Merge pull request #260828 from AsafAlgawi-MSFT/main

v-ccolin · web-flow · commit e6d0921a46c9 · 2023-12-14T11:19:42.000Z
Add support for multicloud data in subassessment
diff --git a/articles/defender-for-cloud/subassessment-rest-api.md b/articles/defender-for-cloud/subassessment-rest-api.md
@@ -12,14 +12,16 @@ ms.topic: how-to
 
 ## Overview
 
-Azure Resource Graph (ARG) provides a REST API that can be used to pragmatically access vulnerability assessment results for both Azure registry and runtime vulnerabilities recommendations.
+Azure Resource Graph (ARG) provides a REST API that can be used to programmatically access vulnerability assessment results for both Azure registry and runtime vulnerabilities recommendations.
 Learn more about [ARG references and query examples](/azure/governance/resource-graph/overview).
 
-Azure container registry vulnerabilities sub-assessments are published to ARG as part of the security resources. Learn more about [security sub-assessments](/azure/governance/resource-graph/samples/samples-by-category?tabs=azure-cli#list-container-registry-vulnerability-assessment-results).
+Azure and AWS container registry vulnerabilities sub-assessments are published to ARG as part of the security resources. Learn more about [security sub-assessments](/azure/governance/resource-graph/samples/samples-by-category?tabs=azure-cli#list-container-registry-vulnerability-assessment-results).
 
 ## ARG query examples
 
-To pull specific sub assessments, you need the assessment key. For Container vulnerability assessment powered by MDVM the key is `c0b7cfc6-3172-465a-b378-53c7ff2cc0d5`. 
+To pull specific sub assessments, you need the assessment key.
+* For Azure container vulnerability assessment powered by MDVM the key is `c0b7cfc6-3172-465a-b378-53c7ff2cc0d5`.
+* For AWS container vulnerability assessment powered by MDVM the key is `c27441ae-775c-45be-8ffa-655de37362ce`.
 
 The following is a generic security sub assessment query example that can be used as an example to build queries with. This query pulls the first sub assessment generated in the last hour.
 ```kql
@@ -30,7 +32,7 @@ securityresources
 | extend timeGenerated = properties.timeGenerated
 | where timeGenerated > ago(1h)
 ```
-### Query result
+### Query result - Azure sub-assessment
 ```json
 [
   {
@@ -163,12 +165,161 @@ securityresources
 ]
 ```
 
