SOLVED

How to list all resources covered/not covered by Azure Defender using REST API ?

New Contributor

I want to display Defender coverage in a custom application, like the following image:

[Image: Anil_Guliyaan_0-1627624999247.png]

Please help?

4 Replies
best response confirmed by Anil_Guliyaan (New Contributor)
Solution

@Anil_Guliyaan

There is a query from the "Inventory Blade" in ASC; you can amend it (I made a start below on a recent project). This is using ARG rather than the REST API directly. You should be able to see the API info if you need to use that.

securityresources
//| where subscriptionId == "< insert your id here >"
| where type =~ "microsoft.security/assessments" or type =~ "microsoft.security/softwareInventories"
| extend assessmentStatusCode = case(type =~ "microsoft.security/assessments", tostring(properties.status.code), "")
| extend severity = case(assessmentStatusCode =~ "unhealthy", tolower(tostring(properties.metadata.severity)), tolower(assessmentStatusCode))
| extend exemptionType = case(tolower(type) != "microsoft.security/assessments","N/A", case(properties.status.cause =~ "exempt", "Yes", "No"))
| extend source = case(type =~ "microsoft.security/assessments", tostring(properties.resourceDetails.Source), "")
| extend resourceId = trim(" ", tolower(tostring(case(source =~ "azure", properties.resourceDetails.Id,
                                                                            source =~ "aws", properties.resourceDetails.AzureResourceId,
                                                                            source =~ "gcp", properties.resourceDetails.AzureResourceId,
                                                                            type =~ "microsoft.security/assessments", extract("^(.+)/providers/Microsoft.Security/assessments/.+$",1,id),extract("^(.+)/providers/Microsoft.Security/softwareInventories/.+$",1,id)))))
| extend resourceName = extract(@"(.+)/(.+)", 2, resourceId)
| extend regexResourceId = extract_all(@"/providers/([^/]+)(?:/([^/]+)/[^/]+(?:/([^/]+)/[^/]+)?)?/([^/]+)/[^/]+$", resourceId)
| extend RegexResourceType = regexResourceId[0]
| extend mainType = RegexResourceType[1], extendedType = RegexResourceType[2], resourceType = RegexResourceType[3]
| extend providerName = RegexResourceType[0],
                        mainType = case(mainType !~ "", strcat("/",mainType), ""),
                        extendedType = case(extendedType!~ "", strcat("/",extendedType), ""),
                        resourceType = case(resourceType!~ "", strcat("/",resourceType), "")
| extend array = split(resourceId, '/')
| extend typeFullPath = case(array_length(array) == 3,  'subscription', strcat(providerName, mainType, extendedType, resourceType))
| extend typeFullPath = case(array_length(array) == 5, 'resourcegroups', typeFullPath)
| extend resourceType = case(typeFullPath =~ 'resourcegroups' or typeFullPath =~ 'subscription', typeFullPath, tolower(trim("/", resourceType)))
| extend assessmentKey = case(type =~ "microsoft.security/assessments", tostring(name), "")
| extend softwareVendorName = case(type =~ "microsoft.security/softwareInventories", tostring(properties.vendor), "")
| extend softwareName = case(type =~ "microsoft.security/softwareInventories", tostring(properties.softwareName), "")
| extend softwareNameIdentifier = case(type =~ "microsoft.security/softwareInventories", strcat(softwareVendorName, ",", softwareName), "")
| extend environment = case(type =~ "microsoft.security/assessments", properties.resourceDetails["Source"], "")
| extend environment = case(environment =~ "onpremise", tolower("Non-Azure"), tolower(environment))
| extend osTypeProperty = properties.additionalData["OS Type"]
| extend osType = case(isnotempty(osTypeProperty), osTypeProperty, "")
| extend hasAgent = case(assessmentKey == "d1db3318-01ff-16de-29eb-28b344515626" or assessmentKey == "45cfe080-ceb1-a91e-9743-71551ed24e94" or assessmentKey == "720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1" or assessmentKey == "27ac71b1-75c5-41c2-adc2-858f5db45b08", assessmentStatusCode, "")
| extend workspaceAzureResourceId = case(hasAgent !~ "", properties.additionalData["Reporting workspace azure id"], "")
| extend workspaceName = case(workspaceAzureResourceId !~ "", extract(@"(.+)/(.+)", 2, workspaceAzureResourceId), "")
| extend assessmentDisplayName = case(type =~ "microsoft.security/assessments", case(isnotempty(properties.displayName), properties.displayName, properties.metadata.displayName), "")
| extend assessmentIdentifier = case(type =~ "microsoft.security/assessments", strcat(assessmentKey, "," , assessmentDisplayName, ",", severity), "")
| summarize assessmentsCount = count() , assessmentsIdentifier = make_list(assessmentIdentifier), softwareNamesIdentifier = make_list(softwareNameIdentifier), hasAgent = max(hasAgent), workspaceName = max(workspaceName), environment = max(environment), osType = max(osType), exemptionType = max(exemptionType)  by resourceId, subscriptionId, resourceName, resourceType, typeFullPath, severity
| extend packAssessments = pack(severity, assessmentsCount)
| summarize assessmentsSummary = make_bag(packAssessments), assessmentsIdentifier = make_set(assessmentsIdentifier), softwareNamesIdentifier = make_set(softwareNamesIdentifier), hasAgent = max(hasAgent), workspaceName= max(workspaceName), environment = max(environment), osType= max(osType), exemptionType = max(exemptionType)  by resourceId, subscriptionId, resourceName, resourceType, typeFullPath
| extend agentMonitoring = case(hasAgent =~ "NotApplicable" or hasAgent =~ "", '',
                                                hasAgent =~ "Unhealthy", "notInstalled",
                                                "installed")
| join kind=leftouter (
                    securityresources
                    | where type =~ "microsoft.security/pricings"
                    | project subscriptionId, bundleName = tolower(name), freeTrialRemainingTime = properties.freeTrialRemainingTime, pricingTier = tolower(properties.pricingTier)
                    | extend bundlesPricing = pack(bundleName, pricingTier)
                    | summarize subscriptionPricing = make_bag(bundlesPricing) by subscriptionId
                ) on subscriptionId
| extend hasNoSoftwareData = case(array_length(softwareNamesIdentifier) == 1, case(set_has_element(softwareNamesIdentifier, ""), true, false), false)
| extend softwareNamesIdentifier = case(hasNoSoftwareData, softwareNamesIdentifier, set_difference(softwareNamesIdentifier, pack_array("")))
| extend AssessmentsHigh = case(isnull(assessmentsSummary.high), 0 , toint(assessmentsSummary.high))
| extend AssessmentsMedium = case(isnull(assessmentsSummary.medium), 0 , toint(assessmentsSummary.medium))
| extend AssessmentsLow = case(isnull(assessmentsSummary.low), 0 , toint(assessmentsSummary.low))
| extend unhealthyAssessmentsCount = AssessmentsHigh + AssessmentsMedium + AssessmentsLow
| extend virtualmachines = case(isnull(subscriptionPricing), '' , subscriptionPricing.virtualmachines)
| extend virtualmachines = case(virtualmachines == 'free', 'off', 'on')
| extend sqlservers = case(isnull(subscriptionPricing), '' , subscriptionPricing.sqlservers)
| extend sqlservers = case(sqlservers == 'free', 'off', 'on')
| extend kubernetesservice = case(isnull(subscriptionPricing), '' , subscriptionPricing.kubernetesservice)
| extend kubernetesservice = case(kubernetesservice == 'free', 'off', 'on')
| extend containerregistry = case(isnull(subscriptionPricing), '' , subscriptionPricing.containerregistry)
| extend containerregistry = case(containerregistry == 'free', 'off', 'on')
| extend connectedcontainerregistry = case(isnull(subscriptionPricing), '' , subscriptionPricing.connectedcontainerregistry)
| extend connectedcontainerregistry = case(connectedcontainerregistry == 'free', 'off', 'on')
| extend sqlservervirtualmachines = case(isnull(subscriptionPricing), '' , subscriptionPricing.sqlservervirtualmachines)
| extend sqlservervirtualmachines = case(sqlservervirtualmachines == 'free', 'off', 'on')
| extend appservices = case(isnull(subscriptionPricing), '' , subscriptionPricing.appservices)
| extend appservices = case(appservices == 'free', 'off', 'on')
| extend storageaccounts = case(isnull(subscriptionPricing), '' , subscriptionPricing.storageaccounts)
| extend storageaccounts = case(storageaccounts == 'free', 'off', 'on')
| extend keyvaults = case(isnull(subscriptionPricing), '' , subscriptionPricing.keyvaults)
| extend keyvaults = case(keyvaults == 'free', 'off', 'on')
| extend opensourcerelationaldatabases = case(isnull(subscriptionPricing), '' , subscriptionPricing.opensourcerelationaldatabases)
| extend opensourcerelationaldatabases = case(opensourcerelationaldatabases == 'free', 'off', 'on')
| extend calculatedSubscriptionPricing = case(resourceType =~ "subscription" and isempty(subscriptionPricing) == false , iff(subscriptionPricing has "free" and subscriptionPricing has "standard", "partial", iff(subscriptionPricing has "free", "off", "on")), "")
| extend resourcePricing = case(typeFullPath =~ "microsoft.classiccompute/virtualmachines", virtualmachines, typeFullPath =~ "microsoft.compute/virtualmachines", virtualmachines, typeFullPath =~ "microsoft.hybridcompute/machines", virtualmachines, typeFullPath =~ "microsoft.sql/servers", sqlservers, typeFullPath =~ "microsoft.containerservice/managedclusters", kubernetesservice, typeFullPath =~ "microsoft.kubernetes/connectedclusters", kubernetesservice, typeFullPath =~ "microsoft.containerregistry/registries", containerregistry, typeFullPath =~ "microsoft.security/connectedcontainerregistries", connectedcontainerregistry, typeFullPath =~ "microsoft.sqlvirtualmachine/sqlvirtualmachines", sqlservervirtualmachines, typeFullPath =~ "microsoft.web/sites", appservices, typeFullPath =~ "microsoft.storage/storageaccounts", storageaccounts, typeFullPath =~ "microsoft.compute/virtualmachinescalesets", virtualmachines, typeFullPath =~ "microsoft.keyvault/vaults", keyvaults, typeFullPath =~ "microsoft.dbforpostgresql/servers", opensourcerelationaldatabases, typeFullPath =~ "microsoft.dbformysql/servers", opensourcerelationaldatabases, typeFullPath =~ "microsoft.dbformariadb/servers", opensourcerelationaldatabases, calculatedSubscriptionPricing)
| extend pricing = case(resourceType =~ "subscription" , calculatedSubscriptionPricing , resourcePricing)
| project resourceType, exemptionType, typeFullPath, resourceId, resourceName, subscriptionId, environment, osType, workspaceName, agentMonitoring, assessmentsIdentifier, assessmentsSummary, subscriptionPricing, unhealthyAssessmentsCount, pricing, softwareNamesIdentifier
| extend resourceGroup = tolower(tostring(split(resourceId, "/")[4]))
| order by unhealthyAssessmentsCount, subscriptionId, resourceType, resourceId
| where isnotempty(resourceId)
| extend resourceType = iff(resourceType == 'servers','SQL Server',resourceType)
| extend resourceType = iff(resourceType == 'machines','Hybrid Server',resourceType)
| summarize on_=countif(pricing == "on"), off_=countif(isempty(pricing)), part_=countif(pricing == "partial") by resourceType | order by on_ desc

  
Screenshot 2021-07-30 162029.png

Thanks @Clive Watson, for your quick reply.

Can we use an ARG query in REST API calls? Any help?

ARG is using the REST API (under the covers), but you are using KQL in Azure Resource Graph (ARG). If you want to use the REST API, you need to use a tool like Postman or even an Azure Monitor Workbook that can run KQL, ARG and ARM (for REST API queries). ARG supports a subset of the full REST API in Azure, so you may be able to get the data you need with ARG, or may need to use ARG and API calls.

Thanks @Clive Watson,
I am able to use an ARG query through API calls.
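
An added example, not code from any post in this thread: one way to send an ARG query to the Resource Graph REST endpoint from a custom application, follow `$skipToken` paging, and reduce the `microsoft.security/pricings` rows to the same on/off/partial values the query above computes. Assumptions: api-version `2021-03-01`, a bearer token for `https://management.azure.com/` obtained separately, a reduced pricing-only query, and constructed sample pages so the block runs offline.

```python
import json
import urllib.request

ARG_URL = ("https://management.azure.com/providers/Microsoft.ResourceGraph"
           "/resources?api-version=2021-03-01")

# Reduced query (assumption for this example): only the microsoft.security/pricings
# rows that the thread's query joins in. `id` is projected because ARG paging
# relies on it.
PRICING_QUERY = """
securityresources
| where type =~ "microsoft.security/pricings"
| project id, subscriptionId, bundleName = tolower(name),
          pricingTier = tolower(tostring(properties.pricingTier))
"""


def build_body(query, subscriptions, skip_token=None):
    """JSON body for POST .../Microsoft.ResourceGraph/resources."""
    options = {"resultFormat": "objectArray", "$top": 1000}
    if skip_token:
        options["$skipToken"] = skip_token
    return {"subscriptions": list(subscriptions), "query": query, "options": options}


def arm_transport(bearer_token):
    """Real transport: POSTs one request body to ARG and returns the parsed JSON.
    The token is assumed to come from e.g. `az account get-access-token`."""
    def send(body):
        req = urllib.request.Request(
            ARG_URL, data=json.dumps(body).encode("utf-8"), method="POST",
            headers={"Authorization": "Bearer " + bearer_token,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send


def run_query(send, query, subscriptions):
    """Collect all rows, following $skipToken until the service stops returning one."""
    rows, skip_token = [], None
    while True:
        page = send(build_body(query, subscriptions, skip_token))
        rows.extend(page.get("data", []))
        skip_token = page.get("$skipToken")
        if not skip_token:
            return rows


def coverage(rows):
    """Per subscription: plan -> on/off ('free' is off, as in the thread's query),
    plus an overall value: mixed plans are 'partial', otherwise 'on' or 'off'."""
    plans = {}
    for row in rows:
        state = "off" if row["pricingTier"] == "free" else "on"
        plans.setdefault(row["subscriptionId"], {})[row["bundleName"]] = state
    result = {}
    for sub, by_plan in plans.items():
        states = set(by_plan.values())
        overall = "partial" if states == {"on", "off"} else states.pop()
        result[sub] = {"overall": overall, "plans": by_plan}
    return result


# --- Constructed sample data (not real tenant output), shaped like ARG pages ---
SUB_A = "00000000-0000-0000-0000-000000000001"
SUB_B = "00000000-0000-0000-0000-000000000002"


def _row(sub, plan, tier):
    return {"id": f"/subscriptions/{sub}/providers/Microsoft.Security/pricings/{plan}",
            "subscriptionId": sub, "bundleName": plan.lower(), "pricingTier": tier}


SAMPLE_PAGES = [
    {"data": [_row(SUB_A, "VirtualMachines", "standard"),
              _row(SUB_A, "StorageAccounts", "free")],
     "$skipToken": "constructed-token-1"},
    {"data": [_row(SUB_B, "VirtualMachines", "standard"),
              _row(SUB_B, "KeyVaults", "standard")]},
]


def sample_transport(pages, seen):
    """Offline stand-in for arm_transport: replays pages and records request bodies."""
    remaining = iter(pages)

    def send(body):
        seen.append(body)
        return next(remaining)
    return send


def demo():
    seen = []
    rows = run_query(sample_transport(SAMPLE_PAGES, seen), PRICING_QUERY, [SUB_A, SUB_B])
    return coverage(rows), seen
```

Against a real tenant, replace `sample_transport(...)` with `arm_transport(token)`; the calling identity needs read access to each listed subscription, since ARG only returns rows for resources it can read.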