Query Details

Parsing Wiz Issues

Query

// Normalises raw WizIssues_CL rows into a fixed set of readable columns and
// gathers every remaining column into a single EntityTags property bag.
//
// expected_keys lists the columns that must NOT end up in EntityTags: the
// source columns consumed by the project below, plus SourceSystem, TenantId
// and Type. It is used only in the final bag_remove_keys() call.
let expected_keys = dynamic([
    "SourceSystem",
    "TenantId",
    "TimeGenerated",
    "Type",
    "createdAt_t",
    "description_s",
    "dueAt_t",
    "entitySnapshot_cloudPlatform_s",
    "entitySnapshot_cloudProviderURL_s",
    "entitySnapshot_externalId_g",
    "entitySnapshot_externalId_s",
    "entitySnapshot_id_g",
    "entitySnapshot_name_s",
    "entitySnapshot_nativeType_s",
    "entitySnapshot_providerId_g",
    "entitySnapshot_providerId_s",
    "entitySnapshot_region_s",
    "entitySnapshot_resourceGroupExternalId_s",
    "entitySnapshot_status_s",
    "entitySnapshot_subscriptionExternalId_g",
    "entitySnapshot_subscriptionExternalId_s",
    "entitySnapshot_subscriptionName_s",
    "entitySnapshot_type_s",
    "id_g",
    "notes_s",
    "openReason_s",
    "projects_s",
    "serviceTickets_s",
    "severity_s",
    "sourceRule___typename_s",
    "sourceRule_id_g",
    "sourceRule_id_s",
    "sourceRule_name_s",
    "sourceRule_resolutionRecommendation_s",
    "sourceRule_sourceType_s",
    "sourceRule_type_s",
    "sourceURL_s",
    "status_s",
    "statusChangedAt_t",
    "updatedAt_t"
]);
WizIssues_CL
// Disabled alternative: dropping the tag columns outright instead of packing them.
//| project-away entitySnapshot_tags_*, entitySnapshot_subscriptionTags_*
// Output columns appear in the order listed here; only TimeGenerated keeps its source name.
| project
    TimeGenerated,
    CreatedAt = createdAt_t,
    UpdatedAt = updatedAt_t,
    DueAt = dueAt_t,
    StatusChangedAt = statusChangedAt_t,
    Status = status_s,
    Severity = severity_s,
    OpenReason = openReason_s,
    IssueType = sourceRule___typename_s,
    RuleSourceType = sourceRule_sourceType_s,
    RuleType = sourceRule_type_s,
    // Several identifiers exist as both a _g and a _s column; coalesce() keeps
    // whichever of the pair has a value, preferring the _g column.
    // NOTE(review): presumably the column used depends on whether the ingested
    // value parsed as a GUID - confirm against the connector.
    // NOTE(review): coalesce() is documented as taking same-typed arguments;
    // confirm the mixed _g/_s calls evaluate as intended in your workspace.
    RuleId = coalesce(sourceRule_id_g, sourceRule_id_s),
    IssueId = id_g,
    IssueName = sourceRule_name_s,
    Description = description_s,
    ResolutionRecommendation = sourceRule_resolutionRecommendation_s,
    Projects = projects_s,
    ServiceTickets = serviceTickets_s,
    Notes = notes_s,
    IssueUrl = sourceURL_s,
    EntityType = entitySnapshot_type_s,
    EntityCloudPlatform = entitySnapshot_cloudPlatform_s,
    EntityRegion = entitySnapshot_region_s,
    EntitySubscriptionId = coalesce(entitySnapshot_subscriptionExternalId_g, entitySnapshot_subscriptionExternalId_s),
    EntitySubscriptionName = entitySnapshot_subscriptionName_s,
    EntityResourceGroup = entitySnapshot_resourceGroupExternalId_s,
    EntityNativeType = entitySnapshot_nativeType_s,
    EntityName = entitySnapshot_name_s,
    EntityStatus = entitySnapshot_status_s,
    EntityCloudProviderUrl = entitySnapshot_cloudProviderURL_s,
    EntityExternalId = coalesce(entitySnapshot_externalId_g, entitySnapshot_externalId_s),
    EntityProviderId = coalesce(entitySnapshot_providerId_g, entitySnapshot_providerId_s),
    EntityId = entitySnapshot_id_g,
    // pack_all(true) packs every column of the input row into a bag, skipping
    // null/empty values; bag_remove_keys() then drops the expected_keys, so the
    // bag holds only columns not named above. The disabled project-away line
    // suggests these are the entitySnapshot_tags_* and
    // entitySnapshot_subscriptionTags_* columns, merged here into one bag.
    // NOTE(review): any column the connector adds later also lands in
    // EntityTags until it is added to expected_keys, so do not assume the bag
    // is tags-only when filtering or alerting on it.
    EntityTags = bag_remove_keys(pack_all(true), expected_keys)

Explanation

This query selects specific fields from the WizIssues_CL table and renames them for easier understanding. Columns that are not in the expected_keys list are not discarded: they are packed, with empty values omitted, into a single EntityTags field, which leaves the data in a more readable format.

Details


Jose Sebastián Canós

Released: April 11, 2024

Tables

WizIssues_CL

Keywords

SourceSystem,TenantId,TimeGenerated,Type,createdAt_t,description_s,dueAt_t,entitySnapshot_cloudPlatform_s,entitySnapshot_cloudProviderURL_s,entitySnapshot_externalId_g,entitySnapshot_externalId_s,entitySnapshot_id_g,entitySnapshot_name_s,entitySnapshot_nativeType_s,entitySnapshot_providerId_g,entitySnapshot_providerId_s,entitySnapshot_region_s,entitySnapshot_resourceGroupExternalId_s,entitySnapshot_status_s,entitySnapshot_subscriptionExternalId_g,entitySnapshot_subscriptionExternalId_s,entitySnapshot_subscriptionName_s,entitySnapshot_type_s,id_g,notes_s,openReason_s,projects_s,serviceTickets_s,severity_s,sourceRule___typename_s,sourceRule_id_g,sourceRule_id_s,sourceRule_name_s,sourceRule_resolutionRecommendation_s,sourceRule_sourceType_s,sourceRule_type_s,sourceURL_s,status_s,statusChangedAt_t,updatedAt_t,WizIssues_CL,IssueType,RuleSourceType,RuleType,RuleId,IssueId,IssueName,Description,ResolutionRecommendation,Projects,ServiceTickets,Notes,IssueUrl,EntityType,EntityCloudPlatform,EntityRegion,EntitySubscriptionId,EntitySubscriptionName,EntityResourceGroup,EntityNativeType,EntityName,EntityStatus,EntityCloudProviderUrl,EntityExternalId,EntityProviderId,EntityId,EntityTags.

Operators

project, coalesce, bag_remove_keys, pack_all
