last sync: 2025-Aug-19 17:23:06 UTC
Monitoring
[Deprecated]: Configure Azure Arc-enabled Linux machines with Log Analytics agents connected to default Log Analytics workspace
Protect your Azure Arc-enabled Linux machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud.
BuiltIn
False
2025-01-30
1.1.0-deprecated
1.1.0 (1.1.0-deprecated)
1.0.0-preview
1.0.0-preview
AzureCloud:true
AzureChinaCloud:unknown
AzureUSGovernment:unknown
AzureChinaCloud:unknown
AzureUSGovernment:unknown
Deprecated
Indexed
allowed: 'deployIfNotExists', 'disabled'
default: 'disabled'
default: 'disabled'
Uses 1 RBAC Role(s):
• Contributor (b24988ac-6180-42a0-ab88-20f7382dd24c)
• Contributor (b24988ac-6180-42a0-ab88-20f7382dd24c)
Uses 17 Fx/Operator(s):
• concat()
• contains()
• deployment()
• field()
• if()
• length()
• lessOrEquals()
• listKeys()
• parameters()
• reference()
• resourceGroup()
• resourceId()
• sub()
• subscription()
• substring()
• uniqueString()
• variables()
• concat()
• contains()
• deployment()
• field()
• if()
• length()
• lessOrEquals()
• listKeys()
• parameters()
• reference()
• resourceGroup()
• resourceId()
• sub()
• subscription()
• substring()
• uniqueString()
• variables()
only applicable for Policy defintions of type: Static
JSON deep dive
{
"displayName": "[Deprecated]: Configure Azure Arc-enabled Linux machines with Log Analytics agents connected to default Log Analytics workspace",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Protect your Azure Arc-enabled Linux machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud.",
"metadata": {
"category": "Monitoring",
"version": "1.1.0-deprecated",
"deprecated": true
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.HybridCompute/machines"
},
{
"field": "Microsoft.HybridCompute/machines/osName",
"equals": "linux"
}
]
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"deploymentScope": "subscription",
"type": "Microsoft.HybridCompute/machines/extensions",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.HybridCompute/machines/extensions/type",
"equals": "OmsAgentForLinux"
},
{
"field": "Microsoft.HybridCompute/machines/extensions/publisher",
"equals": "Microsoft.EnterpriseCloud.Monitoring"
},
{
"field": "Microsoft.HybridCompute/machines/extensions/provisioningState",
"equals": "Succeeded"
}
]
},
"deployment": {
"location": "eastus",
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string"
},
"vmName": {
"type": "string"
},
"vmResourceGroup": {
"type": "string"
}
},
"variables": {
"locationLongNameToShortMap": {
"australiacentral": "CAU",
"australiaeast": "EAU",
"australiasoutheast": "SEAU",
"brazilsouth": "CQ",
"canadacentral": "CCA",
"centralindia": "CIN",
"centralus": "CUS",
"eastasia": "EA",
"eastus2euap": "eus2p",
"eastus": "EUS",
"eastus2": "EUS2",
"francecentral": "PAR",
"germanywestcentral": "DEWC",
"japaneast": "EJP",
"koreacentral": "SE",
"northcentralus": "NCUS",
"northeurope": "NEU",
"norwayeast": "NOE",
"southcentralus": "SCUS",
"southeastasia": "SEA",
"switzerlandnorth": "CHN",
"switzerlandwest": "CHW",
"southafricanorth": "JNB",
"swedencentral": "SEC",
"uaenorth": "DXB",
"uksouth": "SUK",
"ukwest": "WUK",
"westcentralus": "WCUS",
"westeurope": "WEU",
"westus": "WUS",
"westus2": "WUS2"
},
"selectedLocation": "[if(variables('isContainLocation'),variables('locationLongNameToShortMap')[parameters('location')],parameters('location'))]",
"locationCode": "[if(lessOrEquals(length(variables('selectedLocation')),8),variables('selectedLocation'),concat(substring(variables('selectedLocation'),0,6),substring(variables('selectedLocation'),sub(length(variables('selectedLocation')),2),2)))]",
"subscriptionId": "[subscription().subscriptionId]",
"defaultRGName": "[concat('DefaultResourceGroup-', variables('locationCode'))]",
