Forum Discussion
marktait19
Feb 08, 2023 Copper Contributor
Security Recommendation - is it available in any table in KQL query editor
Hi. When in Security Recommendations, I can enter a CVE reference, and there is a column in the display for "Security Recommendation" (please see attached screenshot). So for example, for: CV...
BaruchAbitbol
Mar 01, 2023 Copper Contributor
you can add*
*In order
marktait19
Mar 01, 2023 Copper Contributor
Hi - sorry, I wasn't clear - it's just not returning the number of results I'd expect. It should be listing 100's of devices, but I'm only seeing 1 device listed in all 118 results.
Thanks again, Mark
BaruchAbitbol
Mar 01, 2023 Copper Contributor
fixed it.
try this:
DeviceTvmSecureConfigurationAssessment
| project DeviceName, ConfigurationId
| join kind=inner ( DeviceTvmSecureConfigurationAssessmentKB
| project ConfigurationName, ConfigurationDescription, RiskDescription, ConfigurationCategory, ConfigurationImpact, ConfigurationSubcategory, RemediationOptions, ConfigurationId
)
on ConfigurationId
| project ConfigurationId, DeviceName, ConfigurationName, ConfigurationDescription, RiskDescription, ConfigurationCategory, ConfigurationImpact, ConfigurationSubcategory, RemediationOptions
| distinct DeviceName, ConfigurationId, ConfigurationName, ConfigurationDescription, RiskDescription, ConfigurationCategory, ConfigurationImpact, ConfigurationSubcategory, RemediationOptions
| sort by DeviceName asc
Jaideep445
May 22, 2023 Copper Contributor
Works well. Is there a way we can exclude the devices with onboarding status "can be onboarded"? Number of devices in the network do read some extra devices and they all get added in the recommendations list. So, trying to exclude those devices. I did a bit of modification to the query but not sure if this is correct or not.
DeviceTvmSecureConfigurationAssessment
| project DeviceName, ConfigurationId
| join kind=inner ( DeviceTvmSecureConfigurationAssessmentKB
| project ConfigurationName, ConfigurationDescription, RiskDescription, ConfigurationCategory, ConfigurationImpact, ConfigurationSubcategory, RemediationOptions, ConfigurationId
)
on ConfigurationId
| join kind=inner ( DeviceInfo
| where OnboardingStatus !contains "can be onboarded" and ExposureLevel contains "high"
)
on DeviceName
| project ConfigurationId, DeviceName, ConfigurationName, ConfigurationDescription, RiskDescription, ConfigurationCategory, ConfigurationImpact, ConfigurationSubcategory, RemediationOptions
| distinct DeviceName, ConfigurationId, ConfigurationName, ConfigurationDescription, RiskDescription, ConfigurationCategory, ConfigurationImpact, ConfigurationSubcategory, RemediationOptions
| sort by DeviceName asc
slouies
Oct 30, 2023 Copper Contributor
Hello,
I am very interested in this query.
However, it seems that some entries in "DeviceTvmSecureConfigurationAssessment" have "ConfigurationId" values that are not found in the "DeviceTvmSecureConfigurationAssessmentKB" table.
Any idea?
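An added example (not part of the thread) relating to the two posts above: a leftouter join keeps assessment rows whose ConfigurationId has no KB entry and flags them, where kind=inner silently drops them, and devices are limited to those whose latest DeviceInfo record shows them as onboarded, matched on DeviceId rather than DeviceName. OnboardedDevices and HasKbEntry are names introduced here; the column names are assumed from the advanced hunting schema.

```kql
// Added example, not from the thread.
// Assumes DeviceId and Timestamp exist on DeviceInfo and on the assessment table,
// and that DeviceInfo.OnboardingStatus uses the value "Onboarded".
let OnboardedDevices =
    DeviceInfo
    // DeviceInfo holds many rows per device; keep only the most recent one
    | summarize arg_max(Timestamp, OnboardingStatus) by DeviceId
    | where OnboardingStatus =~ "Onboarded"
    | project DeviceId;
DeviceTvmSecureConfigurationAssessment
// DeviceId is a stable key; DeviceName can be reused or renamed
| join kind=inner (OnboardedDevices) on DeviceId
| distinct DeviceId, DeviceName, ConfigurationId
// leftouter keeps every assessment row, even when the KB has no matching entry
| join kind=leftouter (
    DeviceTvmSecureConfigurationAssessmentKB
    | project ConfigurationId, ConfigurationName, ConfigurationDescription,
              RiskDescription, RemediationOptions
  ) on ConfigurationId
// An empty ConfigurationName means the KB table had no row for this ConfigurationId
| extend HasKbEntry = isnotempty(ConfigurationName)
| project DeviceName, ConfigurationId, HasKbEntry, ConfigurationName,
          ConfigurationDescription, RiskDescription, RemediationOptions
// Rows without a KB entry sort first so they are easy to review
| sort by HasKbEntry asc, DeviceName asc
```

Rows with HasKbEntry == false are the assessment entries that an inner join against the KB table would have removed from the result.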
marktait19
Mar 01, 2023 Copper Contributor
Thank you so much - all the best!