Custom Recommendations - Create Or Update

Creates or updates a custom recommendation over a given scope

PUT https://management.azure.com/{scope}/providers/Microsoft.Security/customRecommendations/{customRecommendationName}?api-version=2024-08-01

URI Parameters

Name In Required Type Description
customRecommendationName
path True

string

Name of the Custom Recommendation.

Regex pattern: [{]?[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$

scope
path True

string

The scope of the custom recommendation. Valid scopes are: management group (format: 'providers/Microsoft.Management/managementGroups/{managementGroup}'), subscription (format: 'subscriptions/{subscriptionId}'), or security connector (format: 'subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/securityConnectors/{securityConnectorName})'

api-version
query True

string

The API version to use for this operation.

Request Body

Name Type Description
properties.cloudProviders

RecommendationSupportedClouds[]

List of all standard supported clouds.

properties.description

string

The description to relate to the assessments generated by this Recommendation.

properties.displayName

string

The display name of the assessments generated by this Recommendation.

properties.query

string

KQL query representing the Recommendation results required.

properties.remediationDescription

string

The remediation description to relate to the assessments generated by this Recommendation.

properties.securityIssue

securityIssue

The severity to relate to the assessments generated by this Recommendation.

properties.severity

severityEnum

The severity to relate to the assessments generated by this Recommendation.

Responses

Name Type Description
200 OK

CustomRecommendation

OK - Updated

201 Created

CustomRecommendation

Created

Other Status Codes

ErrorResponse

Error response describing why the operation failed

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

Examples

Create or update custom recommendation over management group scope
Create or update custom recommendation over security connector scope
Create or update custom recommendation over subscription scope

Create or update custom recommendation over management group scope

Sample request

PUT https://management.azure.com/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Security/customRecommendations/33e7cc6e-a139-4723-a0e5-76993aee0771?api-version=2024-08-01

{
  "properties": {
    "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
    "cloudProviders": [
      "AWS"
    ],
    "severity": "Medium",
    "displayName": "Password Policy",
    "description": "organization passwords policy",
    "remediationDescription": "Change password policy to...",
    "securityIssue": "Vulnerability"
  }
}

Sample response

{
  "id": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Security/customRecommendations/33e7cc6e-a139-4723-a0e5-76993aee0771",
  "name": "33e7cc6e-a139-4723-a0e5-76993aee0771",
  "type": "Microsoft.Security/customRecommendations",
  "systemData": {
    "createdBy": "user@contoso.com",
    "createdByType": "User",
    "createdAt": "2021-08-31T13:47:50.328Z",
    "lastModifiedBy": "user@contoso.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2021-08-31T13:47:50.328Z"
  },
  "properties": {
    "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
    "cloudProviders": [
      "AWS"
    ],
    "severity": "Medium",
    "displayName": "Password Policy",
    "description": "organization passwords policy",
    "remediationDescription": "Change password policy to...",
    "assessmentKey": "d5f442f7-7e77-4bcf-a450-a9c1b9a94eeb",
    "securityIssue": "Vulnerability"
  }
}
{
  "id": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Security/customRecommendations/33e7cc6e-a139-4723-a0e5-76993aee0771",
  "name": "33e7cc6e-a139-4723-a0e5-76993aee0771",
  "type": "Microsoft.Security/customRecommendations",
  "systemData": {
    "createdBy": "user@contoso.com",
    "createdByType": "User",
    "createdAt": "2021-08-31T13:47:50.328Z",
    "lastModifiedBy": "user@contoso.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2021-08-31T13:47:50.328Z"
  },
  "properties": {
    "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
    "cloudProviders": [
      "AWS"
    ],
    "severity": "Medium",
    "displayName": "Password Policy",
    "description": "organization passwords policy",
    "remediationDescription": "Change password policy to...",
    "assessmentKey": "d5f442f7-7e77-4bcf-a450-a9c1b9a94eeb",
    "securityIssue": "Vulnerability"
  }
}

