last sync: 2021-May-05 13:56:08 UTC

Azure Policy definition

[Preview]: Deploy - Configure Windows machines to automatically install the Azure Security agent

Name [Preview]: Deploy - Configure Windows machines to automatically install the Azure Security agent
Azure Portal
Id 1537496a-b1e8-482b-a06a-1cc2415cdc7b
Version 1.0.0-preview
details on versioning
Category Security Center
Microsoft docs
Description Configure Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location.
Mode Indexed
Type BuiltIn
Preview True
Deprecated FALSE
Effect Fixed: deployIfNotExists
Used RBAC Role
Role Name Role Id
Contributor b24988ac-6180-42a0-ab88-20f7382dd24c
Log Analytics Contributor 92aaf0da-9dab-42b6-94a3-d43ce8d16293
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-01-22 09:14:53 add 1537496a-b1e8-482b-a06a-1cc2415cdc7b
Used in Initiatives
Initiative DisplayName Initiative Id Initiative Category State
[Preview]: Deploy - Configure prerequisites to enable Azure Monitor and Azure Security agents on virtual machines a15f3269-2e10-458c-87a4-d5989e678a73 Monitoring Preview
JSON
{
  "properties": {
  "displayName": "[Preview]: Deploy - Configure Windows machines to automatically install the Azure Security agent",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Configure Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location.",
    "metadata": {
      "category": "Security Center",
      "version": "1.0.0-preview",
      "preview": true
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "location",
            "in": [
              "australiacentral",
              "australiaeast",
              "australiasoutheast",
              "centralindia",
              "centralus",
              "eastasia",
              "eastus2euap",
              "eastus",
              "eastus2",
              "germanywestcentral",
              "japaneast",
              "northcentralus",
              "northeurope",
              "southcentralus",
              "southeastasia",
              "uksouth",
              "westcentralus",
              "westeurope",
              "westus",
              "westus2"
            ]
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "in": [
                      "2008-R2-SP1",
                      "2008-R2-SP1-smalldisk",
                      "2012-Datacenter",
                      "2012-Datacenter-smalldisk",
                      "2012-R2-Datacenter",
                      "2012-R2-Datacenter-smalldisk",
                      "2016-Datacenter",
                      "2016-Datacenter-Server-Core",
                      "2016-Datacenter-Server-Core-smalldisk",
                      "2016-Datacenter-smalldisk",
                      "2016-Datacenter-with-Containers",
                      "2016-Datacenter-with-RDSH",
                      "2019-Datacenter",
                      "2019-Datacenter-Core",
                      "2019-Datacenter-Core-smalldisk",
                      "2019-Datacenter-Core-with-Containers",
                      "2019-Datacenter-Core-with-Containers-smalldisk",
                      "2019-Datacenter-smalldisk",
                      "2019-Datacenter-with-Containers",
                      "2019-Datacenter-with-Containers-smalldisk",
                      "2019-Datacenter-zhcn"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerSemiAnnual"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "in": [
                      "Datacenter-Core-1709-smalldisk",
                      "Datacenter-Core-1709-with-Containers-smalldisk",
                      "Datacenter-Core-1803-with-Containers-smalldisk"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServerHPCPack"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "WindowsServerHPCPack"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftSQLServer"
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2016-BYOL"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2"
                      },
                      {
                        "field": "Microsoft.Compute/imageOffer",
                        "like": "*-WS2012R2-BYOL"
                      }
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftRServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "MLServer-WS2016"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftVisualStudio"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "VisualStudio",
                      "Windows"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftDynamicsAX"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Dynamics"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "equals": "Pre-Req-AX7-Onebox-U8"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-ads"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "windows-data-science-vm"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsDesktop"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "Windows-10"
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "deploymentScope": "subscription",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "AzureSecurityWindowsAgent"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/Publisher",
                "equals": "Microsoft.Azure.Security.Monitoring"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "in": [
                  "Succeeded",
                  "Provisioning succeeded"
                ]
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "location": "eastus",
            "properties": {
              "mode": "incremental",
              "parameters": {
                "resourceGroup": {
                "value": "[resourceGroup().name]"
                },
                "location": {
                "value": "[field('location')]"
                },
                "vmName": {
                "value": "[field('name')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceGroup": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "vmName": {
                    "type": "string"
                  }
                },
                "variables": {
                  "pairedLocations": {
                    "australiacentral": "australiacentral",
                    "australiaeast": "australiaeast",
                    "australiasoutheast": "australiasoutheast",
                    "centralindia": "centralindia",
                    "centralus": "centralus",
                    "eastasia": "eastasia",
                    "eastus2euap": "eastus2euap",
                    "eastus": "eastus",
                    "eastus2": "eastus2",
                    "germanywestcentral": "germanywestcentral",
                    "japaneast": "japaneast",
                    "northcentralus": "northcentralus",
                    "northeurope": "northeurope",
                    "southcentralus": "southcentralus",
                    "southeastasia": "southeastasia",
                    "uksouth": "uksouth",
                    "westcentralus": "westcentralus",
