Reference for SecurityRecommendation table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | Security |
| Basic Logs Eligible | ✗ No |
| Supports Transformations | ✓ Yes |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| AssessedResourceId | string | |
| Description | string | |
| DeviceId | string | |
| DiscoveredTimeUTC | datetime | |
| Environment | string | |
| FirstEvaluationDate | datetime | |
| IsSnapshot | bool | |
| PolicyDefinitionId | string | |
| Properties | dynamic | |
| ProviderName | string | |
| RecommendationAdditionalData | dynamic | |
| RecommendationDisplayName | string | |
| RecommendationId | string | |
| RecommendationName | string | |
| RecommendationSeverity | string | |
| RecommendationState | string | |
| ResolvedTimeUTC | datetime | |
| ResourceRegion | string | |
| StatusChangeDate | datetime | |
| TimeGenerated | datetime | |
| Type | string | The name of the table |
This table is used by the following solutions:
In solution AzureSecurityBenchmark: RecommendationState in "Healthy,Unhealthy"
| Analytic Rule |
|---|
| Azure Security Benchmark Posture Changed |
In solution ContinuousDiagnostics&Mitigation: RecommendationState in "Healthy,NotApplicable,Removed,Unhealthy"
| Analytic Rule |
|---|
| CDM_ContinuousDiagnostics&Mitigation_PostureChanged |
In solution MaturityModelForEventLogManagementM2131:
| Analytic Rule | Selection Criteria |
|---|---|
| M2131_EventLogManagementPostureChanged_EL0 | RecommendationState in "Healthy,Unhealthy" |
| M2131_EventLogManagementPostureChanged_EL1 | RecommendationState in "Healthy,Unhealthy" |
| M2131_EventLogManagementPostureChanged_EL2 | RecommendationState in "Healthy,Unhealthy" |
| M2131_EventLogManagementPostureChanged_EL3 | RecommendationState in "Healthy,Unhealthy" |
| M2131_LogRetentionLessThan1Year | RecommendationDisplayName == "Activity log should be retained for at least one year"; RecommendationState in "Healthy,Unhealthy" |
In solution NISTSP80053: RecommendationState in "Healthy,Unhealthy"
| Analytic Rule |
|---|
| NIST SP 800-53 Posture Changed |
In solution ZeroTrust(TIC3.0): RecommendationState in "Healthy,Unhealthy"
| Analytic Rule |
|---|
| ZeroTrust(TIC3.0) Control Assessment Posture Change |
In solution ContinuousDiagnostics&Mitigation: RecommendationState in "Healthy,NotApplicable,Removed,Unhealthy"
| Hunting Query |
|---|
| CDM_ContinuousDiagnostics&Mitigation_Posture |
In solution ContinuousDiagnostics&Mitigation: RecommendationDisplayName contains "access", "account", "admin", "agent", "aks", "audit", "auth", "back", "bound", "cert", "cmk", "collect", "contain", "data", "detect", "edr", "endpoint", "endpoint protection", "event", "firewall", "gateway", "http", "identity", "incident", "internet", "intrusion", "just", "key", "kube", "malware", "network", "port", "priv", "privacy", "protection", "proxy", "root", "sql", "storage", "subnet", "supply", "tls", "token", "traffic", "trust", "url", "user", "web"; RecommendationState in "Healthy,NotApplicable,Removed,Unhealthy"
| Workbook |
|---|
| ContinuousDiagnostics&Mitigation |
In solution CybersecurityMaturityModelCertification(CMMC)2.0: RecommendationState in "Healthy,Unhealthy"
| Workbook |
|---|
| CybersecurityMaturityModelCertification_CMMCV2 |
In solution MaturityModelForEventLogManagementM2131: RecommendationDisplayName contains "AWS", "Amazon", "certificate", "container", "database", "encrypt", "endpoint protection", "exploit", "key", "kube", "pod", "sql", "vault", "virus", "vuln"; RecommendationDisplayName has "GCP", "Google"; RecommendationName contains "container", "kube", "kubernetes", "pod", "update"; RecommendationState in "Healthy,NotApplicable,Removed,Unhealthy"
| Workbook |
|---|
| MaturityModelForEventLogManagement_M2131 |
In solution NISTSP80053: RecommendationDisplayName contains "TPM"; RecommendationState in "Healthy,Unhealthy"
| Workbook |
|---|
| NISTSP80053 |
