Sdílet prostřednictvím


Ukázkové dotazy azure Resource Graphu pro Microsoft Defender for Cloud

Tato stránka je kolekce ukázkových dotazů Azure Resource Graphu pro Microsoft Defender for Cloud.

Vzorové dotazy

Zobrazení všech aktivních výstrah Microsoft Defenderu pro cloud

Vrátí seznam všech aktivních výstrah ve vašem tenantovi Microsoft Defenderu pro cloud.

securityresources
| where type =~ 'microsoft.security/locations/alerts'
| where properties.Status in ('Active')
| where properties.Severity in ('Low', 'Medium', 'High')
| project alert_type = tostring(properties.AlertType), SystemAlertId = tostring(properties.SystemAlertId), ResourceIdentifiers = todynamic(properties.ResourceIdentifiers)
az graph query -q "securityresources | where type =~ 'microsoft.security/locations/alerts' | where properties.Status in ('Active') | where properties.Severity in ('Low', 'Medium', 'High') | project alert_type = tostring(properties AlertType), SystemAlertId = tostring(properties.SystemAlertId), ResourceIdentifiers = todynamic(properties ResourceIdentifiers)"

Řídí skóre zabezpečení pro každé předplatné.

Vrátí bezpečnostní skóre pro každé předplatné.

SecurityResources
| where type == 'microsoft.security/securescores/securescorecontrols'
| extend controlName=properties.displayName,
  controlId=properties.definition.name,
  notApplicableResourceCount=properties.notApplicableResourceCount,
  unhealthyResourceCount=properties.unhealthyResourceCount,
  healthyResourceCount=properties.healthyResourceCount,
  percentageScore=properties.score.percentage,
  currentScore=properties.score.current,
  maxScore=properties.definition.properties.maxScore,
  weight=properties.weight,
  controlType=properties.definition.properties.source.sourceType,
  controlRecommendationIds=properties.definition.properties.assessmentDefinitions
| project tenantId, subscriptionId, controlName, controlId, unhealthyResourceCount, healthyResourceCount, notApplicableResourceCount, percentageScore, currentScore, maxScore, weight, controlType, controlRecommendationIds
az graph query -q "SecurityResources | where type == 'microsoft.security/securescores/securescorecontrols' | extend controlName=properties.displayName, controlId=properties.definition.name, notApplicableResourceCount=properties.notApplicableResourceCount, unhealthyResourceCount=properties.unhealthyResourceCount, healthyResourceCount=properties.healthyResourceCount, percentageScore=properties.score.percentage, currentScore=properties.score.current, maxScore=properties.definition.properties.maxScore, weight=properties.weight, controlType=properties.definition.properties.source.sourceType, controlRecommendationIds=properties.definition.properties.assessmentDefinitions | project tenantId, subscriptionId, controlName, controlId, unhealthyResourceCount, healthyResourceCount, notApplicableResourceCount, percentageScore, currentScore, maxScore, weight, controlType, controlRecommendationIds"

Počet prostředků, které jsou v pořádku, nejsou v pořádku a nejsou použitelné na doporučení

Vrátí počet prostředků, které jsou v pořádku, nejsou v pořádku a nejsou použitelné na základě doporučení. Použijte summarize a count definujte, jak seskupit a agregovat hodnoty podle vlastnosti.

SecurityResources
| where type == 'microsoft.security/assessments'
| extend resourceId=id,
  recommendationId=name,
  resourceType=type,
  recommendationName=properties.displayName,
  source=properties.resourceDetails.Source,
  recommendationState=properties.status.code,
  description=properties.metadata.description,
  assessmentType=properties.metadata.assessmentType,
  remediationDescription=properties.metadata.remediationDescription,
  policyDefinitionId=properties.metadata.policyDefinitionId,
  implementationEffort=properties.metadata.implementationEffort,
  recommendationSeverity=properties.metadata.severity,
  category=properties.metadata.categories,
  userImpact=properties.metadata.userImpact,
  threats=properties.metadata.threats,
  portalLink=properties.links.azurePortal
| summarize numberOfResources=count(resourceId) by tostring(recommendationName), tostring(recommendationState)
az graph query -q "SecurityResources | where type == 'microsoft.security/assessments' | extend resourceId=id, recommendationId=name, resourceType=type, recommendationName=properties.displayName, source=properties.resourceDetails.Source, recommendationState=properties.status.code, description=properties.metadata.description, assessmentType=properties.metadata.assessmentType, remediationDescription=properties.metadata.remediationDescription, policyDefinitionId=properties.metadata.policyDefinitionId, implementationEffort=properties.metadata.implementationEffort, recommendationSeverity=properties.metadata.severity, category=properties.metadata.categories, userImpact=properties.metadata.userImpact, threats=properties.metadata.threats, portalLink=properties.links.azurePortal | summarize numberOfResources=count(resourceId) by tostring(recommendationName), tostring(recommendationState)"

Získání všech upozornění IoT v centru, filtrované podle typu

Vrátí všechna upozornění IoT pro konkrétní centrum (zástupný symbol nahrazení {hub_id}) a typ výstrahy (zástupný symbol pro {alert_type}nahrazení).

