KQL get all CVE's in an array
I am running the following KQL query in Azure Graph Explorer:
```kusto
securityresources
| where type == "microsoft.security/assessments/subassessments"
| extend assessmentKey = extract(".*assessments/(.+?)/.*",1, id)
| where assessmentKey == "dbd0cb49-b563-45e7-9724-889e799fa648"
```
This returns my raw data [Results][1].
If I click See details, I can see that the given vulnerability has 2 CVEs assigned (CVE-2020-25709 and CVE-2020-25710):
```json
{
  "description": "Debian has released security update for openldap to fix the vulnerabilities.<P>",
  "displayName": "Debian Security Update for openldap (DLA 2481-1)",
  "resourceDetails": {
    "id": "/repositories/foo/images/sha256:fb47732ef36b285b1f3fbda69ab8411a430b1dc43823ae33d5992f0295c945f4",
    "source": "Azure"
  },
  "additionalData": {
    "assessedResourceType": "ContainerRegistryVulnerability",
    "vendorReferences": [
      {
        "title": "DLA 2481-1",
        "link": "https://lists.debian.org/debian-lts-announce/2020/12/msg00008.html"
      }
    ],
    "publishedTime": "2020-12-09T13:44:37.0000000Z",
    "repositoryName": "foo",
    "metadata": {
      "isPreview": false
    },
    "registryHost": "acrtestdev2.azurecr.io",
    "patchable": true,
    "imageDigest": "sha256:fb47732ef36b285b1f3fbda69ab8411a430b1dc43823ae33d5992f0295c945f4",
    "cicdData": {
      "status": "Incomplete"
    },
    "scanner": "Trivy",
    "type": "Vulnerability",
    "cvss": {
      "2.0": {
        "cvssVectorString": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C",
        "base": 5
      },
      "3.0": {
        "cvssVectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C",
        "base": 7.5
      }
    },
    "cve": [
      {
        "title": "CVE-2020-25709",
        "link": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25709"
      },
      {
        "title": "CVE-2020-25710",
        "link": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25710"
      }
    ],
    "imageDetails": {
      "osDetails": "Debian Linux 9.3",
      "os": "Linux"
    }
  },
  "timeGenerated": "2022-08-11T08:58:48.5588955Z",
  "status": {
    "severity": "Medium",
    "code": "Unhealthy"
  },
  "remediation": "Refer to Debian LTS Announce <A HREF=\"https://lists.debian.org/debian-lts-announce/2020/12/msg00008.html\" TARGET=\"_blank\">DLA 2481-1</A> to address this issue and obtain further details.\n<P>Patch:<BR>\nFollowing are links for downloading patches to fix the vulnerabilities:\n<P> <A HREF=\"https://lists.debian.org/debian-lts-announce/2020/12/msg00008.html\" TARGET=\"_blank\">DLA 2481-1:Debian</A>",
  "id": "178251",
  "category": "Debian",
  "impact": "Successful exploitation allows attacker to compromise the system."
}
```
How can I access the CVE array/list and output these two values, e.g. CVE?
Many thanks for your help on this.

[1]: https://i.stack.imgur.com/n6PH2.png
`extract()`
`properties.additionalData.cve` array.
`title` seems to be a special word, so use `cve["title"]` (rather than `cve.title`, which causes a syntax error).
```kusto
securityresources
| where type == "microsoft.security/assessments/subassessments"
| parse id with * "assessments/" assessmentKey "/" *
| where assessmentKey == "dbd0cb49-b563-45e7-9724-889e799fa648"
| mv-expand with_itemindex=i cve = properties.additionalData.cve
| extend cve["title"], cve["link"]
```
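
To get the CVEs back as one array per image instead of one row per CVE, the expanded rows can be aggregated again. This is an added example, not part of the original answer: the column names `cveId`, `cves`, `repository`, `imageDigest` and `cveCount` are chosen here, and the field paths assume the JSON shown in the question is the row's `properties` column.

```kusto
// Added example: one row per container image, with every CVE title
// reported for it collected into a single array column.
securityresources
| where type == "microsoft.security/assessments/subassessments"
| parse id with * "assessments/" assessmentKey "/" *
| where assessmentKey == "dbd0cb49-b563-45e7-9724-889e799fa648"
// One row per entry of the cve array, as in the answer above.
| mv-expand cve = properties.additionalData.cve
// cve["title"] is dynamic; cast it so it can be filtered and aggregated.
| extend cveId = tostring(cve["title"])
// Drop rows that carry no CVE title (for example findings without a cve entry).
| where isnotempty(cveId)
// Re-pack the titles per image, de-duplicating CVEs that several findings share.
| summarize cves = make_set(cveId)
    by repository = tostring(properties.additionalData.repositoryName),
       imageDigest = tostring(properties.additionalData.imageDigest)
| extend cveCount = array_length(cves)
| order by cveCount desc
```

For the record shown in the question this produces a single row for repository `foo` whose `cves` column holds both CVE-2020-25709 and CVE-2020-25710.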