Fix control primarytables

compliance/controls/aws/aws_cis_compute_service_v100_2_1_2.yaml

@@ -14,6 +14,8 @@ Query:
         image_id AS resource,
         region,
         account_id,
+        og_account_id,
+        og_resource_id,
         tags,
         _ctx,
         BOOL_AND(COALESCE((mapping -> 'Ebs' ->> 'Encrypted')::text = 'true', FALSE)) AS all_encrypted
@@ -25,12 +27,14 @@ Query:
         region,
         account_id,
         tags,
-        _ctx
+        _ctx,
+        og_account_id,
+        og_resource_id
     )
     SELECT
       resource,
-      image_id AS og_account_id,
-      image_id AS og_resource_id,
+      og_account_id,
+      og_resource_id,
       CASE
         WHEN all_encrypted THEN 'ok'
         ELSE 'alarm'

compliance/controls/aws/aws_cis_v120_2_9.yaml

@@ -14,6 +14,8 @@ Query:
       SELECT
         arn,
         account_id,
+        og_resource_id,
+        og_account_id,
         region,
         owner_id,
         vpc_id,

compliance/controls/aws/aws_cis_v130_4_13.yaml

@@ -59,12 +59,12 @@ Query:
         aws_cloudwatch_log_metric_filter AS filter
       WHERE
         filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateRoute\s+'
-        || '\$\.eventName\s*=\s*CreateRouteTable\s+'
-        || '\$\.eventName\s*=\s*ReplaceRoute\s+'
-        || '\$\.eventName\s*=\s*ReplaceRouteTableAssociation\s+'
-        || '\$\.eventName\s*=\s*DeleteRouteTable\s+'
-        || '\$\.eventName\s*=\s*DeleteRoute\s+'
-        || '\$\.eventName\s*=\s*DisassociateRouteTable'
+        || filter.filter_pattern ~ '\$\.eventName\s*=\s*CreateRouteTable\s+'
+        || filter.filter_pattern ~ '\$\.eventName\s*=\s*ReplaceRoute\s+'
+        || filter.filter_pattern ~ '\$\.eventName\s*=\s*ReplaceRouteTableAssociation\s+'
+        || filter.filter_pattern ~ '\$\.eventName\s*=\s*DeleteRouteTable\s+'
+        || filter.filter_pattern ~ '\$\.eventName\s*=\s*DeleteRoute\s+'
+        || filter.filter_pattern ~ '\$\.eventName\s*=\s*DisassociateRouteTable'
       ORDER BY
         filter_name
     ),

compliance/controls/aws/aws_ec2_instance_no_iam_passrole_and_lambda_invoke_function_access.yaml

@@ -48,7 +48,7 @@ Query:
       END AS reason
     FROM
       aws_ec2_instance AS i
-      LEFT JOIN iam_roles AS r ON r.intance_arn = i.arn
+      LEFT JOIN iam_roles AS r ON r.instance_arn = i.arn
       LEFT JOIN iam_role_with_permission AS p ON p.arn = r.role_arn;
 Severity: low
 Tags: {}

compliance/controls/aws/aws_foundational_security_ssm_2.yaml

@@ -11,7 +11,7 @@ Query:
   PrimaryTable: aws_ssm_managed_instance
   QueryToExecute: |
     SELECT
-      i.id AS resource,
+      i.instance_id AS resource,
       i.og_account_id AS og_account_id,
       i.og_resource_id AS og_resource_id,
       CASE

compliance/controls/azure/azure_cis_v130_1_21.yaml

@@ -15,6 +15,8 @@ Query:
         role_name,
         role_type,
         title,
+        og_account_id,
+        og_resource_id,
         action,
         _ctx,
         subscription_id
@@ -46,6 +48,8 @@ Query:
       sub.subscription_id = cr.subscription_id
     GROUP BY
       cr.subscription_id,
+      cr.og_account_id,
+      cr.og_resource_id,
       cr._ctx,
       sub.display_name;
 Severity: low

compliance/controls/azure/azure_cis_v130_2_12.yaml

@@ -5,10 +5,10 @@ IntegrationType:
 Query:
   Engine: CloudQL-v0.0.1
   ListOfTables:
-    - azure_policy_assignment
     - azure_subscription
+    - azure_policy_assignment
   Parameters: []
-  PrimaryTable: azure_policy_assignment
+  PrimaryTable: azure_subscription
   QueryToExecute: |
     WITH policy_assignment_parameters AS (
       SELECT
@@ -45,6 +45,8 @@ Query:
       sub._ctx,
       sub.subscription_id,
       pol_assignment.subscription_id,
+      sub.og_account_id,
+      sub.og_resource_id,
       sub.display_name;
 Severity: low
 Tags: {}

