Custom Recommendations - Create Or Update

Service:: Defender for Cloud

API Version:: 2024-08-01

Creates or updates a custom recommendation over a given scope

PUT https://management.azure.com/{scope}/providers/Microsoft.Security/customRecommendations/{customRecommendationName}?api-version=2024-08-01

URI Parameters

Name	In	Required	Type	Description
customRecommendationName	path	True	string pattern: [{]?[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$	Name of the Custom Recommendation.
scope	path	True	string	The scope of the custom recommendation. Valid scopes are: management group (format: 'providers/Microsoft.Management/managementGroups/{managementGroup}'), subscription (format: 'subscriptions/{subscriptionId}'), or security connector (format: 'subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/securityConnectors/{securityConnectorName})'
api-version	query	True	string minLength: 1	The API version to use for this operation.

Request Body

Name	Type	Description
properties.cloudProviders	RecommendationSupportedClouds[]	List of all standard supported clouds.
properties.description	string	The description to relate to the assessments generated by this Recommendation.
properties.displayName	string	The display name of the assessments generated by this Recommendation.
properties.query	string	KQL query representing the Recommendation results required.
properties.remediationDescription	string	The remediation description to relate to the assessments generated by this Recommendation.
properties.securityIssue	securityIssue	The severity to relate to the assessments generated by this Recommendation.
properties.severity	severityEnum	The severity to relate to the assessments generated by this Recommendation.

Responses

Name	Type	Description
200 OK	CustomRecommendation	OK - Updated
201 Created	CustomRecommendation	Created
Other Status Codes	ErrorResponse	Error response describing why the operation failed

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name	Description
user_impersonation	impersonate your user account

Examples

Create or update custom recommendation over management group scope

Create or update custom recommendation over security connector scope

Create or update custom recommendation over subscription scope

Create or update custom recommendation over management group scope

Sample request

PUT https://management.azure.com/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Security/customRecommendations/33e7cc6e-a139-4723-a0e5-76993aee0771?api-version=2024-08-01

{
  "properties": {
    "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
    "cloudProviders": [
      "AWS"
    ],
    "severity": "Medium",
    "displayName": "Password Policy",
    "description": "organization passwords policy",
    "remediationDescription": "Change password policy to...",
    "securityIssue": "Vulnerability"
  }
}


import com.azure.resourcemanager.security.models.RecommendationSupportedClouds;
import com.azure.resourcemanager.security.models.SecurityIssue;
import com.azure.resourcemanager.security.models.SeverityEnum;
import java.util.Arrays;

/**
 * Samples for CustomRecommendations CreateOrUpdate.
 */
public final class Main {
    /*
     * x-ms-original-file:
     * specification/security/resource-manager/Microsoft.Security/stable/2024-08-01/examples/CustomRecommendations/
     * PutByManagementGroupCustomRecommendation_example.json
     */
    /**
     * Sample code: Create or update custom recommendation over management group scope.
     * 
     * @param manager Entry point to SecurityManager.
     */
    public static void createOrUpdateCustomRecommendationOverManagementGroupScope(
        com.azure.resourcemanager.security.SecurityManager manager) {
        manager.customRecommendations().define("33e7cc6e-a139-4723-a0e5-76993aee0771")
            .withExistingScope("providers/Microsoft.Management/managementGroups/contoso")
            .withQuery(
                "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')")
            .withCloudProviders(Arrays.asList(RecommendationSupportedClouds.AWS)).withSeverity(SeverityEnum.MEDIUM)
            .withSecurityIssue(SecurityIssue.VULNERABILITY).withDisplayName("Password Policy")
            .withDescription("organization passwords policy").withRemediationDescription("Change password policy to...")
            .create();
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

from azure.identity import DefaultAzureCredential

from azure.mgmt.security import SecurityCenter

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-security
# USAGE
    python put_by_management_group_custom_recommendation_example.py

    Before run the sample, please set the values of the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the value, please see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = SecurityCenter(
        credential=DefaultAzureCredential(),
        subscription_id="SUBSCRIPTION_ID",
    )

    response = client.custom_recommendations.create_or_update(
        scope="providers/Microsoft.Management/managementGroups/contoso",
        custom_recommendation_name="33e7cc6e-a139-4723-a0e5-76993aee0771",
        custom_recommendation_body={
            "properties": {
                "cloudProviders": ["AWS"],
                "description": "organization passwords policy",
                "displayName": "Password Policy",
                "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
                "remediationDescription": "Change password policy to...",
                "securityIssue": "Vulnerability",
                "severity": "Medium",
            }
        },
    )
    print(response)


