Create custom recommendations and security standards
Recommendations give you suggestions on how to better secure your resources.
Security standards contain comprehensive sets of security recommendations to help secure your cloud environments.
Security teams can use the readily available recommendations and regulatory standards, and can also create their own custom recommendations and standards to meet their organization's specific internal requirements.
Microsoft Defender for Cloud lets you create custom recommendations and standards for AWS and GCP using KQL queries. A query editor is provided for building and testing queries over your data.
There are three elements involved when creating and managing custom recommendations:
- Recommendation – contains:
  - Recommendation details (name, description, severity, remediation logic, etc.)
  - Recommendation logic in KQL.
  - The standard it belongs to.
- Standard – defines a set of recommendations.
- Standard assignment – defines the scope that the standard evaluates (for example, specific AWS accounts).
Prerequisites
| Aspect | Details |
|---|---|
| Required/preferred environmental requirements | This preview includes only AWS and GCP recommendations. This feature will be part of the Defender CSPM plan in the future. |
| Required roles & permissions | Security Admin |
| Clouds | AWS and GCP |
Create a custom recommendation
1. In Microsoft Defender for Cloud, select Environment Settings.
2. Select the relevant account / project.
3. Select Standards.
4. Select Create and then select Recommendation.
5. Fill in the recommendation details (for example: name, severity) and select the standard(s) you'd like to add this recommendation to.
6. Write a KQL query that defines the recommendation logic. You can write the query in the "recommendation query" text box or use the query editor.
7. Select Next and review the recommendation details.
8. Select Save.
Create a custom standard
1. In Microsoft Defender for Cloud, select Environment Settings.
2. Select the relevant account / project.
3. Select Standards.
4. Select Add and then select Standard.
5. Fill in a name and description and select the recommendations you want to include in this standard.
6. Select Save; the new standard is now assigned to the account/project you created it in. You can assign the same standard to other accounts / projects on which you have Contributor or higher access.
Create new queries using the query editor
In the query editor you can run your queries over your raw data (native API calls). To create a new query using the query editor, select the 'open query editor' button. The editor contains data on all the native APIs we support to help you build queries; the data appears in the same structure as in the API. You can view the results of your query in the Results pane. The How to tab gives you step-by-step instructions for building your query.
Steps for building a query
1. The first row of the query should filter on the environment and resource type. For example: `| where Environment == 'AWS' and Identifiers.Type == 'ec2.instance'`
2. The query must contain an `iff` statement that defines the healthy or unhealthy conditions. Use this template and edit only the `condition`: `| extend HealthStatus = iff(condition, 'UNHEALTHY','HEALTHY')`
3. The last row should return all the original columns: `| project Id, Name, Environment, Identifiers, AdditionalData, Record, HealthStatus`
Note
The Record field contains the data structure as it is returned from the AWS / GCP API. Use this field to define the conditions that determine whether the resource is healthy or unhealthy.
You can access internal properties of the Record field using dot notation.
For example: `| extend EncryptionType = Record.Encryption.Type`
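A complete query following the three steps above, added here as an example and not taken from the original page. It assumes that for `ec2.instance` the Record field mirrors the EC2 DescribeInstances response, in which `MetadataOptions.HttpTokens` is `required` only when IMDSv2 is enforced; instances that still allow IMDSv1 are marked unhealthy.

```kusto
// Added example: flag EC2 instances that do not enforce IMDSv2.
// Assumption: Record mirrors the DescribeInstances API structure,
// so Record.MetadataOptions.HttpTokens is 'required' or 'optional'.
| where Environment == 'AWS' and Identifiers.Type == 'ec2.instance'
// Pull the property out of Record with dot notation; tostring() makes the
// comparison below well-typed even if the property is missing (empty string).
| extend HttpTokens = tostring(Record.MetadataOptions.HttpTokens)
// Only the condition inside iff() was edited from the template:
// anything other than 'required' (including a missing value) is unhealthy.
| extend HealthStatus = iff(HttpTokens != 'required', 'UNHEALTHY', 'HEALTHY')
// Return all original columns plus HealthStatus, as the last row must.
| project Id, Name, Environment, Identifiers, AdditionalData, Record, HealthStatus
```

No Timespan or ARN filter is needed; the assessment service already scopes the query to the most recent records of the assigned resources.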
Additional instructions
- No need to filter records by Timespan. The assessment service filters the most recent records on each run.
- No need to filter by resource ARN, unless intended. The assessment service will run the query on assigned resources.
- If a specific scope is filtered in the assessment query (for example: a specific account ID), that filter applies to all resources assigned to this query.
- Currently it is not possible to create one recommendation for multiple environments.
Next steps
You can use the following links to learn more about Kusto queries: