How can I default a KQL Defender Vulnerability Summary to zero?
I've created a hunting query that that tallies the number of Critical and High severity vulnerabilities up per device. Using this is quicker that the GUI and was fun to dip my feet in kql a bit. It works great, except if a device has no vulnerabilities, it simply won't appear in the results. What is the best way of going about getting all devices to appear and if they have zero vulnerabilities to display a 0?
Code
DeviceInfo
|join DeviceTvmSoftwareVulnerabilities on DeviceId
| where MachineGroup contains "example"
| summarize ['Critical Severity Vulnerabilities']=make_set_if(CveId,SoftwareName contains "server" and SoftwareName and VulnerabilitySeverityLevel == "Critical"),
['High Severity Vulnerabilities']=make_set_if(CveId, SoftwareName contains "server" and SoftwareName and VulnerabilitySeverityLevel == "High"),
by DeviceName
| project DeviceName , CVEServerCritical=array_length((['Critical Severity Vulnerabilities'])),CVEServerHigh=array_length((['High Severity Vulnerabilities']))
Tried different joining/union commands
Have you tried leftouter join instead of the default inner join in KQL.
An inner join will only return rows that have matching values in both tables, which is why devices without vulnerabilities are not appearing in your results.
A leftouter join, on the other hand, will return all rows from the left table (in this case DeviceInfo), and the matched rows from the right table (DeviceTvmSoftwareVulnerabilities).
If there is no match, the query will still return the row from the left table with null values for the columns of the right table.
Here's an updated version of your query that uses a leftouter join and also includes handling for devices that have no vulnerabilities by ensuring that arrays do not become null:
DeviceInfo
| join kind=leftouter (DeviceTvmSoftwareVulnerabilities | where MachineGroup contains "example") on DeviceId
| extend SoftwareName = coalesce(SoftwareName, "") // Ensures SoftwareName is never null
| summarize
['Critical Severity Vulnerabilities'] = make_set_if(CveId, SoftwareName contains "server" and VulnerabilitySeverityLevel == "Critical"),
['High Severity Vulnerabilities'] = make_set_if(CveId, SoftwareName contains "server" and VulnerabilitySeverityLevel == "High"),
['Medium Severity Vulnerabilities'] = make_set_if(CveId, SoftwareName contains "server" and VulnerabilitySeverityLevel == "Medium")
by DeviceName
| project
DeviceName,
CVEServerCritical = array_length((['Critical Severity Vulnerabilities'])),
CVEServerHigh = array_length((['High Severity Vulnerabilities'])),
CVEServerMedium = array_length((['Medium Severity Vulnerabilities']))
- Creating KQL query to get Azure VMs not patched since 30days
- Create a function to calculate power of tens with a loop and reuse them in another query
- Azure Resource Graph - Database sizes
- KQL Query to filter duplicate entries and select top 1 from the log data
- Generate Chart by Type and State
- Azure Data Explorer C# querying and ORM
- How to find non distinct/duplicate messages in Azure Application Insights?
- Kusto query for time between records by group in one result list
- Application Insights KQL query - not in sub query
- Logic Apps copy action gives: The managed identity used with this operation no longer exists. To continue, set up an identity or change the connection
- Get all types of resources in a resource group
- insert an array in column of the kql table
- Stuck at PIM Diagnostics via KQL
- In Azure log analytics - where are the delete queries in KQL?
- Get the difference between Successive timestamps KQL
- Grouping on the basis of cumulative sum
- Check two different tables
- Is it possible to group rows programmatically in KQL?
- How could I parse the json array in Kusto?
- How to use table alias in KQL query
- How do I create an Azure workbook that accepts a time range in UTC?
- Azure Resource Graph Explorer :: list all VMs with number of cores
- Restrict all table and function except specific table
- Extract query string from url
- how to convert the rows into columns in Azure Data Explorer (Kusto)
- String function not parsing all characters
- free disk space overview using InsightsMetrics
- Query Azure Resource Graph and get a list of all the application registration that contains "test"
- Time difference between separate rows in same table
- How can I default a KQL Defender Vulnerability Summary to zero?