Azure SQL Database
An Azure relational database service.
5,338 questions
Get the full list of Defender sub assessments given an assessment?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 99%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENH%3C/text%3E%3C/svg%3E)
Nguyen, Hoa
331
Reputation points
We have multiple subscriptions with hundreds of different Azure resource types.
I would like to work to remediate the assessments and sub assessments found on the sql server, Azure SQL and Azure SQL MI. The portal shows about 2K sub assessments on the hundreds sql related resources. Thus I definitely need some type of organization and prioritization for remediation.
I have a resource graph Explorer query to list all Azure resources that are marked with a security check/recommendation/assessment "SQL databases should have vulnerability findings resolved". The query is attached below.
BUT I need to drill deeper into the sub assessments. Given that one recommendation/assessments, there are many findings/sub assessments with affected azure resources.
Q: How do I get a full list of findings/sub assessments for my resources with the Vulnerability number such as VA2018, sub assessment name, remediation, risk level so that I can group them into logical work categories?
An example is I would like to group all "findings/sub assessments" surrounding the GUEST login as in grid below and create a work item for the flagged databases. The query output should have a contains clause such as "GUEST" as search filter and return the list the VAxxxx, the finding name, the risk level besides the recommendation name, the subscriptionName and ResourceName that I currently have on the assessment query.
Thank you very much for your time and assistance.
|VA1020|database|Database user GUEST
should not be a member of any role|High|||
| -------- | -------- | -------- | -------- | -------- | -------- |
|VA1020|database|Database user GUEST should not be a member of any role|High| | |
|VA1096|database|Principal GUEST should not be granted permissions in the database|Low| | |
|VA1097|database|Principal GUEST should not be granted permissions on objects or columns|Low| | |
|VA1099|database|GUEST user should not be granted permissions on database securables|Low|||
securityresources
| where type == "microsoft.security/assessments"
| extend name = properties.displayName
| extend resourceDetails = properties.resourceDetails
| where name contains "SQL databases should have vulnerability findings resolved" and resourceDetails contains "sqlserver-"
| join kind=leftouter ( resourcecontainers | where type == "microsoft.resources/subscriptions"
| extend resolvedSubId = tostring(split(id, '/', 2)[0]), subscriptionName = name | project resolvedSubId, subscriptionName ) on $left.subscriptionId == $right.resolvedSubId
| project name, resourceDetails, subscriptionName
| extend resourname= parse_json(resourceDetails)
| project name,subscriptionName,ResourceName=resourname.ResourceName, ResourceID=resourname.ResourceId
| sort by subscriptionName, tostring(ResourceName )
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 4%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
ShaktiSingh-MSFT 14,201 Reputation points Microsoft Employee2024-07-01T03:39:18.5866667+00:00 Hi Nguyen, Hoa •,
Welcome to Microsoft Q&A forum.
As I understand, you are writing a KQL query in Azure Resource Graph for Azure SQL DB and Azure SQL MI.
I am checking on your ask with the internal team and get back to you.
Thanks.
-
Nguyen, Hoa 331 Reputation points
2024-07-01T13:20:35.8+00:00 Yes, that is correct. I am looking for a KQL query that given an assessment will take in a search filter into all the sub assessments to output sub assessment name, remediation, VAxxxx value, and risk level besides the assessment name, subscription name and resource name. Thank you!
Sign in to comment