IMPORTANT: DevOps Kit (AzSK) is being sunset by end of FY21. More details here


OMS Helper Queries


Overview:

To help teams visualize scan results effectively, we have added properties to the OMS data objects. These properties let you filter scan results by latest module version, access, expiry, baseline, etc.


Local effective scan result

You can validate your local scan with the query below by supplying the RunIdentifier (the RunIdentifier is simply the name of the folder where the local scan resides, e.g. "20180112_111359_GRS").

AzSK_CL
| where HasAttestationReadPermissions_b == true and HasRequiredAccess_b == true and IsLatestPSModule_b == true and RunIdentifier_s == "<RunIdentifier>"

CA Complete Scan Results

The following query returns the complete results generated by a CA scan.

let uniqueIdentifiers = AzSK_CommandEvent_CL
| where EventName_s == "Command Completed" and PartialScanIdentifier_s != "" 
| summarize arg_max(TimeGenerated, *) by SubscriptionId 
| project  PartialScanIdentifier_s;
AzSK_CL | join kind= inner (
    uniqueIdentifiers
) on PartialScanIdentifier_s 
| extend ControlStatus = iff(ControlStatus_s == "Passed", "Passed","Failed")
| summarize AggregatedValue = count() by SubscriptionId,ControlStatus

Get expiring CA cert details

The following query lists the subscriptions whose CA certificate is going to expire within 7 days.

AzSKMetaData_CL
| where TimeGenerated > ago(15d)
| summarize arg_max(TimeGenerated, *) by SubscriptionId
| where CACertExpiryTime_t < ago(-7d)
| project SubscriptionId, SubscriptionName_s, CACertExpiryTime_t
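
The expiry filter above has no lower bound, so it also matches certificates that have already expired, and a subscription with no metadata record in the last 15 days is not evaluated at all. The query below is an added example, not part of the AzSK documentation: it runs the same logic over a constructed datatable and labels each match. The table name SampleMetaData, the fixed asOf timestamp (used in place of now() so the rows stay meaningful), the sample rows and the DaysToExpiry and CertState columns are assumptions made for illustration.

```kusto
// Constructed sample rows standing in for AzSKMetaData_CL (not real data).
// asOf is a fixed reference time used instead of now(): ago(15d) becomes
// asOf - 15d and ago(-7d) becomes asOf + 7d.
let asOf = datetime(2021-01-10);
let SampleMetaData = datatable(TimeGenerated:datetime, SubscriptionId:string,
                               SubscriptionName_s:string, CACertExpiryTime_t:datetime)
[
    // cert expires 3 days after asOf
    datetime(2021-01-09), "sub-a", "Contoso-Prod", datetime(2021-01-13),
    // cert expired 5 days before asOf
    datetime(2021-01-09), "sub-b", "Contoso-Dev",  datetime(2021-01-05),
    // older record for sub-c, written before the cert was renewed
    datetime(2021-01-02), "sub-c", "Contoso-Test", datetime(2021-01-12),
    // latest record for sub-c, cert renewed
    datetime(2021-01-09), "sub-c", "Contoso-Test", datetime(2021-07-01),
    // last record is older than 15 days, so this subscription is never evaluated
    datetime(2020-12-01), "sub-d", "Contoso-Old",  datetime(2021-01-11)
];
SampleMetaData
| where TimeGenerated > asOf - 15d
// keep only the most recent metadata record per subscription
| summarize arg_max(TimeGenerated, *) by SubscriptionId
// same comparison as CACertExpiryTime_t < ago(-7d)
| where CACertExpiryTime_t < asOf + 7d
| extend DaysToExpiry = datetime_diff('day', CACertExpiryTime_t, asOf)
// separate certs that are already past expiry from those still valid
| extend CertState = iff(CACertExpiryTime_t < asOf, "Expired", "ExpiringWithin7Days")
| project SubscriptionId, SubscriptionName_s, CACertExpiryTime_t, DaysToExpiry, CertState
| order by CACertExpiryTime_t asc
```

To apply the same labelling to live data, replace SampleMetaData with AzSKMetaData_CL and asOf with now().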