How to filter 'Unhealthy' resources through Assessments and SubAssessment API

KIRAN POLUSANI 21 Reputation points
2021-10-11T07:48:40.333+00:00

I am trying to filter 'Unhealthy' Assessments and SubAssessments through Management APIs. Somehow I am not getting proper data. Please suggest what to use here.

Ex:
https://management.azure.com/subscriptions/{subscription}/providers/Microsoft.Security/assessments?api-version=2021-06-01&$filter=Properties/Status/Code eq 'Unhealthy'

This filter is still giving 'Healthy' resources data.

Microsoft Defender for Cloud

Accepted answer
    JamesTran-MSFT 36,776 Reputation points Microsoft Employee
    2021-10-11T23:05:27.3+00:00

    @KIRAN POLUSANI
    Thank you for your post!

    Unfortunately, the $filter URI parameter currently isn't supported by the Assessments - List or Sub Assessments - List REST API. However, you should be able to use the $expand=statusEvaluationDates parameter which will indicate when a resource’s status has recently changed, for example from healthy to unhealthy. For more info.

    -The statusChangeDate field will indicate when a resource’s status has changed.
    -The firstEvaluationDate field shows when a resource has been evaluated for the first time.

    GET https://management.azure.com/subscriptions/{{subscriptionId}}/providers/Microsoft.Security/assessments?api-version=2020-01-01&$expand=statusEvaluationDates

    You can also leverage the Azure Resource Graph Explorer, and run the following KQL query to show all assessments and their corresponding policy initiatives that have recently changed their assessment status to unhealthy.

    securityresources
    | where type =~ "microsoft.security/assessments"
    | extend assessmentStatusCode = tostring(properties.status.code)
    | where assessmentStatusCode =~ "unhealthy"
    | extend firstEvaluationDate = todatetime(properties.status.firstEvaluationDate)
    | extend statusChangeDate = todatetime(properties.status.statusChangeDate)
    | where statusChangeDate > firstEvaluationDate

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

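Since the answer says `$filter` is ignored on the Assessments - List endpoint, the practical approach is to page through the unfiltered list (following `nextLink`) with `$expand=statusEvaluationDates` and apply the status filter on the client. The script below is an added example written for this page; it is not code from the question, the answer, or Microsoft. It assumes the documented list-response shape (`value` / `nextLink`, `properties.status.code`, and the `firstEvaluationDate` / `statusChangeDate` fields that `$expand` adds), a bearer token obtained elsewhere (for example from `az account get-access-token`), and a placeholder subscription id. The sample pages embedded in it are constructed, not real API output. The `recently_changed_only` option mirrors the `statusChangeDate > firstEvaluationDate` condition from the Resource Graph query in the answer.

```python
"""Client-side filtering of Defender for Cloud assessments by status.

Added example (not the page's or Microsoft's code). Assumptions:
  - list response is {"value": [...], "nextLink": "..."} as documented
  - with $expand=statusEvaluationDates each item carries
    properties.status.{code, firstEvaluationDate, statusChangeDate}
  - a bearer token for https://management.azure.com is obtained elsewhere
"""
import json
import urllib.request
from datetime import datetime
from typing import Iterable, Iterator, List, Optional

API_VERSION = "2021-06-01"


def assessments_url(subscription_id: str) -> str:
    """First-page URL. No $filter: the service ignores it on this endpoint."""
    return (
        f"https://management.azure.com/subscriptions/{subscription_id}"
        f"/providers/Microsoft.Security/assessments"
        f"?api-version={API_VERSION}&$expand=statusEvaluationDates"
    )


def fetch_pages(url: str, bearer_token: str) -> Iterator[dict]:
    """Yield every page of the list, following nextLink (performs network calls)."""
    while url:
        req = urllib.request.Request(
            url, headers={"Authorization": f"Bearer {bearer_token}"}
        )
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        yield page
        url = page.get("nextLink")  # absent on the last page


def _parse_time(value: Optional[str]) -> Optional[datetime]:
    """ARM timestamps are ISO-8601 with a trailing Z; make them parseable everywhere."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def unhealthy_assessments(
    pages: Iterable[dict], recently_changed_only: bool = False
) -> List[dict]:
    """Flatten pages and keep only assessments whose status code is Unhealthy.

    recently_changed_only=True additionally requires
    statusChangeDate > firstEvaluationDate, i.e. the resource was healthy at
    some point and later turned unhealthy (same rule as the KQL query above).
    """
    kept = []
    for page in pages:
        for item in page.get("value", []):
            props = item.get("properties", {})
            status = props.get("status", {})
            if status.get("code", "").lower() != "unhealthy":
                continue
            if recently_changed_only:
                changed = _parse_time(status.get("statusChangeDate"))
                first = _parse_time(status.get("firstEvaluationDate"))
                if changed is None or first is None or changed <= first:
                    continue
            kept.append(
                {
                    "id": item.get("id"),
                    "displayName": props.get("displayName"),
                    "statusChangeDate": status.get("statusChangeDate"),
                }
            )
    return kept


def _item(name: str, code: str, first: str, changed: str) -> dict:
    """Build one constructed assessment entry in the documented shape."""
    return {
        "id": f"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sample/providers/Microsoft.Security/assessments/{name}",
        "properties": {
            "displayName": name,
            "status": {"code": code, "firstEvaluationDate": first, "statusChangeDate": changed},
        },
    }


# Constructed sample pages: two pages joined by a (fake) nextLink.
SAMPLE_PAGES = [
    {
        "value": [
            _item("constructed-A", "Unhealthy", "2021-09-01T00:00:00Z", "2021-10-05T12:00:00Z"),
            _item("constructed-B", "Healthy", "2021-09-01T00:00:00Z", "2021-09-01T00:00:00Z"),
        ],
        "nextLink": "https://management.azure.com/constructed-next-link",
    },
    {
        "value": [
            _item("constructed-C", "Unhealthy", "2021-08-15T08:30:00Z", "2021-08-15T08:30:00Z"),
            _item("constructed-D", "NotApplicable", "2021-08-15T08:30:00Z", "2021-08-15T08:30:00Z"),
        ]
    },
]

if __name__ == "__main__":
    # Offline demonstration on the constructed pages. For a live run, replace with:
    # pages = fetch_pages(assessments_url("<subscription-id>"), "<bearer-token>")
    for row in unhealthy_assessments(SAMPLE_PAGES):
        print(row["displayName"], row["statusChangeDate"])
    print("recently changed:", [r["displayName"] for r in unhealthy_assessments(SAMPLE_PAGES, True)])
```

The same loop works for the SubAssessments list: point `fetch_pages` at the `.../subAssessments` URL for an assessment and filter on its `properties.status.code` in the same way, since that endpoint ignores `$filter` too. Comparing the status code case-insensitively matches the `=~` operator used in the KQL query.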