# x-ms-original-file: specification/security/resource-manager/Microsoft.Security/stable/2024-08-01/examples/CustomRecommendations/PutByManagementGroupCustomRecommendation_example.json
if __name__ == "__main__":
    main()

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample response

Status code:: 200

{
  "id": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Security/customRecommendations/33e7cc6e-a139-4723-a0e5-76993aee0771",
  "name": "33e7cc6e-a139-4723-a0e5-76993aee0771",
  "type": "Microsoft.Security/customRecommendations",
  "systemData": {
    "createdBy": "user@contoso.com",
    "createdByType": "User",
    "createdAt": "2021-08-31T13:47:50.328Z",
    "lastModifiedBy": "user@contoso.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2021-08-31T13:47:50.328Z"
  },
  "properties": {
    "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
    "cloudProviders": [
      "AWS"
    ],
    "severity": "Medium",
    "displayName": "Password Policy",
    "description": "organization passwords policy",
    "remediationDescription": "Change password policy to...",
    "assessmentKey": "d5f442f7-7e77-4bcf-a450-a9c1b9a94eeb",
    "securityIssue": "Vulnerability"
  }
}

Status code:: 201

{
  "id": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Security/customRecommendations/33e7cc6e-a139-4723-a0e5-76993aee0771",
  "name": "33e7cc6e-a139-4723-a0e5-76993aee0771",
  "type": "Microsoft.Security/customRecommendations",
  "systemData": {
    "createdBy": "user@contoso.com",
    "createdByType": "User",
    "createdAt": "2021-08-31T13:47:50.328Z",
    "lastModifiedBy": "user@contoso.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2021-08-31T13:47:50.328Z"
  },
  "properties": {
    "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
    "cloudProviders": [
      "AWS"
    ],
    "severity": "Medium",
    "displayName": "Password Policy",
    "description": "organization passwords policy",
    "remediationDescription": "Change password policy to...",
    "assessmentKey": "d5f442f7-7e77-4bcf-a450-a9c1b9a94eeb",
    "securityIssue": "Vulnerability"
  }
}

Create or update custom recommendation over security connector scope

Sample request

PUT https://management.azure.com/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector/providers/Microsoft.Security/customRecommendations/33e7cc6e-a139-4723-a0e5-76993aee0771?api-version=2024-08-01

{
  "properties": {
    "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
    "cloudProviders": [
      "AWS"
    ],
    "severity": "Medium",
    "displayName": "Password Policy",
    "description": "organization passwords policy",
    "remediationDescription": "Change password policy to...",
    "securityIssue": "Vulnerability"
  }
}


import com.azure.resourcemanager.security.models.RecommendationSupportedClouds;
import com.azure.resourcemanager.security.models.SecurityIssue;
import com.azure.resourcemanager.security.models.SeverityEnum;
import java.util.Arrays;

/**
 * Samples for CustomRecommendations CreateOrUpdate.
 */
public final class Main {
    /*
     * x-ms-original-file:
     * specification/security/resource-manager/Microsoft.Security/stable/2024-08-01/examples/CustomRecommendations/
     * PutBySecurityConnectorCustomRecommendation_example.json
     */
    /**
     * Sample code: Create or update custom recommendation over security connector scope.
     * 
     * @param manager Entry point to SecurityManager.
     */
    public static void createOrUpdateCustomRecommendationOverSecurityConnectorScope(
        com.azure.resourcemanager.security.SecurityManager manager) {
        manager.customRecommendations().define("33e7cc6e-a139-4723-a0e5-76993aee0771").withExistingScope(
            "subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector")
            .withQuery(
                "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')")
            .withCloudProviders(Arrays.asList(RecommendationSupportedClouds.AWS)).withSeverity(SeverityEnum.MEDIUM)
            .withSecurityIssue(SecurityIssue.VULNERABILITY).withDisplayName("Password Policy")
            .withDescription("organization passwords policy").withRemediationDescription("Change password policy to...")
            .create();
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

from azure.identity import DefaultAzureCredential

from azure.mgmt.security import SecurityCenter

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-security
# USAGE
    python put_by_security_connector_custom_recommendation_example.py

