Qualys workbooks do not work after ARG changes. #300

Closed
Anders-Kristiansen opened this issue Feb 2, 2021 · 10 comments
Comments

@Anders-Kristiansen

Anders-Kristiansen commented Feb 2, 2021

None of the workbooks at https://github.com/Azure/Azure-Security-Center/tree/master/Workbooks/ASCQualysDashboard is working at the moment after ARG was changed.


@TomJanetscheck
Contributor

Hi there,
the queries used in these workbooks are based on the subassessments resource type in ARG. Do you see any results if you run the following query in Azure Resource Graph Explorer?

securityresources | where type == "microsoft.security/assessments/subassessments"

What current change in ARG are you referring to?

@Anders-Kristiansen
Author

Anders-Kristiansen commented Feb 2, 2021

> Hi there,
> the queries used in these workbooks are based on the subassessments resource type in ARG. Do you see any results if you run the following query in Azure Resource Graph Explorer?
>
> securityresources | where type == "microsoft.security/assessments/subassessments"
>
> What current change in ARG are you referring to?

I can see some results, but they are only coming from the "assessedResourceType": "SqlServerVulnerability". You see nothing from Qualys at all.
For example, the guide given here does not display any results:
https://techcommunity.microsoft.com/t5/azure-security-center/exporting-vulnerability-assessment-results-in-azure-security/ba-p/1212091

securityresources
| where type == "microsoft.security/assessments"
| where * contains "vulnerabilities in your virtual machines"
| summarize by assessmentKey=name // the ID of the assessment
| join kind=inner (
    securityresources
    | where type == "microsoft.security/assessments/subassessments"
    | extend assessmentKey = extract(".*assessments/(.+?)/.*", 1, id)
  ) on assessmentKey
| project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId
| extend description = properties.description,
         displayName = properties.displayName,
         resourceId = properties.resourceDetails.id,
         resourceSource = properties.resourceDetails.source,
         category = properties.category,
         severity = properties.status.severity,
         code = properties.status.code,
         timeGenerated = properties.timeGenerated,
         remediation = properties.remediation,
         impact = properties.impact,
         vulnId = properties.id,
         additionalData = properties.additionalData

This displayed results before.

The change I'm referring to is this:
https://docs.microsoft.com/en-us/azure/security-center/release-notes#microsoftsecuritysecuritystatuses-table-removed-from-azure-resource-graph-arg

The workbooks only work with SQL assessments now, which is also what your query gets results from.

@TomJanetscheck
Contributor

Hi @pelsebubb
the Microsoft.Security/securityStatuses table doesn't seem to be used within these workbooks, so it doesn't seem to be related to the change you mention which was back in October 2020. Adding @carlosfar who created the workbook.

@carlosfar
Contributor

Hi @pelsebubb,

Indeed, the workbook does not use the Microsoft.Security/securityStatuses table. The workbook uses the Microsoft.security/assessments and Microsoft.security/assessments/subassessments tables to get results.

Do you see any results if you try to query the top level Qualys recommendation for VMs (please make sure you select the correct subscription in ARG Explorer)?

securityresources
 | where type == "microsoft.security/assessments"
 | where * contains "Vulnerabilities in your virtual machines should be remediated"
 | project id, properties.displayName

@Anders-Kristiansen
Author

Anders-Kristiansen commented Feb 5, 2021

> Hi @pelsebubb,
>
> Indeed, the workbook do not use the Microsoft.Security/securityStatuses table. The workbook uses the Microsoft.security/assessments and Microsoft.security/assessments/subassessments tables to get results.
>
> Do you see any results if you try to query the top level Qualys recommendation for VMs (please make sure you select the correct subscription in ARG Explorer)?
>
> securityresources
>  | where type == "microsoft.security/assessments"
>  | where * contains "Vulnerabilities in your virtual machines should be remediated"
>  | project id, properties.displayName

Yes, I get results from this query, but it looks like this is searching for the built-in policy compliance on the specific targets.
Is this audit policy a requirement for the built-in Qualys assessment agent to display results?

Worth mentioning: we have disabled the default ASC policy and created our own security baseline.


@carlosfar
Contributor

Hi @pelsebubb, indeed, the built-in policy "Vulnerabilities in your virtual machines should be remediated" is used by ASC to get results from the Qualys VA scanner. This policy is also used in the workbooks we have published in the github community.

@Anders-Kristiansen
Author

> Hi @pelsebubb, indeed, the built-in policy "Vulnerabilities in your virtual machines should be remediated" is used by ASC to get results from the Qualys VA scanner. This policy is also used in the workbooks we have published in the github community.

Hi again. The built-in policy "Vulnerabilities in your virtual machines should be remediated" is a part of our custom initiative. I have tested assigning this policy to our default Security Center profile as well; it still only displays SQL. Do you know what actually publishes the results from Qualys into ARG?

@carlosfar
Contributor

@pelsebubb, did you install the Qualys extension in your VMs? Please make sure they are properly communicating. More info: https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm#how-the-integrated-vulnerability-scanner-works

@Anders-Kristiansen
Author

> @pelsebubb, did you install the Qualys extension in your VMs? Please make sure they are properly communicating. More info: https://docs.microsoft.com/en-us/azure/security-center/deploy-vulnerability-assessment-vm#how-the-integrated-vulnerability-scanner-works

I figured this out now. We needed to have an active assignment on the policy "A vulnerability assessment solution should be enabled on your virtual machines".

Without this assignment, data simply was not published to ARG. I find it strange that we need to have an audit policy in place in order to get data into ARG. I have an MS support case on this, talking to the PM to validate whether this is a bug or not.

@TomJanetscheck
Contributor

Hi @pelsebubb,
the policy you mentioned is part of the ASC default policy initiative and used to generate the corresponding recommendation in ASC. If that policy is not active, ASC does not show VA findings as nested recommendations. ARG only shows data that ASC will provide. So, if the recommendation in your environment has been disabled, you also won't see the assessment results in ARG.

Closing this issue for now as it is no longer related to the Github artifact, and the root cause will be tracked in your support request.
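The thread's diagnosis in one query, as an added example that is not part of the workbook or of any comment above: it groups every row in the subassessments table by the parent assessment and by the `assessedResourceType` value the reporter mentioned, and joins in the parent assessment's display name so the Qualys recommendation ("Vulnerabilities in your virtual machines should be remediated") can be told apart from the SQL one. The `extract` of the assessment key from `id` is the same expression used in the reporter's query; reading `assessedResourceType` from `properties.additionalData` is an assumption based on the reporter's comment, as is the choice of `leftouter` so that subassessments whose parent is missing still show up with an empty display name.

```kusto
// Added diagnostic query (not the workbook's own). Run it in Azure Resource Graph
// Explorer with the affected subscription selected.
securityresources
| where type == "microsoft.security/assessments/subassessments"
// Same key extraction the reporter's query uses: the assessment GUID in the id path.
| extend assessmentKey = extract(".*assessments/(.+?)/.*", 1, id)
// Assumption: the per-finding source type lives under additionalData, as in the
// "assessedResourceType": "SqlServerVulnerability" rows the reporter saw.
| extend assessedResourceType = tostring(properties.additionalData.assessedResourceType)
| summarize findings = count() by assessmentKey, assessedResourceType
// Attach the parent assessment's display name so each bucket is readable.
| join kind=leftouter (
    securityresources
    | where type == "microsoft.security/assessments"
    | extend assessmentKey = name, displayName = tostring(properties.displayName)
    | distinct assessmentKey, displayName
  ) on assessmentKey
| project displayName, assessmentKey, assessedResourceType, findings
| order by findings desc
```

If the output lists only SQL-related buckets and no bucket under the VM vulnerability recommendation, the subassessments for Qualys are simply not being published, which is the state this thread traced to the missing assignment of "A vulnerability assessment solution should be enabled on your virtual machines"; an empty `displayName` next to a populated bucket instead points at a parent assessment that is filtered out in the selected subscription.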
