last sync: 2021-Nov-26 17:15:01 UTC

Azure Policy definition

[Preview]: Configure machines to automatically create the Azure Security Center pipeline for Azure Monitor Agent

Name [Preview]: Configure machines to automatically create the Azure Security Center pipeline for Azure Monitor Agent
Azure Portal
Id 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28
Version 4.0.0-preview
details on versioning
Category Security Center
Microsoft docs
Description Configure machines to automatically create the Azure Security Center pipeline for Azure Monitor Agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location.
Mode Indexed
Type BuiltIn
Preview True
Deprecated FALSE
Effect Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Used RBAC Role
Role Name Role Id
Contributor b24988ac-6180-42a0-ab88-20f7382dd24c
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-11-12 16:23:07 change Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)
2021-09-27 15:52:17 change Major, suffix remains equal (1.1.0-preview > 3.0.0-preview)
2021-09-13 16:35:32 change Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)
2021-06-22 14:29:30 add 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28
Used in Initiatives
Initiative DisplayName Initiative Id Initiative Category State
[Preview]: Configure machines to automatically install the Azure Monitor and Azure Security agents on virtual machines a15f3269-2e10-458c-87a4-d5989e678a73 Monitoring Preview
JSON Changes

JSON
{
  "displayName": "[Preview]: Configure machines to automatically create the Azure Security Center pipeline for Azure Monitor Agent",
  "policyType": "BuiltIn",
  "mode": "Indexed",
  "description": "Configure machines to automatically create the Azure Security Center pipeline for Azure Monitor Agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location.",
  "metadata": {
    "category": "Security Center",
    "version": "4.0.0-preview",
    "preview": true
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [
        "DeployIfNotExists",
        "Disabled"
      ],
      "defaultValue": "DeployIfNotExists"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines"
        },
        {
          "field": "location",
          "in": [
            "australiacentral",
            "australiaeast",
            "australiasoutheast",
            "canadacentral",
            "centralindia",
            "centralus",
            "eastasia",
            "eastus2euap",
            "eastus",
            "eastus2",
            "francecentral",
            "germanywestcentral",
            "japaneast",
            "koreacentral",
            "northcentralus",
            "northeurope",
            "southafricanorth",
            "southcentralus",
            "southeastasia",
            "switzerlandnorth",
            "uksouth",
            "ukwest",
            "westcentralus",
            "westeurope",
            "westus",
            "westus2"
          ]
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.Insights/dataCollectionRules",
        "deploymentScope": "subscription",
        "roleDefinitionIds": [
          "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "existenceScope": "subscription",
        "existenceCondition": {
          "allOf": [
            {
              "field": "location",
              "equals": "[field('location')]"
            },
            {
              "field": "name",
              "equals": "[concat('Microsoft-Security-', field('location'), '-dcr')]"
            }
          ]
        },
        "deployment": {
          "location": "eastus",
          "properties": {
            "mode": "incremental",
            "parameters": {
              "resourceGroup": {
                "value": "[resourceGroup().name]"
              },
              "location": {
                "value": "[field('location')]"
              },
              "vmName": {
                "value": "[field('name')]"
              }
            },
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "resourceGroup": {
                  "type": "string"
                },
                "location": {
                  "type": "string"
                },
                "vmName": {
                  "type": "string"
                }
              },
              "variables": {
                "locationLongNameToShortMap": {
                  "australiacentral": "CAU",
                  "australiaeast": "EAU",
                  "australiasoutheast": "SEAU",
                  "brazilsouth": "CQ",
                  "canadacentral": "CCA",
                  "centralindia": "CIN",
                  "centralus": "CUS",
                  "eastasia": "EA",
                  "eastus2euap": "eus2p",
                  "eastus": "EUS",
                  "eastus2": "EUS2",
                  "francecentral": "PAR",
                  "germanywestcentral": "DEWC",
                  "japaneast": "EJP",
                  "koreacentral": "SE",
                  "northcentralus": "NCUS",
                  "northeurope": "NEU",
                  "norwayeast": "NOE",
                  "southcentralus": "SCUS",
                  "southeastasia": "SEA",
                  "switzerlandnorth": "CHN",
                  "switzerlandwest": "CHW",
                  "southafricanorth": "JNB",
                  "swedencentral": "SEC",
                  "uaenorth": "DXB",
                  "uksouth": "SUK",
                  "ukwest": "WUK",
                  "westcentralus": "WCUS",
                  "westeurope": "WEU",
                  "westus": "WUS",
                  "westus2": "WUS2"
                },
                "locationCode": "[variables('locationLongNameToShortMap')[parameters('location')]]",
                "subscriptionId": "[subscription().subscriptionId]",
                "defaultRGName": "[concat('DefaultResourceGroup-', variables('locationCode'))]",
                "defaultRGLocation": "[parameters('location')]",
                "workspaceName": "[concat('defaultWorkspace-', variables('subscriptionId'),'-', variables('locationCode'))]",
                "dcrName": "[concat('Microsoft-Security-', parameters('location'), '-dcr')]",
                "dcrId": "[concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('defaultRGName'), '/providers/Microsoft.Insights/dataCollectionRules/', variables('dcrName'))]",
