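// Unhealthy SQL vulnerability-assessment findings for SQL Server on virtual machines.
// Run in Azure Resource Graph Explorer (Azure portal): paste the query and execute it.
// Output: one row per finding, labelled NIM / Non-NIM and sorted by app, resource,
// severity rank and vulnerability id.
SecurityResources
| where type == "microsoft.security/assessments/subassessments"
    and properties.additionalData.assessedResourceType == "SqlVirtualMachineVulnerability"
    and properties.status.code == "Unhealthy"   // keep failing checks only
// Use the reported resource id when present; otherwise derive it from the assessment id
// by taking everything before "/providers/Microsoft.Security".
| extend resourceId = tostring(iff(properties.resourceDetails.id != "",
                                   properties.resourceDetails.id,
                                   extract("(.+)/providers/Microsoft.Security", 1, id)))
| where resourceId contains "/databases/"       // database-scoped findings only
// split(source, delimiter, 1) returns a one-element array holding the piece at index 1,
// i.e. the text AFTER the first "/databases/" (the database name), not the part before it.
| extend DatabaseName = tostring(split(resourceId, "/databases/", 1)[0])
// Disabled refinement: would keep only the last "/"-separated segment of DatabaseName.
//| extend DatabaseName = tostring(split(DatabaseName, "/")[-1])
| extend resourceName = properties.resourceDetails.ResourceName
| extend vulnerability = properties.displayName,
         description   = properties.description,
         severity      = properties.status.severity,
         threat        = properties.additionalData.threat,   // computed but not projected below
         impact        = properties.impact,
         fix           = properties.remediation,
         vulnId        = properties.id,
         // NOTE(review): these tokens are matched as case-insensitive substrings anywhere in
         // the assessment id, so short ones ("lab", "ace", "api-shared", ...) can also hit a
         // subscription, resource group or server name and file a finding under the wrong
         // app. Confirm against the naming convention before using App to scope triage.
         // The original listed "npd" twice; the duplicate is dropped (same result).
         App = iff(id contains "npd"
                or id contains "iqa"
                or id contains "txm"
                or id contains "ace"
                or id contains "chip"
                or id contains "lab"
                or id contains "vdi"
                or id contains "api-shared",
                "Non-NIM", "NIM"),
         // Numeric rank so Critical sorts first; any other or missing severity becomes 5.
         SeverityLevel = case(properties.status.severity == "Critical", 1,
                              properties.status.severity == "High",     2,
                              properties.status.severity == "Medium",   3,
                              properties.status.severity == "Low",      4,
                              5),
         ScanTime = properties.timeGenerated
| project App, ScanTime, resourceName, DatabaseName, SeverityLevel, severity,
          vulnId, vulnerability, description, impact, fix
| order by tostring(App) asc, tostring(resourceName) asc, tostring(SeverityLevel) asc, tostring(vulnId) asc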