last sync: 2020-Oct-30 14:31:57 UTC

Azure Policy definition

Deploy export to Log Analytics workspace for Azure Security Center alerts and recommendations

Name Deploy export to Log Analytics workspace for Azure Security Center alerts and recommendations
Azure Portal
Id ffb6f416-7bd2-4488-8828-56585fef2be9
Version 1.0.0
details on versioning
Category Security Center
Microsoft docs
Description Enable export to Log Analytics workspace of Azure Security Center alerts and/or recommendations. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.
Mode All
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Fixed: deployIfNotExists
Used RBAC Role
Role Name Role Id
Contributor b24988ac-6180-42a0-ab88-20f7382dd24c
History
Date/Time (UTC ymd) (i) Change type Change detail
2020-05-29 15:39:09 add ffb6f416-7bd2-4488-8828-56585fef2be9
Used in Initiatives none
Json
{
  "properties": {
    "displayName": "Deploy export to Log Analytics workspace for Azure Security Center alerts and recommendations",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Enable export to Log Analytics workspace of Azure Security Center alerts and/or recommendations. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "resourceGroupName": {
        "type": "String",
        "metadata": {
          "displayName": "Resource group name",
          "description": "The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured."
        }
      },
      "resourceGroupLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Resource group location",
          "description": "The location where the resource group and the export to Log Analytics workspace configuration are created.",
          "strongType": "location"
        }
      },
      "exportedDataTypes": {
        "type": "Array",
        "metadata": {
          "displayName": "Exported data types",
          "description": "The data types to be exported. Example: Security recommendations;Security alerts;"
        },
        "allowedValues": [
          "Security recommendations",
          "Security alerts"
        ],
        "defaultValue": [
          "Security recommendations",
          "Security alerts"
        ]
      },
      "recommendationNames": {
        "type": "Array",
        "metadata": {
          "displayName": "Recommendation IDs",
          "description": "Applicable only for export of security recommendations. To export all recommendations, leave this empty. To export specific recommendations, enter a list of recommendation IDs separated by semicolons (';'). Recommendation IDs are available through the Assessments API (https://docs.microsoft.com/rest/api/securitycenter/assessments), or Azure Resource Graph Explorer (https://portal.azure.com/#blade/HubsExtension/ArgQueryBlade), choose securityresources and microsoft.security/assessments."
        },
        "defaultValue": [
          
        ]
      },
      "recommendationSeverities": {
        "type": "Array",
        "metadata": {
          "displayName": "Recommendation severities",
          "description": "Applicable only for export of security recommendations. Determines recommendation severities. Example: High;Medium;Low;"
        },
        "allowedValues": [
          "High",
          "Medium",
          "Low"
        ],
        "defaultValue": [
          "High",
          "Medium",
          "Low"
        ]
      },
      "alertSeverities": {
        "type": "Array",
        "metadata": {
          "displayName": "Alert severities",
          "description": "Applicable only for export of security alerts. Determines alert severities. Example: High;Medium;Low;"
        },
        "allowedValues": [
          "High",
          "Medium",
          "Low"
        ],
        "defaultValue": [
          "High",
          "Medium",
          "Low"
        ]
      },
      "workspaceResourceId": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "The Log Analytics workspace of where the data should be exported to. If you do not already have a log analytics workspace, visit Log Analytics workspaces to create one (https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.OperationalInsights%2Fworkspaces).",
          "strongType": "Microsoft.OperationalInsights/workspaces",
          "assignPermissions": true
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Security/automations",
          "name": "ExportToWorkspace",
          "existenceScope": "resourcegroup",
        "ResourceGroupName": "[parameters('resourceGroupName')]",
          "deploymentScope": "subscription",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "location": "westeurope",
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceGroupName": {
                    "type": "string"
                  },
                  "resourceGroupLocation": {
                    "type": "string"
                  },
                  "exportedDataTypes": {
                    "type": "array"
                  },
                  "recommendationNames": {
                    "type": "array"
                  },
                  "recommendationSeverities": {
                    "type": "array"
                  },
                  "alertSeverities": {
                    "type": "array"
                  },
                  "workspaceResourceId": {
                    "type": "string"
                  },
                  "guidValue": {
                    "type": "string",
                  "defaultValue": "[newGuid()]"
                  }
                },
                "variables": {
                "scopeDescription": "scope for subscription {0}",
                "recommendationNamesLength": "[length(parameters('recommendationNames'))]",
                "recommendationSeveritiesLength": "[length(parameters('recommendationSeverities'))]",
                "alertSeveritiesLength": "[length(parameters('alertSeverities'))]",
                "recommendationNamesLengthIfEmpty": "[if(equals(variables('recommendationNamesLength'), 0), 1, variables('recommendationNamesLength'))]",
                "recommendationSeveritiesLengthIfEmpty": "[if(equals(variables('recommendationSeveritiesLength'), 0), 1, variables('recommendationSeveritiesLength'))]",
                "alertSeveritiesLengthIfEmpty": "[if(equals(variables('alertSeveritiesLength'), 0), 1, variables('alertSeveritiesLength'))]",
                "totalRuleCombinationsForOneRecommendationName": "[variables('recommendationSeveritiesLengthIfEmpty')]",
                  "totalRuleCombinationsForOneRecommendationSeverity": 1,
                "exportedDataTypesLength": "[length(parameters('exportedDataTypes'))]",
                "exportedDataTypesLengthIfEmpty": "[if(equals(variables('exportedDataTypesLength'), 0), 1, variables('exportedDataTypesLength'))]",
                  "dataTypeMap": {
                    "Security recommendations": "Assessments",
                    "Security alerts": "Alerts"
                  },
                  "alertSeverityMap": {
                    "High": "high",
                    "Medium": "medium",
                    "Low": "low"
                  },
                  "ruleSetsForAssessmentsObj": {
                    "copy": [
                      {
                        "name": "ruleSetsForAssessmentsArr",
                      "count": "[mul(variables('recommendationNamesLengthIfEmpty'),variables('recommendationSeveritiesLengthIfEmpty'))]",
                        "input": {
                          "rules": [
                            {
                            "propertyJPath": "[if(equals(variables('recommendationNamesLength'),0),'type','name')]",
                              "propertyType": "string",
                            "expectedValue": "[if(equals(variables('recommendationNamesLength'),0),'Microsoft.Security/assessments',parameters('recommendationNames')[mod(div(copyIndex('ruleSetsForAssessmentsArr'),variables('totalRuleCombinationsForOneRecommendationName')),variables('recommendationNamesLength'))])]",
                              "operator": "Contains"
                            },
                            {
                              "propertyJPath": "properties.metadata.severity",
                              "propertyType": "string",
                            "expectedValue": "[parameters('recommendationSeverities')[mod(div(copyIndex('ruleSetsForAssessmentsArr'),variables('totalRuleCombinationsForOneRecommendationSeverity')),variables('recommendationSeveritiesLength'))]]",
                              "operator": "Equals"
                            }
                          ]
                        }
                      }
                    ]
                  },
                  "ruleSetsForAlertsObj": {
                    "copy": [
                      {
                        "name": "ruleSetsForAlertsArr",
                      "count": "[variables('alertSeveritiesLengthIfEmpty')]",
                        "input": {
                          "rules": [
                            {
                              "propertyJPath": "Severity",
                              "propertyType": "string",
                            "expectedValue": "[variables('alertSeverityMap')[parameters('alertSeverities')[mod(copyIndex('ruleSetsForAlertsArr'),variables('alertSeveritiesLengthIfEmpty'))]]]",
                              "operator": "Equals"
                            }
                          ]
                        }
                      }
                    ]
                  }
                },
                "resources": [
                  {
                  "name": "[parameters('resourceGroupName')]",
                    "type": "Microsoft.Resources/resourceGroups",
                    "apiVersion": "2019-10-01",
                  "location": "[parameters('resourceGroupLocation')]",
                    "tags": {
                      
