[Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent

Azure BuiltIn Policy definition

Rows: 1-1 / 1

Records:

Use the filters above each column to filter and limit table data. Advanced searches can be performed by using the following operators:
<, <=, >, >=, =, *, !, {, }, ||,&&, [empty], [nonempty], rgx:
Learn more

TableFilter v0.7.3

https://www.tablefilter.com/
©2015-2025 Max Guglielmi

Page of 1

Initiative DisplayName

Initiative Id

Initiative Category

State

Type

polSet in AzUSGov

[Deprecated]: Configure machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent

362ab02d-c362-417e-a525-45805d58e21d

Security Center

Deprecated

BuiltIn

unknown

Date/Time (UTC ymd) (i)

Change type

Change detail

2023-11-08 19:40:08

change

Patch, suffix remains equal (1.2.0-deprecated > 1.2.1-deprecated)

2023-10-31 19:02:40

change

Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (1.2.0-preview > 1.2.0-deprecated)

2022-08-09 17:24:03

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2022-06-07 16:30:19

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2022-02-11 18:30:22

add

3b1a8e0a-b2e1-48be-9365-28be2fbef550

{

displayName: "[Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent",
policyType: "BuiltIn",
mode: "Indexed",
description: "This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent.",
metadata: {3 items
- category: "Security Center",
- version: "1.2.1-deprecated",
- deprecated: true
},
parameters: {1 item
- effect: {4 items
  - type: "String",
  - metadata: {2 items
    - displayName: "Effect",
    - description: "Enable or disable the execution of the policy"
    },
  - allowedValues: [2 items
    - "DeployIfNotExists",
    - "Disabled"
    ],
  - defaultValue: "DeployIfNotExists"
  }
},
policyRule: {2 items
- if: {1 item
  - allOf: [2 items
    - {2 items
      - field: "type",
      - equals: "Microsoft.HybridCompute/machines"
      },
    - {2 items
      - field: "location",
      - in: [35 items
        "australiacentral",
        "australiaeast",
        "australiasoutheast",
        "brazilsouth",
        "canadacentral",
        "canadaeast",
        "centralindia",
        "centralus",
        "eastasia",
        "eastus2euap",
        "eastus",
        "eastus2",
        "francecentral",
        "germanywestcentral",
        "japaneast",
        "japanwest",
        "jioindiawest",
        "koreacentral",
        "koreasouth",
        "northcentralus",
        "northeurope",
        "norwayeast",
        "southafricanorth",
        "southcentralus",
        "southeastasia",
        "southindia",
        "switzerlandnorth",
        "uaenorth",
        "uksouth",
        "ukwest",
        "westcentralus",
        "westeurope",
        "westindia",
        "westus",
        "westus2"
        ]
      }
    ]
  },
- then: {2 items
  - effect: "[parameters('effect')]",
  - details: {6 items
    - type: "Microsoft.Insights/dataCollectionRules",
    - deploymentScope: "subscription",
    - roleDefinitionIds: [1 item
      - "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" Contributor
      ],
    - existenceScope: "subscription",
    - existenceCondition: {1 item
      - allOf: [2 items
        {2 items
        field: "location",
        equals: "[field('location')]"
        },
        {2 items
        field: "name",
        equals: 🔍"[ concat( 'Microsoft-Security-', field('location'), '-dcr' ) ]"
        }
        ]
      },
    - deployment: {2 items
      - location: "eastus",
      - properties: {3 items
        mode: "incremental",
        parameters: {3 items
        resourceGroup: {1 item
        value: "[resourceGroup().name]"
        },
        location: {1 item
        value: "[field('location')]"
        },
        vmName: {1 item
        value: "[field('name')]"
        }
        },
        template: {5 items
        $schema: "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        contentVersion: "1.0.0.0",
        parameters: {3 items
        resourceGroup: {1 item
        type: "string"
        },
        location: {1 item
        type: "string"
        },
        vmName: {1 item
        type: "string"
        }
        },
        variables: {11 items
        locationLongNameToShortMap: {37 items
        australiacentral: "CAU",
        australiaeast: "EAU",
        australiasoutheast: "SEAU",
        brazilsouth: "CQ",
        canadacentral: "CCA",
        canadaeast: "CCA",
        centralindia: "CIN",
        centralus: "CUS",
        eastasia: "EA",
        eastus2euap: "eus2p",
