Query Details

Multiple Container Registry Image Vulnerability Assessments

Query

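// Use here: https://portal.azure.com/#view/HubsExtension/ArgQueryBlade
// One row per scanned container image, with that image's vulnerability
// sub-assessments packed into a "Vulnerabilities" array. Per-finding fields
// are read from properties.additionalData of each sub-assessment record.
SecurityResources
| where type =~ "microsoft.security/assessments/subassessments" and id has "providers/Microsoft.ContainerRegistry/registries/"
// Optional scope filter: uncomment and set a subscription id to narrow the result set.
//| where subscriptionId == ""
| extend
    registryHost = tostring(properties["additionalData"]["registryHost"]),
    repositoryName = tostring(properties["additionalData"]["repositoryName"]),
    imageDigest = tostring(properties["additionalData"]["imageDigest"]),
    imageOs = tostring(properties["additionalData"]["imageDetails"]["os"]),
    imageOsDetails = tostring(properties["additionalData"]["imageDetails"]["osDetails"]),
    assessedResourceType = tostring(properties["additionalData"]["assessedResourceType"]),
    scanner = tostring(properties["additionalData"]["scanner"]),
    timeGenerated = todatetime(properties["timeGenerated"]),
    status = tostring(properties["status"]["code"]),
    patchable = toboolean(properties["additionalData"]["patchable"]),
    assessmentType = tostring(properties["additionalData"]["type"]),
    severity = tostring(properties["status"]["severity"]),
    category = tostring(properties["category"]),
    displayName = tostring(properties["displayName"]),
    description = tostring(properties["description"]),
    impact = tostring(properties["impact"]),
    remediation = tostring(properties["remediation"]),
    // CVSS base scores are kept as strings here, so any downstream ordering
    // or comparison on them is lexical, not numeric.
    cvssv2 = tostring(properties["additionalData"]["cvss"]["2.0"]["base"]),
    cvssv3 = tostring(properties["additionalData"]["cvss"]["3.0"]["base"]),
    resourceId = tostring(properties["resourceDetails"]["id"]),
    // NOTE(review): assumes sub-assessment ids are numeric; a non-numeric id
    // becomes null here and such findings would collapse together in the
    // grouping below — confirm against the scanner's id format.
    assessmentId = toint(properties["id"]),
    cve = properties["additionalData"]["cve"]
// A finding with no CVE entries must still produce one row (with an empty
// CVE title), so substitute a single empty element when the array is
// missing or empty before expanding it.
| mv-expand cve = iff(isnull(cve) or array_length(cve) == 0, dynamic([""]), cve)
| extend cve = tostring(cve["title"])
// Some "cve" dynamic objects in "properties" contain repeated CVEs, we need to deduplicate:
// keep the most recent record per (finding, CVE) key.
| summarize arg_max(timeGenerated, location, resourceGroup, repositoryName, imageDigest, imageOs, imageOsDetails, assessedResourceType, displayName, description, impact, remediation)
    by scanner, status, patchable, assessmentType, severity, category, tenantId, subscriptionId, registryHost, resourceId, assessmentId, cvssv2, cvssv3, cve
// Collapse all findings of one image into a single row; image-level fields
// are taken from the most recently generated finding.
| summarize
    Scanners = make_set(scanner),
    Vulnerabilities = make_list(pack(
        "CVE", cve,
        "Category", category,
        "DisplayName", displayName,
        //"Description", description,
        //"Impact", impact,
        //"Remediation", remediation,
        "Severity", severity,
        "CVSSv2", cvssv2,
        "CVSSv3", cvssv3,
        "Patchable", patchable,
        "AssessmentId", assessmentId
        )),
    arg_max(timeGenerated, location, resourceGroup, repositoryName, imageDigest, imageOs, imageOsDetails, assessedResourceType)
    by status, assessmentType, tenantId, subscriptionId, registryHost, resourceId
// Resolve the subscription display name; leftouter keeps images whose
// subscription row is not visible to the caller.
| join kind=leftouter (
    ResourceContainers
    | where type == "microsoft.resources/subscriptions"
    | project subscriptionId, subscriptionName = name
    ) on subscriptionId
| sort by tenantId asc, subscriptionName asc, status asc, resourceId asc
| project
    resourceId,
    tenantId,
    subscriptionId,
    subscriptionName,
    location,
    registryHost,
    resourceGroup,
    repositoryName,
    imageDigest,
    imageOs,
    imageOsDetails,
    assessedResourceType,
    Scanners,
    status,
    assessmentType,
    Vulnerabilities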

Explanation

This query retrieves security assessment data for Microsoft Container Registry resources. It extracts various properties such as registry host, repository name, image digest, image OS, assessed resource type, scanner, time generated, status, patchable, assessment type, severity, category, display name, description, impact, remediation, CVSSv2 score, CVSSv3 score, resource ID, assessment ID, and CVEs. It then deduplicates repeated CVEs per finding and aggregates all findings of an image into a single row. Finally, it joins the data with the subscription information and sorts the results. The final output includes resource ID, tenant ID, subscription ID, subscription name, location, registry host, resource group, repository name, image digest, image OS, image OS details, assessed resource type, scanners, status, assessment type, and vulnerabilities.

Details


Jose Sebastián Canós

Released: September 5, 2023

Tables

SecurityResources, ResourceContainers

Keywords

Keywords:SecurityResources,type,id,providers,Microsoft.ContainerRegistry/registries,extend,registryHost,repositoryName,imageDigest,imageOs,imageOsDetails,assessedResourceType,scanner,timeGenerated,status,patchable,assessmentType,severity,category,displayName,description,impact,remediation,cvssv2,cvssv3,resourceId,assessmentId,cve,mv-expand,iff,summarize,arg_max,location,resourceGroup,tenantId,subscriptionId,make_set,make_list,pack,CVE,Category,DisplayName,Severity,CVSSv2,CVSSv3,Patchable,AssessmentId,join,ResourceContainers,project,subscriptionName,sort

Operators

wherehas=~extendtostringtodatetimetobooleantointpropertiesarray_lengthiffmv-expandsummarizearg_maxbymake_setmake_listpackjoinkind=leftouterprojectsortascproject