                    "westeurope": "westeurope",
                    "westus": "westus",
                    "westus2": "westus2"
                  },
                  "locationLongNameToShortMap": {
                    "australiacentral": "CAU",
                    "australiaeast": "EAU",
                    "australiasoutheast": "SEAU",
                    "centralindia": "CIN",
                    "centralus": "CUS",
                    "eastasia": "EA",
                    "eastus2euap": "eus2p",
                    "eastus": "EUS",
                    "eastus2": "EUS2",
                    "germanywestcentral": "DEWC",
                    "japaneast": "EJP",
                    "northcentralus": "NCUS",
                    "northeurope": "NEU",
                    "southcentralus": "SCUS",
                    "southeastasia": "SEA",
                    "uksouth": "SUK",
                    "westcentralus": "WCUS",
                    "westeurope": "WEU",
                    "westus": "WUS",
                    "westus2": "WUS2"
                  },
                "locationCode": "[variables('locationLongNameToShortMap')[variables('pairedLocations')[parameters('location')]]]",
                "subscriptionId": "[subscription().subscriptionId]",
                "defaultRGName": "[concat('DefaultResourceGroup-', variables('locationCode'))]",
                "defaultRGLocation": "[variables('pairedLocations')[parameters('location')]]",
                "workspaceName": "[concat('defaultWorkspace-', variables('subscriptionId'),'-', variables('locationCode'))]",
                "dcrName": "[concat('Microsoft-Security-', variables('locationCode'), '-dcr')]",
                "dcrId": "[concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('defaultRGName'), '/providers/Microsoft.Insights/dataCollectionRules/', variables('dcrName'))]",
                "dcraName": "[concat(parameters('vmName'),'/Microsoft.Insights/Security-RulesAssociation')]",
                "deployAzureSecurityWindowsAgent": "[concat('deployAzureSecurityWindowsAgent-', uniqueString(deployment().name))]",
                "deployDefaultAscResourceGroup": "[concat('deployDefaultAscResourceGroup-', uniqueString(deployment().name))]",
                "deployDataCollectionRulesAssociation": "[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                  "name": "[variables('deployAzureSecurityWindowsAgent')]",
                    "apiVersion": "2020-06-01",
                  "resourceGroup": "[parameters('resourceGroup')]",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "parameters": {
                        "location": {
                        "value": "[parameters('location')]"
                        },
                        "vmName": {
                        "value": "[parameters('vmName')]"
                        }
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "location": {
                            "type": "string"
                          },
                          "vmName": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          
                        },
                        "resources": [
                          {
                            "type": "Microsoft.Compute/virtualMachines/extensions",
                          "name": "[concat(parameters('vmName'), '/', 'AzureSecurityWindowsAgent')]",
                            "apiVersion": "2019-03-01",
                          "location": "[parameters('location')]",
                            "properties": {
                              "publisher": "Microsoft.Azure.Security.Monitoring",
                              "type": "AzureSecurityWindowsAgent",
                              "typeHandlerVersion": "1.0",
                              "autoUpgradeMinorVersion": "true",
                              "settings": {
                                
                              },
                              "protectedsettings": {
                                
                              }
                            }
                          }
                        ]
                      }
                    }
                  },
                  {
                    "type": "Microsoft.Resources/resourceGroups",
                  "name": "[variables('defaultRGName')]",
                    "apiVersion": "2019-05-01",
                  "location": "[variables('defaultRGLocation')]"
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                  "name": "[variables('deployDefaultAscResourceGroup')]",
                    "apiVersion": "2020-06-01",
                  "resourceGroup": "[variables('defaultRGName')]",
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "parameters": {
                        "defaultRGLocation": {
                        "value": "[variables('defaultRGLocation')]"
                        },
                        "workspaceName": {
                        "value": "[variables('workspaceName')]"
                        },
                        "dcrName": {
                        "value": "[variables('dcrName')]"
                        }
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "defaultRGLocation": {
                            "type": "string"
                          },
                          "workspaceName": {
                            "type": "string"
                          },
                          "dcrName": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          "securitySolution": {
                          "Name": "[Concat('Security', '(', parameters('workspaceName'), ')')]",
                            "GalleryName": "Security"
                          },
                          "securityCenterFreeSolution": {
                          "Name": "[Concat('SecurityCenterFree', '(', parameters('workspaceName'), ')')]",
                            "GalleryName": "SecurityCenterFree"
                          }
                        },
                        "resources": [
                          {
                            "type": "Microsoft.OperationalInsights/workspaces",
                          "name": "[parameters('workspaceName')]",
                            "apiVersion": "2015-11-01-preview",
                          "location": "[parameters('defaultRGLocation')]",
                            "properties": {
                              "sku": {
                                "name": "pernode"
                              },
                              "retentionInDays": 30,
                              "features": {
                                "searchVersion": 1
                              }
                            }
                          },
                          {
                            "type": "Microsoft.OperationsManagement/solutions",
                          "name": "[variables('securitySolution').Name]",
