| JSON |
{
"properties": {
"displayName": "[Preview]: Deploy - Configure Windows machines to automatically install the Azure Security agent",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Configure Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location.",
"metadata": {
"category": "Security Center",
"version": "1.0.0-preview",
"preview": true
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"field": "location",
"in": [
"australiacentral",
"australiaeast",
"australiasoutheast",
"centralindia",
"centralus",
"eastasia",
"eastus2euap",
"eastus",
"eastus2",
"germanywestcentral",
"japaneast",
"northcentralus",
"northeurope",
"southcentralus",
"southeastasia",
"uksouth",
"westcentralus",
"westeurope",
"westus",
"westus2"
]
},
{
"anyOf": [
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "MicrosoftWindowsServer"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "WindowsServer"
},
{
"field": "Microsoft.Compute/imageSKU",
"in": [
"2008-R2-SP1",
"2008-R2-SP1-smalldisk",
"2012-Datacenter",
"2012-Datacenter-smalldisk",
"2012-R2-Datacenter",
"2012-R2-Datacenter-smalldisk",
"2016-Datacenter",
"2016-Datacenter-Server-Core",
"2016-Datacenter-Server-Core-smalldisk",
"2016-Datacenter-smalldisk",
"2016-Datacenter-with-Containers",
"2016-Datacenter-with-RDSH",
"2019-Datacenter",
"2019-Datacenter-Core",
"2019-Datacenter-Core-smalldisk",
"2019-Datacenter-Core-with-Containers",
"2019-Datacenter-Core-with-Containers-smalldisk",
"2019-Datacenter-smalldisk",
"2019-Datacenter-with-Containers",
"2019-Datacenter-with-Containers-smalldisk",
"2019-Datacenter-zhcn"
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "MicrosoftWindowsServer"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "WindowsServerSemiAnnual"
},
{
"field": "Microsoft.Compute/imageSKU",
"in": [
"Datacenter-Core-1709-smalldisk",
"Datacenter-Core-1709-with-Containers-smalldisk",
"Datacenter-Core-1803-with-Containers-smalldisk"
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "MicrosoftWindowsServerHPCPack"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "WindowsServerHPCPack"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "MicrosoftSQLServer"
},
{
"anyOf": [
{
"field": "Microsoft.Compute/imageOffer",
"like": "*-WS2016"
},
{
"field": "Microsoft.Compute/imageOffer",
"like": "*-WS2016-BYOL"
},
{
"field": "Microsoft.Compute/imageOffer",
"like": "*-WS2012R2"
},
{
"field": "Microsoft.Compute/imageOffer",
"like": "*-WS2012R2-BYOL"
}
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "MicrosoftRServer"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "MLServer-WS2016"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "MicrosoftVisualStudio"
},
{
"field": "Microsoft.Compute/imageOffer",
"in": [
"VisualStudio",
"Windows"
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "MicrosoftDynamicsAX"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "Dynamics"
},
{
"field": "Microsoft.Compute/imageSKU",
"equals": "Pre-Req-AX7-Onebox-U8"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "microsoft-ads"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "windows-data-science-vm"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "MicrosoftWindowsDesktop"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "Windows-10"
}
]
}
]
}
]
},
"then": {
"effect": "deployIfNotExists",
"details": {
"type": "Microsoft.Compute/virtualMachines/extensions",
"deploymentScope": "subscription",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Compute/virtualMachines/extensions/type",
"equals": "AzureSecurityWindowsAgent"
},
{
"field": "Microsoft.Compute/virtualMachines/extensions/Publisher",
"equals": "Microsoft.Azure.Security.Monitoring"
},
{
"field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
"in": [
"Succeeded",
"Provisioning succeeded"
]
}
]
},
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
],
"deployment": {
"location": "eastus",
"properties": {
"mode": "incremental",
"parameters": {
"resourceGroup": {
"value": "[resourceGroup().name]"
},
"location": {
"value": "[field('location')]"
},
"vmName": {
"value": "[field('name')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"resourceGroup": {
"type": "string"
},
"location": {
"type": "string"
},
"vmName": {
"type": "string"
}
},
"variables": {
"pairedLocations": {
"australiacentral": "australiacentral",
"australiaeast": "australiaeast",
"australiasoutheast": "australiasoutheast",
"centralindia": "centralindia",
"centralus": "centralus",
"eastasia": "eastasia",
"eastus2euap": "eastus2euap",
"eastus": "eastus",
"eastus2": "eastus2",
"germanywestcentral": "germanywestcentral",
"japaneast": "japaneast",
