
Product feedback

Microsoft
Hi all, we would love for you to share your thoughts, feedback, and experiences using Microsoft Defender for Cloud.

You can share them on Gartner Peer Insights by using this link. Your review will help us get the word out and continue to improve our solution. Thanks!

And if you have any questions or comments, let me know!

Thank you, everything is looking good. Thank God.

@nataliagodyla

Using continuous export to Log Analytics workspace for Security recommendations.

When running a query on the Log Analytics workspace for the recommendation (Endpoint protection should be installed on your machines), the count of (unhealthy, healthy, not applicable) does not match when comparing it to a query using Azure Resource Graph Explorer. It seems the Log Analytics workspace does not pick up older records (prior to me enabling continuous export to the Log Analytics workspace).
I do get the correct fields (RecommendationDisplayName, RecommendationName, RecommendationState, Description, RemediationDescription).

.................................


// *** Azure Resource Graph Explorer query is below:
securityresources
| where type == "microsoft.security/assessments"
| where displayName == "Endpoint protection should be installed on your machines"

// statusChangeDate: from 2021-08-02 to 2021-11-03

.................................


// *** Log Analytics workspace (LAW) query is below:
SecurityRecommendation
| where RecommendationDisplayName == "Endpoint protection should be installed on your machines"

// statusChangeDate: 11/1/2021

.................................


Using continuous export to Event Hub for Security recommendations. Ingested the data into Azure Data Explorer.

I don't get the required fields (RecommendationDisplayName, RecommendationName, RecommendationState, Description, RemediationDescription).

Instead, I get these fields (operationName, level, resultType, category, properties, durationMS, callerIpAddress, identity, jobId, jobType, x-opt-enqueued-time).

// *** DATAEXPLORER query is below:
Assessments
| where ['x-opt-enqueued-time'] > ago(1d)
| take 5000

.................................

Summary:
Azure Resource Graph Explorer gives me an accurate count of records in (Microsoft Defender for Cloud, Recommendations, All recommendations).
Using continuous export to Log Analytics workspace for Security recommendations gives the correct fields, but an incorrect count of records.
Using continuous export to Event Hub for Security recommendations gives incorrect fields.

What other methods can I use that will work for me?
Is it possible for Microsoft to add 'Export to Power BI (M query)' to Azure Resource Graph Explorer?

@KevinNiko 

This statement of yours is correct: "It seems Log Analytics workspace does not pick up older records (prior to me enabling continuous export to Log Analytics workspace)."

Continuous export only starts exporting the recommendations from the time you have configured it, while ARG retains records for some time (I think it's 90 days).
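As an added example (not part of this thread), one way to make the two sources comparable given that explanation: restrict the Resource Graph count to assessments whose status changed after continuous export was enabled, and count only the latest exported record per resource in the Log Analytics table, since each state change adds a new row there. The export start date is a placeholder, and the `properties.displayName`, `properties.status.code`, `properties.status.statusChangeDate` and `AssessedResourceId` field names are assumptions to check against your own data.

```kql
// Added reconciliation example, not from the thread.
// Assumed: continuous export to Log Analytics was enabled on 2021-11-01 (placeholder date).

// --- 1. Azure Resource Graph Explorer: current state per resource, counted by status ---
securityresources
| where type == "microsoft.security/assessments"
| where properties.displayName == "Endpoint protection should be installed on your machines"
| extend state = tostring(properties.status.code),               // Healthy / Unhealthy / NotApplicable
         statusChangeDate = todatetime(properties.status.statusChangeDate)
| where statusChangeDate >= datetime(2021-11-01)                  // only changes export could have seen
| summarize records = count() by state

// --- 2. Log Analytics workspace: keep one (latest) row per assessed resource, then count ---
SecurityRecommendation
| where RecommendationDisplayName == "Endpoint protection should be installed on your machines"
| summarize arg_max(TimeGenerated, RecommendationState) by AssessedResourceId   // latest state per resource
| summarize records = count() by state = RecommendationState
```

Run part 1 in Azure Resource Graph Explorer and part 2 in the Log Analytics workspace; the two result sets should now line up for resources whose status changed after the export start date.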

Improve the refresh interval; some of the updates take up to 24 hours to refresh in the Security Center report. While performing remediation for a greenfield, it adds a lot of time to make things look compliant.