Forum Discussion
KQL that shows an Exemptions description and Created by within Exemption policy
We have several exemptions that were initiated by a former employee that we need to evaluate. We have over 4K and some are implemented at the subscription level and others at the resource. I have been able to create a query that shows all exemptions with a Cause "exempt" but I'm unable to find the "Description" and "Created by" columns.
securityresources
| where type == "microsoft.security/assessments"
| extend source = trim(' ', tolower(tostring(properties.resourceDetails.Source)))
| extend resourceId = trim(' ', tolower(tostring(case(source =~ "azure", properties.resourceDetails.Id,extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,id)))))
| extend status = trim(" ", tostring(properties.status.code))
| extend cause = trim(" ", tostring(properties.status.cause))
| extend assessmentKey = tostring(name)
| where cause == "Exempt"
This query is a work in progress; my hope is to create a similar query that looks like the "Download report" from the Regulatory compliance section. But until I'm able to get the Description and Created by, the report is not of much use.
Please advise on the location/table for these missing fields.
Cheers,
4 Replies
- Clive_Watson (Bronze Contributor)
| extend description = trim(" ", tostring(properties.metadata.description))
The "createdby" isn't listed in the api, so it probably comes from another place https://learn.microsoft.com/en-us/rest/api/defenderforcloud/assessments/list?tabs=HTTP
- SergioT1228 (Brass Contributor)
Unfortunately the metadata.description does not provide me with the Exemption description.
from the kql: metadata":{"description":"Enable FTPS enforcement for enhanced security".
This is not what we have for the description. I'll keep digging and hopefully find the right field for both.
Cheers
- Lior Arviv (Microsoft)
There is still no way to access exemptions data in Azure Resource Graph, only via API, because exemptions are written on Azure Policy, and it currently misses the exemptions part. However, there is a community artifact that generates exemptions reports based on API: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-to-generate-a-microsoft-defender-for-cloud-exemption-and/ba-p/2302899
Hope it helps.
- SergioT1228 (Brass Contributor)
Thank you for the information. I wonder who could advise on the Created by field. Cheers
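An added example, not code from any poster in this thread: a sketch of the API-based review the replies point to, flattening a policy exemptions list response into rows with description, creator, scope level and expiry. It assumes the response has the shape of the Azure Policy exemptions list API, with `properties.description` and `systemData.createdBy`; the subscription ID, names and records are constructed.

```python
import re
from datetime import datetime, timezone

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # constructed placeholder
SUFFIX = "/providers/Microsoft.Authorization/policyExemptions/"

def item(scope, name, desc, creator, expires=None):
    """Build one constructed record in the assumed list-response shape."""
    return {"id": scope + SUFFIX + name, "name": name,
            "properties": {"description": desc, "exemptionCategory": "Waiver",
                           "expiresOn": expires},
            "systemData": {"createdBy": creator}}

# Constructed sample data, not real tenant output.
SAMPLE = {"value": [
    item(SUB, "ex-sub", "Legacy FTP until migration", "former.employee@example.com",
         "2023-01-31T00:00:00Z"),
    item(SUB + "/resourceGroups/rg-web/providers/Microsoft.Web/sites/app1", "ex-res",
         "Vendor appliance, no FTPS support", "former.employee@example.com"),
    item(SUB + "/resourceGroups/rg-data", "ex-rg", "Approved by CISO", "admin@example.com"),
]}

def scope_level(exemption_id):
    """Classify the scope an exemption is attached to, from its resource ID."""
    scope = re.split(re.escape(SUFFIX), exemption_id, flags=re.I)[0]
    parts = [p.lower() for p in scope.split("/") if p]
    if parts[:1] == ["providers"]:
        return "managementGroup"
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resourceGroup"
    return "resource"

def exemption_report(payload, created_by=None, now=None):
    """Flatten exemptions to review rows, optionally filtered by creator."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for ex in payload.get("value", []):
        props, sysd = ex.get("properties") or {}, ex.get("systemData") or {}
        creator = sysd.get("createdBy") or ""
        if created_by and creator.lower() != created_by.lower():
            continue
        exp = props.get("expiresOn")
        rows.append({"name": ex.get("name"), "level": scope_level(ex["id"]),
                     "category": props.get("exemptionCategory"),
                     "description": props.get("description") or "",
                     "createdBy": creator or "(not returned)",
                     "expired": bool(exp) and
                                datetime.fromisoformat(exp.replace("Z", "+00:00")) < now})
    return rows
```

Rows flagged `expired` or created by an account that no longer exists are the ones to review first; the creator filter is case-insensitive.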