
Comments (7)

TomJanetscheck commented on July 2, 2024

As I mentioned above, in this case please open a new or upvote an existing feature request in the Azure Security Center Uservoice. But also remember that preview recommendations should be considered before they will negatively affect Secure Score calculations which is why they're part of Continuous Export.

from microsoft-defender-for-cloud.

andriikut commented on July 2, 2024

It would be possible if the word "Preview" were part of the recommendation name; however, currently PREVIEW recommendations can be filtered ONLY via the GUI in the Portal (see pic below)

SecurityRecommendation
| where RecommendationState == "Unhealthy" and TimeGenerated > startofmonth(now())
| where RecommendationName !contains "Preview"



TomJanetscheck commented on July 2, 2024

Hi @andriikut,
Today, the preview information is not exported to LA; however, you can use the Microsoft.Security/AssessmentsMetadata API provider to retrieve the information, as there is a preview-field:

{
      "id": "/providers/Microsoft.Security/assessmentMetadata/af560c4d-9c05-e073-b9f1-f7a94958ff25",
      "name": "af560c4d-9c05-e073-b9f1-f7a94958ff25",
      "type": "Microsoft.Security/assessmentMetadata",
      "properties": {
        "displayName": "Container registries should be encrypted with a customer-managed key (CMK)",
        "assessmentType": "BuiltIn",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580",
        "description": "Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.",
        "remediationDescription": "Azure automatically encrypts registry Contents. To encrypt a registry using a customer-managed key (CMK): 1. Create a user-assigned managed identity. 2. Create a Key Vault with soft delete and purge protection enabled. 3. Give the Managed Identity (Get, Unwrap and Wrap) Key Permissions to the key vault by adding a key vault Access Policy. 4. Create a key for encryption. 5. Create the registry: enable customer-managed key, add the managed identity, and provid the created key's version. For more information, see: https://aka.ms/acr/cmk",
        "categories": [
          "Data"
        ],
        "preview": true,
        "severity": "Medium"
      }
}

If you need that information in Log Analytics, you could use a Logic App that helps you write data from the API to your Log Analytics workspace. The Get-SecureScoreData Logic App is an example to help you export data from a REST API to Log Analytics. If you want to see that feature in Continuous Export, too, please make sure to post a feature request in the Azure Security Center Uservoice.

from microsoft-defender-for-cloud.
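An added example, not part of the original thread or the project's code: given assessmentMetadata entries in the shape quoted above, it collects the display names flagged `preview` and appends an exclusion to the query posted earlier. It assumes the list response wraps entries in a `value` array and that `RecommendationName` holds the display name; the second sample entry is constructed.

```python
import json

# Constructed sample in the shape of the entry quoted in the thread.
# Assumptions: the "value" wrapper and the second (GA) entry.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"name": "af560c4d-9c05-e073-b9f1-f7a94958ff25",
     "type": "Microsoft.Security/assessmentMetadata",
     "properties": {
         "displayName": "Container registries should be encrypted "
                        "with a customer-managed key (CMK)",
         "preview": True, "severity": "Medium"}},
    {"name": "<constructed-assessment-id>",
     "type": "Microsoft.Security/assessmentMetadata",
     "properties": {"displayName": "Constructed GA recommendation",
                    "severity": "High"}},  # no preview key: treated as GA
]})


def preview_display_names(metadata_json):
    """Return sorted display names of entries whose preview field is true."""
    names = set()
    for entry in json.loads(metadata_json).get("value", []):
        props = entry.get("properties") or {}
        if props.get("preview") is True and props.get("displayName"):
            names.add(props["displayName"])
    return sorted(names)


def kql_string(value):
    """Quote a value as a double-quoted KQL string literal."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_query(metadata_json):
    """Build the thread's query with preview recommendations excluded."""
    names = preview_display_names(metadata_json)
    lines = [
        "SecurityRecommendation",
        '| where RecommendationState == "Unhealthy" '
        "and TimeGenerated > startofmonth(now())",
    ]
    if names:  # skip the clause when there is nothing to exclude
        quoted = ", ".join(kql_string(n) for n in names)
        lines.append("| where RecommendationName !in (" + quoted + ")")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_query(SAMPLE_RESPONSE))
```

Regenerating the query from fresh metadata on a schedule keeps the exclusion list current as recommendations move from preview to GA.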

andriikut commented on July 2, 2024

Thanks @TomJanetscheck, I will check your findings.
According to the article: "Preview recommendations don't render a resource unhealthy, and they aren't included in the calculations of your secure score"
However, they are being exported to LA and that causes this issue. I DO NOT want Preview information and want to exclude it.


TomJanetscheck commented on July 2, 2024

When configuring continuous export, you can select which recommendations you want to be exported. You can uncheck the preview recommendations so only the others are exported to Log Analytics. Also, preview recommendations are shown in ASC to enable customers to care about remediation before they will negatively affect Secure Score. Once these recommendations are GA, they will count towards their particular security controls and will then make your Secure Score decrease in case you have not taken care of remediation. So, the preview flag does not necessarily mean that these recommendations are unstable, but it's more a grace period before they will finally count towards Secure Score calculation.


andriikut commented on July 2, 2024

I got your point. It will work, but in this case we will need to manage this list manually each time new recommendations become GA. I'm trying to avoid manual work while using continuous export.
So it would be reasonable to add an option to exclude Preview from exporting or sort them out in LA.


TomJanetscheck commented on July 2, 2024

Closing this issue since it is not related to an automation artifact.