                    },
                    "properties": {
                      
                    }
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2019-10-01",
                  "name": "[concat('nestedAutomationDeployment', '_', parameters('guidValue'))]",
                  "resourceGroup": "[parameters('resourceGroupName')]",
                    "dependsOn": [
                    "[resourceId('Microsoft.Resources/resourceGroups/', parameters('resourceGroupName'))]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          
                        },
                        "variables": {
                          
                        },
                        "resources": [
                          {
                            "tags": {
                              
                            },
                            "apiVersion": "2019-01-01-preview",
                          "location": "[parameters('resourceGroupLocation')]",
                            "name": "ExportToWorkspace",
                            "type": "Microsoft.Security/automations",
                            "dependsOn": [
                              
                            ],
                            "properties": {
                              "description": "Export Azure Security Center alerts and/or recommendations to Log Analytics workspace via policy",
                              "isEnabled": true,
                              "scopes": [
                                {
                                "description": "[replace(variables('scopeDescription'),'{0}', subscription().subscriptionId)]",
                                "scopePath": "[subscription().id]"
                                }
                              ],
                              "copy": [
                                {
                                  "name": "sources",
                                "count": "[variables('exportedDataTypesLengthIfEmpty')]",
                                  "input": {
                                  "eventSource": "[variables('dataTypeMap')[parameters('exportedDataTypes')[copyIndex('sources')]]]",
                                  "ruleSets": "[if(equals(parameters('exportedDataTypes')[copyIndex('sources')], 'Security recommendations'), variables('ruleSetsForAssessmentsObj').ruleSetsForAssessmentsArr, variables('ruleSetsForAlertsObj').ruleSetsForAlertsArr)]"
                                  }
                                }
                              ],
                              "actions": [
                                {
                                  "actionType": "Workspace",
                                "workspaceResourceId": "[parameters('workspaceResourceId')]"
                                }
                              ]
                            }
                          }
                        ]
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "resourceGroupName": {
                "value": "[parameters('resourceGroupName')]"
                },
                "resourceGroupLocation": {
                "value": "[parameters('resourceGroupLocation')]"
                },
                "exportedDataTypes": {
                "value": "[parameters('exportedDataTypes')]"
                },
                "recommendationNames": {
                "value": "[parameters('recommendationNames')]"
                },
                "recommendationSeverities": {
                "value": "[parameters('recommendationSeverities')]"
                },
                "alertSeverities": {
                "value": "[parameters('alertSeverities')]"
                },
                "workspaceResourceId": {
                "value": "[parameters('workspaceResourceId')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ffb6f416-7bd2-4488-8828-56585fef2be9"
}