Custom Recommendations - Get

Service:

Defender for Cloud

API Version:

2024-08-01

Get a specific custom recommendation for the requested scope by customRecommendationName

GET https://management.azure.com/{scope}/providers/Microsoft.Security/customRecommendations/{customRecommendationName}?api-version=2024-08-01

URI Parameters

Name	In	Required	Type	Description
customRecommendationName	path	True	string pattern: [{]?[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$	Name of the Custom Recommendation.
scope	path	True	string	The fully qualified Azure Resource manager identifier of the resource.
api-version	query	True	string minLength: 1	The API version to use for this operation.

Responses

Name	Type	Description
200 OK	CustomRecommendation	Azure operation completed successfully.
Other Status Codes	ErrorResponse	An unexpected error response.

Security

azure_auth

Azure Active Directory OAuth2 Flow.

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name	Description
user_impersonation	impersonate your user account

Examples

Get a custom recommendation over management group scope

Get a custom recommendation over security connector scope

Get a custom recommendation over subscription scope

Get a custom recommendation over management group scope

Sample request

HTTP

GET https://management.azure.com/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Security/customRecommendations/1f3afdf9-d0c9-4c3d-847f-89da613e70a8?api-version=2024-08-01

Go

package armsecurity_test

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity"
)

// Generated from example definition: 2024-08-01/CustomRecommendations/GetByManagementGroupCustomRecommendation_example.json
func ExampleCustomRecommendationsClient_Get_getACustomRecommendationOverManagementGroupScope() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armsecurity.NewClientFactory("<subscriptionID>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	res, err := clientFactory.NewCustomRecommendationsClient().Get(ctx, "providers/Microsoft.Management/managementGroups/contoso", "1f3afdf9-d0c9-4c3d-847f-89da613e70a8", nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	// You could use response here. We use blank identifier for just demo purposes.
	_ = res
	// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
	// res = armsecurity.CustomRecommendationsClientGetResponse{
	// 	CustomRecommendation: armsecurity.CustomRecommendation{
	// 		Name: to.Ptr("1f3afdf9-d0c9-4c3d-847f-89da613e70a8"),
	// 		Type: to.Ptr("Microsoft.Security/customRecommendations"),
	// 		ID: to.Ptr("/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Security/customRecommendations/1f3afdf9-d0c9-4c3d-847f-89da613e70a8"),
	// 		Properties: &armsecurity.CustomRecommendationProperties{
	// 			Description: to.Ptr("organization passwords policy"),
	// 			AssessmentKey: to.Ptr("d5f442f7-7e77-4bcf-a450-a9c1b9a94eeb"),
	// 			CloudProviders: []*armsecurity.RecommendationSupportedClouds{
	// 				to.Ptr(armsecurity.RecommendationSupportedCloudsAWS),
	// 			},
	// 			DisplayName: to.Ptr("Password Policy"),
	// 			Query: to.Ptr("RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')"),
	// 			RemediationDescription: to.Ptr("Change password policy to..."),
	// 			SecurityIssue: to.Ptr(armsecurity.SecurityIssueVulnerability),
	// 			Severity: to.Ptr(armsecurity.SeverityEnumMedium),
	// 		},
	// 		SystemData: &armsecurity.SystemData{
	// 			CreatedAt: to.Ptr(func() time.Time { t, _ := time.Parse(time.RFC3339Nano, "2021-08-31T13:47:50.328Z"); return t}()),
	// 			CreatedBy: to.Ptr("user@contoso.com"),
	// 			CreatedByType: to.Ptr(armsecurity.CreatedByTypeUser),
	// 			LastModifiedAt: to.Ptr(func() time.Time { t, _ := time.Parse(time.RFC3339Nano, "2021-08-31T13:47:50.328Z"); return t}()),
	// 			LastModifiedBy: to.Ptr("user@contoso.com"),
	// 			LastModifiedByType: to.Ptr(armsecurity.CreatedByTypeUser),
	// 		},
	// 	},
	// }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample response