        eastus: "EUS",
        eastus2: "EUS2",
        francecentral: "PAR",
        germanywestcentral: "DEWC",
        japaneast: "EJP",
        japanwest: "EJP",
        jioindiawest: "CIN",
        koreacentral: "SE",
        koreasouth: "SE",
        northcentralus: "NCUS",
        northeurope: "NEU",
        norwayeast: "NOE",
        southafricanorth: "JNB",
        southcentralus: "SCUS",
        southeastasia: "SEA",
        southindia: "CIN",
        swedencentral: "SEC",
        switzerlandnorth: "CHN",
        switzerlandwest: "CHW",
        uaenorth: "DXB",
        uksouth: "SUK",
        ukwest: "WUK",
        westcentralus: "WCUS",
        westeurope: "WEU",
        westindia: "CIN",
        westus: "WUS",
        westus2: "WUS2"
        },
        locationCode: "[variables('locationLongNameToShortMap')[parameters('location')]]",
        subscriptionId: "[subscription().subscriptionId]",
        defaultRGName: 🔍"[ concat( 'DefaultResourceGroup-', variables( 'locationCode' ) ) ]",
        defaultRGLocation: "[parameters('location')]",
        workspaceName: 🔍"[ concat( 'defaultWorkspace-', variables( 'subscriptionId' ), '-', variables( 'locationCode' ) ) ]",
        dcrName: 🔍"[ concat( 'Microsoft-Security-', parameters('location'), '-dcr' ) ]",
        dcrId: 🔍"[ concat( '/subscriptions/', variables( 'subscriptionId' ), '/resourceGroups/', variables( 'defaultRGName' ), '/providers/Microsoft.Insights/dataCollectionRules/', variables( 'dcrName' ) ) ]",
        dcraName: 🔍"[ concat( parameters('vmName'), '/Microsoft.Insights/Security-RulesAssociation' ) ]",
        deployDefaultAscResourceGroup: 🔍"[ concat( 'deployDefaultAscResourceGroup-', uniqueString( deployment().name ) ) ]",
        deployDataCollectionRulesAssociation: 🔍"[ concat( 'deployDataCollectionRulesAssociation-', uniqueString( deployment().name ) ) ]"
        },
        resources: [3 items
        {4 items
        type: "Microsoft.Resources/resourceGroups",
        name: "[variables('defaultRGName')]",
        apiVersion: "2019-05-01",
        location: "[variables('defaultRGLocation')]"
        },
        {6 items
        type: "Microsoft.Resources/deployments",
        name: "[variables('deployDefaultAscResourceGroup')]",
        apiVersion: "2020-06-01",
        resourceGroup: "[variables('defaultRGName')]",
        properties: {4 items
        mode: "Incremental",
        expressionEvaluationOptions: {1 item
        scope: "inner"
        },
        parameters: {3 items
        defaultRGLocation: {1 item
        value: "[variables('defaultRGLocation')]"
        },
        workspaceName: {1 item
        value: "[variables('workspaceName')]"
        },
        dcrName: {1 item
        value: "[variables('dcrName')]"
        }
        },
        template: {5 items
        $schema: "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        contentVersion: "1.0.0.0",
        parameters: {3 items
        defaultRGLocation: {1 item
        type: "string"
        },
        workspaceName: {1 item
        type: "string"
        },
        dcrName: {1 item
        type: "string"
        }
        },
        variables: {1 item
        securityCenterFreeSolution: {2 items
        Name: 🔍"[ Concat( 'SecurityCenterFree', '( ', parameters('workspaceName'), ' )' ) ]",
        GalleryName: "SecurityCenterFree"
        }
        },
        resources: [3 items
        {5 items
        type: "Microsoft.OperationalInsights/workspaces",
        name: "[parameters('workspaceName')]",
        apiVersion: "2021-06-01",
        location: "[parameters('defaultRGLocation')]",
        properties: {3 items
        sku: {1 item
        name: "pernode"
        },
        retentionInDays: 30,
        features: {1 item
        searchVersion: 1
        }
        }
        },
        {7 items
        type: "Microsoft.OperationsManagement/solutions",
        name: "[variables('securityCenterFreeSolution').Name]",
        apiVersion: "2015-11-01-preview",
        location: "[parameters('defaultRGLocation')]",
        dependsOn: [1 item
        "[parameters('workspaceName')]"
        ],
        properties: {1 item
        workspaceResourceId: 🔍"[ resourceId( 'Microsoft.OperationalInsights/workspaces/', parameters('workspaceName') ) ]"
        },
        plan: {4 items
        name: "[variables('securityCenterFreeSolution').Name]",
        publisher: "Microsoft",
        product: 🔍"[ Concat( 'OMSGallery/', variables( 'securityCenterFreeSolution' ).GalleryName ) ]",
        promotionCode: ""