"northcentralus": "northcentralus",
"northeurope": "northeurope",
"southcentralus": "southcentralus",
"southeastasia": "southeastasia",
"uksouth": "uksouth",
"westcentralus": "westcentralus",
"westeurope": "westeurope",
"westus": "westus",
"westus2": "westus2"
},
"locationLongNameToShortMap": {
"australiacentral": "CAU",
"australiaeast": "EAU",
"australiasoutheast": "SEAU",
"centralindia": "CIN",
"centralus": "CUS",
"eastasia": "EA",
"eastus2euap": "eus2p",
"eastus": "EUS",
"eastus2": "EUS2",
"germanywestcentral": "DEWC",
"japaneast": "EJP",
"northcentralus": "NCUS",
"northeurope": "NEU",
"southcentralus": "SCUS",
"southeastasia": "SEA",
"uksouth": "SUK",
"westcentralus": "WCUS",
"westeurope": "WEU",
"westus": "WUS",
"westus2": "WUS2"
},
"locationCode": "[variables('locationLongNameToShortMap')[variables('pairedLocations')[parameters('location')]]]",
"subscriptionId": "[subscription().subscriptionId]",
"defaultRGName": "[concat('DefaultResourceGroup-', variables('locationCode'))]",
"defaultRGLocation": "[variables('pairedLocations')[parameters('location')]]",
"workspaceName": "[concat('defaultWorkspace-', variables('subscriptionId'),'-', variables('locationCode'))]",
"dcrName": "[concat('Microsoft-Security-', variables('locationCode'), '-dcr')]",
"dcrId": "[concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('defaultRGName'), '/providers/Microsoft.Insights/dataCollectionRules/', variables('dcrName'))]",
"dcraName": "[concat(parameters('vmName'),'/Microsoft.Insights/Security-RulesAssociation')]",
"deployAzureSecurityWindowsAgent": "[concat('deployAzureSecurityWindowsAgent-', uniqueString(deployment().name))]",
"deployDefaultAscResourceGroup": "[concat('deployDefaultAscResourceGroup-', uniqueString(deployment().name))]",
"deployDataCollectionRulesAssociation": "[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]"
},
"resources": [
{
"type": "Microsoft.Resources/deployments",
"name": "[variables('deployAzureSecurityWindowsAgent')]",
"apiVersion": "2020-06-01",
"resourceGroup": "[parameters('resourceGroup')]",
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"location": {
"value": "[parameters('location')]"
},
"vmName": {
"value": "[parameters('vmName')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string"
},
"vmName": {
"type": "string"
}
},
"variables": {
},
"resources": [
{
"type": "Microsoft.Compute/virtualMachines/extensions",
"name": "[concat(parameters('vmName'), '/', 'AzureSecurityWindowsAgent')]",
"apiVersion": "2019-03-01",
"location": "[parameters('location')]",
"properties": {
"publisher": "Microsoft.Azure.Security.Monitoring",
"type": "AzureSecurityWindowsAgent",
"typeHandlerVersion": "1.0",
"autoUpgradeMinorVersion": "true",
"settings": {
},
"protectedsettings": {
}
}
}
]
}
}
},
{
"type": "Microsoft.Resources/resourceGroups",
"name": "[variables('defaultRGName')]",
"apiVersion": "2019-05-01",
"location": "[variables('defaultRGLocation')]"
},
{
"type": "Microsoft.Resources/deployments",
"name": "[variables('deployDefaultAscResourceGroup')]",
"apiVersion": "2020-06-01",
"resourceGroup": "[variables('defaultRGName')]",
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"defaultRGLocation": {
"value": "[variables('defaultRGLocation')]"
},
"workspaceName": {
"value": "[variables('workspaceName')]"
},
"dcrName": {
"value": "[variables('dcrName')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"defaultRGLocation": {
"type": "string"
},
"workspaceName": {
"type": "string"
},
"dcrName": {
"type": "string"
}
},
"variables": {
"securitySolution": {
"Name": "[Concat('Security', '(', parameters('workspaceName'), ')')]",
"GalleryName": "Security"
},
"securityCenterFreeSolution": {
"Name": "[Concat('SecurityCenterFree', '(', parameters('workspaceName'), ')')]",
"GalleryName": "SecurityCenterFree"
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"name": "[parameters('workspaceName')]",
"apiVersion": "2015-11-01-preview",
"location": "[parameters('defaultRGLocation')]",
"properties": {
"sku": {
"name": "pernode"
},
"retentionInDays": 30,
"features": {
"searchVersion": 1
}
}
},
{
"type": "Microsoft.OperationsManagement/solutions",
"name": "[variables('securitySolution').Name]",
"apiVersion": "2015-11-01-preview",
"location": "[parameters('defaultRGLocation')]",
"dependsOn": [
"[parameters('workspaceName')]"
],
"properties": {
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
},
"plan": {
"name": "[variables('securitySolution').Name]",
"publisher": "Microsoft",
"product": "[Concat('OMSGallery/', variables('securitySolution').GalleryName)]",
"promotionCode": ""
}
},
{