+### Query result - AWS sub-assessment
+```json
+[
+  {
+    "id": "/subscriptions/{SubscriptionId}/resourceGroups/{ResourceGroup}/providers/ microsoft.security/ securityconnectors/{SecurityConnectorName}/ securityentitydata/aws-ecr-repository-{RepositoryName}-{Region}/providers/Microsoft.Security/assessments/c27441ae-775c-45be-8ffa-655de37362ce/subassessments/{SubAssessmentId}",
+    "name": "{SubAssessmentId}",
+    "type": "microsoft.security/assessments/subassessments",
+    "tenantId": "{TenantId}",
+    "kind": "",
+    "location": "global",
+    "resourceGroup": "{ResourceGroup}",
+    "subscriptionId": "{SubscriptionId}",
+    "managedBy": "",
+    "sku": null,
+    "plan": null,
+    "properties": {
+      "description": "This vulnerability affects the following vendors: Debian, Fedora, Luatex_Project, Miktex, Oracle, Suse, Tug, Ubuntu. To view more details about this vulnerability please visit the vendor website.",
+      "resourceDetails": {
+          "id": "544047870946.dkr.ecr.us-east-1.amazonaws.com/mc/va/eastus/verybigimage@sha256:87e18285c301bc09b7f2da126992475eb0c536d38272aa0a7066324b7dda3d87",
+          "source": "Aws",
+          "connectorId": "649e5f3a-ea19-4057-88fd-58b1f4b774e2",
+          "region": "us-east-1",
+          "nativeCloudUniqueIdentifier": "arn:aws:ecr:us-east-1:544047870946:image/mc/va/eastus/verybigimage",
+          "resourceProvider": "ecr",
+          "resourceType": "repository",
+          "resourceName": "mc/va/eastus/verybigimage",
+          "hierarchyId": "544047870946"
+      },
+      "additionalData": {
+          "assessedResourceType": "AwsContainerRegistryVulnerability",
+          "cvssV30Score": 7.8,
+          "vulnerabilityDetails": {
+              "severity": "High",
+              "exploitabilityAssessment": {
+                  "exploitStepsPublished": false,
+                  "exploitStepsVerified": false,
+                  "isInExploitKit": false,
+                  "exploitUris": [],
+                  "types": []
+              },
+              "lastModifiedDate": "2023-11-07T00:00:00.0000000Z",
+              "publishedDate": "2023-05-16T00:00:00.0000000Z",
+              "workarounds": [],
+              "weaknesses": {
+                  "cwe": []
+              },
+              "references": [
+                  {
+                      "title": "CVE-2023-32700",
+                      "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32700"
+                  },
+                  {
+                      "title": "CVE-2023-32700_oval:com.oracle.elsa:def:20233661",
+                      "link": "https://linux.oracle.com/security/oval/com.oracle.elsa-all.xml.bz2"
+                  },
+                  {
+                      "title": "CVE-2023-32700_oval:com.ubuntu.bionic:def:61151000000",
+                      "link": "https://security-metadata.canonical.com/oval/com.ubuntu.bionic.usn.oval.xml.bz2"
+                  },
+                  {
+                      "title": "CVE-2023-32700_oval:org.debian:def:155787957530144107267311766002078821941",
+                      "link": "https://www.debian.org/security/oval/oval-definitions-bullseye.xml"
+                  },
+                  {
+                      "title": "oval:org.opensuse.security:def:202332700",
+                      "link": "https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.server.15.xml.gz"
+                  },
+                  {
+                      "title": "texlive-base-20220321-72.fc38",
+                      "link": "https://archives.fedoraproject.org/pub/fedora/linux/updates/38/Everything/x86_64/repodata/c7921a40ea935e92e8cfe8f4f0062fbc3a8b55bc01eaf0e5cfc196d51ebab20d-updateinfo.xml.xz"
+                  }
+              ],
+              "cvss": {
+                  "2.0": null,
+                  "3.0": {
+                      "cvssVectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+                      "base": 7.8
+                  }
+              },
+              "cveId": "CVE-2023-32700",
+              "cpe": {
+                  "language": "*",
+                  "softwareEdition": "*",
+                  "version": "*",
+                  "targetSoftware": "ubuntu_linux_20.04",
+                  "targetHardware": "*",
+                  "vendor": "ubuntu",
+                  "edition": "*",
+                  "product": "libptexenc1",
+                  "update": "*",
+                  "other": "*",
+                  "part": "Applications",
+                  "uri": "cpe:2.3:a:ubuntu:libptexenc1:*:*:*:*:*:ubuntu_linux_20.04:*:*"
+              }
+          },
+          "artifactDetails": {
+              "repositoryName": "mc/va/eastus/verybigimage",
+              "registryHost": "544047870946.dkr.ecr.us-east-1.amazonaws.com",
+              "lastPushedToRegistryUTC": "2022-06-26T13:24:03.0000000Z",
+              "artifactType": "ContainerImage",
+              "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+              "digest": "sha256:87e18285c301bc09b7f2da126992475eb0c536d38272aa0a7066324b7dda3d87",
+              "tags": [
+                  "latest"
+              ]
+          },
+          "softwareDetails": {
+              "fixedVersion": "2019.20190605.51237-3ubuntu0.1",
+              "language": "",
+              "category": "OS",
+              "osDetails": {
+                  "osPlatform": "linux",
+                  "osVersion": "ubuntu_linux_20.04"
+              },
+              "version": "2019.20190605.51237-3build2",
+              "vendor": "ubuntu",
+              "packageName": "libptexenc1",
+              "fixStatus": "FixAvailable",
+              "evidence": [
+                  "dpkg-query -f '${Package}:${Source}:\\n' -W | grep -e ^libptexenc1:.* -e .*:libptexenc1: | cut -f 1 -d ':' | xargs dpkg-query -s",
+                  "dpkg-query -f '${Package}:${Source}:\\n' -W | grep -e ^libptexenc1:.* -e .*:libptexenc1: | cut -f 1 -d ':' | xargs dpkg-query -s"
+              ],
+              "fixReference": {
+                  "description": "USN-6115-1: TeX Live vulnerability 2023 May 30",
+                  "id": "USN-6115-1",
+                  "releaseDate": "2023-05-30T00:00:00.0000000Z",
+                  "url": "https://ubuntu.com/security/notices/USN-6115-1"
+              }
+          }
+      },
+      "timeGenerated": "2023-12-11T13:23:58.4539977Z",
+      "displayName": "CVE-2023-32700",
+      "remediation": "Create new image with updated package libptexenc1 with version 2019.20190605.51237-3ubuntu0.1 or higher.",
+      "status": {
+          "severity": "High",
+          "code": "Unhealthy"
+      },
+      "id": "CVE-2023-32700"
+    },
+    "tags": null,
+    "identity": null,
+    "zones": null,
+    "extendedLocation": null,
+    "assessmentKey": "c27441ae-775c-45be-8ffa-655de37362ce",
+    "timeGenerated": "2023-12-11T13:23:58.4539977Z"
+  }
+]
+```
+
 ## Definitions
 
 | Name                        | Description                                                  |
 | --------------------------- | ------------------------------------------------------------ |
-| AzureResourceDetails        | Details of  the Azure resource that was assessed             |
-| AzureContainerVulnerability | More  context fields for container registry Vulnerability assessment |
+| ResourceDetails             | Details of  the Azure resource that was assessed             |
+| ContainerRegistryVulnerability      | More  context fields for container registry vulnerability assessment |
 | CVE                         | CVE Details                                                  |
 | CVSS                        | CVSS Details                                                 |
 | SecuritySubAssessment       | Security  subassessment on a resource                       |
@@ -183,13 +334,13 @@ securityresources
 | VulnerabilityReference      | Reference  links to vulnerability                            |
 | ExploitabilityAssessment    | Reference  links to an example exploit                       |
 