                "dcraName": "[concat(parameters('vmName'),'/Microsoft.Insights/Security-RulesAssociation')]",
                "deployDefaultAscResourceGroup": "[concat('deployDefaultAscResourceGroup-', uniqueString(deployment().name))]",
                "deployDataCollectionRulesAssociation": "[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]"
              },
              "resources": [
                {
                  "type": "Microsoft.Resources/resourceGroups",
                  "name": "[variables('defaultRGName')]",
                  "apiVersion": "2019-05-01",
                  "location": "[variables('defaultRGLocation')]"
                },
                {
                  "type": "Microsoft.Resources/deployments",
                  "name": "[variables('deployDefaultAscResourceGroup')]",
                  "apiVersion": "2020-06-01",
                  "resourceGroup": "[variables('defaultRGName')]",
                  "properties": {
                    "mode": "Incremental",
                    "expressionEvaluationOptions": {
                      "scope": "inner"
                    },
                    "parameters": {
                      "defaultRGLocation": {
                        "value": "[variables('defaultRGLocation')]"
                      },
                      "workspaceName": {
                        "value": "[variables('workspaceName')]"
                      },
                      "dcrName": {
                        "value": "[variables('dcrName')]"
                      }
                    },
                    "template": {
                      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                      "contentVersion": "1.0.0.0",
                      "parameters": {
                        "defaultRGLocation": {
                          "type": "string"
                        },
                        "workspaceName": {
                          "type": "string"
                        },
                        "dcrName": {
                          "type": "string"
                        }
                      },
                      "variables": {
                        "securityCenterFreeSolution": {
                          "Name": "[Concat('SecurityCenterFree', '(', parameters('workspaceName'), ')')]",
                          "GalleryName": "SecurityCenterFree"
                        }
                      },
                      "resources": [
                        {
                          "type": "Microsoft.OperationalInsights/workspaces",
                          "name": "[parameters('workspaceName')]",
                          "apiVersion": "2015-11-01-preview",
                          "location": "[parameters('defaultRGLocation')]",
                          "properties": {
                            "sku": {
                              "name": "pernode"
                            },
                            "retentionInDays": 30,
                            "features": {
                              "searchVersion": 1
                            }
                          }
                        },
                        {
                          "type": "Microsoft.OperationsManagement/solutions",
                          "name": "[variables('securityCenterFreeSolution').Name]",
                          "apiVersion": "2015-11-01-preview",
                          "location": "[parameters('defaultRGLocation')]",
                          "dependsOn": [
                            "[parameters('workspaceName')]"
                          ],
                          "properties": {
                            "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
                          },
                          "plan": {
                            "name": "[variables('securityCenterFreeSolution').Name]",
                            "publisher": "Microsoft",
                            "product": "[Concat('OMSGallery/', variables('securityCenterFreeSolution').GalleryName)]",
                            "promotionCode": ""
                          }
                        },
                        {
                          "type": "Microsoft.Insights/dataCollectionRules",
                          "name": "[parameters('dcrName')]",
                          "apiVersion": "2019-11-01-preview",
                          "location": "[parameters('defaultRGLocation')]",
                          "dependsOn": [
                            "[parameters('workspaceName')]"
                          ],
                          "properties": {
                            "description": "Data collection rule for Azure Security Center. Deleting this rule will break the detection of security vulnerabilities.",
                            "dataSources": {
                              "extensions": [
                                {
                                  "extensionName": "AzureSecurityLinuxAgent",
                                  "name": "AscLinuxDataSource",
                                  "streams": [
                                    "Microsoft-OperationLog",
                                    "Microsoft-ProtectionStatus",
                                    "Microsoft-SecurityBaseline",
                                    "Microsoft-SecurityBaselineSummary"
                                  ],
                                  "extensionSettings": {
                                    "scanners": [
                                      {
                                        "name": "heartbeat",
                                        "frequency": "PT1H"
                                      },
                                      {
                                        "name": "time",
                                        "frequency": "PT8H"
                                      },
                                      {
                                        "name": "antimalware",
                                        "frequency": "PT8H"
                                      },
                                      {
                                        "name": "codeintegrity",