In solution ZeroTrust(TIC3.0): RecommendationDisplayName contains "JIT", "Just", "VPC", "Web Application Firewall", "account", "adaptive", "admin", "application gateway", "audit", "authentication", "authorized", "automation", "back", "balance", "cert", "certificate", "config", "deception", "defender", "denial", "disaster", "dns", "encrypt", "endpoint protection", "express", "firewall", "geo", "guest", "honey", "identity", "java", "load", "log", "logic", "malware", "network access", "network gateway", "network security group", "notification", "password", "patch", "playbook", "private", "privilege", "protected by Azure Firewall", "proxy", "recover", "redundant", "region", "safe", "scale", "security group", "segment", "shared", "subnet", "update", "upgrade", "version", "vpn", "vuln", "watcher", "web apps"; RecommendationState in "Healthy,Unhealthy"
| Workbook |
|---|
| ZeroTrustTIC3 |
References by type: 0 connectors, 15 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| RecommendationState in "Healthy,Unhealthy" | - | 8 | - | - | 8 |
| RecommendationState in "Healthy,NotApplicable,Removed,Unhealthy" | - | 2 | - | - | 2 |
| RecommendationDisplayName == "Activity log should be retained for at least one year"; RecommendationState in "Healthy,Unhealthy" | - | 1 | - | - | 1 |
| RecommendationDisplayName contains "access", "account", "admin", "agent", "aks", "audit", "auth", "back", "bound", "cert", "cmk", "collect", "contain", "data", "detect", "edr", "endpoint", "endpoint protection", "event", "firewall", "gateway", "http", "identity", "incident", "internet", "intrusion", "just", "key", "kube", "malware", "network", "port", "priv", "privacy", "protection", "proxy", "root", "sql", "storage", "subnet", "supply", "tls", "token", "traffic", "trust", "url", "user", "web"; RecommendationState in "Healthy,NotApplicable,Removed,Unhealthy" | - | 1 | - | - | 1 |
| RecommendationDisplayName contains "AWS", "Amazon", "certificate", "container", "database", "encrypt", "endpoint protection", "exploit", "key", "kube", "pod", "sql", "vault", "virus", "vuln"; RecommendationDisplayName has "GCP", "Google"; RecommendationName contains "container", "kube", "kubernetes", "pod", "update"; RecommendationState in "Healthy,NotApplicable,Removed,Unhealthy" | - | 1 | - | - | 1 |
| RecommendationDisplayName contains "TPM"; RecommendationState in "Healthy,Unhealthy" | - | 1 | - | - | 1 |
| RecommendationDisplayName contains "JIT", "Just", "VPC", "Web Application Firewall", "account", "adaptive", "admin", "application gateway", "audit", "authentication", "authorized", "automation", "back", "balance", "cert", "certificate", "config", "deception", "defender", "denial", "disaster", "dns", "encrypt", "endpoint protection", "express", "firewall", "geo", "guest", "honey", "identity", "java", "load", "log", "logic", "malware", "network access", "network gateway", "network security group", "notification", "password", "patch", "playbook", "private", "privilege", "protected by Azure Firewall", "proxy", "recover", "redundant", "region", "safe", "scale", "security group", "segment", "shared", "subnet", "update", "upgrade", "version", "vpn", "vuln", "watcher", "web apps"; RecommendationState in "Healthy,Unhealthy" | - | 1 | - | - | 1 |
| Total | 0 | 15 | 0 | 0 | 15 |
Values referenced in selection criteria on RecommendationDisplayName:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| contains endpoint protection | - | 3 | - | - | 3 |
| contains account | - | 2 | - | - | 2 |
| contains admin | - | 2 | - | - | 2 |
| contains audit | - | 2 | - | - | 2 |
| contains back | - | 2 | - | - | 2 |
| contains cert | - | 2 | - | - | 2 |
| contains firewall | - | 2 | - | - | 2 |
| contains identity | - | 2 | - | - | 2 |
| contains key | - | 2 | - | - | 2 |
| contains kube | - | 2 | - | - | 2 |
| contains malware | - | 2 | - | - | 2 |
| contains proxy | - | 2 | - | - | 2 |
| contains sql | - | 2 | - | - | 2 |
| contains subnet | - | 2 | - | - | 2 |
| contains certificate | - | 2 | - | - | 2 |
| contains encrypt | - | 2 | - | - | 2 |
| contains vuln | - | 2 | - | - | 2 |
| Activity log should be retained for at least one year | - | 1 | - | - | 1 |
| contains access | - | 1 | - | - | 1 |
| contains agent | - | 1 | - | - | 1 |
| contains aks | - | 1 | - | - | 1 |
| contains auth | - | 1 | - | - | 1 |
| contains bound | - | 1 | - | - | 1 |
| contains cmk | - | 1 | - | - | 1 |