Status code:

200

{
  "name": "1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
  "type": "Microsoft.Security/customRecommendations",
  "id": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Security/customRecommendations/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
  "properties": {
    "description": "organization passwords policy",
    "assessmentKey": "d5f442f7-7e77-4bcf-a450-a9c1b9a94eeb",
    "cloudProviders": [
      "AWS"
    ],
    "displayName": "Password Policy",
    "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
    "remediationDescription": "Change password policy to...",
    "securityIssue": "Vulnerability",
    "severity": "Medium"
  },
  "systemData": {
    "createdAt": "2021-08-31T13:47:50.328Z",
    "createdBy": "user@contoso.com",
    "createdByType": "User",
    "lastModifiedAt": "2021-08-31T13:47:50.328Z",
    "lastModifiedBy": "user@contoso.com",
    "lastModifiedByType": "User"
  }
}

Get a custom recommendation over security connector scope

Sample request

HTTP

GET https://management.azure.com/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector/providers/Microsoft.Security/customRecommendations/1f3afdf9-d0c9-4c3d-847f-89da613e70a8?api-version=2024-08-01

Go

package armsecurity_test

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity"
)

// Generated from example definition: 2024-08-01/CustomRecommendations/GetBySecurityConnectorCustomRecommendation_example.json
func ExampleCustomRecommendationsClient_Get_getACustomRecommendationOverSecurityConnectorScope() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armsecurity.NewClientFactory("<subscriptionID>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	res, err := clientFactory.NewCustomRecommendationsClient().Get(ctx, "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector", "1f3afdf9-d0c9-4c3d-847f-89da613e70a8", nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	// You could use response here. We use blank identifier for just demo purposes.
	_ = res
	// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
	// res = armsecurity.CustomRecommendationsClientGetResponse{
	// 	CustomRecommendation: armsecurity.CustomRecommendation{
	// 		Name: to.Ptr("MycustomRecommendation1"),
	// 		Type: to.Ptr("Microsoft.Security/customRecommendations"),
	// 		ID: to.Ptr("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector/providers/Microsoft.Security/customRecommendations/MycustomRecommendation1"),
	// 		Properties: &armsecurity.CustomRecommendationProperties{
	// 			Description: to.Ptr("organization passwords policy"),
	// 			AssessmentKey: to.Ptr("d5f442f7-7e77-4bcf-a450-a9c1b9a94eeb"),
	// 			CloudProviders: []*armsecurity.RecommendationSupportedClouds{
	// 				to.Ptr(armsecurity.RecommendationSupportedCloudsAWS),
	// 			},
	// 			DisplayName: to.Ptr("Password Policy"),
	// 			Query: to.Ptr("RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')"),
	// 			RemediationDescription: to.Ptr("Change password policy to..."),
	// 			SecurityIssue: to.Ptr(armsecurity.SecurityIssueVulnerability),
	// 			Severity: to.Ptr(armsecurity.SeverityEnumMedium),
	// 		},
	// 		SystemData: &armsecurity.SystemData{
	// 			CreatedAt: to.Ptr(func() time.Time { t, _ := time.Parse(time.RFC3339Nano, "2021-08-31T13:47:50.328Z"); return t}()),
	// 			CreatedBy: to.Ptr("user@contoso.com"),
	// 			CreatedByType: to.Ptr(armsecurity.CreatedByTypeUser),
	// 			LastModifiedAt: to.Ptr(func() time.Time { t, _ := time.Parse(time.RFC3339Nano, "2021-08-31T13:47:50.328Z"); return t}()),
	// 			LastModifiedBy: to.Ptr("user@contoso.com"),
	// 			LastModifiedByType: to.Ptr(armsecurity.CreatedByTypeUser),
	// 		},
	// 	},
	// }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample response

Status code:

