last sync: 2021-May-17 14:22:45 UTC

Azure Policy definition

Deploy Workflow Automation for Azure Security Center regulatory compliance

Name Deploy Workflow Automation for Azure Security Center regulatory compliance
Azure Portal
Id 509122b9-ddd9-47ba-a5f1-d0dac20be63c
Version 3.0.0
details on versioning
Category Security Center
Microsoft docs
Description Enable automation of Azure Security Center regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.
Mode All
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Fixed: deployIfNotExists
Used RBAC Role
Role Name Role Id
Contributor b24988ac-6180-42a0-ab88-20f7382dd24c
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-02-17 14:28:42 change Major (2.0.0 > 3.0.0)
2021-02-03 15:09:01 add 509122b9-ddd9-47ba-a5f1-d0dac20be63c
Used in Initiatives none
JSON Changes

JSON
{
  "properties": {
    "displayName": "Deploy Workflow Automation for Azure Security Center regulatory compliance",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Enable automation of Azure Security Center regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.",
    "metadata": {
      "version": "3.0.0",
      "category": "Security Center",
      "preview ": true
    },
    "parameters": {
      "automationName": {
        "type": "String",
        "metadata": {
          "displayName": "Automation name",
          "description": "This is the automation name."
        }
      },
      "resourceGroupName": {
        "type": "String",
        "metadata": {
          "displayName": "Resource group name",
          "description": "The resource group name where the workflow automation is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription."
        }
      },
      "resourceGroupLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Resource group location",
          "description": "The location where the resource group and the workflow automation are created.",
          "strongType": "location"
        }
      },
      "regulatoryComplianceStandards": {
        "type": "Array",
        "metadata": {
          "displayName": "Compliance standards names",
          "description": "For all compliance standards, leave it empty. For specific compliance standards, enter a list of standards names separated by semicolons (';'). Compliance standards names are available through the regulatory compliance standards API (https://docs.microsoft.com/rest/api/securitycenter/regulatorycompliancestandards), or Azure Resource Graph Explorer, choose securityresources and microsoft.security/regulatorycompliancestandards."
        },
        "defaultValue": [
          
