Query Details
let query_period = 120d;
SecurityNestedRecommendation
| where TimeGenerated > ago(query_period) and ParentRecommendationId in ("37a3689a-818e-4a0e-82ac-b1392b9bb000")
// Per resource and vulnerability: earliest sub-assessment time plus the full latest record
| summarize hint.strategy=shuffle
    StartSubAssessment = min(SubAssessmentTimeGeneration),
    EndSubAssessment = arg_max(SubAssessmentTimeGeneration, *)
    by AssessedResourceId, VulnerabilityId
// Look up subscription names in Azure Resource Graph
| join hint.remote=local kind=leftouter (
    arg("").ResourceContainers
    | where type == "microsoft.resources/subscriptions"
    | project RecommendationSubscriptionId = subscriptionId, RecommendationSubscriptionName = name
    ) on RecommendationSubscriptionId
| project
    StartSubAssessment,
    EndSubAssessment,
    // Whole days between the first and the latest sub-assessment
    Assessment_Age = bin(EndSubAssessment - StartSubAssessment, 1d)/1d,
    IsSnapshot,
    ParentRecommendationId,
    RecommendationState,
    Cause,
    RecommendationSeverity,
    Category,
    RecommendationName,
    Description,
    Impact,
    // Show the subscription name when the join found one, otherwise the ID
    RecommendationSubscriptionId = coalesce(RecommendationSubscriptionName, RecommendationSubscriptionId),
    ResourceGroup,
    ResourceName = tostring(split(AssessedResourceId, "/")[-1]),
    AssessedResourceId,
    VulnerabilityId,
    ResourceLocation = tostring(coalesce(ResourceDetails["Source"], ResourceDetails["source"]))
This query retrieves the nested security recommendations (sub-assessments) reported under a specific parent recommendation ID during the query period (120 days). It summarizes them by assessed resource ID and vulnerability ID, keeping the earliest sub-assessment time and the most recent record for each pair. A left outer join against the Azure Resource Graph ResourceContainers table adds the subscription name, falling back to the subscription ID when no name is found. The final result includes the start and end times of the sub-assessment, the assessment age in whole days between them, the recommendation state, severity, category, and more.
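The same summarize, join and age logic run against inline data, as an added example that is not part of the original query: it can be pasted into any query window without access to the real tables. The two datatables, their rows, and the names SampleFindings and SampleSubscriptions are constructed stand-ins for SecurityNestedRecommendation and arg("").ResourceContainers.

```kusto
// Constructed sample rows standing in for SecurityNestedRecommendation (not real data).
let SampleFindings = datatable(
    SubAssessmentTimeGeneration: datetime, AssessedResourceId: string, VulnerabilityId: string,
    RecommendationState: string, RecommendationSubscriptionId: string)
[
    // vm-a / VULN-0001: reported three times; the state differs in the latest record
    datetime(2024-01-01 08:00), "/subscriptions/sub-1/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm-a", "VULN-0001", "Unhealthy", "sub-1",
    datetime(2024-01-10 20:00), "/subscriptions/sub-1/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm-a", "VULN-0001", "Unhealthy", "sub-1",
    datetime(2024-01-15 02:00), "/subscriptions/sub-1/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm-a", "VULN-0001", "Healthy", "sub-1",
    // vm-b / VULN-0002: reported once, in a subscription with no name in the lookup table
    datetime(2024-01-05 09:00), "/subscriptions/sub-2/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm-b", "VULN-0002", "Unhealthy", "sub-2"
];
// Constructed stand-in for the subscription lookup; sub-2 is deliberately missing.
let SampleSubscriptions = datatable(
    RecommendationSubscriptionId: string, RecommendationSubscriptionName: string)
[
    "sub-1", "Demo subscription"
];
SampleFindings
// One row per resource/vulnerability pair: first timestamp plus the whole latest record
| summarize
    StartSubAssessment = min(SubAssessmentTimeGeneration),
    EndSubAssessment = arg_max(SubAssessmentTimeGeneration, *)
    by AssessedResourceId, VulnerabilityId
| join kind=leftouter SampleSubscriptions on RecommendationSubscriptionId
| project
    ResourceName = tostring(split(AssessedResourceId, "/")[-1]),
    VulnerabilityId,
    StartSubAssessment,
    EndSubAssessment,
    // bin() floors the timespan to whole days before the division by 1d
    Assessment_Age = bin(EndSubAssessment - StartSubAssessment, 1d) / 1d,
    // Taken from the latest record, because arg_max(..., *) carries its columns along
    RecommendationState,
    // Name when the join matched, otherwise the raw subscription ID
    RecommendationSubscriptionId = coalesce(RecommendationSubscriptionName, RecommendationSubscriptionId)
```

Note that Assessment_Age spans only the first and latest sub-assessments inside the queried window, so a pair reported a single time has identical start and end timestamps.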

Jose Sebastián Canós
Released: February 2, 2024