SecurityResources
| where type =~ 'microsoft.security/iotalerts' and id contains '{hub_id}' and properties.alertType contains '{alert_type}'
az graph query -q "SecurityResources | where type =~ 'microsoft.security/iotalerts' and id contains '{hub_id}' and properties.alertType contains '{alert_type}'"

Získání přehledu citlivosti o konkrétním prostředku

Vrátí přehled citlivosti konkrétního prostředku (zástupný symbol {resource_id}).

SecurityResources
| where type == 'microsoft.security/insights/classification'
| where properties.associatedResource contains '$resource_id'
| project SensitivityInsight = properties.insightProperties.purviewCatalogs[0].sensitivity
az graph query -q "SecurityResources | where type == 'microsoft.security/insights/classification' | where properties.associatedResource contains '\$resource_id' | project SensitivityInsight = properties.insightProperties.purviewCatalogs[0].sensitivity"

Získání konkrétního upozornění IoT

Vrátí konkrétní výstrahu IoT zadaným ID upozornění systému (zástupný symbol pro {system_Alert_Id}nahrazení).

SecurityResources
| where type =~ 'microsoft.security/iotalerts' and properties.systemAlertId contains '{system_Alert_Id}'
az graph query -q "SecurityResources | where type =~ 'microsoft.security/iotalerts' and properties.systemAlertId contains '{system_Alert_Id}'"

Výpis výsledků posouzení ohrožení zabezpečení služby Container Registry

Vrátí všechna ohrožení zabezpečení nalezená v imagích kontejnerů. Aby bylo možné zobrazit tato zjištění zabezpečení, musí být povolen Program Microsoft Defender for Containers.

SecurityResources
| where type == 'microsoft.security/assessments'
| where properties.displayName contains 'Container registry images should have vulnerability findings resolved'
| summarize by assessmentKey=name //the ID of the assessment
| join kind=inner (
  securityresources
  | where type == 'microsoft.security/assessments/subassessments'
  | extend assessmentKey = extract('.*assessments/(.+?)/.*',1,  id)
) on assessmentKey
| project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId
| extend description = properties.description,
  displayName = properties.displayName,
  resourceId = properties.resourceDetails.id,
  resourceSource = properties.resourceDetails.source,
  category = properties.category,
  severity = properties.status.severity,
  code = properties.status.code,
  timeGenerated = properties.timeGenerated,
  remediation = properties.remediation,
  impact = properties.impact,
  vulnId = properties.id,
  additionalData = properties.additionalData
az graph query -q "SecurityResources | where type == 'microsoft.security/assessments' | where properties.displayName contains 'Container registry images should have vulnerability findings resolved' | summarize by assessmentKey=name //the ID of the assessment | join kind=inner ( securityresources | where type == 'microsoft.security/assessments/subassessments' | extend assessmentKey = extract('.*assessments/(.+?)/.*',1, id) ) on assessmentKey | project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId | extend description = properties.description, displayName = properties.displayName, resourceId = properties.resourceDetails.id, resourceSource = properties.resourceDetails.source, category = properties.category, severity = properties.status.severity, code = properties.status.code, timeGenerated = properties.timeGenerated, remediation = properties.remediation, impact = properties.impact, vulnId = properties.id, additionalData = properties.additionalData"

Zobrazení seznamu doporučení v programu Microsoft Defender

Vrátí všechna hodnocení v programu Microsoft Defender uspořádaná tabulkovým způsobem s polem na vlastnost.

