Policy Scanning

jacob_horning · October 21, 2020, 2:30pm

Hello All,

In returning information about our policy scanning I cannot find something in particular in the datawarehouse schema. I would like to return to the specific policy that we tested on such as password policy and so on… All I can find is that it returns an integer and I would like the actual name itself. I was thinking it would be in the dim_policy_group, but sub_groups only has an integer value and not a name value. Any help with this would be appreciated.

Thanks,

Jacob

tyler_schmidtke · October 21, 2020, 7:06pm

Hi @jacob_horning,

Are you using the fact_asset_policy_rule and dim_policy_rule tables. It seems like they may get you the data that you’re looking for. The fact_asset_policy_rule table has the actual asset -> rule association.

jacob_horning · October 21, 2020, 7:11pm

@tyler_schmidtke

Yes, I looked more into it and I can get the specific check. I was hoping I could get something like Account Policy, or Local policies - like the way they have on the interface.

tyler_schmidtke · October 21, 2020, 9:21pm

Gotcha. I think that may be the parent_group_id on dim_policy_rule. The tricky part here is that the parent groups can be nested (rather deep) so to get the root you need to join from the base down to the level for that particular rule.

The subquery in the WITH statement here is what gets the full tree for each particular group. The coalesce is used to get the first group_id that isn’t null, going backwards so that we get the most nested one (and the one to which the specific rule applies for our join). That subquery is then joined on the policy rules.

I tested the subquery to see how deeply nested things where, there are at most seven levels of group nesting so this should cover it.

WITH policy_groups AS (
    SELECT coalesce(dpg7.group_id, dpg6.group_id, dpg5.group_id, dpg4.group_id, dpg3.group_id, dpg2.group_id,
                    dpg1.group_id) AS group_id,
           dpg1.title              AS first_group,
           dpg2.title              AS second_group,
           dpg3.title              AS third_group,
           dpg4.title              AS fourth_group,
           dpg5.title              AS fifth_group,
           dpg6.title              AS sixth_group,
           dpg7.title              AS seventh_group
    FROM dim_policy_group dpg1
             JOIN dim_policy_group dpg2 ON dpg1.group_id = dpg2.parent_group_id
             LEFT JOIN dim_policy_group dpg3 ON dpg2.group_id = dpg3.parent_group_id
             LEFT JOIN dim_policy_group dpg4 ON dpg3.group_id = dpg4.parent_group_id
             LEFT JOIN dim_policy_group dpg5 ON dpg4.group_id = dpg5.parent_group_id
             LEFT JOIN dim_policy_group dpg6 ON dpg5.group_id = dpg6.parent_group_id
             LEFT JOIN dim_policy_group dpg7 ON dpg6.group_id = dpg7.parent_group_id
)
select da.asset_id,
       da.ip_address,
       pg.first_group,
       pg.second_group,
       pg.third_group,
       pg.fourth_group,
       pg.fifth_group,
       pg.sixth_group,
       pg.seventh_group,
       dpr.title,
       fapr.status,
       fapr.date_tested
FROM dim_asset da
         JOIN fact_asset_policy_rule fapr ON da.asset_id = fapr.asset_id
         JOIN dim_policy_rule dpr ON fapr.policy_id = dpr.policy_id
         JOIN policy_groups pg ON dpr.parent_group_id = pg.group_id;

Can you give that a go?

jacob_horning · October 22, 2020, 12:11pm

@tyler_schmidtke

Yes, This was exactly what I was looking for thank you so much!

jacob_horning · March 8, 2021, 2:33pm

@tyler_schmidtke
Hello,

I was hoping there was a possibility to get these same exact results in the console SQL query. Looking at the schema I have no idea to connect dim_policy_result_status for a specific asset_id and get all of the policies we scanned against. I know in the query above that fact_asset_policy_rule connects everything, but it doesn’t seem like that table exists. Thank you so much for your help.

tyler_schmidtke · March 9, 2021, 3:20pm

@jacob_horning, you are correct. the table structure is a bit different in the reporting data model. This SHOULD be the equivalent query. There’s a status_id and associated status table added as the third join.

WITH policy_groups AS (
    SELECT coalesce(dpg7.group_id, dpg6.group_id, dpg5.group_id, dpg4.group_id, dpg3.group_id, dpg2.group_id,
                    dpg1.group_id) AS group_id,
           dpg1.title              AS first_group,
           dpg2.title              AS second_group,
           dpg3.title              AS third_group,
           dpg4.title              AS fourth_group,
           dpg5.title              AS fifth_group,
           dpg6.title              AS sixth_group,
           dpg7.title              AS seventh_group
    FROM dim_policy_group dpg1
             JOIN dim_policy_group dpg2 ON dpg1.group_id = dpg2.parent_group_id
             LEFT JOIN dim_policy_group dpg3 ON dpg2.group_id = dpg3.parent_group_id
             LEFT JOIN dim_policy_group dpg4 ON dpg3.group_id = dpg4.parent_group_id
             LEFT JOIN dim_policy_group dpg5 ON dpg4.group_id = dpg5.parent_group_id
             LEFT JOIN dim_policy_group dpg6 ON dpg5.group_id = dpg6.parent_group_id
             LEFT JOIN dim_policy_group dpg7 ON dpg6.group_id = dpg7.parent_group_id
)
select da.asset_id,
       da.ip_address,
       pg.first_group,
       pg.second_group,
       pg.third_group,
       pg.fourth_group,
       pg.fifth_group,
       pg.sixth_group,
       pg.seventh_group,
       dpr.title,
       dprs.description AS status,
       fapr.date_tested
FROM dim_asset da
         JOIN fact_asset_policy_rule fapr ON da.asset_id = fapr.asset_id
         JOIN dim_policy_rule dpr ON fapr.policy_id = dpr.policy_id
         JOIN dim_policy_result_status dprs ON dprs.status_id = fapr.status_id
         JOIN policy_groups pg ON dpr.parent_group_id = pg.group_id;

jacob_horning · March 9, 2021, 4:03pm

@tyler_schmidtke

Thank you so much it works perfectly. Also, my other post on here was regarding this I forgot we already had a thread going so you can ignore that.