Create or update custom recommendation over security connector scope

Sample request

PUT https://management.azure.com/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector/providers/Microsoft.Security/customRecommendations/33e7cc6e-a139-4723-a0e5-76993aee0771?api-version=2024-08-01

{
  "properties": {
    "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
    "cloudProviders": [
      "AWS"
    ],
    "severity": "Medium",
    "displayName": "Password Policy",
    "description": "organization passwords policy",
    "remediationDescription": "Change password policy to...",
    "securityIssue": "Vulnerability"
  }
}

Sample response

{
  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector/providers/Microsoft.Security/customRecommendations/33e7cc6e-a139-4723-a0e5-76993aee0771",
  "name": "33e7cc6e-a139-4723-a0e5-76993aee0771",
  "type": "Microsoft.Security/customRecommendations",
  "systemData": {
    "createdBy": "user@contoso.com",
    "createdByType": "User",
    "createdAt": "2021-08-31T13:47:50.328Z",
    "lastModifiedBy": "user@contoso.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2021-08-31T13:47:50.328Z"
  },
  "properties": {
    "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
    "cloudProviders": [
      "AWS"
    ],
    "severity": "Medium",
    "displayName": "Password Policy",
    "description": "organization passwords policy",
    "remediationDescription": "Change password policy to...",
    "assessmentKey": "d5f442f7-7e77-4bcf-a450-a9c1b9a94eeb",
    "securityIssue": "Vulnerability"
  }
}
{
  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector/providers/Microsoft.Security/customRecommendations/33e7cc6e-a139-4723-a0e5-76993aee0771",
  "name": "33e7cc6e-a139-4723-a0e5-76993aee0771",
  "type": "Microsoft.Security/customRecommendations",
  "systemData": {
    "createdBy": "user@contoso.com",
    "createdByType": "User",
    "createdAt": "2021-08-31T13:47:50.328Z",
    "lastModifiedBy": "user@contoso.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2021-08-31T13:47:50.328Z"
  },
  "properties": {
    "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
    "cloudProviders": [
      "AWS"
    ],
    "severity": "Medium",
    "displayName": "Password Policy",
    "description": "organization passwords policy",
    "remediationDescription": "Change password policy to...",
    "assessmentKey": "d5f442f7-7e77-4bcf-a450-a9c1b9a94eeb",
    "securityIssue": "Vulnerability"
  }
}

Create or update custom recommendation over subscription scope

Sample request

PUT https://management.azure.com/subscriptions/e5d1b86c-3051-44d5-8802-aa65d45a279b/providers/Microsoft.Security/customRecommendations/33e7cc6e-a139-4723-a0e5-76993aee0771?api-version=2024-08-01

{
  "properties": {
    "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
    "cloudProviders": [
      "AWS"
    ],
    "severity": "Medium",
    "displayName": "Password Policy",
    "description": "organization passwords policy",
    "remediationDescription": "Change password policy to...",
    "securityIssue": "Vulnerability"
  }
}