"defaultRGLocation": "[parameters('location')]",
"workspaceName": "[concat('DefaultWorkspace-', variables('subscriptionId'),'-', variables('locationCode'))]",
"deployDefaultAscResourceGroup": "[concat('deployDefaultAscResourceGroup-', uniqueString(deployment().name))]",
"deployExtension": "[concat('deployExtension-', uniqueString(deployment().name))]",
"isContainLocation": "[contains(variables('locationLongNameToShortMap'),parameters('location'))]"
},
"resources": [
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2020-06-01",
"name": "[variables('defaultRGName')]",
"location": "[variables('defaultRGLocation')]"
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-06-01",
"name": "[variables('deployDefaultAscResourceGroup')]",
"dependsOn": [
"[resourceId('Microsoft.Resources/resourceGroups', variables('defaultRGName'))]"
],
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"defaultRGLocation": {
"value": "[variables('defaultRGLocation')]"
},
"workspaceName": {
"value": "[variables('workspaceName')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"defaultRGLocation": {
"type": "string"
},
"workspaceName": {
"type": "string"
}
},
"variables": {
"securityCenterFreeSolution": {
"Name": "[Concat('SecurityCenterFree', '(', parameters('workspaceName'), ')')]",
"GalleryName": "SecurityCenterFree"
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"name": "[parameters('workspaceName')]",
"apiVersion": "2015-11-01-preview",
"location": "[parameters('defaultRGLocation')]",
"properties": {
"sku": {
"name": "pernode"
},
"retentionInDays": 30,
"features": {
"searchVersion": 1
}
}
},
{
"type": "Microsoft.OperationsManagement/solutions",
"name": "[variables('securityCenterFreeSolution').Name]",
"apiVersion": "2015-11-01-preview",
"location": "[parameters('defaultRGLocation')]",
"dependsOn": [
"[parameters('workspaceName')]"
],
"properties": {
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
},
"plan": {
"name": "[variables('securityCenterFreeSolution').Name]",
"publisher": "Microsoft",
"product": "[Concat('OMSGallery/', variables('securityCenterFreeSolution').GalleryName)]",
"promotionCode": ""
}
}
]
}
},
"resourceGroup": "[variables('defaultRGName')]"
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-06-01",
"name": "[variables('deployExtension')]",
"dependsOn": [
"[variables('deployDefaultAscResourceGroup')]"
],
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"workspaceId": {
"value": "[concat(subscription().id,'/resourceGroups/', variables('defaultRGName'), '/providers/Microsoft.OperationalInsights/workspaces/', variables('workspaceName'))]"
},
"vmName": {
"value": "[parameters('vmName')]"
},
"location": {
"value": "[parameters('location')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceId": {
"type": "string"
},
"vmName": {
"type": "string"
},
"location": {
"type": "string"
}
},
"variables": {
"vmExtensionName": "OMSAgentForLinux",
"vmExtensionPublisher": "Microsoft.EnterpriseCloud.Monitoring",
"vmExtensionType": "OmsAgentForLinux"
},
"resources": [
{
"name": "[concat(parameters('vmName'), '/', variables('vmExtensionName'))]",
"type": "Microsoft.HybridCompute/machines/extensions",
"location": "[parameters('location')]",
"apiVersion": "2019-12-12",
"properties": {
"publisher": "[variables('vmExtensionPublisher')]",
"type": "[variables('vmExtensionType')]",
"autoUpgradeMinorVersion": true,
"settings": {
"workspaceId": "[reference(parameters('workspaceId'), '2015-03-20').customerId]",
"stopOnMultipleConnections": "true"
},
"protectedSettings": {
"workspaceKey": "[listKeys(parameters('workspaceId'), '2015-03-20').primarySharedKey]"
}
}
}
]
}
},
"resourceGroup": "[parameters('vmResourceGroup')]"
}
]
},
