| JSON |
{
"properties": {
"displayName": "Deploy Workflow Automation for Azure Security Center regulatory compliance",
"policyType": "BuiltIn",
"mode": "All",
"description": "Enable automation of Azure Security Center regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.",
"metadata": {
"version": "3.0.0",
"category": "Security Center",
"preview ": true
},
"parameters": {
"automationName": {
"type": "String",
"metadata": {
"displayName": "Automation name",
"description": "This is the automation name."
}
},
"resourceGroupName": {
"type": "String",
"metadata": {
"displayName": "Resource group name",
"description": "The resource group name where the workflow automation is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription."
}
},
"resourceGroupLocation": {
"type": "String",
"metadata": {
"displayName": "Resource group location",
"description": "The location where the resource group and the workflow automation are created.",
"strongType": "location"
}
},
"regulatoryComplianceStandards": {
"type": "Array",
"metadata": {
"displayName": "Compliance standards names",
"description": "For all compliance standards, leave it empty. For specific compliance standards, enter a list of standards names separated by semicolons (';'). Compliance standards names are available through the regulatory compliance standards API (https://docs.microsoft.com/rest/api/securitycenter/regulatorycompliancestandards), or Azure Resource Graph Explorer, choose securityresources and microsoft.security/regulatorycompliancestandards."
},
"defaultValue": [
]
},
"regulatoryComplianceControlStates": {
"type": "Array",
"metadata": {
"displayName": "Compliance control states",
"description": "Determines compliance control states."
},
"allowedValues": [
"Failed",
"Passed",
"Skipped",
"Unsupported"
],
"defaultValue": [
"Failed",
"Passed",
"Skipped",
"Unsupported"
]
},
"logicAppResourceId": {
"type": "String",
"metadata": {
"displayName": "Logic App",
"description": "The Logic App that is triggered.",
"strongType": "Microsoft.Logic/workflows",
"assignPermissions": true
}
},
"logicAppTrigger": {
"type": "String",
"metadata": {
"displayName": "Logic app trigger",
"description": "The trigger connector of the logic app that is triggered. Possible values: 'Manual (Incoming HTTP request)', 'When an Azure Security Center regulatory compliance assessment is created or triggered'."
},
"allowedValues": [
"Manual (Incoming HTTP request)",
"When an Azure Security Center regulatory compliance assessment is created or triggered"
]
}
},
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Resources/subscriptions"
},
"then": {
"effect": "deployIfNotExists",
"details": {
"type": "Microsoft.Security/automations",
"name": "[parameters('automationName')]",
"existenceScope": "resourcegroup",
"ResourceGroupName": "[parameters('resourceGroupName')]",
"deploymentScope": "subscription",
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Security/automations/isEnabled",
"equals": true
},
{
"anyOf": [
{
"allOf": [
{
"field": "Microsoft.Security/automations/sources[*].ruleSets",
"exists": false
},
{
"value": "[length(parameters('regulatoryComplianceStandards'))]",
"equals": 0
},
{
"value": "[length(parameters('regulatoryComplianceControlStates'))]",
"equals": 4
}
]
},
{
"allOf": [
{
"value": "[length(parameters('regulatoryComplianceStandards'))]",
"equals": 0
},
{
"value": "[length(parameters('regulatoryComplianceControlStates'))]",
"less": 4
},
{
"field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].expectedValue",
"in": "[parameters('regulatoryComplianceControlStates')]"
},
{
"count": {
"value": "[parameters('regulatoryComplianceControlStates')]",
"name": "regulatoryComplianceControlState",
"where": {
"count": {
"field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*]",
"where": {
"allOf": [
{
"field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].propertyJPath",
"equals": "properties.state"
},
{
"field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].expectedValue",
