
Azure Policy

Deploy export to Event Hub for Azure Security Center alerts and recommendations

Policy DisplayName Deploy export to Event Hub for Azure Security Center alerts and recommendations
Policy Id cdfcce10-4578-4ecd-9703-530938e4abcb
Policy Category Security Center
Policy Description Enable export to Event Hub of Azure Security Center alerts and/or recommendations. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.
Policy Mode All
Policy Type BuiltIn
Policy in Preview FALSE
Policy Deprecated FALSE
Policy Effect Fixed: deployIfNotExists
Roles used (granted to the policy assignment's managed identity at the assignment scope so the deployIfNotExists deployment / remediation task can create the resource group and the Microsoft.Security/automations resource; Contributor is broad, so review the assignment scope before remediating)
Role Name Role Id
Contributor b24988ac-6180-42a0-ab88-20f7382dd24c
Policy Changes
Date/Time (UTC, ymd) | Change | Change detail
2020-05-29 15:39:09 add: Policy cdfcce10-4578-4ecd-9703-530938e4abcb
Used in Policy Initiative(s) none
Policy Rule
{
  "properties": {
    "displayName": "Deploy export to Event Hub for Azure Security Center alerts and recommendations",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Enable export to Event Hub of Azure Security Center alerts and/or recommendations. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "resourceGroupName": {
        "type": "String",
        "metadata": {
          "displayName": "Resource group name",
          "description": "The resource group name where the export to Event Hub configuration is created. If you enter a name for a resource group that doesn't exist, it will be created in the subscription. Note that each resource group can only have one export to Event Hub configured: the automation resource is deployed under the fixed name 'exportToEventHub', and the policy's existence check looks for that name in this resource group."
        }
      },
      "resourceGroupLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Resource group location",
          "description": "The location where the resource group and the export to Event Hub configuration are created. (The subscription-scoped deployment record itself is written to 'westeurope', which is fixed in the policy rule and not controlled by this parameter.)",
          "strongType": "location"
        }
      },
      "exportedDataTypes": {
        "type": "Array",
        "metadata": {
          "displayName": "Exported data types",
          "description": "The data types to be exported. Example: Security recommendations;Security alerts;"
        },
        "allowedValues": [
          "Security recommendations",
          "Security alerts"
        ],
        "defaultValue": [
          "Security recommendations",
          "Security alerts"
        ]
      },
      "recommendationNames": {
        "type": "Array",
        "metadata": {
          "displayName": "Recommendation IDs",
          "description": "Applicable only for export of security recommendations. To export all recommendations, leave this empty. To export specific recommendations, enter a list of recommendation IDs separated by semicolons (';'). Recommendation IDs are available through the Assessments API (https://docs.microsoft.com/rest/api/securitycenter/assessments), or Azure Resource Graph Explorer (https://portal.azure.com/#blade/HubsExtension/ArgQueryBlade), choose securityresources and microsoft.security/assessments."
        },
        "defaultValue": [
          