        ]
      },
      "regulatoryComplianceControlStates": {
        "type": "Array",
        "metadata": {
          "displayName": "Compliance control states",
          "description": "Determines compliance control states."
        },
        "allowedValues": [
          "Failed",
          "Passed",
          "Skipped",
          "Unsupported"
        ],
        "defaultValue": [
          "Failed",
          "Passed",
          "Skipped",
          "Unsupported"
        ]
      },
      "logicAppResourceId": {
        "type": "String",
        "metadata": {
          "displayName": "Logic App",
          "description": "The Logic App that is triggered.",
          "strongType": "Microsoft.Logic/workflows",
          "assignPermissions": true
        }
      },
      "logicAppTrigger": {
        "type": "String",
        "metadata": {
          "displayName": "Logic app trigger",
          "description": "The trigger connector of the logic app that is triggered. Possible values: 'Manual (Incoming HTTP request)', 'When an Azure Security Center regulatory compliance assessment is created or triggered'."
        },
        "allowedValues": [
          "Manual (Incoming HTTP request)",
          "When an Azure Security Center regulatory compliance assessment is created or triggered"
        ]
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Security/automations",
        "name": "[parameters('automationName')]",
          "existenceScope": "resourcegroup",
        "ResourceGroupName": "[parameters('resourceGroupName')]",
          "deploymentScope": "subscription",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Security/automations/isEnabled",
                "equals": true
              },
              {
                "anyOf": [
                  {
                    "allOf": [
                      {
                      "field": "Microsoft.Security/automations/sources[*].ruleSets",
                        "exists": false
                      },
                      {
                      "value": "[length(parameters('regulatoryComplianceStandards'))]",
                        "equals": 0
                      },
                      {
                      "value": "[length(parameters('regulatoryComplianceControlStates'))]",
                        "equals": 4
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                      "value": "[length(parameters('regulatoryComplianceStandards'))]",
                        "equals": 0
                      },
                      {
                      "value": "[length(parameters('regulatoryComplianceControlStates'))]",
                        "less": 4
                      },
                      {
                      "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].expectedValue",
                      "in": "[parameters('regulatoryComplianceControlStates')]"
                      },
                      {
                        "count": {
                        "value": "[parameters('regulatoryComplianceControlStates')]",
                          "name": "regulatoryComplianceControlState",
                          "where": {
                            "count": {
                            "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*]",
                              "where": {
                                "allOf": [
                                  {
                                  "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].propertyJPath",
                                    "equals": "properties.state"
                                  },
                                  {
                                  "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].expectedValue",
                                  "equals": "[current('regulatoryComplianceControlState')]"
                                  }
                                ]
                              }
                            },
                            "equals": 1
                          }
                        },
                      "equals": "[length(parameters('regulatoryComplianceControlStates'))]"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                      "value": "[length(parameters('regulatoryComplianceStandards'))]",
                        "notEquals": 0
                      },
                      {
                      "value": "[length(parameters('regulatoryComplianceControlStates'))]",
                        "equals": 4
                      },
                      {
                      "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].expectedValue",
                      "in": "[parameters('regulatoryComplianceStandards')]"
                      },
                      {
                        "count": {
                        "value": "[parameters('regulatoryComplianceStandards')]",
                          "name": "regulatoryComplianceStandard",
                          "where": {
                            "count": {
                            "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*]",
                              "where": {
                                "allOf": [
                                  {
                                  "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].propertyJPath",
                                    "equals": "id"
                                  },
                                  {
                                  "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].expectedValue",
                                  "equals": "[current('regulatoryComplianceStandard')]"
                                  }
                                ]
                              }
                            },
                            "equals": 1
                          }
                        },
                      "equals": "[length(parameters('regulatoryComplianceStandards'))]"
                      }
                    ]
                  },
                  {
                    "allOf": [
                      {
                      "value": "[length(parameters('regulatoryComplianceStandards'))]",
                        "notEquals": 0
                      },
                      {
                      "value": "[length(parameters('regulatoryComplianceControlStates'))]",
                        "notEquals": 4
                      },
                      {
                      "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*].expectedValue",
                      "in": "[union(parameters('regulatoryComplianceStandards'),parameters('regulatoryComplianceControlStates'))]"
                      },
                      {
                        "count": {
                        "field": "Microsoft.Security/automations/sources[*].ruleSets[*].rules[*]"
                        },
                      "equals": "[mul(2,mul(length(parameters('regulatoryComplianceStandards')),length(parameters('regulatoryComplianceControlStates'))))]"
                      }
                    ]
                  }
                ]
              }
            ]
          },
          "deployment": {
            "location": "westeurope",
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "automationName": {
                    "type": "string"
                  },
                  "resourceGroupName": {
                    "type": "string"
                  },
                  "resourceGroupLocation": {
                    "type": "string"
                  },
                  "regulatoryComplianceStandards": {
                    "type": "array"
                  },
                  "regulatoryComplianceControlStates": {
                    "type": "array"
                  },
                  "logicAppResourceId": {
                    "type": "string"
                  },
                  "logicAppTrigger": {
                    "type": "string"
                  },
                  "guidValue": {
                    "type": "string",
                  "defaultValue": "[newGuid()]"
                  }
                },
                "variables": {
                "scopeDescription": "scope for subscription {0}",
                "regulatoryComplianceStandardsLength": "[length(parameters('regulatoryComplianceStandards'))]",
                "regulatoryComplianceControlStatesLength": "[length(parameters('regulatoryComplianceControlStates'))]",
                "regulatoryComplianceStandardsLengthIfEmpty": "[if(equals(variables('regulatoryComplianceStandardsLength'), 0), 1, variables('regulatoryComplianceStandardsLength'))]",
                "regulatoryComplianceControlStatesLengthIfEmpty": "[if(equals(variables('regulatoryComplianceControlStatesLength'), 0), 1, variables('regulatoryComplianceControlStatesLength'))]",
                  "stateMap": {
                    "Failed": "failed",
                    "Passed": "passed",
                    "Skipped": "skipped",
                    "Unsupported": "unsupported"
                  },
                  "triggerMap": {
                    "Manual (Incoming HTTP request)": "manual",
                    "When an Azure Security Center regulatory compliance assessment is created or triggered": "When_a_Security_Center_Regulatory_Compliance_Assessment_is_created_or_triggered"
                  },
                "doesAllStatesSelected": "[if(equals(length(parameters('regulatoryComplianceControlStates')),length(variables('stateMap'))),bool('true'),bool('false'))]",
                "doesAllStandardsSelected": "[if(equals(variables('regulatoryComplianceStandardsLength'),0),bool('true'),bool('false'))]",
                  "allRegulatoryComplianceRuleSets": [
                    
