diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_1_2.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_1_2.yaml index e3762709f..b6dfd18c8 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_2_1_2.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_1_2.yaml @@ -14,6 +14,8 @@ Query: image_id AS resource, region, account_id, + og_account_id, + og_resource_id, tags, _ctx, BOOL_AND(COALESCE((mapping -> 'Ebs' ->> 'Encrypted')::text = 'true', FALSE)) AS all_encrypted @@ -25,12 +27,14 @@ Query: region, account_id, tags, - _ctx + _ctx, + og_account_id, + og_resource_id ) SELECT resource, - image_id AS og_account_id, - image_id AS og_resource_id, + og_account_id, + og_resource_id, CASE WHEN all_encrypted THEN 'ok' ELSE 'alarm' diff --git a/compliance/controls/aws/aws_cis_v120_2_9.yaml b/compliance/controls/aws/aws_cis_v120_2_9.yaml index 56364f984..1d64b4250 100644 --- a/compliance/controls/aws/aws_cis_v120_2_9.yaml +++ b/compliance/controls/aws/aws_cis_v120_2_9.yaml @@ -14,6 +14,8 @@ Query: SELECT arn, account_id, + og_resource_id, + og_account_id, region, owner_id, vpc_id, diff --git a/compliance/controls/aws/aws_cis_v130_4_13.yaml b/compliance/controls/aws/aws_cis_v130_4_13.yaml index 26b7ffed0..10c58f607 100644 --- a/compliance/controls/aws/aws_cis_v130_4_13.yaml +++ b/compliance/controls/aws/aws_cis_v130_4_13.yaml 
@@ -59,12 +59,12 @@ Query: aws_cloudwatch_log_metric_filter AS filter WHERE filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateRoute\s+' - || '\$\.eventName\s*=\s*CreateRouteTable\s+' - || '\$\.eventName\s*=\s*ReplaceRoute\s+' - || '\$\.eventName\s*=\s*ReplaceRouteTableAssociation\s+' - || '\$\.eventName\s*=\s*DeleteRouteTable\s+' - || '\$\.eventName\s*=\s*DeleteRoute\s+' - || '\$\.eventName\s*=\s*DisassociateRouteTable' + || filter.filter_pattern ~ '\$\.eventName\s*=\s*CreateRouteTable\s+' + || filter.filter_pattern ~ '\$\.eventName\s*=\s*ReplaceRoute\s+' + || filter.filter_pattern ~ '\$\.eventName\s*=\s*ReplaceRouteTableAssociation\s+' + || filter.filter_pattern ~ '\$\.eventName\s*=\s*DeleteRouteTable\s+' + || filter.filter_pattern ~ '\$\.eventName\s*=\s*DeleteRoute\s+' + || filter.filter_pattern ~ '\$\.eventName\s*=\s*DisassociateRouteTable' ORDER BY filter_name ), diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_passrole_and_lambda_invoke_function_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_passrole_and_lambda_invoke_function_access.yaml index 37ec5b2a1..8915ef0be 100644 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_passrole_and_lambda_invoke_function_access.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_iam_passrole_and_lambda_invoke_function_access.yaml @@ -48,7 +48,7 @@ Query: END AS reason FROM aws_ec2_instance AS i - LEFT JOIN iam_roles AS r ON r.intance_arn = i.arn + LEFT JOIN iam_roles AS r ON r.instance_arn = i.arn LEFT JOIN iam_role_with_permission AS p ON p.arn = r.role_arn; Severity: low Tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_ssm_2.yaml b/compliance/controls/aws/aws_foundational_security_ssm_2.yaml index ac45a201e..c6ae36fa5 100644 --- a/compliance/controls/aws/aws_foundational_security_ssm_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_ssm_2.yaml 
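Review bot: The rewritten WHERE clause in aws_cis_v130_4_13.yaml still joins its seven regex tests with `||`, which in PostgreSQL-style SQL is string concatenation, not a boolean operator. If CloudQL follows PostgreSQL precedence, `~` and `||` bind equally and left to right, so the expression likely reduces to a match on the last pattern (`DisassociateRouteTable`) alone, and a metric filter that watches only that event would pass. Even read as OR, one matching event name would be enough, whereas the old single concatenated pattern suggests the filter is expected to name all seven route-table events. Joining the tests with AND states that directly, e.g. `AND filter.filter_pattern ~ '\$\.eventName\s*=\s*CreateRouteTable\s+'` and likewise for the other five lines. The enclosing CTE starts above the hunk.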
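Review bot: The join in aws_ec2_instance_no_iam_passrole_and_lambda_invoke_function_access.yaml now reads `r.instance_arn`, but the `iam_roles` CTE that supplies that column is defined above this hunk and no other hunk in this file touches it. If the CTE still aliases the column with the old spelling `intance_arn`, the query fails at run time and the control produces no result for any instance. Confirm the alias in the CTE is spelled `instance_arn` too, or change both in the same commit.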
@@ -11,7 +11,7 @@ Query: PrimaryTable: aws_ssm_managed_instance QueryToExecute: | SELECT - i.id AS resource, + i.instance_id AS resource, i.og_account_id AS og_account_id, i.og_resource_id AS og_resource_id, CASE diff --git a/compliance/controls/azure/azure_cis_v130_1_21.yaml b/compliance/controls/azure/azure_cis_v130_1_21.yaml index 0cb3f1d72..79d8c4fa3 100644 --- a/compliance/controls/azure/azure_cis_v130_1_21.yaml +++ b/compliance/controls/azure/azure_cis_v130_1_21.yaml @@ -15,6 +15,8 @@ Query: role_name, role_type, title, + og_account_id, + og_resource_id, action, _ctx, subscription_id @@ -46,6 +48,8 @@ Query: sub.subscription_id = cr.subscription_id GROUP BY cr.subscription_id, + cr.og_account_id, + cr.og_resource_id, cr._ctx, sub.display_name; Severity: low diff --git a/compliance/controls/azure/azure_cis_v130_2_12.yaml b/compliance/controls/azure/azure_cis_v130_2_12.yaml index 3e4ea4a5f..f661903d1 100644 --- a/compliance/controls/azure/azure_cis_v130_2_12.yaml +++ b/compliance/controls/azure/azure_cis_v130_2_12.yaml @@ -5,10 +5,10 @@ IntegrationType: Query: Engine: CloudQL-v0.0.1 ListOfTables: - - azure_policy_assignment - azure_subscription + - azure_policy_assignment Parameters: [] - PrimaryTable: azure_policy_assignment + PrimaryTable: azure_subscription QueryToExecute: | WITH policy_assignment_parameters AS ( SELECT @@ -45,6 +45,8 @@ Query: sub._ctx, sub.subscription_id, pol_assignment.subscription_id, + sub.og_account_id, + sub.og_resource_id, sub.display_name; Severity: low Tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_5_2_2.yaml b/compliance/controls/azure/azure_cis_v130_5_2_2.yaml index 943b965df..701e2bc77 100644 --- a/compliance/controls/azure/azure_cis_v130_5_2_2.yaml +++ b/compliance/controls/azure/azure_cis_v130_5_2_2.yaml @@ -45,6 +45,8 @@ Query: LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id GROUP BY sub._ctx, + sub.og_account_id, + sub.og_resource_id, sub.subscription_id, sub.display_name; Severity: low 
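Review bot: Adding `cr.og_account_id` and `cr.og_resource_id` to the GROUP BY in azure_cis_v130_1_21.yaml may change what one result row means, because these columns come from the role-definition CTE rather than from `sub`. If `og_resource_id` identifies a single role definition, as the name suggests, the grouping becomes one row per custom role instead of one per subscription, and any count-based status or reason in the SELECT (outside this hunk) would no longer total per subscription. The same pattern appears in azure_cis_v140_1_20.yaml, azure_cis_v150_1_23.yaml, azure_cis_v200_1_23.yaml and azure_iam_subscriptions_with_custom_roles_no_overly_permissive.yaml. If per-subscription results are intended, taking the identifiers from the subscription side, e.g. `sub.og_account_id, sub.og_resource_id`, keeps the grouping at the subscription level, as the 5_2_x controls in this commit do.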
diff --git a/compliance/controls/azure/azure_cis_v130_5_2_3.yaml b/compliance/controls/azure/azure_cis_v130_5_2_3.yaml index d78ed44d0..d39c8943d 100644 --- a/compliance/controls/azure/azure_cis_v130_5_2_3.yaml +++ b/compliance/controls/azure/azure_cis_v130_5_2_3.yaml @@ -5,10 +5,10 @@ IntegrationType: Query: Engine: CloudQL-v0.0.1 ListOfTables: - - azure_log_alert - azure_subscription + - azure_log_alert Parameters: [] - PrimaryTable: azure_log_alert + PrimaryTable: azure_subscription QueryToExecute: | WITH alert_rule AS ( SELECT @@ -55,6 +55,8 @@ Query: LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id GROUP BY sub._ctx, + sub.og_account_id, + sub.og_resource_id, sub.subscription_id, sub.display_name; Severity: low diff --git a/compliance/controls/azure/azure_cis_v130_5_2_4.yaml b/compliance/controls/azure/azure_cis_v130_5_2_4.yaml index 73915ba3f..635131228 100644 --- a/compliance/controls/azure/azure_cis_v130_5_2_4.yaml +++ b/compliance/controls/azure/azure_cis_v130_5_2_4.yaml @@ -57,6 +57,8 @@ Query: GROUP BY sub._ctx, sub.subscription_id, + sub.og_account_id, + sub.og_resource_id, sub.display_name; Severity: low Tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_5_2_5.yaml b/compliance/controls/azure/azure_cis_v130_5_2_5.yaml index 9d96c6384..c3692af7d 100644 --- a/compliance/controls/azure/azure_cis_v130_5_2_5.yaml +++ b/compliance/controls/azure/azure_cis_v130_5_2_5.yaml @@ -8,7 +8,7 @@ Query: - azure_log_alert - azure_subscription Parameters: [] - PrimaryTable: azure_log_alert + PrimaryTable: azure_subscription QueryToExecute: | WITH alert_rule AS ( SELECT @@ -55,6 +55,8 @@ Query: LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id GROUP BY sub._ctx, + sub.og_account_id, + sub.og_resource_id, sub.subscription_id, sub.display_name; Severity: low diff --git a/compliance/controls/azure/azure_cis_v130_5_2_6.yaml b/compliance/controls/azure/azure_cis_v130_5_2_6.yaml index 3b24ba9e7..95c59fb12 100644 
--- a/compliance/controls/azure/azure_cis_v130_5_2_6.yaml +++ b/compliance/controls/azure/azure_cis_v130_5_2_6.yaml @@ -5,10 +5,10 @@ IntegrationType: Query: Engine: CloudQL-v0.0.1 ListOfTables: - - azure_log_alert - azure_subscription + - azure_log_alert Parameters: [] - PrimaryTable: azure_log_alert + PrimaryTable: azure_subscription QueryToExecute: | WITH alert_rule AS ( SELECT @@ -56,6 +56,8 @@ Query: GROUP BY sub._ctx, sub.subscription_id, + sub.og_account_id, + sub.og_resource_id, sub.display_name; Severity: low Tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_5_2_7.yaml b/compliance/controls/azure/azure_cis_v130_5_2_7.yaml index 167873b50..a9fa02e9a 100644 --- a/compliance/controls/azure/azure_cis_v130_5_2_7.yaml +++ b/compliance/controls/azure/azure_cis_v130_5_2_7.yaml @@ -8,7 +8,7 @@ Query: - azure_log_alert - azure_subscription Parameters: [] - PrimaryTable: azure_log_alert + PrimaryTable: azure_subscription QueryToExecute: | WITH alert_rule AS ( SELECT @@ -56,6 +56,8 @@ Query: GROUP BY sub._ctx, sub.subscription_id, + sub.og_account_id, + sub.og_resource_id, sub.display_name; Severity: low Tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_5_2_8.yaml b/compliance/controls/azure/azure_cis_v130_5_2_8.yaml index c2c522ce4..58aaf9771 100644 --- a/compliance/controls/azure/azure_cis_v130_5_2_8.yaml +++ b/compliance/controls/azure/azure_cis_v130_5_2_8.yaml @@ -8,7 +8,7 @@ Query: - azure_log_alert - azure_subscription Parameters: [] - PrimaryTable: azure_log_alert + PrimaryTable: azure_subscription QueryToExecute: | WITH alert_rule AS ( SELECT @@ -55,6 +55,8 @@ Query: LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id GROUP BY sub._ctx, + sub.og_account_id, + sub.og_resource_id, sub.subscription_id, sub.display_name; Severity: low diff --git a/compliance/controls/azure/azure_cis_v130_5_2_9.yaml b/compliance/controls/azure/azure_cis_v130_5_2_9.yaml index 22b3e3be1..77b043306 100644 
--- a/compliance/controls/azure/azure_cis_v130_5_2_9.yaml +++ b/compliance/controls/azure/azure_cis_v130_5_2_9.yaml @@ -8,7 +8,7 @@ Query: - azure_log_alert - azure_subscription Parameters: [] - PrimaryTable: azure_log_alert + PrimaryTable: azure_subscription QueryToExecute: | WITH alert_rule AS ( SELECT @@ -47,6 +47,8 @@ Query: GROUP BY sub._ctx, sub.subscription_id, + sub.og_account_id, + sub.og_resource_id, sub.display_name; Severity: low Tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_1_20.yaml b/compliance/controls/azure/azure_cis_v140_1_20.yaml index 7193d171d..14456cc08 100644 --- a/compliance/controls/azure/azure_cis_v140_1_20.yaml +++ b/compliance/controls/azure/azure_cis_v140_1_20.yaml @@ -15,13 +15,15 @@ Query: role_name, role_type, title, + og_account_id, + og_resource_id, action, _ctx, subscription_id FROM azure_role_definition, - JSONB_ARRAY_ELEMENTS(permissions) AS s, - JSONB_ARRAY_ELEMENTS_TEXT(s -> 'actions') AS action + jsonb_array_elements(permissions) AS s, + jsonb_array_elements_text(s -> 'actions') AS action WHERE role_type = 'CustomRole' AND action IN ('*', '*:*') @@ -46,6 +48,8 @@ Query: sub.subscription_id = cr.subscription_id GROUP BY cr.subscription_id, + cr.og_account_id, + cr.og_resource_id, cr._ctx, sub.display_name; Severity: low diff --git a/compliance/controls/azure/azure_cis_v140_2_12.yaml b/compliance/controls/azure/azure_cis_v140_2_12.yaml index 07e04e070..592ef4238 100644 --- a/compliance/controls/azure/azure_cis_v140_2_12.yaml +++ b/compliance/controls/azure/azure_cis_v140_2_12.yaml @@ -8,7 +8,7 @@ Query: - azure_policy_assignment - azure_subscription Parameters: [] - PrimaryTable: azure_policy_assignment + PrimaryTable: azure_subscription QueryToExecute: | WITH policy_assignment_parameters AS ( SELECT @@ -43,6 +43,8 @@ Query: pol_assignment.id, sub._ctx, sub.subscription_id, + sub.og_account_id, + sub.og_resource_id, pol_assignment.subscription_id, sub.display_name; Severity: low 
diff --git a/compliance/controls/azure/azure_cis_v140_5_2_2.yaml b/compliance/controls/azure/azure_cis_v140_5_2_2.yaml index 334f74639..7318f51ac 100644 --- a/compliance/controls/azure/azure_cis_v140_5_2_2.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_2_2.yaml @@ -8,7 +8,7 @@ Query: - azure_log_alert - azure_subscription Parameters: [] - PrimaryTable: azure_log_alert + PrimaryTable: azure_subscription QueryToExecute: | WITH alert_rule AS ( SELECT @@ -46,6 +46,8 @@ Query: GROUP BY sub._ctx, sub.subscription_id, + sub.og_account_id, + sub.og_resource_id, sub.display_name; Severity: low Tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_5_2_3.yaml b/compliance/controls/azure/azure_cis_v140_5_2_3.yaml index 565d1501d..3d97c3636 100644 --- a/compliance/controls/azure/azure_cis_v140_5_2_3.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_2_3.yaml @@ -56,6 +56,8 @@ Query: GROUP BY sub._ctx, sub.subscription_id, + sub.og_account_id, + sub.og_resource_id, sub.display_name; Severity: low Tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_5_2_4.yaml b/compliance/controls/azure/azure_cis_v140_5_2_4.yaml index 204279620..a27762478 100644 --- a/compliance/controls/azure/azure_cis_v140_5_2_4.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_2_4.yaml @@ -5,8 +5,8 @@ IntegrationType: Query: Engine: CloudQL-v0.0.1 ListOfTables: - - azure_log_alert - azure_subscription + - azure_log_alert Parameters: [] PrimaryTable: azure_subscription QueryToExecute: | @@ -57,6 +57,8 @@ Query: GROUP BY sub._ctx, sub.subscription_id, + sub.og_account_id, + sub.og_resource_id, sub.display_name; Severity: low Tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_5_2_5.yaml b/compliance/controls/azure/azure_cis_v140_5_2_5.yaml index 2e30a62ca..336832998 100644 --- a/compliance/controls/azure/azure_cis_v140_5_2_5.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_2_5.yaml 
@@ -8,7 +8,7 @@ Query: - azure_log_alert - azure_subscription Parameters: [] - PrimaryTable: azure_log_alert + PrimaryTable: azure_subscription QueryToExecute: | WITH alert_rule AS ( SELECT @@ -54,6 +54,8 @@ Query: GROUP BY sub._ctx, sub.subscription_id, + sub.og_account_id, + sub.og_resource_id, sub.display_name; Severity: low Tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_5_2_6.yaml b/compliance/controls/azure/azure_cis_v140_5_2_6.yaml index 9b15973bb..1af89c65c 100644 --- a/compliance/controls/azure/azure_cis_v140_5_2_6.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_2_6.yaml @@ -5,10 +5,10 @@ IntegrationType: Query: Engine: CloudQL-v0.0.1 ListOfTables: - - azure_log_alert - azure_subscription + - azure_log_alert Parameters: [] - PrimaryTable: azure_log_alert + PrimaryTable: azure_subscription QueryToExecute: | WITH alert_rule AS ( SELECT diff --git a/compliance/controls/azure/azure_cis_v140_5_2_7.yaml b/compliance/controls/azure/azure_cis_v140_5_2_7.yaml index 306cdbc09..3eada20e7 100644 --- a/compliance/controls/azure/azure_cis_v140_5_2_7.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_2_7.yaml @@ -8,7 +8,7 @@ Query: - azure_log_alert - azure_subscription Parameters: [] - PrimaryTable: azure_log_alert + PrimaryTable: azure_subscription QueryToExecute: | WITH alert_rule AS ( SELECT @@ -55,6 +55,8 @@ Query: GROUP BY sub._ctx, sub.subscription_id, + sub.og_account_id, + sub.og_resource_id, sub.display_name; Severity: low Tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_5_2_8.yaml b/compliance/controls/azure/azure_cis_v140_5_2_8.yaml index d07533ec1..140b21a06 100644 --- a/compliance/controls/azure/azure_cis_v140_5_2_8.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_2_8.yaml @@ -56,6 +56,8 @@ Query: GROUP BY sub._ctx, sub.subscription_id, + sub.og_account_id, + sub.og_resource_id, sub.display_name; Severity: low Tags: {} 
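Review bot: azure_cis_v140_5_2_6.yaml is switched to `PrimaryTable: azure_subscription` but, unlike azure_cis_v130_5_2_6.yaml and azure_cis_v150_5_2_6.yaml in this commit, gets no hunk adding `sub.og_account_id` and `sub.og_resource_id` to its GROUP BY. If the SELECT list (outside this hunk) returns those two columns, the query needs them grouped as well, or it will be rejected for selecting ungrouped columns; if the GROUP BY already has them, nothing more is needed. Worth checking the tail of the query against its siblings.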
diff --git a/compliance/controls/azure/azure_cis_v140_5_2_9.yaml b/compliance/controls/azure/azure_cis_v140_5_2_9.yaml index c051a8dfc..86ece4cec 100644 --- a/compliance/controls/azure/azure_cis_v140_5_2_9.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_2_9.yaml @@ -8,7 +8,7 @@ Query: - azure_log_alert - azure_subscription Parameters: [] - PrimaryTable: azure_log_alert + PrimaryTable: azure_subscription QueryToExecute: | WITH alert_rule AS ( SELECT @@ -47,6 +47,8 @@ Query: GROUP BY sub._ctx, sub.subscription_id, + sub.og_account_id, + sub.og_resource_id, sub.display_name; Severity: low Tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_1_23.yaml b/compliance/controls/azure/azure_cis_v150_1_23.yaml index b7020863e..1ec50aa4e 100644 --- a/compliance/controls/azure/azure_cis_v150_1_23.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_23.yaml @@ -13,6 +13,8 @@ Query: WITH owner_custom_roles AS ( SELECT role_name, + og_account_id, + og_resource_id, role_type, title, action, @@ -47,7 +49,9 @@ Query: GROUP BY cr.subscription_id, cr._ctx, - sub.display_name; + sub.display_name, + cr.og_account_id, + cr.og_resource_id; Severity: low Tags: {} Title: 1.23 Ensure That No Custom Subscription Owner Roles Are Created \ No newline at end of file diff --git a/compliance/controls/azure/azure_cis_v150_2_6.yaml b/compliance/controls/azure/azure_cis_v150_2_6.yaml index 3b53bf6da..5c304cab5 100644 --- a/compliance/controls/azure/azure_cis_v150_2_6.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_6.yaml @@ -43,6 +43,8 @@ Query: pol_assignment.id, sub._ctx, sub.subscription_id, + sub.og_account_id, + sub.og_resource_id, pol_assignment.subscription_id, sub.display_name Severity: low diff --git a/compliance/controls/azure/azure_cis_v150_5_2_10.yaml b/compliance/controls/azure/azure_cis_v150_5_2_10.yaml index f0a7a4c78..a1066a433 100644 --- a/compliance/controls/azure/azure_cis_v150_5_2_10.yaml +++ b/compliance/controls/azure/azure_cis_v150_5_2_10.yaml 
@@ -52,6 +52,8 @@ Query: GROUP BY sub._ctx, sub.subscription_id, + sub.og_account_id, + sub.og_resource_id, sub.display_name; Severity: low Tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_5_2_2.yaml b/compliance/controls/azure/azure_cis_v150_5_2_2.yaml index fb1705743..6ecc23cd9 100644 --- a/compliance/controls/azure/azure_cis_v150_5_2_2.yaml +++ b/compliance/controls/azure/azure_cis_v150_5_2_2.yaml @@ -8,7 +8,7 @@ Query: - azure_log_alert - azure_subscription Parameters: [] - PrimaryTable: azure_log_alert + PrimaryTable: azure_subscription QueryToExecute: | WITH alert_rule AS ( SELECT @@ -46,6 +46,8 @@ Query: GROUP BY sub._ctx, sub.subscription_id, + sub.og_account_id, + sub.og_resource_id, sub.display_name; Severity: low Tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_5_2_3.yaml b/compliance/controls/azure/azure_cis_v150_5_2_3.yaml index dab11913a..ff657d49c 100644 --- a/compliance/controls/azure/azure_cis_v150_5_2_3.yaml +++ b/compliance/controls/azure/azure_cis_v150_5_2_3.yaml @@ -5,10 +5,10 @@ IntegrationType: Query: Engine: CloudQL-v0.0.1 ListOfTables: - - azure_log_alert - azure_subscription + - azure_log_alert Parameters: [] - PrimaryTable: azure_log_alert + PrimaryTable: azure_subscription QueryToExecute: | WITH alert_rule AS ( SELECT @@ -56,6 +56,8 @@ Query: GROUP BY sub._ctx, sub.subscription_id, + sub.og_account_id, + sub.og_resource_id, sub.display_name; Severity: low Tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_5_2_4.yaml b/compliance/controls/azure/azure_cis_v150_5_2_4.yaml index f031a6347..38597b07b 100644 --- a/compliance/controls/azure/azure_cis_v150_5_2_4.yaml +++ b/compliance/controls/azure/azure_cis_v150_5_2_4.yaml @@ -8,7 +8,7 @@ Query: - azure_log_alert - azure_subscription Parameters: [] - PrimaryTable: azure_log_alert + PrimaryTable: azure_subscription QueryToExecute: | WITH alert_rule AS ( SELECT 
@@ -57,6 +57,8 @@ Query: GROUP BY sub._ctx, sub.subscription_id, + sub.og_account_id, + sub.og_resource_id, sub.display_name; Severity: low Tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_5_2_5.yaml b/compliance/controls/azure/azure_cis_v150_5_2_5.yaml index 3f4cd11d5..f2a8cc611 100644 --- a/compliance/controls/azure/azure_cis_v150_5_2_5.yaml +++ b/compliance/controls/azure/azure_cis_v150_5_2_5.yaml @@ -56,6 +56,8 @@ Query: GROUP BY sub._ctx, sub.subscription_id, + sub.og_account_id, + sub.og_resource_id, sub.display_name; Severity: low Tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_5_2_6.yaml b/compliance/controls/azure/azure_cis_v150_5_2_6.yaml index e0fa4e106..6282633cc 100644 --- a/compliance/controls/azure/azure_cis_v150_5_2_6.yaml +++ b/compliance/controls/azure/azure_cis_v150_5_2_6.yaml @@ -8,7 +8,7 @@ Query: - azure_log_alert - azure_subscription Parameters: [] - PrimaryTable: azure_log_alert + PrimaryTable: azure_subscription QueryToExecute: | WITH alert_rule AS ( SELECT @@ -56,6 +56,8 @@ Query: GROUP BY sub._ctx, sub.subscription_id, + sub.og_account_id, + sub.og_resource_id, sub.display_name; Severity: low Tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_5_2_7.yaml b/compliance/controls/azure/azure_cis_v150_5_2_7.yaml index 870a6a693..b630da6fd 100644 --- a/compliance/controls/azure/azure_cis_v150_5_2_7.yaml +++ b/compliance/controls/azure/azure_cis_v150_5_2_7.yaml @@ -8,7 +8,7 @@ Query: - azure_log_alert - azure_subscription Parameters: [] - PrimaryTable: azure_log_alert + PrimaryTable: azure_subscription QueryToExecute: | WITH alert_rule AS ( SELECT @@ -52,6 +52,8 @@ Query: LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id GROUP BY sub._ctx, + sub.og_account_id, + sub.og_resource_id, sub.subscription_id, sub.display_name; Severity: low diff --git a/compliance/controls/azure/azure_cis_v150_5_2_8.yaml b/compliance/controls/azure/azure_cis_v150_5_2_8.yaml index e93322b40..847e806e0 100644 
--- a/compliance/controls/azure/azure_cis_v150_5_2_8.yaml +++ b/compliance/controls/azure/azure_cis_v150_5_2_8.yaml @@ -52,6 +52,8 @@ Query: GROUP BY sub._ctx, sub.subscription_id, + sub.og_account_id, + sub.og_resource_id, sub.display_name; Severity: low Tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_5_2_9.yaml b/compliance/controls/azure/azure_cis_v150_5_2_9.yaml index 5a4ebd80b..2ed54fd60 100644 --- a/compliance/controls/azure/azure_cis_v150_5_2_9.yaml +++ b/compliance/controls/azure/azure_cis_v150_5_2_9.yaml @@ -8,7 +8,7 @@ Query: - azure_log_alert - azure_subscription Parameters: [] - PrimaryTable: azure_log_alert + PrimaryTable: azure_subscription QueryToExecute: | WITH alert_rule AS ( SELECT @@ -55,6 +55,8 @@ Query: GROUP BY sub._ctx, sub.subscription_id, + sub.og_account_id, + sub.og_resource_id, sub.display_name; Severity: low Tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_1_23.yaml b/compliance/controls/azure/azure_cis_v200_1_23.yaml index a9cd2aeb5..1cf34af92 100644 --- a/compliance/controls/azure/azure_cis_v200_1_23.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_23.yaml @@ -14,6 +14,8 @@ Query: SELECT role_name, role_type, + og_account_id, + og_resource_id, title, action, _ctx, @@ -47,6 +49,8 @@ Query: GROUP BY cr.subscription_id, cr._ctx, + cr.og_account_id, + cr.og_resource_id, sub.display_name; Severity: low Tags: {} diff --git a/compliance/controls/azure/azure_iam_subscriptions_with_custom_roles_no_overly_permissive.yaml b/compliance/controls/azure/azure_iam_subscriptions_with_custom_roles_no_overly_permissive.yaml index 904cfe718..ca2e0778c 100644 --- a/compliance/controls/azure/azure_iam_subscriptions_with_custom_roles_no_overly_permissive.yaml +++ b/compliance/controls/azure/azure_iam_subscriptions_with_custom_roles_no_overly_permissive.yaml @@ -14,6 +14,8 @@ Query: SELECT role_name, role_type, + og_account_id, + og_resource_id, title, action, _ctx, 
@@ -48,6 +50,8 @@ Query: GROUP BY cr.subscription_id, cr._ctx, + cr.og_account_id, + cr.og_resource_id, sub.display_name; Severity: low Tags: {}