Create custom security standards and recommendations (AWS/GCP)
Security recommendations in Microsoft Defender for Cloud help you to improve and harden your security posture. Recommendations are based on assessments against security standards defined for Azure subscriptions, AWS accounts, and GCP projects that have Defender for Cloud enabled.
This article describes how to:
- Create custom recommendations for AWS accounts and GCP projects with a KQL query.
- Assign custom recommendations to a custom security standard.
Before you start
- Defender for Cloud currently supports creating custom recommendations for AWS accounts and GCP projects only.
- You need Owner permissions on the subscription to create a new security standard.
- You need Security Admin permissions to create custom recommendations.
- To create custom recommendations, you must have the Defender CSPM plan enabled.
- Review support in Azure clouds for custom recommendations.
We recommend watching this episode of Defender for Cloud in the field to learn more about the feature, and dig into creating KQL queries.
Create a custom recommendation
A custom recommendation includes remediation steps, a severity, and the standards to which the recommendation is assigned. You define the recommendation logic with a KQL query. You can write the query from scratch, or use the simple query editor, which provides built-in query templates that you can tweak as needed.
In the Defender for Cloud portal > Environment settings, select the relevant AWS account or GCP project.
Select Security policies > + Create > Custom recommendation.
In Recommendation details, fill in the recommendation details (for example: name, severity) and select the standards you want to apply the recommendation to.
In Recommendation query, write a KQL query, or select Open query editor to structure your query. If you want to use the query editor, follow the instructions below.
After the query is ready, select Next.
In Standards, select the custom standards to which you want to add the custom recommendation.
In Review and create, review the recommendation details.
Use the query editor
We recommend using the query editor to create a recommendation query.
- Using the editor helps you to build and test your query before you start using it.
- Select How to to get help on structuring the query, and additional instructions and links.
- The editor contains examples of built-in recommendations queries, that you can use to help build your own query. The data appears in the same structure as in the API.
In the query editor, select New query to create a query.
Use the example query template with its instructions, or select an example built-in recommendation query to get started.
Select Run query to test the query you've created.
When the query is ready, copy it from the editor and paste it into the Recommendation query pane.
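The following query shows the shape of the logic a custom recommendation typically carries: scope to one resource type, extract the setting being assessed, evaluate it, and return one row per resource with a health status. It is an added example, not code from the article or one of the product's built-in templates. The rows are constructed sample data defined with datatable; the column names (Id, Name, Type, Properties), the resource type strings, and the property path are assumptions modeled loosely on the AWS S3 API shape. In a real recommendation, replace the datatable with the resource table and column names shown in the editor's built-in template.

```kusto
// Added example, not from the article or the product's built-in templates.
// The rows below are constructed sample data; the column names, type strings
// and property path are assumptions. In a real recommendation, replace the
// datatable with the resource table shown in the editor's built-in template.
let SampleResources = datatable(Id:string, Name:string, Type:string, Properties:dynamic)
[
    "arn:aws:s3:::app-logs", "app-logs", "aws.s3.bucket",
        dynamic({"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}),
    "arn:aws:s3:::backups", "backups", "aws.s3.bucket",
        dynamic({"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/backups"}}]}}),
    "arn:aws:s3:::scratch", "scratch", "aws.s3.bucket",
        dynamic({}),                                   // no SSE configuration at all
    "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc", "web-1", "aws.ec2.instance",
        dynamic({"State": "running"})                  // different type: must be excluded
];
SampleResources
// 1. Scope the recommendation to one resource type. Without this filter,
//    unrelated resources lack the property and would be reported as unhealthy.
| where Type =~ "aws.s3.bucket"
// 2. Pull the setting being assessed out of the property bag.
//    A dot path on a dynamic value returns null when any segment is missing,
//    so tostring() yields "" for buckets with no SSE configuration.
| extend SseAlgorithm = tostring(Properties.ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault.SSEAlgorithm)
// 3. Evaluate compliance. isnotempty() is used rather than == "AES256":
//    an equality check would wrongly flag KMS-encrypted buckets as unhealthy.
| extend HealthStatus = iff(isnotempty(SseAlgorithm), "Healthy", "Unhealthy")
// 4. Return one row per assessed resource with its identity and status.
| project Id, Name, Type, SseAlgorithm, HealthStatus
```

Run this with Run query in the editor (or in any KQL environment) to see the pattern before adapting it: against the sample rows, only the scratch bucket comes back Unhealthy, and the EC2 instance never reaches the assessment because of the type filter. The two checks worth keeping in any custom query are the type filter and the handling of a missing property, since a query that tests equality against one expected value, or that fails to account for null paths, produces false negatives or false positives in the resulting recommendation.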
Create a custom standard
Custom recommendations can be assigned to one or more custom standards.
Sign in to the Azure portal.
Navigate to Microsoft Defender for Cloud > Environment settings.
Select the relevant AWS account or GCP project.
Select Security policies > + Create > Standard.
In Create new standard, enter a name and description, and select recommendations from the drop-down menu.
You can use the following links to learn more about Kusto queries: