How to Find How Long an Azure Security Center Recommendation Has Been Open

Azure Security Center provides awesome capability to deliver recommendations on how to better secure the existing environment and also how to deploy new workloads securely. This evaluation is continuous and it should be part of a daily or weekly regimen to review the recommendation list and take action where necessary.

But, what if you want to prioritize what gets addressed by the amount of time the recommendation has been open? Or, what if – as a manager – you want to identify your team’s workload and open items to determine when you need to hire help?

The best way to accomplish these is to know how long the recommendation has been open and if an attempt has been made to address it.

This information is contained in the actual recommendation query in the firstEvaluationDate and statusChangeDate in the securityresources table, which is available to query through Graph Explorer.

Status location

To get there in the UI from the Security Center console…

[1] Locate the Recommendation of interest, click to open it and click the Open Query option.

Open Query

[2] Once Azure Resource Graph Explorer opens, tap or click the Run Query option. Then, in the results window, tap or click the See Details link on one of the returned rows.

See the details of entity

[3] Finally, sift through the details pane for the Properties values. In here, you’ll find the time and date the first assessment for the object was made and if anyone has ever attempted to address the recommendation for that specific object.

Open Evaluation


[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[Subscribe to the Weekly Azure Sentinel Newsletter]