Поделиться через


Примеры запросов Azure Resource Graph для Microsoft Defender для облака

На этой странице представлена коллекция примеров запросов Azure Resource Graph для Microsoft Defender для облака.

Примеры запросов

Отображение всех активных оповещений Microsoft Defender для облака

Возвращает список всех активных оповещений в клиенте Microsoft Defender для облака.

securityresources
| where type =~ 'microsoft.security/locations/alerts'
| where properties.Status in ('Active')
| where properties.Severity in ('Low', 'Medium', 'High')
| project alert_type = tostring(properties.AlertType), SystemAlertId = tostring(properties.SystemAlertId), ResourceIdentifiers = todynamic(properties.ResourceIdentifiers)
az graph query -q "securityresources | where type =~ 'microsoft.security/locations/alerts' | where properties.Status in ('Active') | where properties.Severity in ('Low', 'Medium', 'High') | project alert_type = tostring(properties AlertType), SystemAlertId = tostring(properties.SystemAlertId), ResourceIdentifiers = todynamic(properties ResourceIdentifiers)"

Оценка безопасности элементов управления на подписку

Возвращает оценку соблюдения мер безопасности для подписки.

SecurityResources
| where type == 'microsoft.security/securescores/securescorecontrols'
| extend controlName=properties.displayName,
  controlId=properties.definition.name,
  notApplicableResourceCount=properties.notApplicableResourceCount,
  unhealthyResourceCount=properties.unhealthyResourceCount,
  healthyResourceCount=properties.healthyResourceCount,
  percentageScore=properties.score.percentage,
  currentScore=properties.score.current,
  maxScore=properties.definition.properties.maxScore,
  weight=properties.weight,
  controlType=properties.definition.properties.source.sourceType,
  controlRecommendationIds=properties.definition.properties.assessmentDefinitions
| project tenantId, subscriptionId, controlName, controlId, unhealthyResourceCount, healthyResourceCount, notApplicableResourceCount, percentageScore, currentScore, maxScore, weight, controlType, controlRecommendationIds
az graph query -q "SecurityResources | where type == 'microsoft.security/securescores/securescorecontrols' | extend controlName=properties.displayName, controlId=properties.definition.name, notApplicableResourceCount=properties.notApplicableResourceCount, unhealthyResourceCount=properties.unhealthyResourceCount, healthyResourceCount=properties.healthyResourceCount, percentageScore=properties.score.percentage, currentScore=properties.score.current, maxScore=properties.definition.properties.maxScore, weight=properties.weight, controlType=properties.definition.properties.source.sourceType, controlRecommendationIds=properties.definition.properties.assessmentDefinitions | project tenantId, subscriptionId, controlName, controlId, unhealthyResourceCount, healthyResourceCount, notApplicableResourceCount, percentageScore, currentScore, maxScore, weight, controlType, controlRecommendationIds"

Подсчет работоспособных, неработоспособных и неприменимых ресурсов для рекомендации

Возвращает количество работоспособных, неработоспособных и неприменимых ресурсов для рекомендации. Укажите summarize и count, чтобы определить способ группирования и объединения значений по свойству.

SecurityResources
| where type == 'microsoft.security/assessments'
| extend resourceId=id,
  recommendationId=name,
  resourceType=type,
  recommendationName=properties.displayName,
  source=properties.resourceDetails.Source,
  recommendationState=properties.status.code,
  description=properties.metadata.description,
  assessmentType=properties.metadata.assessmentType,
  remediationDescription=properties.metadata.remediationDescription,
  policyDefinitionId=properties.metadata.policyDefinitionId,
  implementationEffort=properties.metadata.implementationEffort,
  recommendationSeverity=properties.metadata.severity,
  category=properties.metadata.categories,
  userImpact=properties.metadata.userImpact,
  threats=properties.metadata.threats,
  portalLink=properties.links.azurePortal
| summarize numberOfResources=count(resourceId) by tostring(recommendationName), tostring(recommendationState)
az graph query -q "SecurityResources | where type == 'microsoft.security/assessments' | extend resourceId=id, recommendationId=name, resourceType=type, recommendationName=properties.displayName, source=properties.resourceDetails.Source, recommendationState=properties.status.code, description=properties.metadata.description, assessmentType=properties.metadata.assessmentType, remediationDescription=properties.metadata.remediationDescription, policyDefinitionId=properties.metadata.policyDefinitionId, implementationEffort=properties.metadata.implementationEffort, recommendationSeverity=properties.metadata.severity, category=properties.metadata.categories, userImpact=properties.metadata.userImpact, threats=properties.metadata.threats, portalLink=properties.links.azurePortal | summarize numberOfResources=count(resourceId) by tostring(recommendationName), tostring(recommendationState)"

Получение всех оповещений Интернета вещей для центра, отфильтрованных по типу

Возвращает все оповещения Интернета вещей для определенного центра (замените заполнитель {hub_id}) и тип оповещения (замените заполнитель {alert_type}).

