
Positive and Negative drifts of controls are always showing 0 change #722

Open
EvgeniaMartynova opened this issue Aug 19, 2019 · 0 comments


Title

Positive and Negative drifts of controls are always showing 0 change

Description

Positive and Negative drifts of controls are always showing 0 change in the App Insights Dashboard.

Steps to reproduce

Set up the Org Policy Monitoring dashboard using the guide here: https://github.com/azsk/DevOpsKit-docs/blob/master/Images/07_OrgPolicy_MonitoringDashboard.png

Expected behavior

Positive and Negative drifts of controls show the actual change between the old and the latest scan.

Actual behavior

Positive and Negative drifts of controls are always showing 0 change in the App Insights Dashboard. The query always gives 0 change.

//Negative Drift
let ControlResults = customEvents
| where timestamp < ago(2d) and timestamp >= ago(4d)
| where name == "Control Scanned" and customDimensions.HasAttestationReadPermissions == "True" and customDimensions.HasRequiredAccess == "True"
| summarize arg_max(timestamp, *) by tostring(customDimensions.SubscriptionId), tostring(customDimensions.SubscriptionName), tostring(customDimensions.ControlId)
| project tostring(customDimensions.SubscriptionId), tostring(customDimensions.SubscriptionName),tostring(customDimensions.ResourceId), tostring(customDimensions.ControlId), Oldresult =tostring(customDimensions.VerificationResult)
| join
(
    customEvents
    | where timestamp >= ago(2d)
    | where name == "Control Scanned" and customDimensions.HasAttestationReadPermissions == "True" and customDimensions.HasRequiredAccess == "True"
    | summarize arg_max(timestamp, *) by tostring(customDimensions.SubscriptionId), tostring(customDimensions.SubscriptionName), tostring(customDimensions.ControlId)
    | project tostring(customDimensions.SubscriptionId), tostring(customDimensions.SubscriptionName),tostring(customDimensions.ResourceId), tostring(customDimensions.ControlId), Latestresult = tostring(customDimensions.VerificationResult)
)
on customDimensions_SubscriptionId, customDimensions_SubscriptionName,customDimensions_ResourceId, customDimensions_ControlId
| project tostring(customDimensions_SubscriptionId), tostring(customDimensions_SubscriptionName),tostring(customDimensions_ResourceId), tostring(customDimensions_ControlId),Oldresult,Latestresult;
let OldScan = ControlResults
| where Oldresult == "Passed"
| summarize OldScanCount = count() by tostring(customDimensions_ControlId);
let LatestScan = ControlResults
| where Latestresult == "Passed"
| summarize LatestScanCount = count() by tostring(customDimensions_ControlId);
OldScan
| join
(
    LatestScan
)
on customDimensions_ControlId
| project ControlId=tostring(customDimensions_ControlId),OldStatusCount=OldScanCount,LatestStatusCount=LatestScanCount
| where OldStatusCount != LatestStatusCount and LatestStatusCount < OldStatusCount
| extend Change =OldStatusCount-LatestStatusCount
| order by Change desc
| project ControlId,OldStatusCount,LatestStatusCount,Change