                  ],
                  "customStandardsOrCustomStateRuleSets": {
                    "copy": [
                      {
                        "name": "customStandardsOrCustomStateRuleSetsArr",
                      "count": "[if(not(variables('doesAllStandardsSelected')),variables('regulatoryComplianceStandardsLength'),if(not(variables('doesAllStatesSelected')),variables('regulatoryComplianceControlStatesLength'),1))]",
                        "input": {
                          "rules": [
                            {
                            "propertyJPath": "[if(not(variables('doesAllStandardsSelected')),'id',if(not(variables('doesAllStatesSelected')),'properties.state',json('null')))]",
                              "propertyType": "string",
                            "expectedValue": "[if(not(variables('doesAllStandardsSelected')),parameters('regulatoryComplianceStandards')[copyIndex('customStandardsOrCustomStateRuleSetsArr')],if(not(variables('doesAllStatesSelected')),parameters('regulatoryComplianceControlStates')[copyIndex('customStandardsOrCustomStateRuleSetsArr')],json('null')))]",
                            "operator": "[if(not(variables('doesAllStandardsSelected')),'Contains',if(not(variables('doesAllStatesSelected')),'Equals',json('null')))]"
                            }
                          ]
                        }
                      }
                    ]
                  },
                  "customStandardsAndCustomStateRuleSets": {
                    "copy": [
                      {
                        "name": "customStandardsAndCustomStateRuleSetsArr",
                      "count": "[if(and(not(variables('doesAllStandardsSelected')),not(variables('doesAllStatesSelected'))),mul(variables('regulatoryComplianceStandardsLength'),variables('regulatoryComplianceControlStatesLength')),1)]",
                        "input": {
                          "rules": [
                            {
                              "propertyJPath": "id",
                              "propertyType": "string",
                            "expectedValue": "[if(not(variables('doesAllStandardsSelected')),parameters('regulatoryComplianceStandards')[mod(div(copyIndex('customStandardsAndCustomStateRuleSetsArr'), variables('regulatoryComplianceControlStatesLength')), variables('regulatoryComplianceStandardsLength'))],json('null'))]",
                              "operator": "Contains"
                            },
                            {
                              "propertyJPath": "properties.state",
                              "propertyType": "string",
                            "expectedValue": "[if(not(variables('doesAllStatesSelected')),parameters('regulatoryComplianceControlStates')[mod(copyIndex('customStandardsAndCustomStateRuleSetsArr'), variables('regulatoryComplianceControlStatesLength'))],json('null'))]",
                              "operator": "Equals"
                            }
                          ]
                        }
                      }
                    ]
                  },
                "sourceRuleSets": "[if(and(variables('doesAllStandardsSelected'),variables('doesAllStatesSelected')),variables('allRegulatoryComplianceRuleSets'),if(and(not(variables('doesAllStandardsSelected')),not(variables('doesAllStatesSelected'))),variables('customStandardsAndCustomStateRuleSets').customStandardsAndCustomStateRuleSetsArr,variables('customStandardsOrCustomStateRuleSets').customStandardsOrCustomStateRuleSetsArr))]"
                },
                "resources": [
                  {
                  "name": "[parameters('resourceGroupName')]",
                    "type": "Microsoft.Resources/resourceGroups",
                    "apiVersion": "2019-10-01",
                  "location": "[parameters('resourceGroupLocation')]",
                    "tags": {
                      
                    },
                    "properties": {
                      
                    }
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2019-10-01",
                  "name": "[concat('nestedAutomationDeployment', '_', parameters('guidValue'))]",
                  "resourceGroup": "[parameters('resourceGroupName')]",
                    "dependsOn": [
                    "[resourceId('Microsoft.Resources/resourceGroups/', parameters('resourceGroupName'))]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          
                        },
                        "variables": {
                          
                        },
                        "resources": [
                          {
                            "tags": {
                              
                            },
                            "apiVersion": "2019-01-01-preview",
                          "location": "[parameters('resourceGroupLocation')]",
                          "name": "[parameters('automationName')]",
                            "type": "Microsoft.Security/automations",
                            "dependsOn": [
                              
                            ],
                            "properties": {
                              "description": "Workflow Automation for Azure Security Center recommendations via policy",
                              "isEnabled": true,
                              "scopes": [
                                {
                                "description": "[replace(variables('scopeDescription'),'{0}', subscription().subscriptionId)]",
                                "scopePath": "[subscription().id]"
                                }
                              ],
                              "sources": [
                                {
                                  "eventSource": "RegulatoryComplianceAssessment",
                                "ruleSets": "[variables('sourceRuleSets')]"
                                }
                              ],
                              "actions": [
                                {
                                  "actionType": "LogicApp",
                                "logicAppResourceId": "[parameters('logicAppResourceId')]",
                                "uri": "[listCallbackUrl(concat(parameters('logicAppResourceId'), '/triggers/', variables('triggerMap')[parameters('logicAppTrigger')]),'2016-06-01').value]"
                                }
                              ]
                            }
                          }
                        ]
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "automationName": {
                "value": "[parameters('automationName')]"
                },
                "resourceGroupName": {
                "value": "[parameters('resourceGroupName')]"
                },
                "resourceGroupLocation": {
                "value": "[parameters('resourceGroupLocation')]"
                },
                "regulatoryComplianceStandards": {
                "value": "[parameters('regulatoryComplianceStandards')]"
                },
                "regulatoryComplianceControlStates": {
                "value": "[parameters('regulatoryComplianceControlStates')]"
                },
                "logicAppResourceId": {
                "value": "[parameters('logicAppResourceId')]"
                },
                "logicAppTrigger": {
                "value": "[parameters('logicAppTrigger')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/509122b9-ddd9-47ba-a5f1-d0dac20be63c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "509122b9-ddd9-47ba-a5f1-d0dac20be63c"
}