"equals": "[current('regulatoryComplianceControlState')]"
}
]
}
},
"equals": 1
}
},
"equals": "[length(parameters('regulatoryComplianceControlStates'))]"
}
]
},
{
"allOf": [
{
"value": "[length(parameters('regulatoryComplianceStandards'))]",
"notEquals": 0
},
{
"value": "[length(parameters('regulatoryComplianceControlStates'))]",
"equals": 4
},
{
"field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].expectedValue",
"in": "[parameters('regulatoryComplianceStandards')]"
},
{
"count": {
"value": "[parameters('regulatoryComplianceStandards')]",
"name": "regulatoryComplianceStandard",
"where": {
"count": {
"field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*]",
"where": {
"allOf": [
{
"field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].propertyJPath",
"equals": "id"
},
{
"field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].expectedValue",
"equals": "[current('regulatoryComplianceStandard')]"
}
]
}
},
"equals": 1
}
},
"equals": "[length(parameters('regulatoryComplianceStandards'))]"
}
]
},
{
"allOf": [
{
"value": "[length(parameters('regulatoryComplianceStandards'))]",
"notEquals": 0
},
{
"value": "[length(parameters('regulatoryComplianceControlStates'))]",
"notEquals": 4
},
{
"field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].expectedValue",
"in": "[union(parameters('regulatoryComplianceStandards'),parameters('regulatoryComplianceControlStates'))]"
},
{
"count": {
"field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*]"
},
"equals": "[mul(2,mul(length(parameters('regulatoryComplianceStandards')),length(parameters('regulatoryComplianceControlStates'))))]"
}
]
}
]
}
]
},
"deployment": {
"location": "westeurope",
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"automationName": {
"type": "string"
},
"resourceGroupName": {
"type": "string"
},
"resourceGroupLocation": {
"type": "string"
},
"regulatoryComplianceStandards": {
"type": "array"
},
"regulatoryComplianceControlStates": {
"type": "array"
},
"logicAppResourceId": {
"type": "string"
},
"logicAppTrigger": {
"type": "string"
},
"guidValue": {
"type": "string",
"defaultValue": "[newGuid()]"
}
},
"variables": {
"scopeDescription": "scope for subscription {0}",
"regulatoryComplianceStandardsLength": "[length(parameters('regulatoryComplianceStandards'))]",
"regulatoryComplianceControlStatesLength": "[length(parameters('regulatoryComplianceControlStates'))]",
"regulatoryComplianceStandardsLengthIfEmpty": "[if(equals(variables('regulatoryComplianceStandardsLength'), 0), 1, variables('regulatoryComplianceStandardsLength'))]",
"regulatoryComplianceControlStatesLengthIfEmpty": "[if(equals(variables('regulatoryComplianceControlStatesLength'), 0), 1, variables('regulatoryComplianceControlStatesLength'))]",
"stateMap": {
"Failed": "failed",
"Passed": "passed",
"Skipped": "skipped",
"Unsupported": "unsupported"
},
"triggerMap": {
"Manual (Incoming HTTP request)": "manual",
"When an Azure Security Center regulatory compliance assessment is created or triggered": "When_a_Security_Center_Regulatory_Compliance_Assessment_is_created_or_triggered"
},
"doesAllStatesSelected": "[if(equals(length(parameters('regulatoryComplianceControlStates')),length(variables('stateMap'))),bool('true'),bool('false'))]",
"doesAllStandardsSelected": "[if(equals(variables('regulatoryComplianceStandardsLength'),0),bool('true'),bool('false'))]",
"allRegulatoryComplianceRuleSets": [
],
"customStandardsOrCustomStateRuleSets": {
"copy": [
{
"name": "customStandardsOrCustomStateRuleSetsArr",
"count": "[if(not(variables('doesAllStandardsSelected')),variables('regulatoryComplianceStandardsLength'),if(not(variables('doesAllStatesSelected')),variables('regulatoryComplianceControlStatesLength'),1))]",
"input": {
"rules": [
{
"propertyJPath": "[if(not(variables('doesAllStandardsSelected')),'id',if(not(variables('doesAllStatesSelected')),'properties.state',json('null')))]",
"propertyType": "string",
