Forum Discussion
marktait19
Feb 08, 2023 Copper Contributor
Security Recommendation - is it available in any table in KQL query editor
Hi. When in Security Recommendations, I can enter a CVE reference, and there is a column in the display for "Security Recommendation" (please see attached screenshot). So for example, for: CV...
marktait19
Mar 01, 2023 Copper Contributor
Hi - sorry, I wasn't clear - it's just not returning the number of results I'd expect. It should be listing 100's of devices, but I'm only seeing 1 device listed in all 118 results.
Thanks again, Mark
BaruchAbitbol
Mar 01, 2023 Copper Contributor
Fixed it.
Try this:
DeviceTvmSecureConfigurationAssessment
| project DeviceName, ConfigurationId
| join kind=inner ( DeviceTvmSecureConfigurationAssessmentKB
| project ConfigurationName, ConfigurationDescription, RiskDescription, ConfigurationCategory, ConfigurationImpact, ConfigurationSubcategory, RemediationOptions, ConfigurationId
)
on ConfigurationId
| project ConfigurationId, DeviceName, ConfigurationName, ConfigurationDescription, RiskDescription, ConfigurationCategory, ConfigurationImpact, ConfigurationSubcategory, RemediationOptions
| distinct DeviceName, ConfigurationId, ConfigurationName, ConfigurationDescription, RiskDescription, ConfigurationCategory, ConfigurationImpact, ConfigurationSubcategory, RemediationOptions
| sort by DeviceName asc
- Jaideep445 May 22, 2023 Copper Contributor
Works well. Is there a way we can exclude the devices with onboarding status "can be onboarded"? Number of devices in the network do read some extra devices and they all get added in the recommendations list. So, trying to exclude those devices. I did a bit of modification to the query but not sure if this is correct or not.
DeviceTvmSecureConfigurationAssessment
| project DeviceName, ConfigurationId
| join kind=inner ( DeviceTvmSecureConfigurationAssessmentKB
| project ConfigurationName, ConfigurationDescription, RiskDescription, ConfigurationCategory, ConfigurationImpact, ConfigurationSubcategory, RemediationOptions, ConfigurationId
)
on ConfigurationId
| join kind=inner (DeviceInfo
| where OnboardingStatus !contains "can be onboarded" and ExposureLevel contains "high"
)
on DeviceName
| project ConfigurationId, DeviceName, ConfigurationName, ConfigurationDescription, RiskDescription, ConfigurationCategory, ConfigurationImpact, ConfigurationSubcategory, RemediationOptions
| distinct DeviceName, ConfigurationId, ConfigurationName, ConfigurationDescription, RiskDescription, ConfigurationCategory, ConfigurationImpact, ConfigurationSubcategory, RemediationOptions
| sort by DeviceName asc
- slouies Oct 30, 2023 Copper Contributor
Hello,
I am very interested in this query.
However, it seems that some entries in "DeviceTvmSecureConfigurationAssessment" have "ConfigurationId" values that are not found in the "DeviceTvmSecureConfigurationAssessmentKB" table.
Any idea?
- Jaideep445 Oct 30, 2023 Copper Contributor
Yeah, I just checked and there are about 27 fewer configuration IDs in DeviceTvmSecureConfigurationAssessmentKB. Not sure if there is any other common field that can be used. Maybe let's try to understand what you are trying to accomplish and will see if there is any other alternative.
- BaruchAbitbol May 22, 2023 Copper Contributor
Hi,
Theoretically, it should work.
I'm just concerned that we will see some duplicate entries because also in "DeviceInfo" a device can appear more than once.
- Jaideep445 May 25, 2023 Copper Contributor
When I tested the query, it did show one device more than once, but for a separate recommendation, which I don't mind as I would like to see all recommendations. Unless someone has a better idea.
- marktait19 Mar 01, 2023 Copper Contributor
Thank you so much - all the best!
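
Added example, not written by any poster in this thread and not Microsoft's own query: one way to handle the two concerns raised above, namely devices appearing more than once in DeviceInfo and ConfigurationId values that have no row in DeviceTvmSecureConfigurationAssessmentKB. It assumes the advanced hunting schema columns DeviceId and Timestamp, which the thread's queries do not use; CurrentDevices and KbEntryMissing are names made up for this example.

```kusto
// Added example. Keep only the newest DeviceInfo row per device so each
// device contributes exactly one row to the join, then drop devices that
// are discovered but not onboarded.
let CurrentDevices =
    DeviceInfo
    | summarize arg_max(Timestamp, OnboardingStatus, ExposureLevel) by DeviceId
    | where OnboardingStatus !~ "Can be onboarded"   // case-insensitive compare
    | project DeviceId, OnboardingStatus, ExposureLevel;
DeviceTvmSecureConfigurationAssessment
| project DeviceId, DeviceName, ConfigurationId
// Join on DeviceId rather than DeviceName: the ID is the stable key.
| join kind=inner (CurrentDevices) on DeviceId
// leftouter keeps assessment rows whose ConfigurationId is absent from the
// KB table; with kind=inner those rows silently disappear from the output.
| join kind=leftouter (
    DeviceTvmSecureConfigurationAssessmentKB
    | project ConfigurationId, ConfigurationName, ConfigurationDescription,
              RiskDescription, ConfigurationCategory, ConfigurationImpact,
              ConfigurationSubcategory, RemediationOptions
  ) on ConfigurationId
// Flag rows that had no KB match so they can be reviewed separately.
| extend KbEntryMissing = isempty(ConfigurationName)
| distinct DeviceName, ExposureLevel, ConfigurationId, KbEntryMissing,
           ConfigurationName, ConfigurationDescription, RiskDescription,
           ConfigurationCategory, ConfigurationImpact,
           ConfigurationSubcategory, RemediationOptions
| sort by DeviceName asc, ConfigurationId asc
```

Appending `| where KbEntryMissing` lists only the assessments without a KB description, and `| where ExposureLevel =~ "High"` restores the exposure filter used in the modified query above.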