This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 99%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKK%3C/text%3E%3C/svg%3E)
I am trying to make custom recommendations work. I created a custom recommendation that looks meta data of a keyvault and checks if PublicNetworkAccess is enabled if so then it finds "iprules" in meta data. If it can see the word "value" in array iprules it means that our keyvault has IP restrictions which is safe to use.
I didn't have any issues while creating it but the issue is that I can't see this recommendation being triggered even after 12 + hours. I know I'm alerting on something that is safe but just trying to test the tool before I use the actual use cases. I think custom recommendation follows a specific format or something? Please help if you know anything :)
Here's the kql -
RawEntityMetadata
| where Environment == 'Azure' and Identifiers.Type =~ 'Microsoft.KeyVault/vaults'
| parse Record with * 'publicNetworkAccess":"' publicNetworkAccess:string '"' *
| where publicNetworkAccess contains "Enabled"
| parse Record with * "ipRules" ipRules:string ',' *
//| where ipRules contains "value"
| extend ABC = ipRules
| project Name, Environment, Record, publicNetworkAccess, HealthStatus = "HEALTHY", ipRules, Identifiers, Id, AdditionalData
I was able to build the custom recommendation in my lab and it targeted 3 Key Vault correctly.
My recommendation here is to wait for 24 hours as any changes within defender for cloud could take up to 24 hours for execution.
If you don't have any further queries and the suggestion above answers your ask, please "Accept the answer", This will help us and others in the community as well.
Thanks,
Akshay Kaushik
Akshay, thanks for responding. I have been waiting for several days now. It still hasn't shown up. Do you mind sharing kql you wrote for the recommendation you created?
@Akshay-MSFT Were you able to check my reply from yesterday?
--> Akshay, thanks for responding. I have been waiting for several days now. It still hasn't shown up. Do you mind sharing kql you wrote for the recommendation you created?
Apologies for delayed response, I was testing and discussing this internally and found the following:
Thanks,
Akshay Kaushik
Thank you so much @Akshay-MSFT ! Can't we mark this as a product gap since custom recommendation created via KQL doesn't work?
I'll post some updates on this thread once I recreate this in my Lab.
Hey @Akshay-MSFT , wanted to follow up with you on the above.
I have also seen custom recommendations via policy (legacy) doesn't impact secure score. Is that statement correct? Also, how soon can we get some eyes on custom recommendations via KQL? Thank you so much!!
I waited for a week and my custom recommendation created via KQL and policy did show up, seems like the security standard took one week. I will check on the time it takes and get back, but based on testing could confirm this does work.
If you don't have any further queries and the suggestion above answers your ask, please "Accept the answer", This will help us and others in the community as well.
Thanks,
Akshay Kaushik
Hey @Akshay-MSFT Apparently it's been multiple weeks for me and still I don't see KQL recommendations showing up. Also, I opened up a ticket with Microsoft and they confirmed that this functionality doesn't work. Looks like there is some conflicting information. Do you mind digging in this further or maybe connect with me over a call and see if you can spot anything unusual in my environment? Let me know, please!
Also, this is very strange. Microsoft support told me explicitly that custom recommendations won't show up under recommendations tab. They will only be shown under regulatory compliance. I think it would be best to setup a call to discuss this further. Can you please let me know your availability? Thanks!