
Azure Security Center Recommendations Log Analytics Query syntax

Pen Cart
Occasional Visitor

Hi

Could someone point me in the direction of a resource that provides a mapping of the recommendations in Security Center with the associated Log Analytics query syntax? For example, SC lists all of the machines that are not compliant with the recommendations in the list below. I need to extract these results out into a spreadsheet and cannot see how to do this other than maybe running a query in Log Analytics. If so, does anyone know of a listing of these queries?


  • Designate more than one owner on your subscription (Preview)
  • Enable MFA for accounts with owner permissions on your subscription (Preview)
  • Endpoint Protection not installed on Azure VMs
  • Enable Auditing on SQL servers
  • Apply a Just-In-Time network access control
  • Enable Auditing on SQL databases
  • Apply system updates
  • Apply disk encryption
  • CORS should not allow every resource to access your Web Application (Preview)
  • Configure IP restrictions for Web Application (Preview)
  • Enable MFA for accounts with write permissions on your subscription (Preview)
  • Web Application should only be accessible over HTTPS (Preview)
  • Web Sockets should be disabled for Web Application (Preview)
  • Restrict access through Internet facing endpoint
  • Add a vulnerability assessment solution
  • Enable Transparent Data Encryption
  • Reboot after system updates
  • Enable MFA for accounts with read permissions on your subscription (Preview)
  • Remove deprecated accounts from your subscription (Preview)
  • Remove external accounts with read permissions from your subscription (Preview)
  • Use custom domains for Web Application (Preview)
  • Use the latest supported PHP version for Web Application (Preview)
  • Remediate security configurations

Thanks

2 Replies

Hi,

On the Log Analytics portal, on the upper-right area, you can find the query explorer, and in it selected solution queries for your convenience:

[image: query explorer.png]

HTH,

Noa

Solution

Hi

ASC recommendations for Azure resources are not available as data in Log Analytics. The best option is to use the unofficial ASC PowerShell module Azure-Security-Center. You can use Get-ASCTask to get recommendations on resources.
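The export the original poster asked for, as an added example that is not from the thread or from the module's own documentation: it installs the Azure-Security-Center module named in the accepted answer, calls Get-ASCTask, and writes the result to a CSV. The module's authentication step, the output property names (`State`, `Name`) and the output path are assumptions; check them against `Get-ASCTask | Get-Member` before relying on the filter.

```powershell
# Added example (not the thread's or the module's code): export Security Center
# recommendations to a spreadsheet-friendly CSV via the unofficial
# Azure-Security-Center module. Property names below are ASSUMED; run
# `Get-ASCTask | Get-Member` once and adjust them to the real output.
#Requires -Version 5.1

# Module name is from the thread; install once from the PowerShell Gallery.
if (-not (Get-Module -ListAvailable -Name Azure-Security-Center)) {
    Install-Module -Name Azure-Security-Center -Scope CurrentUser
}
Import-Module Azure-Security-Center
# Assumption: you have already authenticated as the module's README describes.

$outFile = Join-Path $env:USERPROFILE 'asc-recommendations.csv'   # placeholder path

# Get-ASCTask is the cmdlet named in the accepted answer. Select-Object *
# flattens each object so Export-Csv gets one column per top-level property,
# whatever those properties are called. Nested objects (if any) will be
# exported as their type name, so expand them explicitly if you need them.
$tasks = @(Get-ASCTask | Select-Object -Property *)

# Keep only unresolved items, but only if the output actually carries a
# 'State' property with a 'Resolved' value (assumed names).
if ($tasks.Count -gt 0 -and ($tasks[0].PSObject.Properties.Name -contains 'State')) {
    $tasks = @($tasks | Where-Object { $_.State -ne 'Resolved' })
}

$tasks | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

# On-screen tally of open items per recommendation (assumes a 'Name' property).
$tasks | Group-Object -Property Name | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

Write-Host "Wrote $($tasks.Count) recommendation rows to $outFile"
```

Open the CSV in Excel and pivot on the recommendation column to get the per-recommendation machine list the question describes.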