200

{
  "name": "MycustomRecommendation1",
  "type": "Microsoft.Security/customRecommendations",
  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector/providers/Microsoft.Security/customRecommendations/MycustomRecommendation1",
  "properties": {
    "description": "organization passwords policy",
    "assessmentKey": "d5f442f7-7e77-4bcf-a450-a9c1b9a94eeb",
    "cloudProviders": [
      "AWS"
    ],
    "displayName": "Password Policy",
    "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
    "remediationDescription": "Change password policy to...",
    "securityIssue": "Vulnerability",
    "severity": "Medium"
  },
  "systemData": {
    "createdAt": "2021-08-31T13:47:50.328Z",
    "createdBy": "user@contoso.com",
    "createdByType": "User",
    "lastModifiedAt": "2021-08-31T13:47:50.328Z",
    "lastModifiedBy": "user@contoso.com",
    "lastModifiedByType": "User"
  }
}

Get a custom recommendation over subscription scope

Sample request

HTTP

GET https://management.azure.com/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/customRecommendations/1f3afdf9-d0c9-4c3d-847f-89da613e70a8?api-version=2024-08-01

Go

package armsecurity_test

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity"
)

// Generated from example definition: 2024-08-01/CustomRecommendations/GetBySubscriptionCustomRecommendation_example.json
func ExampleCustomRecommendationsClient_Get_getACustomRecommendationOverSubscriptionScope() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armsecurity.NewClientFactory("<subscriptionID>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	res, err := clientFactory.NewCustomRecommendationsClient().Get(ctx, "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23", "1f3afdf9-d0c9-4c3d-847f-89da613e70a8", nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	// You could use response here. We use blank identifier for just demo purposes.
	_ = res
	// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
	// res = armsecurity.CustomRecommendationsClientGetResponse{
	// 	CustomRecommendation: armsecurity.CustomRecommendation{
	// 		Name: to.Ptr("1f3afdf9-d0c9-4c3d-847f-89da613e70a8"),
	// 		Type: to.Ptr("Microsoft.Security/customRecommendations"),
	// 		ID: to.Ptr("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/customRecommendations/1f3afdf9-d0c9-4c3d-847f-89da613e70a8"),
	// 		Properties: &armsecurity.CustomRecommendationProperties{
	// 			Description: to.Ptr("organization passwords policy"),
	// 			AssessmentKey: to.Ptr("d5f442f7-7e77-4bcf-a450-a9c1b9a94eeb"),
	// 			CloudProviders: []*armsecurity.RecommendationSupportedClouds{
	// 				to.Ptr(armsecurity.RecommendationSupportedCloudsAWS),
	// 			},
	// 			DisplayName: to.Ptr("Password Policy"),
	// 			Query: to.Ptr("RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')"),
	// 			RemediationDescription: to.Ptr("Change password policy to..."),
	// 			SecurityIssue: to.Ptr(armsecurity.SecurityIssueVulnerability),
	// 			Severity: to.Ptr(armsecurity.SeverityEnumMedium),
	// 		},
	// 		SystemData: &armsecurity.SystemData{
	// 			CreatedAt: to.Ptr(func() time.Time { t, _ := time.Parse(time.RFC3339Nano, "2021-08-31T13:47:50.328Z"); return t}()),
	// 			CreatedBy: to.Ptr("user@contoso.com"),
	// 			CreatedByType: to.Ptr(armsecurity.CreatedByTypeUser),
	// 			LastModifiedAt: to.Ptr(func() time.Time { t, _ := time.Parse(time.RFC3339Nano, "2021-08-31T13:47:50.328Z"); return t}()),
	// 			LastModifiedBy: to.Ptr("user@contoso.com"),
	// 			LastModifiedByType: to.Ptr(armsecurity.CreatedByTypeUser),
	// 		},
	// 	},
	// }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample response

Status code:

