mondoo-asset-inventory-azure-keyVaults-keys-single
    filters: asset.platform == "azure-keyvault-vault"
    mql: azure.subscription.keyVault.vault.keys
  - uid: mondoo-asset-inventory-azure-keyVaults-secrets
    title: Azure Key Vault vault secrets
    docs:
      desc: |
        This query retrieves data for all secrets in Key Vaults
    variants:
      - uid: mondoo-asset-inventory-azure-keyVaults-secrets-api
      - uid: mondoo-asset-inventory-azure-keyVaults-secrets-single
  - uid: mondoo-asset-inventory-azure-keyVaults-secrets-api
    filters: asset.platform == "azure"
    mql: azure.subscription.keyVault.vaults { secrets }
  - uid: mondoo-asset-inventory-azure-keyVaults-secrets-single
    filters: asset.platform == "azure-keyvault-vault"
    mql: azure.subscription.keyVault.vault.secrets
  - uid: mondoo-asset-inventory-azure-keyVaults-certificates
    title: Azure Key Vault vault certificates
    docs:
      desc: |
        This query retrieves data for all certificates in Key Vaults
    variants:
      - uid: mondoo-asset-inventory-azure-keyVaults-certificates-api
      - uid: mondoo-asset-inventory-azure-keyVaults-certificates-single
  - uid: mondoo-asset-inventory-azure-keyVaults-certificates-api
    filters: asset.platform == "azure"
    mql: azure.subscription.keyVault.vaults { certificates }
  - uid: mondoo-asset-inventory-azure-keyVaults-certificates-single
    filters: asset.platform == "azure-keyvault-vault"
    mql: azure.subscription.keyVault.vault.certificates
  - uid: mondoo-asset-inventory-azure-activitylogs
    title: Azure activity logs
    filters: asset.platform == "azure"
    docs:
      desc: |
        This query retrieves data for all activity logs
    mql: azure.subscription.monitor.activityLog
  - uid: mondoo-asset-inventory-azure-networkSecurityGroups
    title: Azure network security groups
    docs:
      desc: |
        This query retrieves data for all network security groups
    variants:
      - uid: mondoo-asset-inventory-azure-networkSecurityGroups-api
      - uid: mondoo-asset-inventory-azure-networkSecurityGroups-single
  - uid: mondoo-asset-inventory-azure-networkSecurityGroups-api
    filters: asset.platform == "azure"
    mql: azure.subscription.network.securityGroups
  - uid: mondoo-asset-inventory-azure-networkSecurityGroups-single
    filters: asset.platform == "azure-network-security-group"
    mql: azure.subscription.network.securityGroup
  - uid: mondoo-asset-inventory-azure-publicip
    title: Azure public IP addresses
    filters: asset.platform == "azure"
    docs:
      desc: |
        This query retrieves all public IP addresses in your subscription
    mql: azure.subscription.networkService.publicIpAddresses{ name location ipAddress }
  - uid: mondoo-asset-inventory-azure-virtualmachines
    title: Azure virtual machines
    docs:
      desc: |
        This query retrieves data for all virtual machines
    variants:
      - uid: mondoo-asset-inventory-azure-virtualmachines-api
      - uid: mondoo-asset-inventory-azure-virtualmachines-single
  - uid: mondoo-asset-inventory-azure-virtualmachines-api
    filters: asset.platform == "azure"
    mql: azure.subscription.compute.vms
  - uid: mondoo-asset-inventory-azure-virtualmachines-single
    filters: asset.platform == "azure-compute-vm-api"
    mql: azure.subscription.compute.vm
  - uid: mondoo-asset-inventory-azure-virtualmachines-managedDisk
    title: Azure virtual machines with managed disks
    docs:
      desc: |
        This query retrieves data for all virtual machines with managed disks
    variants:
      - uid: mondoo-asset-inventory-azure-virtualmachines-managedDisk-api
      - uid: mondoo-asset-inventory-azure-virtualmachines-managedDisk-single
  - uid: mondoo-asset-inventory-azure-virtualmachines-managedDisk-api
    filters: asset.platform == "azure"
    mql: azure.subscription.compute.vms.where( properties["storageProfile"]["osDisk"]["managedDisk"] != empty )
  - uid: mondoo-asset-inventory-azure-virtualmachines-managedDisk-single
    filters: asset.platform == "azure-compute-vm-api" && azure.subscription.compute.vm.properties["storageProfile"]["osDisk"]["managedDisk"] != empty
    mql: azure.subscription.compute.vm.properties["storageProfile"]["osDisk"]["managedDisk"] != empty
  - uid: mondoo-asset-inventory-azure-webapp
    title: Azure web apps
    filters: asset.platform == "azure"
    docs:
      desc: |
        This query retrieves data for all web apps
    mql: azure.subscription.web.apps
  - uid: mondoo-asset-inventory-azure-cosmosDb
    title: Azure Cosmos DB accounts
    filters: asset.platform == "azure"
    docs:
      desc: |
        This query retrieves data for all Cosmos DB accounts
    mql: azure.subscription.cosmosDb.accounts
  - uid: mondoo-asset-inventory-azure-applicationInsight
    title: Azure Monitor Application Insights
    filters: asset.platform == "azure"
    docs:
      desc: |
        This query retrieves data for all Application Insights
    mql: azure.subscription.monitor.applicationInsights
  - uid: mondoo-asset-inventory-azure-networkWatcher
    title: Azure Network Watchers
    filters: asset.platform == "azure"
    docs:
      desc: |
        This query retrieves data for Azure Network Watchers
    mql: azure.subscription.network.watchers
  - uid: mondoo-asset-inventory-azure-bastionHosts
    title: Azure Bastion hosts
    filters: asset.platform == "azure"
    docs:
      desc: |
        This query retrieves data for all Bastion hosts
    mql: azure.subscription.network.bastionHosts
  - uid: mondoo-asset-inventory-azure-compute-disks
    title: Compute disks
    filters: asset.platform == "azure"
    docs:
      desc: |
        This query retrieves data for all compute disks available in the subscription
    mql: azure.subscription.compute.disks
  - uid: mondoo-asset-inventory-azure-network-interfaces
    title: Network interfaces
    filters: asset.platform == "azure"
    docs:
      desc: |
        This query retrieves data for all network interfaces
    mql: azure.subscription.network.interfaces{ name location properties['nicType'] properties['macAddress'] properties['virtualMachine']['id'] }
  - uid: mondoo-asset-inventory-azure-resourcegroups
    title: Azure subscription resource groups
    filters: asset.platform == "azure"
    docs:
      desc: |
        This query retrieves data for all resource groups inside the subscription
    mql: azure.subscription.resourceGroups
  - uid: mondoo-asset-inventory-azure-resources
    title: Azure subscription resources
    filters: asset.platform == "azure"
    docs:
      desc: |
        This query retrieves data for all resources inside the subscription
    mql: azure.subscription.resources