Hi @Yue Ma , you can modify your first query to join the results of the second query based on a common key. In this case, the resourceId
from the first query and the JoinID
from the second query can serve as the keys for the join operation. Here’s how you can update your query:
// First query to get MDC recommendations
securityresources
| where type == "microsoft.security/assessments"
| extend source = trim(' ', tolower(tostring(properties.resourceDetails.Source)))
| extend resourceId = trim(' ', tolower(tostring(case(
source =~ "azure", properties.resourceDetails.Id,
source =~ "aws" and isnotempty(tostring(properties.resourceDetails.ConnectorId)), properties.resourceDetails.Id,
source =~ "gcp" and isnotempty(tostring(properties.resourceDetails.ConnectorId)), properties.resourceDetails.Id,
source =~ 'aws', properties.resourceDetails.AzureResourceId,
source =~ 'gcp', properties.resourceDetails.AzureResourceId,
extract('^(.+)/providers/Microsoft.Security/assessments/.+$',1,id)
))))
| extend status = trim(" ", tostring(properties.status.code))
| extend cause = trim(" ", tostring(properties.status.cause))
| extend assessmentKey = tostring(name)
| where assessmentKey == "d57a4221-a804-52ca-3dea-768284f06bb7"
// Second query to get department names
| join kind=leftouter (
Resources
| where type == 'microsoft.compute/virtualmachines'
| extend JoinID = toupper(id)
| extend departmentTag = tostring(tags['Department'])
) on $left.resourceId == $right.JoinID
| project-away JoinID, JoinID1 // Remove duplicate columns after join
| extend department = departmentTag // Rename for clarity
Remember to replace the resourceId
and JoinID
with the actual column names used in your data if they are different.
Please let me know if you have any questions or if this doesn't work and I can help you further.
If this answer helps you please mark "Accept Answer" so other users can reference it.
Thank you,
James