                            "apiVersion": "2015-11-01-preview",
                          "location": "[parameters('defaultRGLocation')]",
                            "dependsOn": [
                            "[parameters('workspaceName')]"
                            ],
                            "properties": {
                            "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
                            },
                            "plan": {
                            "name": "[variables('securitySolution').Name]",
                              "publisher": "Microsoft",
                            "product": "[Concat('OMSGallery/', variables('securitySolution').GalleryName)]",
                              "promotionCode": ""
                            }
                          },
                          {
                            "type": "Microsoft.OperationsManagement/solutions",
                          "name": "[variables('securityCenterFreeSolution').Name]",
                            "apiVersion": "2015-11-01-preview",
                          "location": "[parameters('defaultRGLocation')]",
                            "dependsOn": [
                            "[parameters('workspaceName')]"
                            ],
                            "properties": {
                            "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
                            },
                            "plan": {
                            "name": "[variables('securityCenterFreeSolution').Name]",
                              "publisher": "Microsoft",
                            "product": "[Concat('OMSGallery/', variables('securityCenterFreeSolution').GalleryName)]",
                              "promotionCode": ""
                            }
                          },
                          {
                            "type": "Microsoft.Insights/dataCollectionRules",
                          "name": "[parameters('dcrName')]",
                            "apiVersion": "2019-11-01-preview",
                          "location": "[parameters('defaultRGLocation')]",
                            "dependsOn": [
                            "[parameters('workspaceName')]"
                            ],
                            "properties": {
                              "description": "Data collection rule for Azure Security Center. Deleting this rule will break the detection of security vulnerabilities.",
                              "dataSources": {
                                "windowsEventLogs": [
                                  {
                                    "name": "RomeDetectionEventDataSource",
                                    "streams": [
                                      "Microsoft-RomeDetectionEvent"
                                    ],
                                    "scheduledTransferPeriod": "PT5M",
                                    "xPathQueries": [
                                      "Security!*",
                                      "Microsoft-Windows-AppLocker/EXE and DLL!*"
                                    ]
                                  }
                                ],
                                "syslog": [
                                  {
                                    "name": "SyslogDataSource",
                                    "streams": [
                                      "Microsoft-Syslog"
                                    ],
                                    "facilityNames": [
                                      "kern",
                                      "auth",
                                      "authpriv",
                                      "cron",
                                      "user",
                                      "daemon",
                                      "syslog",
                                      "local0"
                                    ],
                                    "logLevels": [
                                      "Debug",
                                      "Critical",
                                      "Emergency"
                                    ]
                                  }
                                ],
                                "extensions": [
                                  {
                                    "extensionName": "AzureSecurityLinuxAgent",
                                    "name": "AscLinuxDataSource",
                                    "streams": [
                                      "Microsoft-OperationLog",
                                      "Microsoft-SecurityBaseline",
                                      "Microsoft-SecurityBaselineSummary",
                                      "Microsoft-ProcessInvestigator",
                                      "Microsoft-Auditd",
                                      "Microsoft-ProtectionStatus",
                                      "Microsoft-Heartbeat"
                                    ],
                                    "extensionSettings": {
                                      "scanners": [
                                        {
                                          "name": "heartbeat",
                                          "frequency": "PT1H"
                                        },
                                        {
                                          "name": "time",
                                          "frequency": "PT8H"
                                        },
                                        {
                                          "name": "antimalware",
                                          "frequency": "PT8H"
                                        },
                                        {
                                          "name": "codeintegrity",
                                          "frequency": "P1D"
                                        },
                                        {
                                          "name": "processinvestigator",
                                          "frequency": "PT1H"
                                        },
                                        {
                                          "name": "baseline",
                                          "frequency": "P1D",
                                          "options": [
                                            {
                                              "name": "Baseline",
                                              "value": "Azure.Ubuntu"
                                            },
                                            {
                                              "name": "AscBaseline",
                                              "value": "OMS.Linux"
