Using continuous export to Log Analytics workspace for Security recommendations.
When running a query on the Log Analytics workspace for the recommendation (Endpoint protection should be installed on your machines), the count of (unhealthy, healthy, not applicable) does not match when compared to the query using Azure Resource Graph Explorer. It seems the Log Analytics workspace does not pick up older records (prior to me enabling continuous export to Log Analytics workspace).
I do get the correct fields (RecommendationDisplayName, RecommendationName, RecommendationState, Description, RemediationDescription).
.................................
// *** Azure Resource Graph Explorer query is below:
securityresources
| where type == "microsoft.security/assessments"
// displayName is a field inside the properties bag, not a top-level column of securityresources
| where properties.displayName == "Endpoint protection should be installed on your machines"
| extend status = tostring(properties.status.code)   // Healthy / Unhealthy / NotApplicable
| summarize count() by status
// statusChangeDate: from 2021-08-02 to 2021-11-03
.................................
// *** Log Analytics workspace (LAW) query is below:
SecurityRecommendation
| where RecommendationDisplayName == "Endpoint protection should be installed on your machines"
| summarize count() by RecommendationState   // Healthy / Unhealthy / NotApplicable
// statusChangeDate: 11/1/2021
.................................
Using continuous export to Event Hub for Security recommendations. I ingested the data into Azure Data Explorer.
I don't get the required fields (RecommendationDisplayName, RecommendationName, RecommendationState, Description, RemediationDescription).
Instead I get these fields (operationName, level, resultType, category, properties, durationMS, callerIpAddress, identity, jobId, jobType, x-opt-enqueued-time)
// *** DATAEXPLORER query is below:
Assessments
| where ['x-opt-enqueued-time'] > ago(1d)   // Event Hub enqueue time; bracketed because the column name contains hyphens
| take 5000
.................................
Summary:
Azure Resource Graph Explorer gives me an accurate count of records in (Microsoft Defender for Cloud, Recommendations, All recommendations).
Using continuous export to Log Analytics workspace for Security recommendations gives the correct fields, but an incorrect count of records.
Using continuous export to Event Hub for Security recommendations gives incorrect fields.
What other method(s) can I use that will work for me?
Is it possible for Microsoft to add 'Export to Power BI (M query)' to Azure Resource Graph Explorer?
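One way to get the recommendation fields out of the Event Hub rows in Azure Data Explorer. This is an added example, not code from the original post or from Microsoft; it assumes (not confirmed anywhere on this page) that the exported assessment body arrives as JSON in the properties column and follows the same shape as the ARG microsoft.security/assessments records (displayName, status.code, resourceDetails.Id, metadata.description, metadata.remediationDescription). The sample rows are constructed so the query runs stand-alone; replace the datatable with the real Assessments table.

```kusto
// Constructed sample of the wrapper rows seen in Azure Data Explorer (not real exported data).
// Assumption: the assessment body is carried as a JSON string in 'properties'.
let AssessmentsSample = datatable(['x-opt-enqueued-time']:datetime, category:string, properties:string)
[
    datetime(2021-11-03 09:00), "Recommendation",
      '{"displayName":"Endpoint protection should be installed on your machines","status":{"code":"Unhealthy"},"resourceDetails":{"Id":"vm-a"},"metadata":{"description":"constructed","remediationDescription":"constructed"}}',
    datetime(2021-11-03 09:05), "Recommendation",
      '{"displayName":"Endpoint protection should be installed on your machines","status":{"code":"Healthy"},"resourceDetails":{"Id":"vm-b"},"metadata":{"description":"constructed","remediationDescription":"constructed"}}',
    datetime(2021-11-03 09:10), "Recommendation",
      '{"displayName":"Some other recommendation","status":{"code":"Unhealthy"},"resourceDetails":{"Id":"vm-c"},"metadata":{"description":"constructed","remediationDescription":"constructed"}}'
];
AssessmentsSample
| extend p = parse_json(properties)          // parse_json also passes through if ADX ingested the column as dynamic
| project EnqueuedTime            = ['x-opt-enqueued-time'],
          RecommendationDisplayName = tostring(p.displayName),
          RecommendationState       = tostring(p.status.code),
          AssessedResourceId        = tostring(p.resourceDetails.Id),   // assumed path, see lead-in
          Description               = tostring(p.metadata.description),
          RemediationDescription    = tostring(p.metadata.remediationDescription)
| where RecommendationDisplayName == "Endpoint protection should be installed on your machines"
| where isnotempty(RecommendationState)      // drop rows whose body did not parse as expected
```

If the real rows show empty RecommendationState after this projection, the JSON path assumed above is wrong for that feed; run `take 1 | project properties` first and adjust the tostring() paths to what actually arrives.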
This statement of yours is correct: "It seems Log Analytics workspace does not pick up older records (prior to me enabling continuous export to Log Analytics workspace)."
Continuous export only starts exporting the recommendations from the time you have configured it, while ARG retains records for some time (I think it's 90 days).
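The count gap described in the reply can be checked from the workspace side. This is an added example, not code from either poster or from Microsoft; it assumes the SecurityRecommendation table holds one row per state change per assessed resource (so counting raw rows over-counts any resource that changed state), and it uses constructed rows so it runs stand-alone on any Kusto endpoint. Swap the datatable for the real SecurityRecommendation table and set exportEnabled to the date continuous export was switched on.

```kusto
// Constructed rows shaped like the SecurityRecommendation table (not real workspace data).
let SecurityRecommendationSample = datatable(
    TimeGenerated:datetime, RecommendationDisplayName:string,
    AssessedResourceId:string, RecommendationState:string)
[
    datetime(2021-11-01 08:00), "Endpoint protection should be installed on your machines", "vm-a", "Unhealthy",
    datetime(2021-11-02 08:00), "Endpoint protection should be installed on your machines", "vm-a", "Healthy",
    datetime(2021-11-01 08:00), "Endpoint protection should be installed on your machines", "vm-b", "Unhealthy",
    datetime(2021-11-01 08:00), "Endpoint protection should be installed on your machines", "vm-c", "NotApplicable",
    datetime(2021-11-01 08:00), "Some other recommendation",                                "vm-d", "Unhealthy"
];
// Assumption: the date continuous export was enabled. Nothing older can be in the workspace,
// so the ARG side has to be filtered to the same window before the two counts are compared.
let exportEnabled = datetime(2021-11-01);
SecurityRecommendationSample
| where RecommendationDisplayName == "Endpoint protection should be installed on your machines"
| where TimeGenerated >= exportEnabled
| summarize arg_max(TimeGenerated, RecommendationState) by AssessedResourceId   // latest state per resource
| summarize Resources = count() by RecommendationState
```

On the constructed rows, vm-a is counted once in its latest state (Healthy) instead of twice, which is the difference between counting rows and counting resources; the ARG query counts one assessment per resource, so this is the figure to compare it against.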