SergioT1228 (Brass Contributor), May 10, 2023
KQL query for Vulnerability assessments - add OS to query
We have been using one of the Resource Graph KQL queries and wanted to add a project for OS:
securityresources
| where type =~ "microsoft.security/assessments/subassessments"
| extend assessmentKey=extract("providers/Microsoft.Security/assessments/([^/]*)", 1, id), subAssessmentId=tostring(properties.id)
| where assessmentKey == "4ab6e3c5-74dd-8b35-9ab9-f61b30875b27"
| extend subAssessmentName=tostring(properties.displayName), resourceId = tostring(properties.resourceDetails.id)
| project
os = properties.additionalData.data.OperatingSystem,
resourcedId = properties.resourceDetails.id,
subAssessmentName = properties.displayName,
cve = properties.additionalData.data.CVENumbers,
category = properties.category,
severity = properties.status.severity,
remediation = properties.remediation
timegenerated = properties.timeGenerated
| order by tostring(severity) asc
I added the KQL I thought would work, but I'm receiving "Query is invalid".
Please advise,
Serge
- Clive_Watson (Bronze Contributor): You missed the "," from the end of line 13, line 13 should look like this:
remediation = properties.remediation,
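
The full query with that comma restored, as an added example that is not part of either post. The property paths are the ones from the question; the `tostring()` casts and the `severityRank` column are additions, and the rank assumes severity values of High, Medium and Low. It is there because `order by tostring(severity) asc` sorts alphabetically (High, Low, Medium).

```kusto
securityresources
| where type =~ "microsoft.security/assessments/subassessments"
| extend assessmentKey = extract("providers/Microsoft.Security/assessments/([^/]*)", 1, id)
| where assessmentKey == "4ab6e3c5-74dd-8b35-9ab9-f61b30875b27"
// Every item in the project list except the last must end with a comma;
// a missing comma is what produced "Query is invalid".
| project
    os = tostring(properties.additionalData.data.OperatingSystem),
    resourceId = tostring(properties.resourceDetails.id),
    subAssessmentName = tostring(properties.displayName),
    cve = properties.additionalData.data.CVENumbers,
    category = tostring(properties.category),
    severity = tostring(properties.status.severity),
    remediation = tostring(properties.remediation),
    timegenerated = tostring(properties.timeGenerated)
// Assumed severity values: High, Medium, Low. Anything else sorts last.
| extend severityRank = case(severity == "High", 0, severity == "Medium", 1, severity == "Low", 2, 3)
| order by severityRank asc
```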