continuous export to Log Analytics workspace for security recommendations - records not matching

Kevin Taylor (MEA) 1 Reputation point
2021-11-17T07:59:30.877+00:00

Using continuous export to Log Analytics workspace for Security recommendations.

When running a query on the Log Analytics workspace for the recommendation (Endpoint protection should be installed on your machines), the count of (unhealthy, healthy, not applicable) does not match the count from the same query in Azure Resource Graph Explorer. It seems the Log Analytics workspace does not pick up older records (prior to my enabling continuous export to the Log Analytics workspace).
I do get the correct fields (RecommendationDisplayName, RecommendationName, RecommendationState, Description, RemediationDescription).

.................................

// *** Azure Resource Graph Explorer query is below:
securityresources
| where type == "microsoft.security/assessments"
| where displayName == "Endpoint protection should be installed on your machines"

// statusChangeDate: from 2021-08-02 to 2021-11-03

.................................

// *** Log Analytics workspace (LAW) query is below:
SecurityRecommendation
| where RecommendationDisplayName == "Endpoint protection should be installed on your machines"

// statusChangeDate: 11/1/2021

.................................

Using continuous export to Event Hub for Security recommendations. Ingested the data into Azure Data Explorer.

I don't get the required fields (RecommendationDisplayName, RecommendationName, RecommendationState, Description, RemediationDescription).

Instead I get these fields (operationName, level, resultType, category, properties, durationMS, callerIpAddress, identity, jobId, jobType, x-opt-enqueued-time)

// *** DATAEXPLORER query is below:
Assessments
| where ['x-opt-enqueued-time'] > ago(1d)
| take 5000

.................................

Summary:
Azure Resource Graph Explorer gives me accurate count of records in (Microsoft Defender for Cloud, Recommendations, All recommendations).
Using continuous export to Log Analytics workspace for Security recommendations gives correct fields, but incorrect count of records.
Using continuous export to Event Hub for Security recommendations gives incorrect fields.

What other methods can I use that will work for me?
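The two checks below are an added example, not part of the original post. The first query deduplicates the Log Analytics `SecurityRecommendation` export to the latest state per assessed resource before counting, so that repeated status-change records do not inflate the totals (it still only covers records written after export was enabled). The second reads the recommendation fields out of the dynamic `properties` column that the Event Hub export lands in Azure Data Explorer. The column name `AssessedResourceId` and the nested property names `displayName`, `status.code` and `resourceDetails.Id` are assumptions and should be checked against one raw row (`Assessments | take 1`) before relying on the numbers.

```kql
// Added example (not from the original post). Assumed column names are
// marked as such in the comments.

// 1) Azure Resource Graph: baseline count per state, for comparison.
securityresources
| where type == "microsoft.security/assessments"
| where displayName == "Endpoint protection should be installed on your machines"
| summarize ResourceCount = count() by State = tostring(properties.status.code)

// 2) Log Analytics workspace: keep only the latest exported state per
//    assessed resource so repeated status changes are not counted twice.
//    AssessedResourceId is assumed to identify the resource; TimeGenerated
//    is the record's ingestion time.
SecurityRecommendation
| where RecommendationDisplayName == "Endpoint protection should be installed on your machines"
| summarize arg_max(TimeGenerated, RecommendationState) by AssessedResourceId
| summarize ResourceCount = count() by RecommendationState

// 3) Azure Data Explorer: the Event Hub payload wraps the assessment in the
//    dynamic 'properties' column, which is why the familiar
//    Recommendation* fields are not present as top-level columns.
//    The nested names below (displayName, status.code, resourceDetails.Id)
//    are assumptions; verify them against "Assessments | take 1".
Assessments
| where ['x-opt-enqueued-time'] > ago(1d)
| extend p = todynamic(properties)
| extend RecommendationDisplayName = tostring(p.displayName),
         RecommendationState      = tostring(p.status.code),
         AssessedResourceId       = tostring(p.resourceDetails.Id)
| where RecommendationDisplayName == "Endpoint protection should be installed on your machines"
| summarize arg_max(['x-opt-enqueued-time'], RecommendationState) by AssessedResourceId
| summarize ResourceCount = count() by RecommendationState
```

If the deduplicated Log Analytics counts still fall short of the Resource Graph counts, the gap is the set of resources whose recommendation state has not changed since export was enabled, which is consistent with the behaviour described in the post; Resource Graph remains the authoritative source for the current state of every assessed resource, while the exports are change records.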


1 answer

Maxim Sergeev 6,566 Reputation points Microsoft Employee
2022-08-26T02:18:03.997+00:00

Hi @ALVIN LEUNG (CLOUD-ISD-OOCLL/HKG),

Your problem needs to be investigated. Please open a support ticket via the Azure portal.