Sample response

{
  "id": "/subscriptions/e5d1b86c-3051-44d5-8802-aa65d45a279b/providers/Microsoft.Security/customRecommendations/33e7cc6e-a139-4723-a0e5-76993aee0771",
  "name": "33e7cc6e-a139-4723-a0e5-76993aee0771",
  "type": "Microsoft.Security/customRecommendations",
  "systemData": {
    "createdBy": "user@contoso.com",
    "createdByType": "User",
    "createdAt": "2021-08-31T13:47:50.328Z",
    "lastModifiedBy": "user@contoso.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2021-08-31T13:47:50.328Z"
  },
  "properties": {
    "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
    "cloudProviders": [
      "AWS"
    ],
    "severity": "Medium",
    "displayName": "Password Policy",
    "description": "organization passwords policy",
    "remediationDescription": "Change password policy to...",
    "assessmentKey": "d5f442f7-7e77-4bcf-a450-a9c1b9a94eeb",
    "securityIssue": "Vulnerability"
  }
}
{
  "id": "/subscriptions/e5d1b86c-3051-44d5-8802-aa65d45a279b/providers/Microsoft.Security/customRecommendations/33e7cc6e-a139-4723-a0e5-76993aee0771",
  "name": "33e7cc6e-a139-4723-a0e5-76993aee0771",
  "type": "Microsoft.Security/customRecommendations",
  "systemData": {
    "createdBy": "user@contoso.com",
    "createdByType": "User",
    "createdAt": "2021-08-31T13:47:50.328Z",
    "lastModifiedBy": "user@contoso.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2021-08-31T13:47:50.328Z"
  },
  "properties": {
    "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
    "cloudProviders": [
      "AWS"
    ],
    "severity": "Medium",
    "displayName": "Password Policy",
    "description": "organization passwords policy",
    "remediationDescription": "Change password policy to...",
    "assessmentKey": "d5f442f7-7e77-4bcf-a450-a9c1b9a94eeb",
    "securityIssue": "Vulnerability"
  }
}

Definitions

Name Description
createdByType

The type of identity that created the resource.

CustomRecommendation

Custom Recommendation

ErrorAdditionalInfo

The resource management error additional info.

ErrorDetail

The error detail.

ErrorResponse

Error response

RecommendationSupportedClouds

List of all standard supported clouds.

securityIssue

The severity to relate to the assessments generated by this Recommendation.

severityEnum

The severity to relate to the assessments generated by this Recommendation.

systemData

Metadata pertaining to creation and last modification of the resource.

createdByType

The type of identity that created the resource.

Name Type Description
Application

string

Key

string

ManagedIdentity

string

User

string

CustomRecommendation

Custom Recommendation

Name Type Description
id

string

Resource Id

name

string

Resource name

properties.assessmentKey

string

The assessment metadata key used when an assessment is generated for this Recommendation.

properties.cloudProviders

RecommendationSupportedClouds[]

List of all standard supported clouds.

properties.description

string

The description to relate to the assessments generated by this Recommendation.

properties.displayName

string

The display name of the assessments generated by this Recommendation.

properties.query

string

KQL query representing the Recommendation results required.

properties.remediationDescription

string

The remediation description to relate to the assessments generated by this Recommendation.

properties.securityIssue

securityIssue

The severity to relate to the assessments generated by this Recommendation.

properties.severity

severityEnum

The severity to relate to the assessments generated by this Recommendation.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

Resource type

ErrorAdditionalInfo

The resource management error additional info.

Name Type Description
info

object

The additional info.

type

string

The additional info type.

ErrorDetail

The error detail.

Name Type Description
additionalInfo

ErrorAdditionalInfo[]

The error additional info.

code

string

The error code.

details

ErrorDetail[]

The error details.

message

string

The error message.

target

string

The error target.

ErrorResponse

Error response

Name Type Description
error

ErrorDetail

The error object.

RecommendationSupportedClouds

List of all standard supported clouds.

Name Type Description
AWS

string

Azure

string

GCP

string

securityIssue

The severity to relate to the assessments generated by this Recommendation.

Name Type Description
AnonymousAccess

string

BestPractices

string

ExcessivePermissions

string

NetworkExposure

string

TrafficEncryption

string

Vulnerability

string

severityEnum

The severity to relate to the assessments generated by this Recommendation.

Name Type Description
High

string

Low

string

Medium

string

systemData

Metadata pertaining to creation and last modification of the resource.

Name Type Description
createdAt

string

The timestamp of resource creation (UTC).

createdBy

string

The identity that created the resource.

createdByType

createdByType

The type of identity that created the resource.

lastModifiedAt

string

The timestamp of resource last modification (UTC)

lastModifiedBy

string

The identity that last modified the resource.

lastModifiedByType

createdByType

The type of identity that last modified the resource.