"expectedValue": "[if(not(variables('doesAllStandardsSelected')),parameters('regulatoryComplianceStandards')[copyIndex('customStandardsOrCustomStateRuleSetsArr')],if(not(variables('doesAllStatesSelected')),parameters('regulatoryComplianceControlStates')[copyIndex('customStandardsOrCustomStateRuleSetsArr')],json('null')))]",
"operator": "[if(not(variables('doesAllStandardsSelected')),'Contains',if(not(variables('doesAllStatesSelected')),'Equals',json('null')))]"
}
]
}
}
]
},
"customStandardsAndCustomStateRuleSets": {
"copy": [
{
"name": "customStandardsAndCustomStateRuleSetsArr",
"count": "[if(and(not(variables('doesAllStandardsSelected')),not(variables('doesAllStatesSelected'))),mul(variables('regulatoryComplianceStandardsLength'),variables('regulatoryComplianceControlStatesLength')),1)]",
"input": {
"rules": [
{
"propertyJPath": "id",
"propertyType": "string",
"expectedValue": "[if(not(variables('doesAllStandardsSelected')),parameters('regulatoryComplianceStandards')[mod(div(copyIndex('customStandardsAndCustomStateRuleSetsArr'), variables('regulatoryComplianceControlStatesLength')), variables('regulatoryComplianceStandardsLength'))],json('null'))]",
"operator": "Contains"
},
{
"propertyJPath": "properties.state",
"propertyType": "string",
"expectedValue": "[if(not(variables('doesAllStatesSelected')),parameters('regulatoryComplianceControlStates')[mod(copyIndex('customStandardsAndCustomStateRuleSetsArr'), variables('regulatoryComplianceControlStatesLength'))],json('null'))]",
"operator": "Equals"
}
]
}
}
]
},
"sourceRuleSets": "[if(and(variables('doesAllStandardsSelected'),variables('doesAllStatesSelected')),variables('allRegulatoryComplianceRuleSets'),if(and(not(variables('doesAllStandardsSelected')),not(variables('doesAllStatesSelected'))),variables('customStandardsAndCustomStateRuleSets').customStandardsAndCustomStateRuleSetsArr,variables('customStandardsOrCustomStateRuleSets').customStandardsOrCustomStateRuleSetsArr))]"
},
"resources": [
{
"name": "[parameters('resourceGroupName')]",
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2019-10-01",
"location": "[parameters('resourceGroupLocation')]",
"tags": {
},
"properties": {
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"name": "[concat('nestedAutomationDeployment', '_', parameters('guidValue'))]",
"resourceGroup": "[parameters('resourceGroupName')]",
"dependsOn": [
"[resourceId('Microsoft.Resources/resourceGroups/', parameters('resourceGroupName'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
},
"variables": {
},
"resources": [
{
"tags": {
},
"apiVersion": "2019-01-01-preview",
"location": "[parameters('resourceGroupLocation')]",
"name": "[parameters('automationName')]",
"type": "Microsoft.Security/automations",
"dependsOn": [
],
"properties": {
"description": "Workflow Automation for Azure Security Center recommendations via policy",
"isEnabled": true,
"scopes": [
{
"description": "[replace(variables('scopeDescription'),'{0}', subscription().subscriptionId)]",
"scopePath": "[subscription().id]"
}
],
"sources": [
{
"eventSource": "RegulatoryComplianceAssessment",
"ruleSets": "[variables('sourceRuleSets')]"
}
],
"actions": [
{
"actionType": "LogicApp",
"logicAppResourceId": "[parameters('logicAppResourceId')]",
"uri": "[listCallbackUrl(concat(parameters('logicAppResourceId'), '/triggers/', variables('triggerMap')[parameters('logicAppTrigger')]),'2016-06-01').value]"
}
]
}
}
]
}
}
}
]
},
"parameters": {
"automationName": {
"value": "[parameters('automationName')]"
},
"resourceGroupName": {
"value": "[parameters('resourceGroupName')]"
},
"resourceGroupLocation": {
"value": "[parameters('resourceGroupLocation')]"
},
"regulatoryComplianceStandards": {
"value": "[parameters('regulatoryComplianceStandards')]"
},
"regulatoryComplianceControlStates": {
"value": "[parameters('regulatoryComplianceControlStates')]"
},
"logicAppResourceId": {
"value": "[parameters('logicAppResourceId')]"
},
"logicAppTrigger": {
"value": "[parameters('logicAppTrigger')]"
}
}
}
}
}
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/509122b9-ddd9-47ba-a5f1-d0dac20be63c",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "509122b9-ddd9-47ba-a5f1-d0dac20be63c"
}
|