    Before run the sample, please set the values of the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the value, please see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = SecurityCenter(
        credential=DefaultAzureCredential(),
        subscription_id="SUBSCRIPTION_ID",
    )

    response = client.custom_recommendations.create_or_update(
        scope="subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector",
        custom_recommendation_name="33e7cc6e-a139-4723-a0e5-76993aee0771",
        custom_recommendation_body={
            "properties": {
                "cloudProviders": ["AWS"],
                "description": "organization passwords policy",
                "displayName": "Password Policy",
                "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
                "remediationDescription": "Change password policy to...",
                "securityIssue": "Vulnerability",
                "severity": "Medium",
            }
        },
    )
    print(response)


# x-ms-original-file: specification/security/resource-manager/Microsoft.Security/stable/2024-08-01/examples/CustomRecommendations/PutBySecurityConnectorCustomRecommendation_example.json
if __name__ == "__main__":
    main()

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample response

Status code:: 200

{
  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector/providers/Microsoft.Security/customRecommendations/33e7cc6e-a139-4723-a0e5-76993aee0771",
  "name": "33e7cc6e-a139-4723-a0e5-76993aee0771",
  "type": "Microsoft.Security/customRecommendations",
  "systemData": {
    "createdBy": "user@contoso.com",
    "createdByType": "User",
    "createdAt": "2021-08-31T13:47:50.328Z",
    "lastModifiedBy": "user@contoso.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2021-08-31T13:47:50.328Z"
  },
  "properties": {
    "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
    "cloudProviders": [
      "AWS"
    ],
    "severity": "Medium",
    "displayName": "Password Policy",
    "description": "organization passwords policy",
    "remediationDescription": "Change password policy to...",
    "assessmentKey": "d5f442f7-7e77-4bcf-a450-a9c1b9a94eeb",
    "securityIssue": "Vulnerability"
  }
}

Status code:: 201

{
  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/gcpResourceGroup/providers/Microsoft.Security/securityConnectors/gcpconnector/providers/Microsoft.Security/customRecommendations/33e7cc6e-a139-4723-a0e5-76993aee0771",
  "name": "33e7cc6e-a139-4723-a0e5-76993aee0771",
  "type": "Microsoft.Security/customRecommendations",
  "systemData": {
    "createdBy": "user@contoso.com",
    "createdByType": "User",
    "createdAt": "2021-08-31T13:47:50.328Z",
    "lastModifiedBy": "user@contoso.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2021-08-31T13:47:50.328Z"
  },
  "properties": {
    "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
    "cloudProviders": [
      "AWS"
    ],
    "severity": "Medium",
    "displayName": "Password Policy",
    "description": "organization passwords policy",
    "remediationDescription": "Change password policy to...",
    "assessmentKey": "d5f442f7-7e77-4bcf-a450-a9c1b9a94eeb",
    "securityIssue": "Vulnerability"
  }
}

Create or update custom recommendation over subscription scope

Sample request

PUT https://management.azure.com/subscriptions/e5d1b86c-3051-44d5-8802-aa65d45a279b/providers/Microsoft.Security/customRecommendations/33e7cc6e-a139-4723-a0e5-76993aee0771?api-version=2024-08-01

{
  "properties": {
    "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
    "cloudProviders": [
      "AWS"
    ],
    "severity": "Medium",
    "displayName": "Password Policy",
    "description": "organization passwords policy",
    "remediationDescription": "Change password policy to...",
    "securityIssue": "Vulnerability"
  }
}


import com.azure.resourcemanager.security.models.RecommendationSupportedClouds;
import com.azure.resourcemanager.security.models.SecurityIssue;
import com.azure.resourcemanager.security.models.SeverityEnum;
import java.util.Arrays;

/**
 * Samples for CustomRecommendations CreateOrUpdate.
 */
public final class Main {
    /*
     * x-ms-original-file:
     * specification/security/resource-manager/Microsoft.Security/stable/2024-08-01/examples/CustomRecommendations/
     * PutBySubscriptionCustomRecommendation_example.json
     */
    /**
     * Sample code: Create or update custom recommendation over subscription scope.
     * 
     * @param manager Entry point to SecurityManager.
     */
    public static void createOrUpdateCustomRecommendationOverSubscriptionScope(
        com.azure.resourcemanager.security.SecurityManager manager) {
        manager.customRecommendations().define("33e7cc6e-a139-4723-a0e5-76993aee0771")
            .withExistingScope("subscriptions/e5d1b86c-3051-44d5-8802-aa65d45a279b")
            .withQuery(
                "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')")
            .withCloudProviders(Arrays.asList(RecommendationSupportedClouds.AWS)).withSeverity(SeverityEnum.MEDIUM)
            .withSecurityIssue(SecurityIssue.VULNERABILITY).withDisplayName("Password Policy")
            .withDescription("organization passwords policy").withRemediationDescription("Change password policy to...")
            .create();
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

from azure.identity import DefaultAzureCredential

from azure.mgmt.security import SecurityCenter

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-security
# USAGE
    python put_by_subscription_custom_recommendation_example.py