"parameters": {
"location": {
"value": "[field('location')]"
},
"vmName": {
"value": "[field('name')]"
},
"vmResourceGroup": {
"value": "[resourceGroup().name]"
}
}
}
}
}
}
}
}{"displayName":"[Deprecated]: Configure Azure Arc-enabled Linux machines with Log Analytics agents connected to default Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Protect your Azure Arc-enabled Linux machines with Microsoft Defender for Cloud capabilities,by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud.","metadata":{"category":"Monitoring","version":"1.1.0-deprecated","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"Disabled"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/machines/osName","equals":"linux"}]},"then":{"effect":"[parameters('effect')]","details":{"deploymentScope":"subscription","type":"Microsoft.HybridCompute/machines/extensions","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"allOf":[{"field":"Microsoft.HybridCompute/machines/extensions/type","equals":"OmsAgentForLinux"},{"field":"Microsoft.HybridCompute/machines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.HybridCompute/machines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"location":"eastus","properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"},"vmName":{"type":"string"},"vmResourceGroup":{"type":"string"}},"variables":{"locationLongNameToShortMap":{"australiacentral":"CAU","australiaeast":"EAU","australiasoutheast":"SEAU","brazilsouth":"CQ","canadacentral":"CCA","centralindia":"CIN","centralus":"CUS","eastasia":"EA","eastus2euap":"eus2p","eastus":"EUS","eastus2":"EUS2","francecentral":"PAR","germanywestcentral":"DEWC","japaneast":"EJP","koreacentral":"SE","northcentralus":"NCUS","northeurope":"NEU","norwayeast":"NOE","southcentralus":"SCUS","southeastasia":"SEA","switzerlandnorth":"CHN","switzerlandwest":"CHW","southafricanorth":"JNB","swedencentral":"SEC","uaenorth":"DXB","uksouth":"SUK","ukwest":"WUK","westcentralus":"WCUS","westeurope":"WEU","westus":"WUS","westus2":"WUS2"},"selectedLocation":"[if(variables('isContainLocation'),variables('locationLongNameToShortMap')[parameters('location')],parameters('location'))]","locationCode":"[if(lessOrEquals(length(variables('selectedLocation')),8),variables('selectedLocation'),concat(substring(variables('selectedLocation'),0,6),substring(variables('selectedLocation'),sub(length(variables('selectedLocation')),2),2)))]","subscriptionId":"[subscription().subscriptionId]","defaultRGName":"[concat('DefaultResourceGroup-',variables('locationCode'))]","defaultRGLocation":"[parameters('location')]","workspaceName":"[concat('DefaultWorkspace-',variables('subscriptionId'),'-',variables('locationCode'))]","deployDefaultAscResourceGroup":"[concat('deployDefaultAscResourceGroup-',uniqueString(deployment().name))]","deployExtension":"[concat('deployExtension-',uniqueString(deployment().name))]","isContainLocation":"[contains(variables('locationLongNameToShortMap'),parameters('location'))]"},"resources":[{"type":"Microsoft.Resources/resourceGroups","apiVersion":"2020-06-01","name":"[variables('defaultRGName')]","location":"[variables('defaultRGLocation')]"},{"type":"Microsoft.Resources/deployments","apiVersion":"2020-06-01","name":"[variables('deployDefaultAscResourceGroup')]","dependsOn":["[resourceId('Microsoft.Resources/resourceGroups',variables('defaultRGName'))]"],"properties":{"mode":"Incremental","expressionEvaluationOptions":{"scope":"inner"},"parameters":{"defaultRGLocation":{"value":"[variables('defaultRGLocation')]"},"workspaceName":{"value":"[variables('workspaceName')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"defaultRGLocation":{"type":"string"},"workspaceName":{"type":"string"}},"variables":{"securityCenterFreeSolution":{"Name":"[Concat('SecurityCenterFree','(',parameters('workspaceName'),')')]","GalleryName":"SecurityCenterFree"}},"resources":[{"type":"Microsoft.OperationalInsights/workspaces","name":"[parameters('workspaceName')]","apiVersion":"2015-11-01-preview","location":"[parameters('defaultRGLocation')]","properties":{"sku":{"name":"pernode"},"retentionInDays":30,"features":{"searchVersion":1}}},{"type":"Microsoft.OperationsManagement/solutions","name":"[variables('securityCenterFreeSolution').Name]","apiVersion":"2015-11-01-preview","location":"[parameters('defaultRGLocation')]","dependsOn":["[parameters('workspaceName')]"],"properties":{"workspaceResourceId":"[resourceId('Microsoft.OperationalInsights/workspaces/',parameters('workspaceName'))]"},"plan":{"name":"[variables('securityCenterFreeSolution').Name]","publisher":"Microsoft","product":"[Concat('OMSGallery/',variables('securityCenterFreeSolution').GalleryName)]","promotionCode":""}}]}},"resourceGroup":"[variables('defaultRGName')]"},{"type":"Microsoft.Resources/deployments","apiVersion":"2020-06-01","name":"[variables('deployExtension')]","dependsOn":["[variables('deployDefaultAscResourceGroup')]"],"properties":{"mode":"Incremental","expressionEvaluationOptions":{"scope":"inner"},"parameters":{"workspaceId":{"value":"[concat(subscription().id,'/resourceGroups/',variables('defaultRGName'),'/providers/Microsoft.OperationalInsights/workspaces/',variables('workspaceName'))]"},"vmName":{"value":"[parameters('vmName')]"},"location":{"value":"[parameters('location')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"workspaceId":{"type":"string"},"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"OMSAgentForLinux","vmExtensionPublisher":"Microsoft.EnterpriseCloud.Monitoring","vmExtensionType":"OmsAgentForLinux"},"resources":[{"name":"[concat(parameters('vmName'),'/',variables('vmExtensionName'))]","type":"Microsoft.HybridCompute/machines/extensions","location":"[parameters('location')]","apiVersion":"2019-12-12","properties":{"publisher":"[variables('vmExtensionPublisher')]","type":"[variables('vmExtensionType')]","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters('workspaceId'),'2015-03-20').customerId]","stopOnMultipleConnections":"true"},"protectedSettings":{"workspaceKey":"[listKeys(parameters('workspaceId'),'2015-03-20').primarySharedKey]"}}}]}},"resourceGroup":"[parameters('vmResourceGroup')]"}]},"parameters":{"location":{"value":"[field('location')]"},"vmName":{"value":"[field('name')]"},"vmResourceGroup":{"value":"[resourceGroup().name]"}}}}}}}}Monitoring
[Deprecated]: Configure Azure Arc-enabled Windows machines with Log Analytics agents connected to default Log Analytics workspace
Protect your Azure Arc-enabled Windows machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud.
BuiltIn
False
2025-01-30
1.2.0-deprecated
1.2.0 (1.2.0-deprecated)
1.1.0-preview
1.1.0-preview
AzureCloud:true
AzureChinaCloud:unknown
AzureUSGovernment:unknown
AzureChinaCloud:unknown
AzureUSGovernment:unknown
Deprecated
Indexed
allowed: 'deployIfNotExists', 'disabled'
default: 'disabled'
default: 'disabled'
Uses 1 RBAC Role(s):
• Contributor (b24988ac-6180-42a0-ab88-20f7382dd24c)
• Contributor (b24988ac-6180-42a0-ab88-20f7382dd24c)
Uses 17 Fx/Operator(s):
• concat()
• contains()
• deployment()
• field()
• if()
• length()
• lessOrEquals()
• listKeys()
• parameters()
• reference()
• resourceGroup()
• resourceId()
• sub()
• subscription()
• substring()
• uniqueString()
• variables()
• concat()
• contains()
• deployment()
• field()
• if()
• length()
• lessOrEquals()
• listKeys()
• parameters()
• reference()
• resourceGroup()
• resourceId()
• sub()
• subscription()
• substring()
• uniqueString()
• variables()
