hisashin0728/UnhealthyStateRuleSentinel
Detecting the 'Unhealthy' State of Security Recommendations from Microsoft Defender for Cloud with an Analytics Rule in Microsoft Sentinel

This repository provides a detection rule that fires when the state of a Microsoft Defender for Cloud recommendation changes to "Unhealthy".

1. System Diagram

Configuration diagram (image not reproduced in this text).

2. How to import

You can import the template JSON from Microsoft Sentinel. Caution:

  • The target Log Analytics workspace must contain the "Recommendation" table (SecurityRecommendation), which the query reads from.
  • Beforehand, configure "Continuous Export" in Microsoft Defender for Cloud so that recommendations are exported to the Sentinel Log Analytics workspace.

3. Current KQL Query in Analytics Rule

Here is the Kusto query currently used in this package.

  • For Azure Recommendations

```kql
let queryfrequency = 1h;
// Watchlist as a variable: only recommendations listed in the ASC_Reco watchlist are alerted on
let ASC_Rec_watchlist = (_GetWatchlist('ASC_Reco')
    | project ASC_Reco);
SecurityRecommendation
| where TimeGenerated > ago(queryfrequency)
| where RecommendationState == "Unhealthy"
| where IsSnapshot == "false" // For Continuous Export without Snapshot
| where Environment == "Azure" // For Azure
| where RecommendationName in (ASC_Rec_watchlist)
| extend
    FirstEvaluationDate = tostring(Properties.status.firstEvaluationDate),
    StatusChangeDate = tostring(Properties.status.statusChangeDate)
// AssessedResourceId looks like /subscriptions/<id>/resourceGroups/<rg>/providers/...
// so index 2 is the subscription id and index 4 is the resource group name
| extend
    SubscriptionId = tostring(split(AssessedResourceId, "/", 2)[0]),
    ResourceGroup = tostring(split(AssessedResourceId, "/", 4)[0])
// Enrich with the subscription display name from Azure Resource Graph
| lookup kind=leftouter (
    arg("").resourcecontainers
    | where type == "microsoft.resources/subscriptions"
    )
    on $left.SubscriptionId == $right.subscriptionId
| project
    TimeGenerated,
    RecommendationName,
    RecommendationState,
    RecommendationSeverity,
    FirstEvaluationDate,
    StatusChangeDate,
    AssessedResourceId,
    SubscriptionId,
    name, // subscription display name from Azure Resource Graph
    ResourceGroup,
    Description,
    RemediationDescription
```
  • For AWS Recommendations

```kql
let dt_lookBack = ago(1d);
let history_lookBack = ago(7d);
SecurityRecommendation
| where TimeGenerated >= dt_lookBack
| where RecommendationState == "Unhealthy"
| where IsSnapshot == "false" // For Continuous Export without Snapshot
| where Environment == "AWS" // For AWS
//
// Exclude resources that were already Unhealthy for the same recommendation
// in the previous 7 days (leftanti join keeps only rows with no match)
| join kind=leftanti (
    SecurityRecommendation
    | where TimeGenerated between (history_lookBack .. dt_lookBack)
    | where RecommendationState == "Unhealthy"
    | where IsSnapshot == "false"
    | where Environment == "AWS"
    | summarize count() by RecommendationName, AssessedResourceId
    )
    on RecommendationName, AssessedResourceId
//
// Extend AWS Resource Information
| extend
    FirstEvaluationDate = tostring(Properties.status.firstEvaluationDate),
    StatusChangeDate = tostring(Properties.status.statusChangeDate),
    aws_arn = tostring(RecommendationAdditionalData.nativeCloudUniqueIdentifier),
    aws_account = tostring(RecommendationAdditionalData.hierarchyId),
    aws_region = tostring(RecommendationAdditionalData.region)
| project
    TimeGenerated,
    RecommendationName,
    RecommendationSeverity,
    FirstEvaluationDate,
    StatusChangeDate,
    Description,
    RemediationDescription,
    aws_account,
    aws_region,
    aws_arn
```

If you want to monitor a multi-cloud environment, comment out the line `| where Environment == "Azure"`.
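The Azure query above alerts on every Unhealthy row in the last hour, so a resource that stays Unhealthy is reported again on each run. The following added example (not part of this repository's package) combines the watchlist filter from the Azure query with the 7-day leftanti suppression used in the AWS query, and collapses repeated rows for the same resource with `arg_max`. It assumes the same `ASC_Reco` watchlist and the same `SecurityRecommendation` schema as the page's queries.

```kql
// Added example: Azure Unhealthy recommendations, watchlist-filtered,
// suppressed when the same resource/recommendation was already Unhealthy
// in the previous 7 days, and de-duplicated per resource within the window.
let queryfrequency = 1h;
let history_lookBack = ago(7d);
let ASC_Rec_watchlist = (_GetWatchlist('ASC_Reco') | project ASC_Reco);
SecurityRecommendation
| where TimeGenerated > ago(queryfrequency)
| where RecommendationState == "Unhealthy"
| where IsSnapshot == "false" // Continuous Export without Snapshot
| where Environment == "Azure"
| where RecommendationName in (ASC_Rec_watchlist)
// Drop rows whose resource was already Unhealthy for this recommendation
// between 7 days ago and the start of the current window
| join kind=leftanti (
    SecurityRecommendation
    | where TimeGenerated between (history_lookBack .. ago(queryfrequency))
    | where RecommendationState == "Unhealthy"
    | where IsSnapshot == "false"
    | where Environment == "Azure"
    | distinct RecommendationName, AssessedResourceId
    ) on RecommendationName, AssessedResourceId
// Parse subscription and resource group out of the ARM resource id
| extend
    SubscriptionId = tostring(split(AssessedResourceId, "/", 2)[0]),
    ResourceGroup = tostring(split(AssessedResourceId, "/", 4)[0]),
    StatusChangeDate = todatetime(Properties.status.statusChangeDate)
// Keep only the latest row per resource/recommendation in this window
| summarize arg_max(TimeGenerated, *) by RecommendationName, AssessedResourceId
| project
    TimeGenerated,
    RecommendationName,
    RecommendationSeverity,
    StatusChangeDate,
    SubscriptionId,
    ResourceGroup,
    AssessedResourceId,
    RemediationDescription
```

Run it in Logs against the workspace first; if `arg_max` returns multiple rows for one resource, the `by` key does not match how Continuous Export identifies that resource in your tenant.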

4. (Optional) Filtering Recommendations via Watchlist

Many customers will want to filter for specific recommendations that change to "Unhealthy" status, because ASC (Microsoft Defender for Cloud) normally generates a large number of recommendation events. If you want to detect and alert only on specific recommendations, you can use the Watchlist feature to filter them.

Here is the customized package as a template JSON file. You can upload and import the customized analytics rule into Microsoft Sentinel.

After importing the template JSON, you need to create two watchlists.

  1. "ASC_Reco" watchlist for filtering recommendations.

Here is a sample CSV for the watchlist.

```csv
ASC_Reco
TLS should be updated to the latest version for API apps
TLS should be updated to the latest version for function apps
TLS should be updated to the latest version for web apps
Microsoft Defender for servers should be enabled
Microsoft Defender for Containers should be enabled
Microsoft Defender for Azure SQL Database servers should be enabled
Microsoft Defender for DNS should be enabled
Microsoft Defender for open-source relational databases should be enabled
Microsoft Defender for Resource Manager should be enabled
Microsoft Defender for SQL on machines should be enabled on workspaces
Microsoft Defender for SQL servers on machines should be enabled
Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers
Microsoft Defender for SQL should be enabled for unprotected SQL Managed Instances
Microsoft Defender for Storage should be enabled
Microsoft Defender for Key Vault should be enabled
```

5. Current Parameters

Here are the current parameters in this package.

| Parameter | Value | Description |
|---|---|---|
| queryfrequency | 1h | |
| RecommendationName | | Recommendation name from Microsoft Defender for Cloud |
| RecommendationSeverity | High/Middle/Low | Recommendation severity |
| FirstEvaluationDate | | First evaluation date by Azure Policy |
| StatusChangeDate | | Status change date by Azure Policy |