compliance/controls/azure/azure_cis_v130_5_2_2.yaml

@@ -45,6 +45,8 @@ Query:
     LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id
     GROUP BY
       sub._ctx,
+      sub.og_account_id,
+      sub.og_resource_id,
       sub.subscription_id,
       sub.display_name;
 Severity: low

compliance/controls/azure/azure_cis_v130_5_2_3.yaml

@@ -5,10 +5,10 @@ IntegrationType:
 Query:
   Engine: CloudQL-v0.0.1
   ListOfTables:
-    - azure_log_alert
     - azure_subscription
+    - azure_log_alert
   Parameters: []
-  PrimaryTable: azure_log_alert
+  PrimaryTable: azure_subscription
   QueryToExecute: |
     WITH alert_rule AS (
       SELECT
@@ -55,6 +55,8 @@ Query:
       LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id
     GROUP BY
       sub._ctx,
+      sub.og_account_id,
+      sub.og_resource_id,
       sub.subscription_id,
       sub.display_name;
 Severity: low

compliance/controls/azure/azure_cis_v130_5_2_4.yaml

@@ -57,6 +57,8 @@ Query:
     GROUP BY
       sub._ctx,
       sub.subscription_id,
+      sub.og_account_id,
+      sub.og_resource_id,
       sub.display_name;
 Severity: low
 Tags: {}

compliance/controls/azure/azure_cis_v130_5_2_5.yaml

@@ -8,7 +8,7 @@ Query:
     - azure_log_alert
     - azure_subscription
   Parameters: []
-  PrimaryTable: azure_log_alert
+  PrimaryTable: azure_subscription
   QueryToExecute: |
     WITH alert_rule AS (
       SELECT
@@ -55,6 +55,8 @@ Query:
     LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id
     GROUP BY
       sub._ctx,
+      sub.og_account_id,
+      sub.og_resource_id,
       sub.subscription_id,
       sub.display_name;
 Severity: low

compliance/controls/azure/azure_cis_v130_5_2_6.yaml

@@ -5,10 +5,10 @@ IntegrationType:
 Query:
   Engine: CloudQL-v0.0.1
   ListOfTables:
-    - azure_log_alert
     - azure_subscription
+    - azure_log_alert
   Parameters: []
-  PrimaryTable: azure_log_alert
+  PrimaryTable: azure_subscription
   QueryToExecute: |
     WITH alert_rule AS (
       SELECT
@@ -56,6 +56,8 @@ Query:
     GROUP BY
       sub._ctx,
       sub.subscription_id,
+      sub.og_account_id,
+      sub.og_resource_id,
       sub.display_name;
 Severity: low
 Tags: {}

compliance/controls/azure/azure_cis_v130_5_2_7.yaml

@@ -8,7 +8,7 @@ Query:
     - azure_log_alert
     - azure_subscription
   Parameters: []
-  PrimaryTable: azure_log_alert
+  PrimaryTable: azure_subscription
   QueryToExecute: |
     WITH alert_rule AS (
       SELECT
@@ -56,6 +56,8 @@ Query:
     GROUP BY
       sub._ctx,
       sub.subscription_id,
+      sub.og_account_id,
+      sub.og_resource_id,
       sub.display_name;
 Severity: low
 Tags: {}

compliance/controls/azure/azure_cis_v130_5_2_8.yaml

@@ -8,7 +8,7 @@ Query:
     - azure_log_alert
     - azure_subscription
   Parameters: []
-  PrimaryTable: azure_log_alert
+  PrimaryTable: azure_subscription
   QueryToExecute: |
     WITH alert_rule AS (
       SELECT
@@ -55,6 +55,8 @@ Query:
       LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id
     GROUP BY
       sub._ctx,
+      sub.og_account_id,
+      sub.og_resource_id,
       sub.subscription_id,
       sub.display_name;
 Severity: low

compliance/controls/azure/azure_cis_v130_5_2_9.yaml

@@ -8,7 +8,7 @@ Query:
     - azure_log_alert
     - azure_subscription
   Parameters: []
-  PrimaryTable: azure_log_alert
+  PrimaryTable: azure_subscription
   QueryToExecute: |
     WITH alert_rule AS (
       SELECT
@@ -47,6 +47,8 @@ Query:
     GROUP BY
       sub._ctx,
       sub.subscription_id,
+      sub.og_account_id,
+      sub.og_resource_id,
       sub.display_name;
 Severity: low
 Tags: {}