only applicable for Policy defintions of type: Static
JSON deep dive
{
"displayName": "[Deprecated]: Configure Azure Arc-enabled Windows machines with Log Analytics agents connected to default Log Analytics workspace",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Protect your Azure Arc-enabled Windows machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud.",
"metadata": {
"category": "Monitoring",
"version": "1.2.0-deprecated",
"deprecated": true
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.HybridCompute/machines"
},
{
"field": "Microsoft.HybridCompute/machines/osName",
"equals": "windows"
}
]
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"deploymentScope": "subscription",
"type": "Microsoft.HybridCompute/machines/extensions",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.HybridCompute/machines/extensions/type",
"equals": "MicrosoftMonitoringAgent"
},
{
"field": "Microsoft.HybridCompute/machines/extensions/publisher",
"equals": "Microsoft.EnterpriseCloud.Monitoring"
},
{
"field": "Microsoft.HybridCompute/machines/extensions/provisioningState",
"equals": "Succeeded"
}
]
},
"deployment": {
"location": "eastus",
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string"
},
"vmName": {
"type": "string"
},
"vmResourceGroup": {
"type": "string"
}
},
"variables": {
"locationLongNameToShortMap": {
"australiacentral": "CAU",
"australiaeast": "EAU",
"australiasoutheast": "SEAU",
"brazilsouth": "CQ",
"canadacentral": "CCA",
"centralindia": "CIN",
"centralus": "CUS",
"eastasia": "EA",
"eastus2euap": "eus2p",
"eastus": "EUS",
"eastus2": "EUS2",
"francecentral": "PAR",
"germanywestcentral": "DEWC",
"japaneast": "EJP",
"koreacentral": "SE",
"northcentralus": "NCUS",
"northeurope": "NEU",
"norwayeast": "NOE",
"southcentralus": "SCUS",
"southeastasia": "SEA",
"switzerlandnorth": "CHN",
"switzerlandwest": "CHW",
"southafricanorth": "JNB",
"swedencentral": "SEC",
"uaenorth": "DXB",
"uksouth": "SUK",
"ukwest": "WUK",
"westcentralus": "WCUS",
"westeurope": "WEU",
"westus": "WUS",
"westus2": "WUS2"
},
"selectedLocation": "[if(variables('isContainLocation'),variables('locationLongNameToShortMap')[parameters('location')],parameters('location'))]",
"locationCode": "[if(lessOrEquals(length(variables('selectedLocation')),8),variables('selectedLocation'),concat(substring(variables('selectedLocation'),0,6),substring(variables('selectedLocation'),sub(length(variables('selectedLocation')),2),2)))]",
"subscriptionId": "[subscription().subscriptionId]",
"defaultRGName": "[concat('DefaultResourceGroup-', variables('locationCode'))]",
"defaultRGLocation": "[parameters('location')]",
"workspaceName": "[concat('DefaultWorkspace-', variables('subscriptionId'),'-', variables('locationCode'))]",
"deployDefaultAscResourceGroup": "[concat('deployDefaultAscResourceGroup-', uniqueString(deployment().name))]",
"deployExtension": "[concat('deployExtension-', uniqueString(deployment().name))]",
"isContainLocation": "[contains(variables('locationLongNameToShortMap'),parameters('location'))]"
},
"resources": [
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2020-06-01",
"name": "[variables('defaultRGName')]",
"location": "[variables('defaultRGLocation')]"
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-06-01",
"name": "[variables('deployDefaultAscResourceGroup')]",
"dependsOn": [
"[resourceId('Microsoft.Resources/resourceGroups', variables('defaultRGName'))]"
],
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"defaultRGLocation": {
"value": "[variables('defaultRGLocation')]"
},
"workspaceName": {
"value": "[variables('workspaceName')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"defaultRGLocation": {
"type": "string"
},
"workspaceName": {
"type": "string"
