KQL Search

Query Details

HomeAI ToolsDevice Query

Multiple Virtual Machines SQL Vulnerability Assessments

Query

// Alternatively use here: https://portal.azure.com/#view/HubsExtension/ArgQueryBlade
arg("").SecurityResources
| where type =~ "microsoft.security/assessments/subassessments"
| where properties has "SqlVirtualMachineVulnerability" or properties has "SqlServerVulnerability"// or id has "f97aa83c-9b63-4f9a-99f6-b22c4398f936" or id has "82e20e14-edc5-4373-bfc4-f13121257c37"
| extend
    resourceId = tostring(properties["resourceDetails"]["id"]),
    displayName = tostring(properties["displayName"]),
    description = tostring(properties["description"]),
    assessedResourceType = tostring(properties["additionalData"]["assessedResourceType"]),
    type =  tostring(properties["additionalData"]["type"]),
    severity = tostring(properties["status"]["severity"]),
    code = tostring(properties["status"]["code"]),
    category = tostring(properties["category"]),
    impact = tostring(properties["impact"]),
    remediation = tostring(properties["remediation"]),
    id = tostring(properties["id"]),
    scanId = tostring(properties["additionalData"]["scanId"])
| where not(code == "Healthy")
| join hint.remote=local kind=leftouter (
    arg("").ResourceContainers
    | where type == "microsoft.resources/subscriptions"
    | project subscriptionId, subscriptionName = name
    ) on subscriptionId
| sort by assessedResourceType asc, code asc, tenantId asc, subscriptionName asc, resourceId asc, category asc, id asc
| project
    subscriptionName,
    resourceGroup,
    resourceId,
    type,
    assessedResourceType,
    code,
    category,
    displayName,
    description,
    severity,
    remediation,
    impact,
    id,
    scanId

Explanation

This query retrieves security assessment information for SQL virtual machines and SQL servers. It filters the results to include only vulnerabilities related to these resources. It then extends the query to include additional information such as resource ID, display name, description, assessed resource type, severity, code, category, impact, remediation, ID, and scan ID. The query also joins the results with subscription information and sorts the results based on various criteria. Finally, it projects specific columns for the final result set.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: September 5, 2023

Tables

SecurityResourcesResourceContainers

Keywords

Devices,Intune,User

Operators

argwhereorhasextendtostringnotjoinhint.remotekindprojectonsortascsubscriptionNameresourceGroupresourceIdtypeassessedResourceTypecodecategorydisplayNamedescriptionseverityremediationimpactidscanIdproject

Actions