Query Details

Security Nested Recommendation Linux Virtual Machines Secure Boot Assessments

Query

let query_period = 120d;
SecurityNestedRecommendation
| where TimeGenerated > ago(query_period) and ParentRecommendationId in ("ad50b498-f90c-451f-886f-d0a169cc5002")
| summarize hint.strategy=shuffle
    StartSubAssessment = min(SubAssessmentTimeGeneration),
    EndSubAssessment = arg_max(SubAssessmentTimeGeneration, *)
    by AssessedResourceId, VulnerabilityId
| join hint.remote=local kind=leftouter (
    arg("").ResourceContainers
    | where type == "microsoft.resources/subscriptions"
    | project RecommendationSubscriptionId = subscriptionId, RecommendationSubscriptionName = name
    ) on RecommendationSubscriptionId
| project
    StartSubAssessment,
    EndSubAssessment,
    Assessment_Age = bin(EndSubAssessment - StartSubAssessment, 1d)/1d,
    IsSnapshot,
    ParentRecommendationId,
    RecommendationState,
    Cause,
    RecommendationSeverity,
    Category,
    RecommendationName,
    Description,
    RecommendationSubscriptionId = coalesce(RecommendationSubscriptionName, RecommendationSubscriptionId),
    ResourceGroup,
    ResourceName = tostring(split(AssessedResourceId, "/")[-1]),
    AssessedResourceId,
    VulnerabilityId,
    ResourceLocation = tostring(coalesce(ResourceDetails["Source"], ResourceDetails["source"]))

Explanation

This query retrieves the nested sub-assessments recorded in SecurityNestedRecommendation for one parent recommendation ID (the Linux VM Secure Boot recommendation) over the last 120 days. It summarizes the rows by assessed resource ID and vulnerability ID, keeping the earliest sub-assessment time and the latest sub-assessment row for each pair, then joins with the subscription records from Azure Resource Graph (arg("").ResourceContainers) so the subscription name can be shown in place of its ID. The final result includes the start and end times of the sub-assessment, the assessment age in days, whether the row is a snapshot, the parent recommendation ID, recommendation state, cause, severity, category, name, description, subscription name or ID, resource group, resource name (taken from the last segment of the resource ID), assessed resource ID, vulnerability ID, and resource location.
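As an added example (not part of the original page), the following KQL builds on the same table and parent recommendation ID to turn the per-resource rows into a posture summary: only findings whose latest sub-assessment is still open are kept, and they are counted per subscription and severity together with how long they have been open. The state value "Unhealthy" is assumed to be the value Defender for Cloud writes to RecommendationState for open findings.

```kusto
let query_period = 120d;
// Parent recommendation ID taken from the page's query (Secure Boot on Linux VMs).
let secure_boot_rec = "ad50b498-f90c-451f-886f-d0a169cc5002";
SecurityNestedRecommendation
| where TimeGenerated > ago(query_period) and ParentRecommendationId == secure_boot_rec
// Same per-resource/per-vulnerability reduction as the catalog query:
// earliest sub-assessment time plus the full latest row.
| summarize
    StartSubAssessment = min(SubAssessmentTimeGeneration),
    EndSubAssessment = arg_max(SubAssessmentTimeGeneration, *)
    by AssessedResourceId, VulnerabilityId
// Keep only findings whose latest sub-assessment is still open.
// "Unhealthy" is assumed to be the state value used by Defender for Cloud.
| where RecommendationState == "Unhealthy"
// Age of the finding in whole days, as in the page's Assessment_Age column.
| extend AgeDays = toint((EndSubAssessment - StartSubAssessment) / 1d)
| summarize
    OpenFindings = count(),
    AffectedResources = dcount(AssessedResourceId),
    OldestFindingDays = max(AgeDays),
    MedianAgeDays = percentile(AgeDays, 50)
    by RecommendationSubscriptionId, RecommendationSeverity
| order by RecommendationSeverity asc, OpenFindings desc
```

Rows with a high OldestFindingDays are VMs where Secure Boot has stayed unassessed or unremediated across repeated scans, which is the list to hand to the platform owners first.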

Details


Jose Sebastián Canós

Released: February 2, 2024

Tables

SecurityNestedRecommendation, arg("")

Keywords

Devices, Intune, User

Operators

where, and, in, summarize, hint.strategy, min, arg_max, by, join, hint.remote, kind, leftouter, arg, where, project, bin, IsSnapshot, coalesce, tostring, split, coalesce, ResourceDetails
