Queries for the ADAssessmentRecommendation table

AD Recommendations by Focus Area

Count all AD reccomendations by focus area.

ADAssessmentRecommendation 
| summarize AggregatedValue = count() by FocusArea  

AD Recommendations by Computer

Count AD recommendations with failed result by computer.

ADAssessmentRecommendation 
| where RecommendationResult == "Failed" 
| summarize AggregatedValue = count() by Computer

AD Recommendations by Forest

Count AD recommendations with failed result by forest.

ADAssessmentRecommendation 
| where RecommendationResult == "Failed" 
| summarize AggregatedValue = count() by Forest

AD Recommendations by Domain

Count AD recommendations with failed result by domain.

ADAssessmentRecommendation 
| where RecommendationResult == "Failed" 
| summarize AggregatedValue = count() by Domain

AD Recommendations by DomainController

Count AD recommendations with failed result by domain controller.

ADAssessmentRecommendation 
| where RecommendationResult == "Failed" 
| summarize AggregatedValue = count() by DomainController

AD Recommendations by AffectedObjectType

Count AD recommendations with failed result by affected object type.

ADAssessmentRecommendation 
| where RecommendationResult == "Failed" 
| summarize AggregatedValue = count() by AffectedObjectType

How many times did each unique AD Recommendation trigger?

Count AD recommendations with failed result by recommendation.

ADAssessmentRecommendation 
| where RecommendationResult == "Failed" 
| summarize AggregatedValue = count() by Recommendation

High priority AD Assessment security recommendations

Latest high priority security recommendation with result failed by recommendation Id.

ADAssessmentRecommendation
| where FocusArea == 'Security and Compliance' and RecommendationResult == 'Failed' and RecommendationScore>=35
| summarize arg_max(TimeGenerated, *) by RecommendationId