I currently have a query which displays the recommendation display name and subscription name. I would like to display the information under the property resourceDetails, like ResourceName and ResourceID. Is this possible?
```kusto
securityresources
| where type == "microsoft.security/assessments"
| extend name = properties.displayName
| extend resourceDetails = properties.resourceDetails
| where name contains "Machines should have a vulnerability assessment solution"
| join kind=leftouter (
    resourcecontainers
    | where type == "microsoft.resources/subscriptions"
    | extend resolvedSubId = tostring(split(id, '/', 2)[0]), subscriptionName = name
    | project resolvedSubId, subscriptionName
) on $left.subscriptionId == $right.resolvedSubId
| project name, resourceDetails, subscriptionName
```
I would like to display the information under property resourceDetails like ResourceName and ResourceID. Is this possible?
Yes, you can use the KQL query below (I modified your query a bit):
```kusto
securityresources
| where type == "microsoft.security/assessments"
| extend name = properties.displayName
| extend resourceDetails = properties.resourceDetails
| where name contains "Machines should have a vulnerability assessment solution"
// Resolve the subscription display name from the subscription ID
| join kind=leftouter (
    resourcecontainers
    | where type == "microsoft.resources/subscriptions"
    | extend resolvedSubId = tostring(split(id, '/', 2)[0]), subscriptionName = name
    | project resolvedSubId, subscriptionName
) on $left.subscriptionId == $right.resolvedSubId
| project name, resourceDetails, subscriptionName
// Parse resourceDetails and project its ResourceName and ResourceId fields as columns
| extend resourname = parse_json(resourceDetails)
| project name, subscriptionName, ResourceName = resourname.ResourceName, ResourceID = resourname.ResourceId
```