}
},
"variables": {
"securityCenterFreeSolution": {
"Name": "[Concat('SecurityCenterFree', '(', parameters('workspaceName'), ')')]",
"GalleryName": "SecurityCenterFree"
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"name": "[parameters('workspaceName')]",
"apiVersion": "2015-11-01-preview",
"location": "[parameters('defaultRGLocation')]",
"properties": {
"sku": {
"name": "pernode"
},
"retentionInDays": 30,
"features": {
"searchVersion": 1
}
}
},
{
"type": "Microsoft.OperationsManagement/solutions",
"name": "[variables('securityCenterFreeSolution').Name]",
"apiVersion": "2015-11-01-preview",
"location": "[parameters('defaultRGLocation')]",
"dependsOn": [
"[parameters('workspaceName')]"
],
"properties": {
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
},
"plan": {
"name": "[variables('securityCenterFreeSolution').Name]",
"publisher": "Microsoft",
"product": "[Concat('OMSGallery/', variables('securityCenterFreeSolution').GalleryName)]",
"promotionCode": ""
}
}
]
}
},
"resourceGroup": "[variables('defaultRGName')]"
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-06-01",
"name": "[variables('deployExtension')]",
"dependsOn": [
"[variables('deployDefaultAscResourceGroup')]"
],
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"workspaceId": {
"value": "[concat(subscription().id,'/resourceGroups/', variables('defaultRGName'), '/providers/Microsoft.OperationalInsights/workspaces/', variables('workspaceName'))]"
},
"vmName": {
"value": "[parameters('vmName')]"
},
"location": {
"value": "[parameters('location')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceId": {
"type": "string"
},
"vmName": {
"type": "string"
},
"location": {
"type": "string"
}
},
"variables": {
"vmExtensionName": "MicrosoftMonitoringAgent",
"vmExtensionPublisher": "Microsoft.EnterpriseCloud.Monitoring",
"vmExtensionType": "MicrosoftMonitoringAgent",
"vmExtensionTypeHandlerVersion": "1.0"
},
"resources": [
{
"name": "[concat(parameters('vmName'), '/', variables('vmExtensionName'))]",
"type": "Microsoft.HybridCompute/machines/extensions",
"location": "[parameters('location')]",
"apiVersion": "2019-12-12",
"properties": {
"publisher": "[variables('vmExtensionPublisher')]",
"type": "[variables('vmExtensionType')]",
"typeHandlerVersion": "[variables('vmExtensionTypeHandlerVersion')]",
"autoUpgradeMinorVersion": true,
"settings": {
"workspaceId": "[reference(parameters('workspaceId'), '2015-03-20').customerId]",
"stopOnMultipleConnections": "true"
},
"protectedSettings": {
"workspaceKey": "[listKeys(parameters('workspaceId'), '2015-03-20').primarySharedKey]"
}
}
}
]
}
},
"resourceGroup": "[parameters('vmResourceGroup')]"
}
]
},
"parameters": {
"location": {
"value": "[field('location')]"
},
"vmName": {
"value": "[field('name')]"
},
"vmResourceGroup": {
"value": "[resourceGroup().name]"
}
}
}
}
}
}
}
}{"displayName":"[Deprecated]: Configure Azure Arc-enabled Windows machines with Log Analytics agents connected to default Log Analytics workspace","policyType":"BuiltIn","mode":"Indexed","description":"Protect your Azure Arc-enabled Windows machines with Microsoft Defender for Cloud capabilities,by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud.","metadata":{"category":"Monitoring","version":"1.2.0-deprecated","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"Disabled"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"Microsoft.HybridCompute/machines/osName","equals":"windows"}]},"then":{"effect":"[parameters('effect')]","details":{"deploymentScope":"subscription","type":"Microsoft.HybridCompute/machines/extensions","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceCondition":{"allOf":[{"field":"Microsoft.HybridCompute/machines/extensions/type","equals":