-### AzureContainerRegistryVulnerability (MDVM)
+### ContainerRegistryVulnerability (MDVM)
 
 Other context fields for Azure container registry vulnerability assessment
 
 | **Name**             | **Type**                                     | **Description**               |
 | -------------------- | -------------------------------------------- | ----------------------------- |
-| assessedResourceType | string:  AzureContainerRegistryVulnerability | Subassessment  resource type |
+| assessedResourceType | string: <br> AzureContainerRegistryVulnerability<br> AwsContainerRegistryVulnerability | Subassessment resource type   |
 | cvssV30Score         | Numeric                                      | CVSS V3 Score                 |
 | vulnerabilityDetails | VulnerabilityDetails                         |                               |
 | artifactDetails      | ArtifactDetails                              |                               |
@@ -202,7 +353,7 @@ Context details for the affected container image
 | **Name**                   | **Type**                | **Description**                      |
 | -------------------------- | ----------------------- | ------------------------------------ |
 | repositoryName             | String                  | Repository  name                     |
-| RepositoryHost             | String                  | Repository  host                     |
+| RegistryHost               | String                  | Registry  host                       |
 | lastPublishedToRegistryUTC | Timestamp               | UTC timestamp  for last publish date |
 | artifactType               | String:  ContainerImage |                                      |
 | mediaType                  | String                  | Layer media type                     |
@@ -314,7 +465,7 @@ Reference links to an example exploit
 | isInExploitKit        | Boolean  | Is part of  the exploit kit                                  |
 | types                 | String   | Exploit  types, for example: NotAvailable, Dos, Local, Remote, WebApps, PrivilegeEscalation |
 
-### AzureResourceDetails
+### ResourceDetails - Azure
 
 Details of the Azure resource that was assessed
 
@@ -323,6 +474,43 @@ Details of the Azure resource that was assessed
 | ID       | string         | Azure resource ID of the assessed resource       |
 | source   | string:  Azure | The platform where the assessed resource resides |
 
+### ResourceDetails - AWS
+
+Details of the AWS resource that was assessed
+
+| **Name**                    | **Type**        | **Description**                                  |
+| --------------------------- | --------------- | ------------------------------------------------ |
+| id                          | string          | Azure resource ID of the assessed resource       |
+| source                      | string: Aws     | The platform where the assessed resource resides |
+| connectorId                 | string          | Connector ID                                     |
+| region                      | string          | Region                                           |
+| nativeCloudUniqueIdentifier | string          | Native Cloud's Resource ID of the Assessed resource in |
+| resourceProvider            | string: ecr     | The assessed resource provider                   |
+| resourceType                | string          | The assessed resource type                       |
+| resourceName                | string          | The assessed resource name                       |
+| hierarchyId                 | string          | Account ID (Aws)                                 |
+
+### SubAssessmentStatus
+
+Status of the sub-assessment
+
+| **Name** | **Type** | **Description**|
+| --------------------------- | --------------- | ------------------------------------------------ |
+| cause | String | 	Programmatic code for the cause of the assessment status |
+| code | SubAssessmentStatusCode | Programmatic code for the status of the assessment
+| description | string | Human readable description of the assessment status |
+| severity | severity | The sub-assessment severity level |
+
+### SubAssessmentStatusCode
+
+Programmatic code for the status of the assessment 
+
+| **Name** | **Type** | **Description**|
+| --------------------------- | --------------- | ------------------------------------------------ |
+| Healthy	| string | The resource is healthy |
+| NotApplicable	| string | Assessment for this resource did not happen |
+| Unhealthy | string | The resource has a security issue that needs to be addressed |
+
 ### SecuritySubAssessment
 
 Security subassessment on a resource
@@ -338,8 +526,8 @@ Security subassessment on a resource
 | properties.id              | string                                                       | Vulnerability ID                                    |
 | properties.impact          | string                                                       | Description of the impact of this subassessment    |
 | properties.remediation     | string                                                       | Information on how to remediate this subassessment |
-| properties.resourceDetails | ResourceDetails:     [AzureResourceDetails](/rest/api/defenderforcloud/sub-assessments/list#azureresourcedetails) | Details of the resource that was assessed           |
-| properties.status          | [SubAssessmentStatus](/rest/api/defenderforcloud/sub-assessments/list#subassessmentstatus) | Status of the subassessment                        |
+| properties.resourceDetails | ResourceDetails: <br> [Azure Resource Details](/azure/defender-for-cloud/subassessment-rest-api#resourcedetails---azure) <br> [AWS Resource Details](/azure/defender-for-cloud/subassessment-rest-api#resourcedetails---aws) | Details of the resource that was assessed           |
+| properties.status          | [SubAssessmentStatus](/azure/defender-for-cloud/subassessment-rest-api#subassessmentstatus) | Status of the subassessment                        |
 | properties.timeGenerated   | string                                                       | The date and time the subassessment was generated  |
 | type                       | string                                                       | Resource type                                       |
 