                                        "frequency": "P1D"
                                      },
                                      {
                                        "name": "processinvestigator",
                                        "frequency": "PT1H"
                                      },
                                      {
                                        "name": "baseline",
                                        "frequency": "P1D"
                                      },
                                      {
                                        "name": "docker",
                                        "frequency": "P1D"
                                      }
                                    ]
                                  }
                                },
                                {
                                  "extensionName": "AzureSecurityWindowsAgent",
                                  "name": "AsaWindowsDataSource",
                                  "streams": [
                                    "Microsoft-OperationLog",
                                    "Microsoft-ProtectionStatus",
                                    "Microsoft-SecurityBaseline",
                                    "Microsoft-SecurityBaselineSummary"
                                  ],
                                  "extensionSettings": {
                                    "scanners": [
                                      {
                                        "name": "heartbeat",
                                        "frequency": "PT1H"
                                      },
                                      {
                                        "name": "baseline",
                                        "frequency": "P1D"
                                      },
                                      {
                                        "name": "antimalware",
                                        "frequency": "P1D"
                                      },
                                      {
                                        "name": "processinvestigator",
                                        "frequency": "PT1H"
                                      }
                                    ]
                                  }
                                }
                              ]
                            },
                            "destinations": {
                              "logAnalytics": [
                                {
                                  "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]",
                                  "name": "LogAnalyticsDest"
                                }
                              ]
                            },
                            "dataFlows": [
                              {
                                "streams": [
                                  "Microsoft-OperationLog",
                                  "Microsoft-ProtectionStatus",
                                  "Microsoft-SecurityBaseline",
                                  "Microsoft-SecurityBaselineSummary"
                                ],
                                "destinations": [
                                  "LogAnalyticsDest"
                                ]
                              }
                            ]
                          }
                        }
                      ]
                    }
                  },
                  "dependsOn": [
                    "[resourceId('Microsoft.Resources/resourceGroups', variables('defaultRGName'))]"
                  ]
                },
                {
                  "type": "Microsoft.Resources/deployments",
                  "name": "[variables('deployDataCollectionRulesAssociation')]",
                  "apiVersion": "2020-06-01",
                  "resourceGroup": "[parameters('resourceGroup')]",
                  "dependsOn": [
                    "[variables('deployDefaultAscResourceGroup')]"
                  ],
                  "properties": {
                    "mode": "Incremental",
                    "expressionEvaluationOptions": {
                      "scope": "inner"
                    },
                    "parameters": {
                      "location": {
                        "value": "[parameters('location')]"
                      },
                      "vmName": {
                        "value": "[parameters('vmName')]"
                      },
                      "dcrId": {
                        "value": "[variables('dcrId')]"
                      },
                      "dcraName": {
                        "value": "[variables('dcraName')]"
                      }
                    },
                    "template": {
                      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                      "contentVersion": "1.0.0.0",
                      "parameters": {
                        "location": {
                          "type": "string"
                        },
                        "vmName": {
                          "type": "string"
                        },
                        "dcrId": {
                          "type": "string"
                        },
                        "dcraName": {
                          "type": "string"
                        }
                      },
                      "variables": {},
                      "resources": [
                        {
                          "type": "Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations",
                          "name": "[parameters('dcraName')]",
                          "apiVersion": "2019-11-01-preview",
                          "properties": {
                            "description": "Association of data collection rule for Azure Security Center. Deleting this association will break the detection of security vulnerabilities for this virtual machine.",
                            "dataCollectionRuleId": "[parameters('dcrId')]"
                          }
                        }
                      ]
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  }
}