compliance/controls/azure/azure_cis_v140_1_20.yaml

@@ -15,13 +15,15 @@ Query:
         role_name,
         role_type,
         title,
+        og_account_id,
+        og_resource_id,
         action,
         _ctx,
         subscription_id
       FROM
         azure_role_definition,
-        JSONB_ARRAY_ELEMENTS(permissions) AS s,
-        JSONB_ARRAY_ELEMENTS_TEXT(s -> 'actions') AS action
+        jsonb_array_elements(permissions) AS s,
+        jsonb_array_elements_text(s -> 'actions') AS action
       WHERE
         role_type = 'CustomRole'
         AND action IN ('*', '*:*')
@@ -46,6 +48,8 @@ Query:
       sub.subscription_id = cr.subscription_id
     GROUP BY
       cr.subscription_id,
+      cr.og_account_id,
+      cr.og_resource_id,
       cr._ctx,
       sub.display_name;
 Severity: low

compliance/controls/azure/azure_cis_v140_2_12.yaml

@@ -8,7 +8,7 @@ Query:
     - azure_policy_assignment
     - azure_subscription
   Parameters: []
-  PrimaryTable: azure_policy_assignment
+  PrimaryTable: azure_subscription
   QueryToExecute: |
     WITH policy_assignment_parameters AS (
       SELECT
@@ -43,6 +43,8 @@ Query:
       pol_assignment.id,
       sub._ctx,
       sub.subscription_id,
+      sub.og_account_id,
+      sub.og_resource_id,
       pol_assignment.subscription_id,
       sub.display_name;
 Severity: low

compliance/controls/azure/azure_cis_v140_5_2_2.yaml

@@ -8,7 +8,7 @@ Query:
     - azure_log_alert
     - azure_subscription
   Parameters: []
-  PrimaryTable: azure_log_alert
+  PrimaryTable: azure_subscription
   QueryToExecute: |
     WITH alert_rule AS (
       SELECT
@@ -46,6 +46,8 @@ Query:
     GROUP BY
       sub._ctx,
       sub.subscription_id,
+      sub.og_account_id,
+      sub.og_resource_id,
       sub.display_name;
 Severity: low
 Tags: {}

compliance/controls/azure/azure_cis_v140_5_2_3.yaml

@@ -56,6 +56,8 @@ Query:
     GROUP BY
         sub._ctx,
         sub.subscription_id,
+        sub.og_account_id,
+        sub.og_resource_id,
         sub.display_name;
 Severity: low
 Tags: {}

compliance/controls/azure/azure_cis_v140_5_2_4.yaml

@@ -5,8 +5,8 @@ IntegrationType:
 Query:
   Engine: CloudQL-v0.0.1
   ListOfTables:
-    - azure_log_alert
     - azure_subscription
+    - azure_log_alert
   Parameters: []
   PrimaryTable: azure_subscription
   QueryToExecute: |
@@ -57,6 +57,8 @@ Query:
     GROUP BY
       sub._ctx,
       sub.subscription_id,
+      sub.og_account_id,
+      sub.og_resource_id,
       sub.display_name;
 Severity: low
 Tags: {}

compliance/controls/azure/azure_cis_v140_5_2_5.yaml

@@ -8,7 +8,7 @@ Query:
     - azure_log_alert
     - azure_subscription
   Parameters: []
-  PrimaryTable: azure_log_alert
+  PrimaryTable: azure_subscription
   QueryToExecute: |
     WITH alert_rule AS (
       SELECT
@@ -54,6 +54,8 @@ Query:
     GROUP BY
       sub._ctx,
       sub.subscription_id,
+      sub.og_account_id,
+      sub.og_resource_id,
       sub.display_name;
 Severity: low
 Tags: {}

compliance/controls/azure/azure_cis_v140_5_2_6.yaml

@@ -5,10 +5,10 @@ IntegrationType:
 Query:
   Engine: CloudQL-v0.0.1
   ListOfTables:
-    - azure_log_alert
     - azure_subscription
+    - azure_log_alert
   Parameters: []
-  PrimaryTable: azure_log_alert
+  PrimaryTable: azure_subscription
   QueryToExecute: |
     WITH alert_rule AS (
       SELECT

compliance/controls/azure/azure_cis_v140_5_2_7.yaml

@@ -8,7 +8,7 @@ Query:
     - azure_log_alert
     - azure_subscription
   Parameters: []
-  PrimaryTable: azure_log_alert
+  PrimaryTable: azure_subscription
   QueryToExecute: |
     WITH alert_rule AS (
       SELECT
@@ -55,6 +55,8 @@ Query:
     GROUP BY
       sub._ctx,
       sub.subscription_id,
+      sub.og_account_id,
+      sub.og_resource_id,
       sub.display_name;
 Severity: low
 Tags: {}

compliance/controls/azure/azure_cis_v140_5_2_8.yaml

@@ -56,6 +56,8 @@ Query:
     GROUP BY
       sub._ctx,
       sub.subscription_id,
+      sub.og_account_id,
+      sub.og_resource_id,
       sub.display_name;
 Severity: low
 Tags: {}