Queries for the ADAssessmentRecommendation table

For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.

AD Recommendations by Focus Area

Count all AD recommendations by focus area.

ADAssessmentRecommendation 
| summarize AggregatedValue = count() by FocusArea  

AD Recommendations by Computer

Count AD recommendations with failed result by computer.

ADAssessmentRecommendation 
| where RecommendationResult == "Failed" 
| summarize AggregatedValue = count() by Computer

AD Recommendations by Forest

Count AD recommendations with failed result by forest.

ADAssessmentRecommendation 
| where RecommendationResult == "Failed" 
| summarize AggregatedValue = count() by Forest

AD Recommendations by Domain

Count AD recommendations with failed result by domain.

ADAssessmentRecommendation 
| where RecommendationResult == "Failed" 
| summarize AggregatedValue = count() by Domain

AD Recommendations by DomainController

Count AD recommendations with failed result by domain controller.

ADAssessmentRecommendation 
| where RecommendationResult == "Failed" 
| summarize AggregatedValue = count() by DomainController

AD Recommendations by AffectedObjectType

Count AD recommendations with failed result by affected object type.

ADAssessmentRecommendation 
| where RecommendationResult == "Failed" 
| summarize AggregatedValue = count() by AffectedObjectType

How many times did each unique AD Recommendation trigger?

Count AD recommendations with failed result by recommendation.

ADAssessmentRecommendation 
| where RecommendationResult == "Failed" 
| summarize AggregatedValue = count() by Recommendation

High priority AD Assessment security recommendations

Return the latest failed, high priority (RecommendationScore of 35 or higher) security recommendation record for each recommendation Id.

ADAssessmentRecommendation
| where FocusArea == 'Security and Compliance' and RecommendationResult == 'Failed' and RecommendationScore>=35
| summarize arg_max(TimeGenerated, *) by RecommendationId
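
The query above filters on the failed result before arg_max, so it returns the most recent failed record for each recommendation Id, including one that a later assessment run recorded as passed. The following added example (not part of the original page) applies the result filter after arg_max to list only recommendations whose latest record is still failed. The datatable rows and the rec-A, rec-B and rec-C ids are constructed sample values so the query can be run without assessment data.

```kusto
// Constructed sample rows standing in for ADAssessmentRecommendation (not real data).
let SampleRecommendations = datatable(
    TimeGenerated: datetime, RecommendationId: string, FocusArea: string,
    RecommendationResult: string, RecommendationScore: real)
[
    // rec-A: failed in the first run, passed in the second
    datetime(2024-01-01), "rec-A", "Security and Compliance", "Failed", 40.0,
    datetime(2024-01-08), "rec-A", "Security and Compliance", "Passed", 40.0,
    // rec-B: failed in both runs
    datetime(2024-01-01), "rec-B", "Security and Compliance", "Failed", 50.0,
    datetime(2024-01-08), "rec-B", "Security and Compliance", "Failed", 50.0,
    // rec-C: failed, but below the score threshold of 35
    datetime(2024-01-08), "rec-C", "Security and Compliance", "Failed", 10.0
];
SampleRecommendations
// Keep high priority security recommendations, whatever their result.
| where FocusArea == 'Security and Compliance' and RecommendationScore >= 35
// Pick the latest record per recommendation Id.
| summarize arg_max(TimeGenerated, *) by RecommendationId
// Only now drop recommendations whose latest record is no longer failed.
| where RecommendationResult == 'Failed'
| project RecommendationId, TimeGenerated, RecommendationResult, RecommendationScore
```

To use it against real data, replace SampleRecommendations with ADAssessmentRecommendation and remove the let statement.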