Custom Recommendations - List
Get a list of all relevant custom recommendations over a scope
GET https://management.azure.com/{scope}/providers/Microsoft.Security/customRecommendations?api-version=2024-08-01
URI Parameters
Name | In | Required | Type | Description |
---|---|---|---|---|
scope | path | True | string | The scope of the custom recommendation. Valid scopes are: management group (format: 'providers/Microsoft.Management/managementGroups/{managementGroup}'), subscription (format: 'subscriptions/{subscriptionId}'), or security connector (format: 'subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/securityConnectors/{securityConnectorName}') |
api-version | query | True | string | The API version to use for this operation. |
Responses
Name | Type | Description |
---|---|---|
200 OK | | OK |
Other Status Codes | | Error response describing why the operation failed |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Scopes
Name | Description |
---|---|
user_impersonation | impersonate your user account |
Examples
List custom recommendations by management group scope
Sample request
Sample response
```json
{
  "value": [
    {
      "id": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Security/customRecommendations/MycustomRecommendation1",
      "name": "MycustomRecommendation1",
      "type": "Microsoft.Security/customRecommendations",
      "systemData": {
        "createdBy": "user@contoso.com",
        "createdByType": "User",
        "createdAt": "2021-08-31T13:47:50.328Z",
        "lastModifiedBy": "user@contoso.com",
        "lastModifiedByType": "User",
        "lastModifiedAt": "2021-08-31T13:47:50.328Z"
      },
      "properties": {
        "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
        "cloudProviders": [
          "AWS"
        ],
        "severity": "Medium",
        "displayName": "Password Policy",
        "description": "organization passwords policy",
        "remediationDescription": "Change password policy to...",
        "assessmentKey": "d5f442f7-7e77-4bcf-a450-a9c1b9a94eeb",
        "securityIssue": "Vulnerability"
      }
    },
    {
      "id": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Security/customRecommendations/MycustomRecommendation2",
      "name": "MycustomRecommendation2",
      "type": "Microsoft.Security/customRecommendations",
      "systemData": {
        "createdBy": "user@contoso.com",
        "createdByType": "User",
        "createdAt": "2021-08-31T13:47:50.328Z",
        "lastModifiedBy": "user@contoso.com",
        "lastModifiedByType": "User",
        "lastModifiedAt": "2021-08-31T13:47:50.328Z"
      },
      "properties": {
        "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
        "cloudProviders": [
          "AWS"
        ],
        "severity": "Medium",
        "displayName": "Password Policy",
        "description": "organization passwords policy",
        "remediationDescription": "Change password policy to...",
        "assessmentKey": "d5f442f7-7e77-4bcf-a450-a9c1b9a94eeb",
        "securityIssue": "Vulnerability"
      }
    }
  ]
}
```
List custom recommendations by security connector scope
Sample request
Sample response
```json
{
  "value": [
    {
      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector/providers/Microsoft.Security/customRecommendations/MycustomRecommendation1",
      "name": "MycustomRecommendation1",
      "type": "Microsoft.Security/customRecommendations",
      "systemData": {
        "createdBy": "user@contoso.com",
        "createdByType": "User",
        "createdAt": "2021-08-31T13:47:50.328Z",
        "lastModifiedBy": "user@contoso.com",
        "lastModifiedByType": "User",
        "lastModifiedAt": "2021-08-31T13:47:50.328Z"
      },
      "properties": {
        "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
        "cloudProviders": [
          "AWS"
        ],
        "severity": "Medium",
        "displayName": "Password Policy",
        "description": "organization passwords policy",
        "remediationDescription": "Change password policy to...",
        "assessmentKey": "d5f442f7-7e77-4bcf-a450-a9c1b9a94eeb",
        "securityIssue": "Vulnerability"
      }
    },
    {
      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector/providers/Microsoft.Security/customRecommendations/MycustomRecommendation2",
      "name": "MycustomRecommendation2",
      "type": "Microsoft.Security/customRecommendations",
      "systemData": {
        "createdBy": "user@contoso.com",
        "createdByType": "User",
        "createdAt": "2021-08-31T13:47:50.328Z",
        "lastModifiedBy": "user@contoso.com",
        "lastModifiedByType": "User",
        "lastModifiedAt": "2021-08-31T13:47:50.328Z"
      },
      "properties": {
        "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
        "cloudProviders": [
          "AWS"
        ],
        "severity": "Medium",
        "displayName": "Password Policy",
        "description": "organization passwords policy",
        "remediationDescription": "Change password policy to...",
        "assessmentKey": "d5f442f7-7e77-4bcf-a450-a9c1b9a94eeb",
        "securityIssue": "Vulnerability"
      }
    }
  ]
}
```
List custom recommendations by subscription scope
Sample request
Sample response
```json
{
  "value": [
    {
      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/customRecommendations/MycustomRecommendation1",
      "name": "MycustomRecommendation1",
      "type": "Microsoft.Security/customRecommendations",
      "systemData": {
        "createdBy": "user@contoso.com",
        "createdByType": "User",
        "createdAt": "2021-08-31T13:47:50.328Z",
        "lastModifiedBy": "user@contoso.com",
        "lastModifiedByType": "User",
        "lastModifiedAt": "2021-08-31T13:47:50.328Z"
      },
      "properties": {
        "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
        "cloudProviders": [
          "AWS"
        ],
        "severity": "Medium",
        "displayName": "Password Policy",
        "description": "organization passwords policy",
        "remediationDescription": "Change password policy to...",
        "assessmentKey": "d5f442f7-7e77-4bcf-a450-a9c1b9a94eeb",
        "securityIssue": "Vulnerability"
      }
    },
    {
      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/customRecommendations/MycustomRecommendation2",
      "name": "MycustomRecommendation2",
      "type": "Microsoft.Security/customRecommendations",
      "systemData": {
        "createdBy": "user@contoso.com",
        "createdByType": "User",
        "createdAt": "2021-08-31T13:47:50.328Z",
        "lastModifiedBy": "user@contoso.com",
        "lastModifiedByType": "User",
        "lastModifiedAt": "2021-08-31T13:47:50.328Z"
      },
      "properties": {
        "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
        "cloudProviders": [
          "AWS"
        ],
        "severity": "Medium",
        "displayName": "Password Policy",
        "description": "organization passwords policy",
        "remediationDescription": "Change password policy to...",
        "assessmentKey": "d5f442f7-7e77-4bcf-a450-a9c1b9a94eeb",
        "securityIssue": "Vulnerability"
      }
    }
  ]
}
```
Definitions
Name | Description |
---|---|
createdByType | The type of identity that created the resource. |
CustomRecommendation | Custom Recommendation |
CustomRecommendationsList | A list of Custom Recommendations |
ErrorAdditionalInfo | The resource management error additional info. |
ErrorDetail | The error detail. |
ErrorResponse | Error response |
RecommendationSupportedClouds | List of all standard supported clouds. |
securityIssue | The severity to relate to the assessments generated by this Recommendation. |
severityEnum | The severity to relate to the assessments generated by this Recommendation. |
systemData | Metadata pertaining to creation and last modification of the resource. |
createdByType
The type of identity that created the resource.
Name | Type | Description |
---|---|---|
Application | string | |
Key | string | |
ManagedIdentity | string | |
User | string | |
CustomRecommendation
Custom Recommendation
Name | Type | Description |
---|---|---|
id | string | Resource Id |
name | string | Resource name |
properties.assessmentKey | string | The assessment metadata key used when an assessment is generated for this Recommendation. |
properties.cloudProviders | | List of all standard supported clouds. |
properties.description | string | The description to relate to the assessments generated by this Recommendation. |
properties.displayName | string | The display name of the assessments generated by this Recommendation. |
properties.query | string | KQL query representing the Recommendation results required. |
properties.remediationDescription | string | The remediation description to relate to the assessments generated by this Recommendation. |
properties.securityIssue | | The severity to relate to the assessments generated by this Recommendation. |
properties.severity | | The severity to relate to the assessments generated by this Recommendation. |
systemData | | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | Resource type |
CustomRecommendationsList
A list of Custom Recommendations
Name | Type | Description |
---|---|---|
nextLink | string | The link used to get the next page of operations. |
value | | Collection of Custom Recommendations |
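Added example (not part of the original reference and not Microsoft's code): one way to consume this operation defensively in Python, validating the scope against the three documented formats, following `nextLink` only while it stays on the ARM host, and ordering results by `systemData` for change review. The `fetch` callable, the `$skipToken` parameter in the constructed page URL, and the sample pages are assumptions made so the block runs offline.

```python
import re
from urllib.parse import urlsplit

ARM_HOST = "management.azure.com"  # host of the request URL documented above
API_VERSION = "2024-08-01"
# The three scope formats listed under URI Parameters.
SCOPE_FORMATS = [
    r"providers/Microsoft\.Management/managementGroups/[^/]+",
    r"subscriptions/[^/]+",
    r"subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Security/securityConnectors/[^/]+",
]

def list_url(scope):
    """Build the List URL, rejecting scopes outside the documented formats."""
    scope = scope.strip("/")
    if not any(re.fullmatch(p, scope, re.IGNORECASE) for p in SCOPE_FORMATS):
        raise ValueError(f"unsupported scope: {scope!r}")
    return (f"https://{ARM_HOST}/{scope}/providers/Microsoft.Security"
            f"/customRecommendations?api-version={API_VERSION}")

def list_all(scope, fetch):
    """Collect all pages; fetch(url) is a hypothetical callable doing the authenticated GET."""
    url, seen, items = list_url(scope), set(), []
    while url:
        parts = urlsplit(url)
        # The bearer token goes to whatever nextLink names: pin scheme and host, stop loops.
        if parts.scheme != "https" or parts.hostname != ARM_HOST or url in seen:
            raise ValueError(f"refusing nextLink: {url!r}")
        seen.add(url)
        page = fetch(url)
        items.extend(page.get("value", []))
        url = page.get("nextLink")
    return items

def change_review(items):
    """Newest first: (lastModifiedAt, lastModifiedByType, lastModifiedBy, name)."""
    return sorted(((i["systemData"]["lastModifiedAt"], i["systemData"]["lastModifiedByType"],
                    i["systemData"]["lastModifiedBy"], i["name"]) for i in items), reverse=True)

# Constructed two-page response for an offline run (not real data).
def _item(name, when, by_type, by):
    return {"name": name, "systemData": {"lastModifiedAt": when,
            "lastModifiedByType": by_type, "lastModifiedBy": by}}
PAGE1 = list_url("subscriptions/00000000-0000-0000-0000-000000000000")
PAGE2 = PAGE1 + "&$skipToken=constructed"
SAMPLE_PAGES = {
    PAGE1: {"value": [_item("MycustomRecommendation1", "2021-08-31T13:47:50.328Z", "User", "user@contoso.com")], "nextLink": PAGE2},
    PAGE2: {"value": [_item("MycustomRecommendation2", "2021-09-02T08:00:00.000Z", "Application", "constructed-app-id")]},
}
```

Sovereign or private clouds use a different ARM host, so `ARM_HOST` would need to match the endpoint the token was issued for.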
ErrorAdditionalInfo
The resource management error additional info.
Name | Type | Description |
---|---|---|
info | object | The additional info. |
type | string | The additional info type. |
ErrorDetail
The error detail.
Name | Type | Description |
---|---|---|
additionalInfo | | The error additional info. |
code | string | The error code. |
details | | The error details. |
message | string | The error message. |
target | string | The error target. |
ErrorResponse
Error response
Name | Type | Description |
---|---|---|
error | | The error object. |
RecommendationSupportedClouds
List of all standard supported clouds.
Name | Type | Description |
---|---|---|
AWS | string | |
Azure | string | |
GCP | string | |
securityIssue
The severity to relate to the assessments generated by this Recommendation.
Name | Type | Description |
---|---|---|
AnonymousAccess | string | |
BestPractices | string | |
ExcessivePermissions | string | |
NetworkExposure | string | |
TrafficEncryption | string | |
Vulnerability | string | |
severityEnum
The severity to relate to the assessments generated by this Recommendation.
Name | Type | Description |
---|---|---|
High | string | |
Low | string | |
Medium | string | |
systemData
Metadata pertaining to creation and last modification of the resource.
Name | Type | Description |
---|---|---|
createdAt | string | The timestamp of resource creation (UTC). |
createdBy | string | The identity that created the resource. |
createdByType | | The type of identity that created the resource. |
lastModifiedAt | string | The timestamp of resource last modification (UTC) |
lastModifiedBy | string | The identity that last modified the resource. |
lastModifiedByType | | The type of identity that last modified the resource. |