200

{
  "name": "1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
  "type": "Microsoft.Security/customRecommendations",
  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/customRecommendations/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
  "properties": {
    "description": "organization passwords policy",
    "assessmentKey": "d5f442f7-7e77-4bcf-a450-a9c1b9a94eeb",
    "cloudProviders": [
      "AWS"
    ],
    "displayName": "Password Policy",
    "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
    "remediationDescription": "Change password policy to...",
    "securityIssue": "Vulnerability",
    "severity": "Medium"
  },
  "systemData": {
    "createdAt": "2021-08-31T13:47:50.328Z",
    "createdBy": "user@contoso.com",
    "createdByType": "User",
    "lastModifiedAt": "2021-08-31T13:47:50.328Z",
    "lastModifiedBy": "user@contoso.com",
    "lastModifiedByType": "User"
  }
}

Definitions

Name	Description
createdByType	The type of identity that created the resource.
CustomRecommendation	Custom Recommendation
ErrorAdditionalInfo	The resource management error additional info.
ErrorDetail	The error detail.
ErrorResponse	Error response
RecommendationSupportedClouds	The cloud that the recommendation is supported on.
SecurityIssue	The severity to relate to the assessments generated by this Recommendation.
SeverityEnum	The severity to relate to the assessments generated by this Recommendation.
systemData	Metadata pertaining to creation and last modification of the resource.

createdByType

Enumeration

The type of identity that created the resource.

Value	Description
User
Application
ManagedIdentity
Key

CustomRecommendation

Object

Custom Recommendation

Name	Type	Default value	Description
id	string (arm-id)		Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"
name	string		The name of the resource
properties.assessmentKey	string		The assessment metadata key used when an assessment is generated for this Recommendation.
properties.cloudProviders	RecommendationSupportedClouds[]		List of all standard supported clouds.
properties.description	string		The description to relate to the assessments generated by this Recommendation.
properties.displayName	string		The display name of the assessments generated by this Recommendation.
properties.query	string		KQL query representing the Recommendation results required.
properties.remediationDescription	string		The remediation description to relate to the assessments generated by this Recommendation.
properties.securityIssue	SecurityIssue	BestPractices	The severity to relate to the assessments generated by this Recommendation.
properties.severity	SeverityEnum	Low	The severity to relate to the assessments generated by this Recommendation.
systemData	systemData		Azure Resource Manager metadata containing createdBy and modifiedBy information.
type	string		The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

ErrorAdditionalInfo

Object

The resource management error additional info.

Name	Type	Description
info	object	The additional info.
type	string	The additional info type.

ErrorDetail

Object

The error detail.

Name	Type	Description
additionalInfo	ErrorAdditionalInfo[]	The error additional info.
code	string	The error code.
details	ErrorDetail[]	The error details.
message	string	The error message.
target	string	The error target.

ErrorResponse

Object

Error response

Name	Type	Description
error	ErrorDetail	The error object.

RecommendationSupportedClouds

Enumeration

The cloud that the recommendation is supported on.

Value	Description
Azure	Azure
AWS	AWS
GCP	GCP

SecurityIssue

Enumeration

The severity to relate to the assessments generated by this Recommendation.

Value	Description
Vulnerability	Vulnerability
ExcessivePermissions	ExcessivePermissions
AnonymousAccess	AnonymousAccess
NetworkExposure	NetworkExposure
TrafficEncryption	TrafficEncryption
BestPractices	BestPractices

SeverityEnum

Enumeration

The severity to relate to the assessments generated by this Recommendation.

Value	Description
High	High
Medium	Medium
Low	Low

systemData

Object

Metadata pertaining to creation and last modification of the resource.

Name	Type	Description
createdAt	string (date-time)	The timestamp of resource creation (UTC).
createdBy	string	The identity that created the resource.
createdByType	createdByType	The type of identity that created the resource.
lastModifiedAt	string (date-time)	The timestamp of resource last modification (UTC)
lastModifiedBy	string	The identity that last modified the resource.
lastModifiedByType	createdByType	The type of identity that last modified the resource.