Project/Extract from additional data fields

Question

How can I project CVE titles from this. Some have more than 1 as in below example, and some don't have any.
I ultimately want server names and CVE columns either empty or ith Title value

Below is example of what I am running in log analytics to extract CVE

SecurityNestedRecommendation

| where RecommendationSeverity == 'High' or RecommendationSeverity == 'Medium'
| project CVE=AdditionalData.Cve

Accepted Answer

This is done.. Below is the complete query that works as intended.

SecurityNestedRecommendation
| where RecommendationSeverity == 'High' or RecommendationSeverity == 'Medium'
| extend CVE = todynamic(AdditionalData.Cve)
| mv-expand CVE
| extend Patchable_ = tostring(AdditionalData.Patchable)
| extend Type_ = tostring(AdditionalData.Type)
| extend MonthName = case( datetime_part("month", todatetime(AdditionalData.PublishedTime)) == 1, "Jan "
, datetime_part("month", todatetime(AdditionalData.PublishedTime)) == 2, "Feb "
, datetime_part("month", todatetime(AdditionalData.PublishedTime)) == 3, "Mar "
, datetime_part("month", todatetime(AdditionalData.PublishedTime)) == 4, "Apr "
, datetime_part("month", todatetime(AdditionalData.PublishedTime)) == 5, "May "
, datetime_part("month", todatetime(AdditionalData.PublishedTime)) == 6, "Jun "
, datetime_part("month", todatetime(AdditionalData.PublishedTime)) == 7, "Jul "
, datetime_part("month", todatetime(AdditionalData.PublishedTime)) == 8, "Aug "
, datetime_part("month", todatetime(AdditionalData.PublishedTime)) == 9, "Sep "
, datetime_part("month", todatetime(AdditionalData.PublishedTime)) == 10, "Oct "
, datetime_part("month", todatetime(AdditionalData.PublishedTime)) == 11, "Nov "
, datetime_part("month", todatetime(AdditionalData.PublishedTime)) == 12, "Dec "
, "Unknown Month"
)
| extend PublishedTime = strcat(datetime_part("day", todatetime(AdditionalData.PublishedTime)),"-", MonthName,"-",datetime_part("year", todatetime(AdditionalData.PublishedTime)))
| extend VMName = extract(@"(.+)/(.+)", 2, AssessedResourceId)
| extend Base_ = tostring(parse_json(tostring(parse_json(tostring(AdditionalData.Cvss)).["3.0"])).Base)
| extend Base_ = tostring(parse_json(tostring(parse_json(tostring(AdditionalData.Cvss)).["2.0"])).Base)
| project VMName, CVE.Title , Severity = RecommendationSeverity, Description, PublishedTime, Patchable = Patchable_, Score = Base_, Type=AdditionalData.Category, Category,RemediationDescription
| sort by VMName,Severity,Patchable

Answer

Ok so I got it working like this. But the problem is with this tostring(parse_json(tostring(AdditionalData.Cve))[0].Title), I don't know how to iterate through and pull various CVE numbers like are shown in original screenshot. This script will only show the result at 0.

SecurityNestedRecommendation
| where RecommendationSeverity == 'High' or RecommendationSeverity == 'Medium'
| extend CVE = tostring(parse_json(tostring(AdditionalData.Cve))[0].Title)
| extend Patchable_ = tostring(AdditionalData.Patchable)
| extend Type_ = tostring(AdditionalData.Type)
| extend PublishedTime_ = tostring(todatetime(AdditionalData.PublishedTime))
| extend VMName = extract(@"(.+)/(.+)", 2, AssessedResourceId)
| extend Base_ = tostring(parse_json(tostring(parse_json(tostring(AdditionalData.Cvss)).["3.0"])).Base)
| extend Base_ = tostring(parse_json(tostring(parse_json(tostring(AdditionalData.Cvss)).["2.0"])).Base)
| project VMName, strcat(CVE) , Severity = RecommendationSeverity, Description, PublishedTime = PublishedTime_, Patchable = Patchable_, Score = Base_, RemediationDescription
| sort by VMName,Severity,Patchable

Share via

Project/Extract from additional data fields

1 additional answer