        }
        },
        {6 items
        type: "Microsoft.Insights/dataCollectionRules",
        name: "[parameters('dcrName')]",
        apiVersion: "2021-04-01",
        location: "[parameters('defaultRGLocation')]",
        dependsOn: [1 item
        "[parameters('workspaceName')]"
        ],
        properties: {4 items
        description: "Data collection rule for Microsoft Defender for Cloud. Deleting this rule will break the detection of security vulnerabilities.",
        dataSources: {1 item
        extensions: [2 items
        {4 items
        extensionName: "AzureSecurityLinuxAgent",
        name: "AscLinuxDataSource",
        streams: [2 items
        "Microsoft-OperationLog",
        "Microsoft-ProtectionStatus"
        ],
        extensionSettings: {1 item
        scanners: [7 items
        {2 items
        name: "heartbeat",
        frequency: "PT1H"
        },
        {2 items
        name: "time",
        frequency: "PT8H"
        },
        {2 items
        name: "antimalware",
        frequency: "PT8H"
        },
        {2 items
        name: "codeintegrity",
        frequency: "P1D"
        },
        {2 items
        name: "processinvestigator",
        frequency: "PT1H"
        },
        {2 items
        name: "baseline",
        frequency: "P1D"
        },
        {2 items
        name: "docker",
        frequency: "P1D"
        }
        ]
        }
        },
        {4 items
        extensionName: "AzureSecurityWindowsAgent",
        name: "AsaWindowsDataSource",
        streams: [2 items
        "Microsoft-OperationLog",
        "Microsoft-ProtectionStatus"
        ],
        extensionSettings: {1 item
        scanners: [4 items
        {2 items
        name: "heartbeat",
        frequency: "PT1H"
        },
        {2 items
        name: "baseline",
        frequency: "P1D"
        },
        {2 items
        name: "antimalware",
        frequency: "P1D"
        },
        {2 items
        name: "processinvestigator",
        frequency: "PT1H"
        }
        ]
        }
        }
        ]
        },
        destinations: {1 item
        logAnalytics: [1 item
        {2 items
        workspaceResourceId: 🔍"[ resourceId( 'Microsoft.OperationalInsights/workspaces/', parameters('workspaceName') ) ]",
        name: "LogAnalyticsDest"
        }
        ]
        },
        dataFlows: [1 item
        {2 items
        streams: [2 items
        "Microsoft-OperationLog",
        "Microsoft-ProtectionStatus"
        ],
        destinations: [1 item
        "LogAnalyticsDest"
        ]
        }
        ]
        }
        }
        ]
        }
        },
        dependsOn: [1 item
        🔍"[ resourceId( 'Microsoft.Resources/resourceGroups', variables( 'defaultRGName' ) ) ]"
        ]
        },
        {6 items
        type: "Microsoft.Resources/deployments",
        name: "[variables('deployDataCollectionRulesAssociation')]",
        apiVersion: "2020-06-01",
        resourceGroup: "[parameters('resourceGroup')]",
        dependsOn: [1 item
        "[variables('deployDefaultAscResourceGroup')]"
        ],
        properties: {4 items
        mode: "Incremental",
        expressionEvaluationOptions: {1 item
        scope: "inner"
        },
        parameters: {4 items
        location: {1 item
        value: "[parameters('location')]"
        },
        vmName: {1 item
        value: "[parameters('vmName')]"
        },
        dcrId: {1 item
        value: "[variables('dcrId')]"
        },
        dcraName: {1 item
        value: "[variables('dcraName')]"
        }
        },
        template: {5 items
        $schema: "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        contentVersion: "1.0.0.0",
        parameters: {4 items
        location: {1 item
        type: "string"
        },
        vmName: {1 item
        type: "string"
        },
        dcrId: {1 item
        type: "string"
        },
        dcraName: {1 item
        type: "string"
        }
        },
        variables: {},
        resources: [1 item
        {4 items
        type: "Microsoft.HybridCompute/machines/providers/dataCollectionRuleAssociations",
        name: "[parameters('dcraName')]",
        apiVersion: "2021-04-01",
        properties: {2 items
        description: "Association of data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this virtual machine.",
        dataCollectionRuleId: "[parameters('dcrId')]"
        }
        }
        ]
        }
        }
        }
        ]
        }
        }
      }
    }
  }
}

}