    Before run the sample, please set the values of the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the value, please see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = SecurityCenter(
        credential=DefaultAzureCredential(),
        subscription_id="SUBSCRIPTION_ID",
    )

    response = client.custom_recommendations.create_or_update(
        scope="subscriptions/e5d1b86c-3051-44d5-8802-aa65d45a279b",
        custom_recommendation_name="33e7cc6e-a139-4723-a0e5-76993aee0771",
        custom_recommendation_body={
            "properties": {
                "cloudProviders": ["AWS"],
                "description": "organization passwords policy",
                "displayName": "Password Policy",
                "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
                "remediationDescription": "Change password policy to...",
                "securityIssue": "Vulnerability",
                "severity": "Medium",
            }
        },
    )
    print(response)


# x-ms-original-file: specification/security/resource-manager/Microsoft.Security/stable/2024-08-01/examples/CustomRecommendations/PutBySubscriptionCustomRecommendation_example.json
if __name__ == "__main__":
    main()

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample response

Status code:: 200

{
  "id": "/subscriptions/e5d1b86c-3051-44d5-8802-aa65d45a279b/providers/Microsoft.Security/customRecommendations/33e7cc6e-a139-4723-a0e5-76993aee0771",
  "name": "33e7cc6e-a139-4723-a0e5-76993aee0771",
  "type": "Microsoft.Security/customRecommendations",
  "systemData": {
    "createdBy": "user@contoso.com",
    "createdByType": "User",
    "createdAt": "2021-08-31T13:47:50.328Z",
    "lastModifiedBy": "user@contoso.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2021-08-31T13:47:50.328Z"
  },
  "properties": {
    "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
    "cloudProviders": [
      "AWS"
    ],
    "severity": "Medium",
    "displayName": "Password Policy",
    "description": "organization passwords policy",
    "remediationDescription": "Change password policy to...",
    "assessmentKey": "d5f442f7-7e77-4bcf-a450-a9c1b9a94eeb",
    "securityIssue": "Vulnerability"
  }
}

Status code:: 201

{
  "id": "/subscriptions/e5d1b86c-3051-44d5-8802-aa65d45a279b/providers/Microsoft.Security/customRecommendations/33e7cc6e-a139-4723-a0e5-76993aee0771",
  "name": "33e7cc6e-a139-4723-a0e5-76993aee0771",
  "type": "Microsoft.Security/customRecommendations",
  "systemData": {
    "createdBy": "user@contoso.com",
    "createdByType": "User",
    "createdAt": "2021-08-31T13:47:50.328Z",
    "lastModifiedBy": "user@contoso.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2021-08-31T13:47:50.328Z"
  },
  "properties": {
    "query": "RawEntityMetadata | where Environment == 'GCP' and Identifiers.Type == 'compute.firewalls' | extend IslogConfigEnabled = tobool(Record.logConfig.enable) | extend HealthStatus = iff(IslogConfigEnabled, 'HEALTHY', 'UNHEALTHY')",
    "cloudProviders": [
      "AWS"
    ],
    "severity": "Medium",
    "displayName": "Password Policy",
    "description": "organization passwords policy",
    "remediationDescription": "Change password policy to...",
    "assessmentKey": "d5f442f7-7e77-4bcf-a450-a9c1b9a94eeb",
    "securityIssue": "Vulnerability"
  }
}

Definitions

Name	Description
createdByType	The type of identity that created the resource.
CustomRecommendation	Custom Recommendation
ErrorAdditionalInfo	The resource management error additional info.
ErrorDetail	The error detail.
ErrorResponse	Error response
RecommendationSupportedClouds	List of all standard supported clouds.
securityIssue	The severity to relate to the assessments generated by this Recommendation.
severityEnum	The severity to relate to the assessments generated by this Recommendation.
systemData	Metadata pertaining to creation and last modification of the resource.

createdByType

Enumeration

The type of identity that created the resource.

Value	Description
User
Application
ManagedIdentity
Key