"type": "Microsoft.OperationsManagement/solutions",
"name": "[variables('securityCenterFreeSolution').Name]",
"apiVersion": "2015-11-01-preview",
"location": "[parameters('defaultRGLocation')]",
"dependsOn": [
"[parameters('workspaceName')]"
],
"properties": {
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
},
"plan": {
"name": "[variables('securityCenterFreeSolution').Name]",
"publisher": "Microsoft",
"product": "[Concat('OMSGallery/', variables('securityCenterFreeSolution').GalleryName)]",
"promotionCode": ""
}
},
{
"type": "Microsoft.Insights/dataCollectionRules",
"name": "[parameters('dcrName')]",
"apiVersion": "2019-11-01-preview",
"location": "[parameters('defaultRGLocation')]",
"dependsOn": [
"[parameters('workspaceName')]"
],
"properties": {
"description": "Data collection rule for Azure Security Center. Deleting this rule will break the detection of security vulnerabilities.",
"dataSources": {
"windowsEventLogs": [
{
"name": "RomeDetectionEventDataSource",
"streams": [
"Microsoft-RomeDetectionEvent"
],
"scheduledTransferPeriod": "PT5M",
"xPathQueries": [
"Security!*",
"Microsoft-Windows-AppLocker/EXE and DLL!*"
]
}
],
"syslog": [
{
"name": "SyslogDataSource",
"streams": [
"Microsoft-Syslog"
],
"facilityNames": [
"kern",
"auth",
"authpriv",
"cron",
"user",
"daemon",
"syslog",
"local0"
],
"logLevels": [
"Debug",
"Critical",
"Emergency"
]
}
],
"extensions": [
{
"extensionName": "AzureSecurityLinuxAgent",
"name": "AscLinuxDataSource",
"streams": [
"Microsoft-OperationLog",
"Microsoft-SecurityBaseline",
"Microsoft-SecurityBaselineSummary",
"Microsoft-ProcessInvestigator",
"Microsoft-Auditd",
"Microsoft-ProtectionStatus",
"Microsoft-Heartbeat"
],
"extensionSettings": {
"scanners": [
{
"name": "heartbeat",
"frequency": "PT1H"
},
{
"name": "time",
"frequency": "PT8H"
},
{
"name": "antimalware",
"frequency": "PT8H"
},
{
"name": "codeintegrity",
"frequency": "P1D"
},
{
"name": "processinvestigator",
"frequency": "PT1H"
},
{
"name": "baseline",
"frequency": "P1D",
"options": [
{
"name": "Baseline",
"value": "Azure.Ubuntu"
},
{
"name": "AscBaseline",
"value": "OMS.Linux"
}
]
},
{
"name": "docker",
"frequency": "P1D",
"options": [
{
"name": "Baseline",
"value": "Azure.Docker.Linux"
},
{
"name": "AscBaseline",
"value": "OMS.Docker.Linux"
}
]
}
]
}
},
{
"extensionName": "AzureSecurityWindowsAgent",
"name": "AsaWindowsDataSource",
"streams": [
"Microsoft-OperationLog",
"Microsoft-SecurityBaseline",
"Microsoft-ProcessInvestigator",
"Microsoft-ProtectionStatus",
"Microsoft-SecurityBaselineSummary"
],
"extensionSettings": {
"scanners": [
{
"name": "heartbeat",
"frequency": "PT1H"
},
{
"name": "baseline",
"frequency": "P1D"
},
{
"name": "antimalware",
"frequency": "P1D"
},
{
"name": "processinvestigator",
"frequency": "PT1H"
}
]
}
}
]
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]",
"name": "LogAnalyticsDest"
}
]
},
"dataFlows": [
{
"streams": [
"Microsoft-Syslog",
"Microsoft-OperationLog",
"Microsoft-SecurityBaseline",
"Microsoft-SecurityBaselineSummary",
"Microsoft-RomeDetectionEvent",
"Microsoft-ProcessInvestigator",
"Microsoft-Auditd",
"Microsoft-ProtectionStatus",
"Microsoft-Heartbeat"
],
"destinations": [
"LogAnalyticsDest"
]
}
]
}
}
]
}
},
"dependsOn": [
"[resourceId('Microsoft.Resources/resourceGroups', variables('defaultRGName'))]"
]
},
{
"type": "Microsoft.Resources/deployments",
"name": "[variables('deployDataCollectionRulesAssociation')]",
"apiVersion": "2020-06-01",
"resourceGroup": "[parameters('resourceGroup')]",
"dependsOn": [
"[variables('deployDefaultAscResourceGroup')]"
],
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"location": {
"value": "[parameters('location')]"
},
"vmName": {
"value": "[parameters('vmName')]"
},
"dcrId": {
"value": "[variables('dcrId')]"
},
"dcraName": {
"value": "[variables('dcraName')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string"
},
"vmName": {
"type": "string"
},
"dcrId": {
"type": "string"
},
"dcraName": {
"type": "string"
}
},
"variables": {
},
"resources": [
{
"type": "Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations",
"name": "[parameters('dcraName')]",
"apiVersion": "2019-11-01-preview",
"properties": {
"description": "Association of data collection rule for Azure Security Center. Deleting this association will break the detection of security vulnerabilities for this virtual machine.",
"dataCollectionRuleId": "[parameters('dcrId')]"
}
}
]
}
}
}
]
}
}
}
}
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/1537496a-b1e8-482b-a06a-1cc2415cdc7b",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "1537496a-b1e8-482b-a06a-1cc2415cdc7b"
}
|