Hoping someone can help. I am new to KQL and need a bit of help. I created a query that counts the number of critical and high severity vulnerabilities per device. It is faster to use than the GUI, and it is fun to try things out in KQL. It works fine, except that when a device has no vulnerabilities it does not appear in the results at all. What is the best way to make every device show up, displaying 0 when it has zero vulnerabilities?
Code
DeviceInfo
| join DeviceTvmSoftwareVulnerabilities on DeviceId   // default join kind is inner
| where MachineGroup contains "example"
| summarize
    ['Critical Severity Vulnerabilities'] = make_set_if(CveId, SoftwareName contains "server" and VulnerabilitySeverityLevel == "Critical"),
    ['High Severity Vulnerabilities'] = make_set_if(CveId, SoftwareName contains "server" and VulnerabilitySeverityLevel == "High")
    by DeviceName
| project DeviceName, CVEServerCritical = array_length(['Critical Severity Vulnerabilities']), CVEServerHigh = array_length(['High Severity Vulnerabilities'])
I have tried different join/union commands.
Have you tried using a leftouter join instead of the inner join that KQL uses by default?
An inner join only returns rows that have matching values in both tables, which is why devices without vulnerabilities do not appear in the results.
A leftouter join, on the other hand, returns all rows from the left table (DeviceInfo in this case) together with the matching rows from the right table (DeviceTvmSoftwareVulnerabilities).
If there is no match, the query still returns the left-table row, with the right-table columns left empty.
Here is an updated version of the query that uses a leftouter join and also handles devices with no vulnerabilities by making sure the arrays never become null:
DeviceInfo
| where MachineGroup contains "example"   // MachineGroup is a DeviceInfo column, so filter the left table
| join kind=leftouter DeviceTvmSoftwareVulnerabilities on DeviceId   // keeps devices that have no findings
| extend SoftwareName = coalesce(SoftwareName, "")   // Ensures SoftwareName is never null
| summarize
    ['Critical Severity Vulnerabilities'] = make_set_if(CveId, SoftwareName contains "server" and VulnerabilitySeverityLevel == "Critical"),
    ['High Severity Vulnerabilities'] = make_set_if(CveId, SoftwareName contains "server" and VulnerabilitySeverityLevel == "High"),
    ['Medium Severity Vulnerabilities'] = make_set_if(CveId, SoftwareName contains "server" and VulnerabilitySeverityLevel == "Medium")
    by DeviceName
| project
    DeviceName,
    CVEServerCritical = array_length(['Critical Severity Vulnerabilities']),
    CVEServerHigh = array_length(['High Severity Vulnerabilities']),
    CVEServerMedium = array_length(['Medium Severity Vulnerabilities'])
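To see the join behaviour on data you control before running it against the real tables, here is an added, self-contained example (not from either poster) that swaps in constructed datatable rows for DeviceInfo and DeviceTvmSoftwareVulnerabilities; the device names, group names and CVE identifiers are made up placeholders.

```kusto
// Constructed stand-in for DeviceInfo: three devices, two in the group of interest
let Devices = datatable(DeviceId:string, DeviceName:string, MachineGroup:string)
[
    "dev-001", "web01", "example-servers",
    "dev-002", "app02", "example-servers",   // has no findings at all
    "dev-003", "lab03", "other-group"
];
// Constructed stand-in for DeviceTvmSoftwareVulnerabilities (placeholder CVE ids)
let Findings = datatable(DeviceId:string, SoftwareName:string, CveId:string, VulnerabilitySeverityLevel:string)
[
    "dev-001", "windows_server_2019", "CVE-FAKE-0001", "Critical",
    "dev-001", "windows_server_2019", "CVE-FAKE-0002", "High",
    "dev-001", "sql_server",          "CVE-FAKE-0003", "High",
    "dev-001", "browser",             "CVE-FAKE-0004", "High",   // not a "server" product, excluded
    "dev-003", "windows_server_2022", "CVE-FAKE-0005", "Critical"
];
Devices
| where MachineGroup contains "example"        // filter on the left table, where MachineGroup lives
| join kind=leftouter Findings on DeviceId     // change to kind=inner and app02 disappears
| extend SoftwareName = coalesce(SoftwareName, "")
| summarize
    Critical = make_set_if(CveId, SoftwareName contains "server" and VulnerabilitySeverityLevel == "Critical"),
    High     = make_set_if(CveId, SoftwareName contains "server" and VulnerabilitySeverityLevel == "High")
    by DeviceName
| project DeviceName, CVEServerCritical = array_length(Critical), CVEServerHigh = array_length(High)
```

Run it in a Kusto or advanced-hunting query window: app02 is kept with zero counts because of the leftouter join, and lab03 is dropped by the MachineGroup filter rather than by the join.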