SecurityResources
| where type =~ 'microsoft.security/iotalerts' and id contains '{hub_id}' and properties.alertType contains '{alert_type}'
az graph query -q "SecurityResources | where type =~ 'microsoft.security/iotalerts' and id contains '{hub_id}' and properties.alertType contains '{alert_type}'"

Получение аналитических сведений о конфиденциальности определенного ресурса

Возвращает сведения о конфиденциальности определенного ресурса (замените заполнитель {resource_id} нужным значением).

SecurityResources
| where type == 'microsoft.security/insights/classification'
| where properties.associatedResource contains '$resource_id'
| project SensitivityInsight = properties.insightProperties.purviewCatalogs[0].sensitivity
az graph query -q "SecurityResources | where type == 'microsoft.security/insights/classification' | where properties.associatedResource contains '\$resource_id' | project SensitivityInsight = properties.insightProperties.purviewCatalogs[0].sensitivity"

Получение конкретного оповещения Интернета вещей

Возвращает конкретное оповещение Интернета вещей по указанному идентификатору системного оповещения (замените заполнитель {system_Alert_Id}).

SecurityResources
| where type =~ 'microsoft.security/iotalerts' and properties.systemAlertId contains '{system_Alert_Id}'
az graph query -q "SecurityResources | where type =~ 'microsoft.security/iotalerts' and properties.systemAlertId contains '{system_Alert_Id}'"

Вывод списка результатов оценки уязвимостей Реестра контейнеров

Возвращает все уязвимости, обнаруженные в образах контейнеров. Для просмотра этих результатов оценки безопасности необходимо включить Microsoft Defender для контейнеров.

SecurityResources
| where type == 'microsoft.security/assessments'
| where properties.displayName contains 'Container registry images should have vulnerability findings resolved'
| summarize by assessmentKey=name //the ID of the assessment
| join kind=inner (
  securityresources
  | where type == 'microsoft.security/assessments/subassessments'
  | extend assessmentKey = extract('.*assessments/(.+?)/.*',1,  id)
) on assessmentKey
| project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId
| extend description = properties.description,
  displayName = properties.displayName,
  resourceId = properties.resourceDetails.id,
  resourceSource = properties.resourceDetails.source,
  category = properties.category,
  severity = properties.status.severity,
  code = properties.status.code,
  timeGenerated = properties.timeGenerated,
  remediation = properties.remediation,
  impact = properties.impact,
  vulnId = properties.id,
  additionalData = properties.additionalData
az graph query -q "SecurityResources | where type == 'microsoft.security/assessments' | where properties.displayName contains 'Container registry images should have vulnerability findings resolved' | summarize by assessmentKey=name //the ID of the assessment | join kind=inner ( securityresources | where type == 'microsoft.security/assessments/subassessments' | extend assessmentKey = extract('.*assessments/(.+?)/.*',1, id) ) on assessmentKey | project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId | extend description = properties.description, displayName = properties.displayName, resourceId = properties.resourceDetails.id, resourceSource = properties.resourceDetails.source, category = properties.category, severity = properties.status.severity, code = properties.status.code, timeGenerated = properties.timeGenerated, remediation = properties.remediation, impact = properties.impact, vulnId = properties.id, additionalData = properties.additionalData"

Получение списка рекомендаций Microsoft Defender

Возвращает все оценки Microsoft Defender, упорядоченные в табличном виде с одним полем для каждого свойства.

