KQL get all CVEs in an array

I am running the following KQL query in Azure Graph Explorer:

securityresources
| where type == "microsoft.security/assessments/subassessments"
| extend assessmentKey = extract(".*assessments/(.+?)/.*",1,  id)
| where assessmentKey == "dbd0cb49-b563-45e7-9724-889e799fa648"

This returns my raw data: [Results][1]

If I click "See details", I can see that two CVEs are assigned to the given vulnerability (CVE-2020-25709 and CVE-2020-25710):

{
    "description": "Debian has released security update for openldap to fix the vulnerabilities.<P>",
    "displayName": "Debian Security Update for openldap (DLA 2481-1)",
    "resourceDetails": {
        "id": "/repositories/foo/images/sha256:fb47732ef36b285b1f3fbda69ab8411a430b1dc43823ae33d5992f0295c945f4",
        "source": "Azure"
    },
    "additionalData": {
        "assessedResourceType": "ContainerRegistryVulnerability",
        "vendorReferences": [
            {
                "title": "DLA 2481-1",
                "link": "https://lists.debian.org/debian-lts-announce/2020/12/msg00008.html"
            }
        ],
        "publishedTime": "2020-12-09T13:44:37.0000000Z",
        "repositoryName": "foo",
        "metadata": {
            "isPreview": false
        },
        "registryHost": "acrtestdev2.azurecr.io",
        "patchable": true,
        "imageDigest": "sha256:fb47732ef36b285b1f3fbda69ab8411a430b1dc43823ae33d5992f0295c945f4",
        "cicdData": {
            "status": "Incomplete"
        },
        "scanner": "Trivy",
        "type": "Vulnerability",
        "cvss": {
            "2.0": {
                "cvssVectorString": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C",
                "base": 5
            },
            "3.0": {
                "cvssVectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C",
                "base": 7.5
            }
        },
        "cve": [
            {
                "title": "CVE-2020-25709",
                "link": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25709"
            },
            {
                "title": "CVE-2020-25710",
                "link": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25710"
            }
        ],
        "imageDetails": {
            "osDetails": "Debian Linux 9.3",
            "os": "Linux"
        }
    },
    "timeGenerated": "2022-08-11T08:58:48.5588955Z",
    "status": {
        "severity": "Medium",
        "code": "Unhealthy"
    },
    "remediation": "Refer to Debian LTS Announce <A HREF=\"https://lists.debian.org/debian-lts-announce/2020/12/msg00008.html\" TARGET=\"_blank\">DLA 2481-1</A> to address this issue and obtain further details.\n<P>Patch:<BR>\nFollowing are links for downloading patches to fix the vulnerabilities:\n<P> <A HREF=\"https://lists.debian.org/debian-lts-announce/2020/12/msg00008.html\" TARGET=\"_blank\">DLA 2481-1:Debian</A>",
    "id": "178251",
    "category": "Debian",
    "impact": "Successful exploitation allows attacker to compromise the system."
}

How can I access the CVE array/list and output both of these values in the output, e.g. as a CVE column?

Many thanks for any help with this.

[1]: https://i.stack.imgur.com/n6PH2.png

  1. You can use the simpler parse operator syntax instead of extract().
  2. Use the mv-expand operator to expand the properties.additionalData.cve array.
  3. title seems to be a special word, so use cve["title"] (rather than cve.title, which causes a syntax error).

securityresources
| where type == "microsoft.security/assessments/subassessments"
| parse id with * "assessments/" assessmentKey "/" *
| where assessmentKey == "dbd0cb49-b563-45e7-9724-889e799fa648"
| mv-expand with_itemindex=i cve = properties.additionalData.cve
| extend cve["title"], cve["link"]

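The following is an added example that builds on the answer above; it is not part of the original question or answer. After mv-expand has produced one row per CVE, it folds the CVEs back into a single row per subassessment so each finding carries all of its CVE titles, a count and a comma-separated string suitable for a report or export. The output column names (cveTitles, cveLinks, cveCount, cveList) are chosen here; the property paths come from the JSON shown in the question.

```kql
// Added example: one row per subassessment, with all of its CVEs folded back together.
// Same filter as the original query; cveTitles/cveLinks/cveCount/cveList are chosen names.
securityresources
| where type == "microsoft.security/assessments/subassessments"
| parse id with * "assessments/" assessmentKey "/" *
| where assessmentKey == "dbd0cb49-b563-45e7-9724-889e799fa648"
// One row per entry of the cve array (two rows for the example finding above)
| mv-expand cve = properties.additionalData.cve
| extend cveTitle = tostring(cve["title"]), cveLink = tostring(cve["link"])
// Collapse back to one row per finding, keeping the fields worth reporting on
| summarize cveTitles = make_list(cveTitle), cveLinks = make_list(cveLink)
    by id,
       displayName = tostring(properties.displayName),
       severity    = tostring(properties.status.severity),
       imageDigest = tostring(properties.additionalData.imageDigest)
| extend cveCount = array_length(cveTitles),
         cveList  = strcat_array(cveTitles, ", ")   // e.g. "CVE-2020-25709, CVE-2020-25710"
| project id, displayName, severity, imageDigest, cveCount, cveList, cveLinks
| order by cveCount desc
```

Grouping by id is enough to rebuild one row per finding because every subassessment has its own resource id; the other by-columns are only carried along so they survive the summarize.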