| contains collect | - | 1 | - | - | 1 |
| contains contain | - | 1 | - | - | 1 |
| contains data | - | 1 | - | - | 1 |
| contains detect | - | 1 | - | - | 1 |
| contains edr | - | 1 | - | - | 1 |
| contains endpoint | - | 1 | - | - | 1 |
| contains event | - | 1 | - | - | 1 |
| contains gateway | - | 1 | - | - | 1 |
| contains http | - | 1 | - | - | 1 |
| contains incident | - | 1 | - | - | 1 |
| contains internet | - | 1 | - | - | 1 |
| contains intrusion | - | 1 | - | - | 1 |
| contains just | - | 1 | - | - | 1 |
| contains network | - | 1 | - | - | 1 |
| contains port | - | 1 | - | - | 1 |
| contains priv | - | 1 | - | - | 1 |
| contains privacy | - | 1 | - | - | 1 |
| contains protection | - | 1 | - | - | 1 |
| contains root | - | 1 | - | - | 1 |
| contains storage | - | 1 | - | - | 1 |
| contains supply | - | 1 | - | - | 1 |
| contains tls | - | 1 | - | - | 1 |
| contains token | - | 1 | - | - | 1 |
| contains traffic | - | 1 | - | - | 1 |
| contains trust | - | 1 | - | - | 1 |
| contains url | - | 1 | - | - | 1 |
| contains user | - | 1 | - | - | 1 |
| contains web | - | 1 | - | - | 1 |
| contains AWS | - | 1 | - | - | 1 |
| contains Amazon | - | 1 | - | - | 1 |
| contains container | - | 1 | - | - | 1 |
| contains database | - | 1 | - | - | 1 |
| contains exploit | - | 1 | - | - | 1 |
| contains pod | - | 1 | - | - | 1 |
| contains vault | - | 1 | - | - | 1 |
| contains virus | - | 1 | - | - | 1 |
| has GCP | - | 1 | - | - | 1 |
| has Google | - | 1 | - | - | 1 |
| contains TPM | - | 1 | - | - | 1 |
| contains JIT | - | 1 | - | - | 1 |
| contains Just | - | 1 | - | - | 1 |
| contains VPC | - | 1 | - | - | 1 |
| contains Web Application Firewall | - | 1 | - | - | 1 |
| contains adaptive | - | 1 | - | - | 1 |
| contains application gateway | - | 1 | - | - | 1 |
| contains authentication | - | 1 | - | - | 1 |
| contains authorized | - | 1 | - | - | 1 |
| contains automation | - | 1 | - | - | 1 |
| contains balance | - | 1 | - | - | 1 |
| contains config | - | 1 | - | - | 1 |
| contains deception | - | 1 | - | - | 1 |
| contains defender | - | 1 | - | - | 1 |
| contains denial | - | 1 | - | - | 1 |
| contains disaster | - | 1 | - | - | 1 |
| contains dns | - | 1 | - | - | 1 |
| contains express | - | 1 | - | - | 1 |
| contains geo | - | 1 | - | - | 1 |
| contains guest | - | 1 | - | - | 1 |
| contains honey | - | 1 | - | - | 1 |
| contains java | - | 1 | - | - | 1 |
| contains load | - | 1 | - | - | 1 |
| contains log | - | 1 | - | - | 1 |
| contains logic | - | 1 | - | - | 1 |
| contains network access | - | 1 | - | - | 1 |
| contains network gateway | - | 1 | - | - | 1 |
| contains network security group | - | 1 | - | - | 1 |
| contains notification | - | 1 | - | - | 1 |
| contains password | - | 1 | - | - | 1 |
| contains patch | - | 1 | - | - | 1 |
| contains playbook | - | 1 | - | - | 1 |
| contains private | - | 1 | - | - | 1 |
| contains privilege | - | 1 | - | - | 1 |
| contains protected by Azure Firewall | - | 1 | - | - | 1 |
| contains recover | - | 1 | - | - | 1 |
| contains redundant | - | 1 | - | - | 1 |
| contains region | - | 1 | - | - | 1 |
| contains safe | - | 1 | - | - | 1 |
| contains scale | - | 1 | - | - | 1 |
| contains security group | - | 1 | - | - | 1 |
| contains segment | - | 1 | - | - | 1 |
| contains shared | - | 1 | - | - | 1 |
| contains update | - | 1 | - | - | 1 |
| contains upgrade | - | 1 | - | - | 1 |
| contains version | - | 1 | - | - | 1 |
| contains vpn | - | 1 | - | - | 1 |
| contains watcher | - | 1 | - | - | 1 |
| contains web apps | - | 1 | - | - | 1 |
Values referenced in selection criteria on RecommendationName:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| contains container | - | 1 | - | - | 1 |
| contains kube | - | 1 | - | - | 1 |
| contains kubernetes | - | 1 | - | - | 1 |
| contains pod | - | 1 | - | - | 1 |
| contains update | - | 1 | - | - | 1 |
Values referenced in selection criteria on RecommendationState:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Healthy | - | 15 | - | - | 15 |
| Unhealthy | - | 15 | - | - | 15 |
| NotApplicable | - | 4 | - | - | 4 |
| Removed | - | 4 | - | - | 4 |