SecurityResources
| where type == 'microsoft.security/assessments'
| extend resourceId=id,
  recommendationId=name,
  recommendationName=properties.displayName,
  source=properties.resourceDetails.Source,
  recommendationState=properties.status.code,
  description=properties.metadata.description,
  assessmentType=properties.metadata.assessmentType,
  remediationDescription=properties.metadata.remediationDescription,
  policyDefinitionId=properties.metadata.policyDefinitionId,
  implementationEffort=properties.metadata.implementationEffort,
  recommendationSeverity=properties.metadata.severity,
  category=properties.metadata.categories,
  userImpact=properties.metadata.userImpact,
  threats=properties.metadata.threats,
  portalLink=properties.links.azurePortal
| project tenantId, subscriptionId, resourceId, recommendationName, recommendationId, recommendationState, recommendationSeverity, description, remediationDescription, assessmentType, policyDefinitionId, implementationEffort, userImpact, category, threats, source, portalLink
az graph query -q "SecurityResources | where type == 'microsoft.security/assessments' | extend resourceId=id, recommendationId=name, recommendationName=properties.displayName, source=properties.resourceDetails.Source, recommendationState=properties.status.code, description=properties.metadata.description, assessmentType=properties.metadata.assessmentType, remediationDescription=properties.metadata.remediationDescription, policyDefinitionId=properties.metadata.policyDefinitionId, implementationEffort=properties.metadata.implementationEffort, recommendationSeverity=properties.metadata.severity, category=properties.metadata.categories, userImpact=properties.metadata.userImpact, threats=properties.metadata.threats, portalLink=properties.links.azurePortal | project tenantId, subscriptionId, resourceId, recommendationName, recommendationId, recommendationState, recommendationSeverity, description, remediationDescription, assessmentType, policyDefinitionId, implementationEffort, userImpact, category, threats, source, portalLink"

Вывод списка результатов оценки уязвимостей Qualys

Возвращает все уязвимости, обнаруженные на виртуальных машинах, на которых установлен агент Qualys.

SecurityResources
| where type == 'microsoft.security/assessments'
| where * contains 'vulnerabilities in your virtual machines'
| summarize by assessmentKey=name //the ID of the assessment
| join kind=inner (
  securityresources
  | where type == 'microsoft.security/assessments/subassessments'
  | extend assessmentKey = extract('.*assessments/(.+?)/.*',1,  id)
) on assessmentKey
| project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId
| extend description = properties.description,
  displayName = properties.displayName,
  resourceId = properties.resourceDetails.id,
  resourceSource = properties.resourceDetails.source,
  category = properties.category,
  severity = properties.status.severity,
  code = properties.status.code,
  timeGenerated = properties.timeGenerated,
  remediation = properties.remediation,
  impact = properties.impact,
  vulnId = properties.id,
  additionalData = properties.additionalData
az graph query -q "SecurityResources | where type == 'microsoft.security/assessments' | where * contains 'vulnerabilities in your virtual machines' | summarize by assessmentKey=name //the ID of the assessment | join kind=inner ( securityresources | where type == 'microsoft.security/assessments/subassessments' | extend assessmentKey = extract('.*assessments/(.+?)/.*',1, id) ) on assessmentKey | project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId | extend description = properties.description, displayName = properties.displayName, resourceId = properties.resourceDetails.id, resourceSource = properties.resourceDetails.source, category = properties.category, severity = properties.status.severity, code = properties.status.code, timeGenerated = properties.timeGenerated, remediation = properties.remediation, impact = properties.impact, vulnId = properties.id, additionalData = properties.additionalData"

Состояние оценок соответствия нормативным требованиям

Возвращает состояние оценок соответствия нормативным требованиям для каждого стандарта соответствия и элемента управления соответствием.

SecurityResources
| where type == 'microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments'
| extend assessmentName=properties.description,
  complianceStandard=extract(@'/regulatoryComplianceStandards/(.+)/regulatoryComplianceControls',1,id),
  complianceControl=extract(@'/regulatoryComplianceControls/(.+)/regulatoryComplianceAssessments',1,id),
  skippedResources=properties.skippedResources,
  passedResources=properties.passedResources,
  failedResources=properties.failedResources,
  state=properties.state
| project tenantId, subscriptionId, id, complianceStandard, complianceControl, assessmentName, state, skippedResources, passedResources, failedResources
az graph query -q "SecurityResources | where type == 'microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments' | extend assessmentName=properties.description, complianceStandard=extract(@'/regulatoryComplianceStandards/(.+)/regulatoryComplianceControls',1,id), complianceControl=extract(@'/regulatoryComplianceControls/(.+)/regulatoryComplianceAssessments',1,id), skippedResources=properties.skippedResources, passedResources=properties.passedResources, failedResources=properties.failedResources, state=properties.state | project tenantId, subscriptionId, id, complianceStandard, complianceControl, assessmentName, state, skippedResources, passedResources, failedResources"

Состояние соответствия нормативным требованиям для стандарта соответствия

Возвращает состояние соответствия нормативным требованиям для стандарта соответствия для каждой подписки.

