CREATE VIEW surveilr_osquery_ms_node_executed_policy AS
WITH ranked_policies AS (
SELECT
json_extract(l.content, '$.surveilrOsQueryMsNodeKey') AS node_key,
l.updated_at,
json_extract(l.content, '$.hostIdentifier') AS host_identifier,
json_extract(l.content, '$.name') AS policy_name,
json_extract(l.content, '$.columns.policy_result') AS policy_result,
ROW_NUMBER() OVER (PARTITION BY json_extract(l.content, '$.name') ORDER BY l.created_at DESC) AS row_num
FROM uniform_resource AS l
WHERE l.uri = 'osquery-ms:query-result'
AND json_extract(l.content, '$.name') IN (
'SSH keys encrypted',
'Full disk encryption enabled (Linux)',
'Full disk encryption enabled (Windows)',
'Full disk encryption enabled (Macos)'
)
)
SELECT
ranked_policies.node_key,
ranked_policies.updated_at,
ranked_policies.host_identifier,
ranked_policies.policy_name,
CASE
WHEN ranked_policies.policy_result = 'true' THEN 'Pass'
ELSE 'Fail'
END AS policy_result,
CASE
WHEN ranked_policies.policy_result = 'true' THEN '-'
ELSE json_extract(c.cell_governance, '$.policy.resolution')
END AS resolution
FROM ranked_policies
JOIN code_notebook_cell c
ON ranked_policies.policy_name = c.cell_name
WHERE ranked_policies.row_num = 1