Query Details

Security Nested Recommendation Unprotected Secrets Assessments

Query

let query_period = 120d;
SecurityNestedRecommendation
| where TimeGenerated > ago(query_period) and ParentRecommendationId in ("17618b1a-ed14-49bb-b37f-9f8ba967be8b")
| summarize hint.strategy=shuffle
    StartSubAssessment = min(SubAssessmentTimeGeneration),
    EndSubAssessment = arg_max(SubAssessmentTimeGeneration, *)
    by AssessedResourceId, VulnerabilityId
| join hint.remote=local kind=leftouter (
    arg("").ResourceContainers
    | where type == "microsoft.resources/subscriptions"
    | project RecommendationSubscriptionId = subscriptionId, RecommendationSubscriptionName = name
    ) on RecommendationSubscriptionId
| project
    StartSubAssessment,
    EndSubAssessment,
    Assessment_Age = bin(EndSubAssessment - StartSubAssessment, 1d)/1d,
    IsSnapshot,
    ParentRecommendationId,
    RecommendationState,
    Cause,
    RecommendationSeverity,
    Category,
    RecommendationName,
    Description,
    Impact,
    RecommendationSubscriptionId = coalesce(RecommendationSubscriptionName, RecommendationSubscriptionId),
    ResourceGroup,
    ResourceName = tostring(split(AssessedResourceId, "/")[-1]),
    AssessedResourceId,
    VulnerabilityId,
    ResourceLocation = tostring(coalesce(ResourceDetails["Source"], ResourceDetails["source"]))

Explanation

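This query retrieves the nested security recommendations (sub-assessments) recorded under one parent recommendation, selected by ParentRecommendationId 17618b1a-ed14-49bb-b37f-9f8ba967be8b. It keeps records from the last 120 days (query_period) and summarizes them by assessed resource ID and vulnerability ID: StartSubAssessment is the earliest SubAssessmentTimeGeneration in that window, and arg_max returns the most recent record with all of its columns, with its timestamp renamed to EndSubAssessment. A left outer join against the Azure Resource Graph ResourceContainers table, reached through arg(""), resolves each subscription ID to its subscription name, and coalesce falls back to the ID when no name is found. The final result includes the start and end times of the sub-assessment, the assessment age (whole days between the first and last sub-assessment), snapshot flag, parent recommendation ID, recommendation state, cause, severity, category, name, description, impact, subscription, resource group, resource name (the last segment of the assessed resource ID), assessed resource ID, vulnerability ID, and resource location (read from the "Source" or "source" key of ResourceDetails).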
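
The summarize step described above, run over constructed rows so it can be tried without the SecurityNestedRecommendation table (an added example, not part of the original query; the sample resource IDs, finding IDs and state values are made up). It shows that Assessment_Age is the whole-day span between the first and last observation inside the window, so a finding seen only once reports 0.

```kusto
// Constructed sample rows standing in for SecurityNestedRecommendation.
// Resource IDs, finding IDs and state values are made up for illustration.
let SampleFindings = datatable(
    SubAssessmentTimeGeneration: datetime,
    AssessedResourceId: string,
    VulnerabilityId: string,
    RecommendationState: string
) [
    // finding-a on vm-demo-01: observed three times across 10 days and 12 hours
    datetime(2024-01-01 05:00:00), "/subscriptions/0000/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/vm-demo-01", "finding-a", "Unhealthy",
    datetime(2024-01-06 05:00:00), "/subscriptions/0000/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/vm-demo-01", "finding-a", "Unhealthy",
    datetime(2024-01-11 17:00:00), "/subscriptions/0000/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/vm-demo-01", "finding-a", "Unhealthy",
    // finding-b on vm-demo-01: observed once, so first and last observation coincide
    datetime(2024-01-03 05:00:00), "/subscriptions/0000/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/vm-demo-01", "finding-b", "Unhealthy",
    // finding-a on vm-demo-02: the state differs between the first and the latest row
    datetime(2024-01-02 05:00:00), "/subscriptions/0000/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/vm-demo-02", "finding-a", "Unhealthy",
    datetime(2024-01-09 05:00:00), "/subscriptions/0000/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/vm-demo-02", "finding-a", "Healthy"
];
SampleFindings
// One output row per (resource, finding) pair.
// min() gives the first observation; arg_max(..., *) carries every column
// of the latest row, so RecommendationState below is the most recent state.
| summarize
    StartSubAssessment = min(SubAssessmentTimeGeneration),
    EndSubAssessment = arg_max(SubAssessmentTimeGeneration, *)
    by AssessedResourceId, VulnerabilityId
| project
    ResourceName = tostring(split(AssessedResourceId, "/")[-1]),
    VulnerabilityId,
    StartSubAssessment,
    EndSubAssessment,
    // bin(..., 1d) floors the span to whole days; dividing by 1d turns the timespan into a number
    Assessment_Age = bin(EndSubAssessment - StartSubAssessment, 1d) / 1d,
    RecommendationState
| order by ResourceName asc, VulnerabilityId asc
```

Because StartSubAssessment is computed only from rows inside query_period, the age of a finding that predates the window is capped by the window length.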

Details

Jose Sebastián Canós

Released: February 2, 2024

Tables

SecurityNestedRecommendation, arg("")

Keywords

Devices, Intune, User

Operators

where, and, in, summarize, hint.strategy, min, arg_max, by, join, hint.remote, kind, leftouter, where, project, bin, IsSnapshot, coalesce, tostring, split, coalesce