        ]
      },
      "recommendationSeverities": {
        "type": "Array",
        "metadata": {
          "displayName": "Recommendation severities",
          "description": "Applicable only for export of security recommendations. Determines recommendation severities. Example: High;Medium;Low;"
        },
        "allowedValues": [
          "High",
          "Medium",
          "Low"
        ],
        "defaultValue": [
          "High",
          "Medium",
          "Low"
        ]
      },
      "alertSeverities": {
        "type": "Array",
        "metadata": {
          "displayName": "Alert severities",
          "description": "Applicable only for export of security alerts. Determines alert severities. Example: High;Medium;Low;"
        },
        "allowedValues": [
          "High",
          "Medium",
          "Low"
        ],
        "defaultValue": [
          "High",
          "Medium",
          "Low"
        ]
      },
      "eventHubDetails": {
        "type": "String",
        "metadata": {
          "displayName": "Event Hub details",
          "description": "The Event Hub details of where the data should be exported to: Subscription, Event Hub Namespace, Event Hub, and an Authorization rule with the 'Send' claim. The deployment reads this rule's primary connection string with listKeys and stores it in the automation's EventHub action, so prefer a rule scoped to the target event hub with only the 'Send' claim rather than a namespace-level rule carrying Manage or Listen rights. If you do not already have an event hub, visit Event Hubs to create one (https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.EventHub%2Fnamespaces).",
          "strongType": "Microsoft.EventHub/namespaces/eventhubs/authorizationrules",
          "assignPermissions": true
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Security/automations",
          "name": "exportToEventHub",
          "existenceScope": "resourcegroup",
        "ResourceGroupName": "[parameters('resourceGroupName')]",
          "deploymentScope": "subscription",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "location": "westeurope",
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceGroupName": {
                    "type": "string"
                  },
                  "resourceGroupLocation": {
                    "type": "string"
                  },
                  "exportedDataTypes": {
                    "type": "array"
                  },
                  "recommendationNames": {
                    "type": "array"
                  },
                  "recommendationSeverities": {
                    "type": "array"
                  },
                  "alertSeverities": {
                    "type": "array"
                  },
                  "eventHubDetails": {
                    "type": "string"
                  },
                  "guidValue": {
                    "type": "string",
                  "defaultValue": "[newGuid()]"
                  }
                },
                "variables": {
                "scopeDescription": "scope for subscription {0}",
                "recommendationNamesLength": "[length(parameters('recommendationNames'))]",
                "recommendationSeveritiesLength": "[length(parameters('recommendationSeverities'))]",
                "alertSeveritiesLength": "[length(parameters('alertSeverities'))]",
                "recommendationNamesLengthIfEmpty": "[if(equals(variables('recommendationNamesLength'), 0), 1, variables('recommendationNamesLength'))]",
                "recommendationSeveritiesLengthIfEmpty": "[if(equals(variables('recommendationSeveritiesLength'), 0), 1, variables('recommendationSeveritiesLength'))]",
                "alertSeveritiesLengthIfEmpty": "[if(equals(variables('alertSeveritiesLength'), 0), 1, variables('alertSeveritiesLength'))]",
                "totalRuleCombinationsForOneRecommendationName": "[variables('recommendationSeveritiesLengthIfEmpty')]",
                  "totalRuleCombinationsForOneRecommendationSeverity": 1,
                "exportedDataTypesLength": "[length(parameters('exportedDataTypes'))]",
                "exportedDataTypesLengthIfEmpty": "[if(equals(variables('exportedDataTypesLength'), 0), 1, variables('exportedDataTypesLength'))]",
                "SeperatedEventHubDetails": "[split(parameters('eventHubDetails'),'/')]",
                  "dataTypeMap": {
                    "Security recommendations": "Assessments",
                    "Security alerts": "Alerts"
                  },
                  "alertSeverityMap": {
                    "High": "high",
                    "Medium": "medium",
                    "Low": "low"
                  },
                  "ruleSetsForAssessmentsObj": {
                    "copy": [
                      {
                        "name": "ruleSetsForAssessmentsArr",
                      "count": "[mul(variables('recommendationNamesLengthIfEmpty'),variables('recommendationSeveritiesLengthIfEmpty'))]",
                        "input": {
                          "rules": [
                            {
                            "propertyJPath": "[if(equals(variables('recommendationNamesLength'),0),'type','name')]",
                              "propertyType": "string",
                            "expectedValue": "[if(equals(variables('recommendationNamesLength'),0),'Microsoft.Security/assessments',parameters('recommendationNames')[mod(div(copyIndex('ruleSetsForAssessmentsArr'),variables('totalRuleCombinationsForOneRecommendationName')),variables('recommendationNamesLength'))])]",
                              "operator": "Contains"
                            },
                            {
                              "propertyJPath": "properties.metadata.severity",
                              "propertyType": "string",
                            "expectedValue": "[parameters('recommendationSeverities')[mod(div(copyIndex('ruleSetsForAssessmentsArr'),variables('totalRuleCombinationsForOneRecommendationSeverity')),variables('recommendationSeveritiesLength'))]]",
                              "operator": "Equals"
                            }
                          ]
                        }
                      }
                    ]
                  },
                  "ruleSetsForAlertsObj": {
                    "copy": [
                      {
                        "name": "ruleSetsForAlertsArr",
                      "count": "[variables('alertSeveritiesLengthIfEmpty')]",
                        "input": {
                          "rules": [
                            {
                              "propertyJPath": "Severity",
                              "propertyType": "string",
                            "expectedValue": "[variables('alertSeverityMap')[parameters('alertSeverities')[mod(copyIndex('ruleSetsForAlertsArr'),variables('alertSeveritiesLengthIfEmpty'))]]]",
                              "operator": "Equals"
                            }
                          ]
                        }
                      }
                    ]
                  }
                },
                "resources": [
                  {
                  "name": "[parameters('resourceGroupName')]",
                    "type": "Microsoft.Resources/resourceGroups",
                    "apiVersion": "2019-10-01",
                  "location": "[parameters('resourceGroupLocation')]",
                    "tags": {
                      