SecurityResources
| where type == 'microsoft.security/regulatorycompliancestandards'
| extend complianceStandard=name,
  state=properties.state,
  passedControls=properties.passedControls,
  failedControls=properties.failedControls,
  skippedControls=properties.skippedControls,
  unsupportedControls=properties.unsupportedControls
| project tenantId, subscriptionId, complianceStandard, state, passedControls, failedControls, skippedControls, unsupportedControls
az graph query -q "SecurityResources | where type == 'microsoft.security/regulatorycompliancestandards' | extend complianceStandard=name, state=properties.state, passedControls=properties.passedControls, failedControls=properties.failedControls, skippedControls=properties.skippedControls, unsupportedControls=properties.unsupportedControls | project tenantId, subscriptionId, complianceStandard, state, passedControls, failedControls, skippedControls, unsupportedControls"

Оценка соблюдения мер безопасности для группы управления

Возвращает оценку соблюдения мер безопасности для группы управления.

SecurityResources
| where type == 'microsoft.security/securescores'
| project subscriptionId,
  subscriptionTotal = iff(properties.score.max == 0, 0.00, round(tolong(properties.weight) * todouble(properties.score.current)/tolong(properties.score.max),2)),
  weight = tolong(iff(properties.weight == 0, 1, properties.weight))
| join kind=leftouter (
  ResourceContainers
  | where type == 'microsoft.resources/subscriptions' and properties.state == 'Enabled'
  | project subscriptionId, mgChain=properties.managementGroupAncestorsChain )
  on subscriptionId
| mv-expand mg=mgChain
| summarize sumSubs = sum(subscriptionTotal), sumWeight = sum(weight), resultsNum = count() by tostring(mg.displayName), mgId = tostring(mg.name)
| extend secureScore = iff(tolong(resultsNum) == 0, 404.00, round(sumSubs/sumWeight*100,2))
| project mgName=mg_displayName, mgId, sumSubs, sumWeight, resultsNum, secureScore
| order by mgName asc
az graph query -q "SecurityResources | where type == 'microsoft.security/securescores' | project subscriptionId, subscriptionTotal = iff(properties.score.max == 0, 0.00, round(tolong(properties.weight) * todouble(properties.score.current)/tolong(properties.score.max),2)), weight = tolong(iff(properties.weight == 0, 1, properties.weight)) | join kind=leftouter ( ResourceContainers | where type == 'microsoft.resources/subscriptions' and properties.state == 'Enabled' | project subscriptionId, mgChain=properties.managementGroupAncestorsChain ) on subscriptionId | mv-expand mg=mgChain | summarize sumSubs = sum(subscriptionTotal), sumWeight = sum(weight), resultsNum = count() by tostring(mg.displayName), mgId = tostring(mg.name) | extend secureScore = iff(tolong(resultsNum) == 0, 404.00, round(sumSubs/sumWeight*100,2)) | project mgName=mg_displayName, mgId, sumSubs, sumWeight, resultsNum, secureScore | order by mgName asc"

Оценка безопасности на подписку

Возвращает оценку безопасности на подписку.

SecurityResources
| where type == 'microsoft.security/securescores'
| extend percentageScore=properties.score.percentage,
  currentScore=properties.score.current,
  maxScore=properties.score.max,
  weight=properties.weight
| project tenantId, subscriptionId, percentageScore, currentScore, maxScore, weight
az graph query -q "SecurityResources | where type == 'microsoft.security/securescores' | extend percentageScore=properties.score.percentage, currentScore=properties.score.current, maxScore=properties.score.max, weight=properties.weight | project tenantId, subscriptionId, percentageScore, currentScore, maxScore, weight"

Вывод ценовой категории плана Defender для облака на подписку

Возвращает ценовую категорию плана Defender для облака на подписку.

SecurityResources
| where type == 'microsoft.security/pricings'
| project Subscription= subscriptionId, Azure_Defender_plan= name, Status= properties.pricingTier
az graph query -q "SecurityResources | where type == 'microsoft.security/pricings' | project Subscription= subscriptionId, Azure_Defender_plan= name, Status= properties.pricingTier"

Следующие шаги