SecurityResources
| where type == 'microsoft.security/assessments'
| extend resourceId=id,
  recommendationId=name,
  recommendationName=properties.displayName,
  source=properties.resourceDetails.Source,
  recommendationState=properties.status.code,
  description=properties.metadata.description,
  assessmentType=properties.metadata.assessmentType,
  remediationDescription=properties.metadata.remediationDescription,
  policyDefinitionId=properties.metadata.policyDefinitionId,
  implementationEffort=properties.metadata.implementationEffort,
  recommendationSeverity=properties.metadata.severity,
  category=properties.metadata.categories,
  userImpact=properties.metadata.userImpact,
  threats=properties.metadata.threats,
  portalLink=properties.links.azurePortal
| project tenantId, subscriptionId, resourceId, recommendationName, recommendationId, recommendationState, recommendationSeverity, description, remediationDescription, assessmentType, policyDefinitionId, implementationEffort, userImpact, category, threats, source, portalLink
az graph query -q "SecurityResources | where type == 'microsoft.security/assessments' | extend resourceId=id, recommendationId=name, recommendationName=properties.displayName, source=properties.resourceDetails.Source, recommendationState=properties.status.code, description=properties.metadata.description, assessmentType=properties.metadata.assessmentType, remediationDescription=properties.metadata.remediationDescription, policyDefinitionId=properties.metadata.policyDefinitionId, implementationEffort=properties.metadata.implementationEffort, recommendationSeverity=properties.metadata.severity, category=properties.metadata.categories, userImpact=properties.metadata.userImpact, threats=properties.metadata.threats, portalLink=properties.links.azurePortal | project tenantId, subscriptionId, resourceId, recommendationName, recommendationId, recommendationState, recommendationSeverity, description, remediationDescription, assessmentType, policyDefinitionId, implementationEffort, userImpact, category, threats, source, portalLink"

Výpis výsledků posouzení ohrožení zabezpečení Qualys

Vrátí všechna ohrožení zabezpečení nalezená na virtuálních počítačích s nainstalovaným agentem Qualys.

SecurityResources
| where type == 'microsoft.security/assessments'
| where * contains 'vulnerabilities in your virtual machines'
| summarize by assessmentKey=name //the ID of the assessment
| join kind=inner (
  securityresources
  | where type == 'microsoft.security/assessments/subassessments'
  | extend assessmentKey = extract('.*assessments/(.+?)/.*',1,  id)
) on assessmentKey
| project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId
| extend description = properties.description,
  displayName = properties.displayName,
  resourceId = properties.resourceDetails.id,
  resourceSource = properties.resourceDetails.source,
  category = properties.category,
  severity = properties.status.severity,
  code = properties.status.code,
  timeGenerated = properties.timeGenerated,
  remediation = properties.remediation,
  impact = properties.impact,
  vulnId = properties.id,
  additionalData = properties.additionalData
az graph query -q "SecurityResources | where type == 'microsoft.security/assessments' | where * contains 'vulnerabilities in your virtual machines' | summarize by assessmentKey=name //the ID of the assessment | join kind=inner ( securityresources | where type == 'microsoft.security/assessments/subassessments' | extend assessmentKey = extract('.*assessments/(.+?)/.*',1, id) ) on assessmentKey | project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId | extend description = properties.description, displayName = properties.displayName, resourceId = properties.resourceDetails.id, resourceSource = properties.resourceDetails.source, category = properties.category, severity = properties.status.severity, code = properties.status.code, timeGenerated = properties.timeGenerated, remediation = properties.remediation, impact = properties.impact, vulnId = properties.id, additionalData = properties.additionalData"

Stav posouzení dodržování právních předpisů

Vrátí stav posouzení dodržování právních předpisů podle standardu dodržování předpisů a kontroly.

SecurityResources
| where type == 'microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments'
| extend assessmentName=properties.description,
  complianceStandard=extract(@'/regulatoryComplianceStandards/(.+)/regulatoryComplianceControls',1,id),
  complianceControl=extract(@'/regulatoryComplianceControls/(.+)/regulatoryComplianceAssessments',1,id),
  skippedResources=properties.skippedResources,
  passedResources=properties.passedResources,
  failedResources=properties.failedResources,
  state=properties.state
| project tenantId, subscriptionId, id, complianceStandard, complianceControl, assessmentName, state, skippedResources, passedResources, failedResources
az graph query -q "SecurityResources | where type == 'microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments' | extend assessmentName=properties.description, complianceStandard=extract(@'/regulatoryComplianceStandards/(.+)/regulatoryComplianceControls',1,id), complianceControl=extract(@'/regulatoryComplianceControls/(.+)/regulatoryComplianceAssessments',1,id), skippedResources=properties.skippedResources, passedResources=properties.passedResources, failedResources=properties.failedResources, state=properties.state | project tenantId, subscriptionId, id, complianceStandard, complianceControl, assessmentName, state, skippedResources, passedResources, failedResources"

Stav dodržování právních předpisů podle standardu dodržování předpisů

Vrátí stav dodržování právních předpisů podle standardu dodržování předpisů na předplatné.