                                            }
                                          ]
                                        },
                                        {
                                          "name": "docker",
                                          "frequency": "P1D",
                                          "options": [
                                            {
                                              "name": "Baseline",
                                              "value": "Azure.Docker.Linux"
                                            },
                                            {
                                              "name": "AscBaseline",
                                              "value": "OMS.Docker.Linux"
                                            }
                                          ]
                                        }
                                      ]
                                    }
                                  },
                                  {
                                    "extensionName": "AzureSecurityWindowsAgent",
                                    "name": "AsaWindowsDataSource",
                                    "streams": [
                                      "Microsoft-OperationLog",
                                      "Microsoft-SecurityBaseline",
                                      "Microsoft-ProcessInvestigator",
                                      "Microsoft-ProtectionStatus",
                                      "Microsoft-SecurityBaselineSummary"
                                    ],
                                    "extensionSettings": {
                                      "scanners": [
                                        {
                                          "name": "heartbeat",
                                          "frequency": "PT1H"
                                        },
                                        {
                                          "name": "baseline",
                                          "frequency": "P1D"
                                        },
                                        {
                                          "name": "antimalware",
                                          "frequency": "P1D"
                                        },
                                        {
                                          "name": "processinvestigator",
                                          "frequency": "PT1H"
                                        }
                                      ]
                                    }
                                  }
                                ]
                              },
                              "destinations": {
                                "logAnalytics": [
                                  {
                                  "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]",
                                    "name": "LogAnalyticsDest"
                                  }
                                ]
                              },
                              "dataFlows": [
                                {
                                  "streams": [
                                    "Microsoft-Syslog",
                                    "Microsoft-OperationLog",
                                    "Microsoft-SecurityBaseline",
                                    "Microsoft-SecurityBaselineSummary",
                                    "Microsoft-RomeDetectionEvent",
                                    "Microsoft-ProcessInvestigator",
                                    "Microsoft-Auditd",
                                    "Microsoft-ProtectionStatus",
                                    "Microsoft-Heartbeat"
                                  ],
                                  "destinations": [
                                    "LogAnalyticsDest"
                                  ]
                                }
                              ]
                            }
                          }
                        ]
                      }
                    },
                    "dependsOn": [
                    "[resourceId('Microsoft.Resources/resourceGroups', variables('defaultRGName'))]"
                    ]
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                  "name": "[variables('deployDataCollectionRulesAssociation')]",
                    "apiVersion": "2020-06-01",
                  "resourceGroup": "[parameters('resourceGroup')]",
                    "dependsOn": [
                    "[variables('deployDefaultAscResourceGroup')]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "expressionEvaluationOptions": {
                        "scope": "inner"
                      },
                      "parameters": {
                        "location": {
                        "value": "[parameters('location')]"
                        },
                        "vmName": {
                        "value": "[parameters('vmName')]"
                        },
                        "dcrId": {
                        "value": "[variables('dcrId')]"
                        },
                        "dcraName": {
                        "value": "[variables('dcraName')]"
                        }
                      },
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "location": {
                            "type": "string"
                          },
                          "vmName": {
                            "type": "string"
                          },
                          "dcrId": {
                            "type": "string"
                          },
                          "dcraName": {
                            "type": "string"
                          }
                        },
                        "variables": {
                          
                        },
                        "resources": [
                          {
                            "type": "Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations",
                          "name": "[parameters('dcraName')]",
                            "apiVersion": "2019-11-01-preview",
                            "properties": {
                              "description": "Association of data collection rule for Azure Security Center. Deleting this association will break the detection of security vulnerabilities for this virtual machine.",
                            "dataCollectionRuleId": "[parameters('dcrId')]"
                            }
                          }
                        ]
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1537496a-b1e8-482b-a06a-1cc2415cdc7b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1537496a-b1e8-482b-a06a-1cc2415cdc7b"
}