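I have these two queries that I have been trying to join together, but everything I have tried has failed. I have gotten this far, but honestly I think I am out of my current depth.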
    securityresources
    | where type == "microsoft.security/assessments"
    | project
        ['TenantID'] = tenantId,
        ['SubscriptionID'] = subscriptionId,
        ['AssessmentID'] = name,
        ['DisplayName'] = properties.displayName,
        ['ResourceType'] = tolower(split(properties.resourceDetails.Id,"/").[7]),
        ['ResourceName'] = tolower(split(properties.resourceDetails.Id,"/").[8]),
        ['ResourceGroup'] = resourceGroup,
        ['ContainsNestedRecom'] = tostring(properties.additionalData.subAssessmentsLink),
        ['StatusCode'] = properties.status.code,
        ['StatusDescription'] = properties.status.description,
        ['PolicyDefID'] = properties.metadata.policyDefinitionId,
        ['Description'] = properties.metadata.description,
        ['RecomType'] = properties.metadata.assessmentType,
        ['Remediation'] = properties.metadata.remediationDescription,
        ['Severity'] = properties.metadata.severity,
        ['Link'] = properties.links.azurePortal
    | join kind=inner (
        policyresources
        | where type =~ "microsoft.policyinsights/policystates"
        | project
            ['PolicyDefID'] = properties.policyDefinitionId,
            ['PolicyScope'] = properties.policyAssignmentScope,
            ['PolicyAssignmentID'] = properties.policyAssignmentId
    )
    on PolicyDefID
    | project-away PolicyDefID1
Any suggestions on what I am doing wrong here? Obviously I am restricted by the KQL that is allowed in Resource Graph Explorer.
Thanks