SecurityResources
| where type == 'microsoft.security/regulatorycompliancestandards'
| extend complianceStandard=name,
  state=properties.state,
  passedControls=properties.passedControls,
  failedControls=properties.failedControls,
  skippedControls=properties.skippedControls,
  unsupportedControls=properties.unsupportedControls
| project tenantId, subscriptionId, complianceStandard, state, passedControls, failedControls, skippedControls, unsupportedControls
az graph query -q "SecurityResources | where type == 'microsoft.security/regulatorycompliancestandards' | extend complianceStandard=name, state=properties.state, passedControls=properties.passedControls, failedControls=properties.failedControls, skippedControls=properties.skippedControls, unsupportedControls=properties.unsupportedControls | project tenantId, subscriptionId, complianceStandard, state, passedControls, failedControls, skippedControls, unsupportedControls"

Skóre zabezpečení na skupinu pro správu

Vrátí skóre zabezpečení pro každou skupinu pro správu.

SecurityResources
| where type == 'microsoft.security/securescores'
| project subscriptionId,
  subscriptionTotal = iff(properties.score.max == 0, 0.00, round(tolong(properties.weight) * todouble(properties.score.current)/tolong(properties.score.max),2)),
  weight = tolong(iff(properties.weight == 0, 1, properties.weight))
| join kind=leftouter (
  ResourceContainers
  | where type == 'microsoft.resources/subscriptions' and properties.state == 'Enabled'
  | project subscriptionId, mgChain=properties.managementGroupAncestorsChain )
  on subscriptionId
| mv-expand mg=mgChain
| summarize sumSubs = sum(subscriptionTotal), sumWeight = sum(weight), resultsNum = count() by tostring(mg.displayName), mgId = tostring(mg.name)
| extend secureScore = iff(tolong(resultsNum) == 0, 404.00, round(sumSubs/sumWeight*100,2))
| project mgName=mg_displayName, mgId, sumSubs, sumWeight, resultsNum, secureScore
| order by mgName asc
az graph query -q "SecurityResources | where type == 'microsoft.security/securescores' | project subscriptionId, subscriptionTotal = iff(properties.score.max == 0, 0.00, round(tolong(properties.weight) * todouble(properties.score.current)/tolong(properties.score.max),2)), weight = tolong(iff(properties.weight == 0, 1, properties.weight)) | join kind=leftouter ( ResourceContainers | where type == 'microsoft.resources/subscriptions' and properties.state == 'Enabled' | project subscriptionId, mgChain=properties.managementGroupAncestorsChain ) on subscriptionId | mv-expand mg=mgChain | summarize sumSubs = sum(subscriptionTotal), sumWeight = sum(weight), resultsNum = count() by tostring(mg.displayName), mgId = tostring(mg.name) | extend secureScore = iff(tolong(resultsNum) == 0, 404.00, round(sumSubs/sumWeight*100,2)) | project mgName=mg_displayName, mgId, sumSubs, sumWeight, resultsNum, secureScore | order by mgName asc"

Skóre zabezpečení na předplatné

Vrátí skóre zabezpečení pro každé předplatné.

SecurityResources
| where type == 'microsoft.security/securescores'
| extend percentageScore=properties.score.percentage,
  currentScore=properties.score.current,
  maxScore=properties.score.max,
  weight=properties.weight
| project tenantId, subscriptionId, percentageScore, currentScore, maxScore, weight
az graph query -q "SecurityResources | where type == 'microsoft.security/securescores' | extend percentageScore=properties.score.percentage, currentScore=properties.score.current, maxScore=properties.score.max, weight=properties.weight | project tenantId, subscriptionId, percentageScore, currentScore, maxScore, weight"

Zobrazit cenovou úroveň plánu Defender for Cloud na předplatné

Vrátí plán cenové úrovně plánu Defender for Cloud pro každé předplatné.

SecurityResources
| where type == 'microsoft.security/pricings'
| project Subscription= subscriptionId, Azure_Defender_plan= name, Status= properties.pricingTier
az graph query -q "SecurityResources | where type == 'microsoft.security/pricings' | project Subscription= subscriptionId, Azure_Defender_plan= name, Status= properties.pricingTier"

Další kroky

  • Přečtěte si další informace o dotazovacím jazyce.
  • Přečtěte si další informace o tom, jak prozkoumat prostředky.