                    },
                    "properties": {
                      
                    }
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2019-10-01",
                  "name": "[concat('nestedAutomationDeployment', '_', parameters('guidValue'))]",
                  "resourceGroup": "[parameters('resourceGroupName')]",
                    "dependsOn": [
                    "[resourceId('Microsoft.Resources/resourceGroups/', parameters('resourceGroupName'))]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          
                        },
                        "variables": {
                          
                        },
                        "resources": [
                          {
                            "tags": {
                              
                            },
                            "apiVersion": "2019-01-01-preview",
                          "location": "[parameters('resourceGroupLocation')]",
                            "name": "exportToEventHub",
                            "type": "Microsoft.Security/automations",
                            "dependsOn": [
                              
                            ],
                            "properties": {
                              "description": "Export Azure Security Center alerts and/or recommendations to Event Hub via policy",
                              "isEnabled": true,
                              "scopes": [
                                {
                                "description": "[replace(variables('scopeDescription'),'{0}', subscription().subscriptionId)]",
                                "scopePath": "[subscription().id]"
                                }
                              ],
                              "copy": [
                                {
                                  "name": "sources",
                                "count": "[variables('exportedDataTypesLengthIfEmpty')]",
                                  "input": {
                                  "eventSource": "[variables('dataTypeMap')[parameters('exportedDataTypes')[copyIndex('sources')]]]",
                                  "ruleSets": "[if(equals(parameters('exportedDataTypes')[copyIndex('sources')], 'Security recommendations'), variables('ruleSetsForAssessmentsObj').ruleSetsForAssessmentsArr, variables('ruleSetsForAlertsObj').ruleSetsForAlertsArr)]"
                                  }
                                }
                              ],
                              "actions": [
                                {
                                  "actionType": "EventHub",
                                "eventHubResourceId": "[concat('/', variables('SeperatedEventHubDetails')[1], '/', variables('SeperatedEventHubDetails')[2], '/', variables('SeperatedEventHubDetails')[3], '/', variables('SeperatedEventHubDetails')[4], '/', variables('SeperatedEventHubDetails')[5], '/', variables('SeperatedEventHubDetails')[6], '/', variables('SeperatedEventHubDetails')[7], '/', variables('SeperatedEventHubDetails')[8], '/', variables('SeperatedEventHubDetails')[9], '/', variables('SeperatedEventHubDetails')[10])]",
                                "connectionString": "[listkeys(parameters('eventHubDetails'),'2017-04-01').primaryConnectionString]"
                                }
                              ]
                            }
                          }
                        ]
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "resourceGroupName": {
                "value": "[parameters('resourceGroupName')]"
                },
                "resourceGroupLocation": {
                "value": "[parameters('resourceGroupLocation')]"
                },
                "exportedDataTypes": {
                "value": "[parameters('exportedDataTypes')]"
                },
                "recommendationNames": {
                "value": "[parameters('recommendationNames')]"
                },
                "recommendationSeverities": {
                "value": "[parameters('recommendationSeverities')]"
                },
                "alertSeverities": {
                "value": "[parameters('alertSeverities')]"
                },
                "eventHubDetails": {
                "value": "[parameters('eventHubDetails')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/cdfcce10-4578-4ecd-9703-530938e4abcb",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "cdfcce10-4578-4ecd-9703-530938e4abcb"
}