|
Policy Rule
|
{
"properties": {
"displayName": "Deploy Workflow Automation for Azure Security Center alerts",
"policyType": "BuiltIn",
"mode": "All",
"description": "Enable automation of Azure Security Center alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.",
"metadata": {
"version": "1.0.0",
"category": "Security Center"
},
"parameters": {
"automationName": {
"type": "String",
"metadata": {
"displayName": "Automation name",
"description": "This is the automation name."
}
},
"resourceGroupName": {
"type": "String",
"metadata": {
"displayName": "Resource group name",
"description": "The resource group name where the workflow automation is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription."
}
},
"resourceGroupLocation": {
"type": "String",
"metadata": {
"displayName": "Resource group location",
"description": "The location where the resource group and the workflow automation are created.",
"strongType": "location"
}
},
"alertName": {
"type": "String",
"metadata": {
"displayName": "Alert name contains",
"description": "String included in the required alert name. For a full reference list of Security Center's alerts, see https://docs.microsoft.com/azure/security-center/alerts-reference."
},
"defaultValue": ""
},
"alertSeverities": {
"type": "Array",
"metadata": {
"displayName": "Alert severities",
"description": "Determines alert severities. Example: High;Medium;Low;"
},
"allowedValues": [
"High",
"Medium",
"Low"
],
"defaultValue": [
"High",
"Medium",
"Low"
]
},
"logicAppResourceId": {
"type": "String",
"metadata": {
"displayName": "Logic App",
"description": "The Logic App that is triggered. If you do not already have a logic app, visit Logic Apps to create one (https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Logic%2Fworkflows).",
"strongType": "Microsoft.Logic/workflows",
"assignPermissions": true
}
},
"logicAppTrigger": {
"type": "String",
"metadata": {
"displayName": "Logic app trigger",
"description": "The trigger connector of the logic app that is triggered. Possible values: 'Manual (Incoming HTTP request)', 'When an Azure Security Center Alert is created or triggered'."
},
"allowedValues": [
"Manual (Incoming HTTP request)",
"When an Azure Security Center Alert is created or triggered"
]
}
},
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Resources/subscriptions"
},
"then": {
"effect": "deployIfNotExists",
"details": {
"type": "Microsoft.Security/automations",
"name": "[parameters('automationName')]",
"existenceScope": "resourcegroup",
"ResourceGroupName": "[parameters('resourceGroupName')]",
"deploymentScope": "subscription",
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"deployment": {
"location": "westeurope",
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"automationName": {
"type": "string"
},
"resourceGroupName": {
"type": "string"
},
"resourceGroupLocation": {
"type": "string"
},
"alertName": {
"type": "string"
},
"alertSeverities": {
"type": "array"
},
"logicAppResourceId": {
"type": "string"
},
"logicAppTrigger": {
"type": "string"
},
"guidValue": {
"type": "string",
"defaultValue": "[newGuid()]"
}
},
"variables": {
"scopeDescription": "scope for subscription {0}",
"alertSeveritiesLength": "[length(parameters('alertSeverities'))]",
"alertSeveritiesLengthIfEmpty": "[if(equals(variables('alertSeveritiesLength'), 0), 1, variables('alertSeveritiesLength'))]",
"severityMap": {
"High": "high",
"Medium": "medium",
"Low": "low"
},
"triggerMap": {
"Manual (Incoming HTTP request)": "manual",
"When an Azure Security Center Alert is created or triggered": "When_an_Azure_Security_Center_Alert_is_created_or_triggered"
}
},
"resources": [
{
"name": "[parameters('resourceGroupName')]",
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2019-10-01",
"location": "[parameters('resourceGroupLocation')]",
"tags": {
},
"properties": {
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"name": "[concat('nestedAutomationDeployment', '_', parameters('guidValue'))]",
"resourceGroup": "[parameters('resourceGroupName')]",
"dependsOn": [
"[resourceId('Microsoft.Resources/resourceGroups/', parameters('resourceGroupName'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
},
"variables": {
},
"resources": [
{
"tags": {
},
"apiVersion": "2019-01-01-preview",
"location": "[parameters('resourceGroupLocation')]",
"name": "[parameters('automationName')]",
"type": "Microsoft.Security/automations",
"dependsOn": [
],
"properties": {
"description": "Workflow Automation for Azure Security Center alerts via policy",
"isEnabled": true,
"scopes": [
{
"description": "[replace(variables('scopeDescription'),'{0}', subscription().subscriptionId)]",
"scopePath": "[subscription().id]"
}
],
"sources": [
{
"eventSource": "Alerts",
"copy": [
{
"name": "ruleSets",
"count": "[variables('alertSeveritiesLengthIfEmpty')]",
"input": {
"rules": [
{
"propertyJPath": "[if(equals(parameters('alertName'), ''), 'Version', 'AlertDisplayName')]",
"propertyType": "string",
"expectedValue": "[if(equals(parameters('alertName'), ''), '3.', parameters('alertName'))]",
"operator": "Contains"
},
{
"propertyJPath": "Severity",
"propertyType": "string",
"expectedValue": "[variables('severityMap')[parameters('alertSeverities')[mod(copyIndex('ruleSets'), variables('alertSeveritiesLengthIfEmpty'))]]]",
"operator": "Equals"
}
]
}
}
]
}
],
"actions": [
{
"actionType": "LogicApp",
"logicAppResourceId": "[parameters('logicAppResourceId')]",
"uri": "[listCallbackUrl(concat(parameters('logicAppResourceId'), '/triggers/', variables('triggerMap')[parameters('logicAppTrigger')]),'2016-06-01').value]"
}
]
}
}
]
}
}
}
]
},
"parameters": {
"automationName": {
"value": "[parameters('automationName')]"
},
"resourceGroupName": {
"value": "[parameters('resourceGroupName')]"
},
"resourceGroupLocation": {
"value": "[parameters('resourceGroupLocation')]"
},
"alertName": {
"value": "[parameters('alertName')]"
},
"alertSeverities": {
"value": "[parameters('alertSeverities')]"
},
"logicAppResourceId": {
"value": "[parameters('logicAppResourceId')]"
},
"logicAppTrigger": {
"value": "[parameters('logicAppTrigger')]"
}
}
}
}
}
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/f1525828-9a90-4fcf-be48-268cdd02361e",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "f1525828-9a90-4fcf-be48-268cdd02361e"
}
|