"MicrosoftMonitoringAgent"},{"field":"Microsoft.HybridCompute/machines/extensions/publisher","equals":"Microsoft.EnterpriseCloud.Monitoring"},{"field":"Microsoft.HybridCompute/machines/extensions/provisioningState","equals":"Succeeded"}]},"deployment":{"location":"eastus","properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"},"vmName":{"type":"string"},"vmResourceGroup":{"type":"string"}},"variables":{"locationLongNameToShortMap":{"australiacentral":"CAU","australiaeast":"EAU","australiasoutheast":"SEAU","brazilsouth":"CQ","canadacentral":"CCA","centralindia":"CIN","centralus":"CUS","eastasia":"EA","eastus2euap":"eus2p","eastus":"EUS","eastus2":"EUS2","francecentral":"PAR","germanywestcentral":"DEWC","japaneast":"EJP","koreacentral":"SE","northcentralus":"NCUS","northeurope":"NEU","norwayeast":"NOE","southcentralus":"SCUS","southeastasia":"SEA","switzerlandnorth":"CHN","switzerlandwest":"CHW","southafricanorth":"JNB","swedencentral":"SEC","uaenorth":"DXB","uksouth":"SUK","ukwest":"WUK","westcentralus":"WCUS","westeurope":"WEU","westus":"WUS","westus2":"WUS2"},"selectedLocation":"[if(variables('isContainLocation'),variables('locationLongNameToShortMap')[parameters('location')],parameters('location'))]","locationCode":"[if(lessOrEquals(length(variables('selectedLocation')),8),variables('selectedLocation'),concat(substring(variables('selectedLocation'),0,6),substring(variables('selectedLocation'),sub(length(variables('selectedLocation')),2),2)))]","subscriptionId":"[subscription().subscriptionId]","defaultRGName":"[concat('DefaultResourceGroup-',variables('locationCode'))]","defaultRGLocation":"[parameters('location')]","workspaceName":"[concat('DefaultWorkspace-',variables('subscriptionId'),'-',variables('locationCode'))]","deployDefaultAscResourceGroup":"[concat('deployDefaultAscResourceGroup-',uniqueString(deployment().name))]","deployExtension":"[concat('deployExtension-',uniqueString(deployment().name))]","isContainLocation":"[contains(variables('locationLongNameToShortMap'),parameters('location'))]"},"resources":[{"type":"Microsoft.Resources/resourceGroups","apiVersion":"2020-06-01","name":"[variables('defaultRGName')]","location":"[variables('defaultRGLocation')]"},{"type":"Microsoft.Resources/deployments","apiVersion":"2020-06-01","name":"[variables('deployDefaultAscResourceGroup')]","dependsOn":["[resourceId('Microsoft.Resources/resourceGroups',variables('defaultRGName'))]"],"properties":{"mode":"Incremental","expressionEvaluationOptions":{"scope":"inner"},"parameters":{"defaultRGLocation":{"value":"[variables('defaultRGLocation')]"},"workspaceName":{"value":"[variables('workspaceName')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"defaultRGLocation":{"type":"string"},"workspaceName":{"type":"string"}},"variables":{"securityCenterFreeSolution":{"Name":"[Concat('SecurityCenterFree','(',parameters('workspaceName'),')')]","GalleryName":"SecurityCenterFree"}},"resources":[{"type":"Microsoft.OperationalInsights/workspaces","name":"[parameters('workspaceName')]","apiVersion":"2015-11-01-preview","location":"[parameters('defaultRGLocation')]","properties":{"sku":{"name":"pernode"},"retentionInDays":30,"features":{"searchVersion":1}}},{"type":"Microsoft.OperationsManagement/solutions","name":"[variables('securityCenterFreeSolution').Name]","apiVersion":"2015-11-01-preview","location":"[parameters('defaultRGLocation')]","dependsOn":["[parameters('workspaceName')]"],"properties":{"workspaceResourceId":"[resourceId('Microsoft.OperationalInsights/workspaces/',parameters('workspaceName'))]"},"plan":{"name":"[variables('securityCenterFreeSolution').Name]","publisher":"Microsoft","product":"[Concat('OMSGallery/',variables('securityCenterFreeSolution').GalleryName)]","promotionCode":""}}]}},"resourceGroup":"[variables('defaultRGName')]"},{"type":"Microsoft.Resources/deployments","apiVersion":"2020-06-01","name":"[variables('deployExtension')]","dependsOn":["[variables('deployDefaultAscResourceGroup')]"],"properties":{"mode":"Incremental","expressionEvaluationOptions":{"scope":"inner"},"parameters":{"workspaceId":{"value":"[concat(subscription().id,'/resourceGroups/',variables('defaultRGName'),'/providers/Microsoft.OperationalInsights/workspaces/',variables('workspaceName'))]"},"vmName":{"value":"[parameters('vmName')]"},"location":{"value":"[parameters('location')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"workspaceId":{"type":"string"},"vmName":{"type":"string"},"location":{"type":"string"}},"variables":{"vmExtensionName":"MicrosoftMonitoringAgent","vmExtensionPublisher":"Microsoft.EnterpriseCloud.Monitoring","vmExtensionType":"MicrosoftMonitoringAgent","vmExtensionTypeHandlerVersion":"1.0"},"resources":[{"name":"[concat(parameters('vmName'),'/',variables('vmExtensionName'))]","type":"Microsoft.HybridCompute/machines/extensions","location":"[parameters('location')]","apiVersion":"2019-12-12","properties":{"publisher":"[variables('vmExtensionPublisher')]","type":"[variables('vmExtensionType')]","typeHandlerVersion":"[variables('vmExtensionTypeHandlerVersion')]","autoUpgradeMinorVersion":true,"settings":{"workspaceId":"[reference(parameters('workspaceId'),'2015-03-20').customerId]","stopOnMultipleConnections":"true"},"protectedSettings":{"workspaceKey":"[listKeys(parameters('workspaceId'),'2015-03-20').primarySharedKey]"}}}]}},"resourceGroup":"[parameters('vmResourceGroup')]"}]},"parameters":{"location":{"value":"[field('location')]"},"vmName":{"value":"[field('name')]"},"vmResourceGroup":{"value":"[resourceGroup().name]"}}}}}}}}Security Center
[Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent
This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent.
BuiltIn
False
2023-11-08
1.2.1-deprecated
1.2.1 (1.2.1-deprecated)
AzureCloud:true
AzureChinaCloud:unknown
AzureUSGovernment:unknown
AzureChinaCloud:unknown
AzureUSGovernment:unknown
Deprecated
Indexed
allowed: 'DeployIfNotExists', 'Disabled'
default: 'DeployIfNotExists'
default: 'DeployIfNotExists'
Uses 1 RBAC Role(s):
• Contributor (b24988ac-6180-42a0-ab88-20f7382dd24c)
• Contributor (b24988ac-6180-42a0-ab88-20f7382dd24c)
Used in 1 Policy Set(s):
• [Deprecated]: Configure machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent (362ab02d-c362-417e-a525-45805d58e21d) [Security Center] BuiltIn
Uses 9 Fx/Operator(s):
• concat()
• deployment()
• field()
• parameters()
• resourceGroup()
• resourceId()
• subscription()
• uniqueString()
• variables()
• concat()
• deployment()
• field()
• parameters()
• resourceGroup()
• resourceId()
• subscription()
• uniqueString()
• variables()
only applicable for Policy defintions of type: Static
JSON deep dive
{
"displayName": "[Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent.",
"metadata": {
"category": "Security Center",
"version": "1.2.1-deprecated",
"deprecated": true
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.HybridCompute/machines"
},
{
"field": "location",
"in": [
"australiacentral",
"australiaeast",
"australiasoutheast",
"brazilsouth",
"canadacentral",
"canadaeast",
"centralindia",
"centralus",
"eastasia",
"eastus2euap",
"eastus",
"eastus2",
"francecentral",
"germanywestcentral",
"japaneast",
"japanwest",
"jioindiawest",
"koreacentral",
"koreasouth",
"northcentralus",
"northeurope",
"norwayeast",
"southafricanorth",
"southcentralus",
"southeastasia",
"southindia",
"switzerlandnorth",
"uaenorth",
"uksouth",
"ukwest",
"westcentralus",
"westeurope",
"westindia",
"westus",
"westus2"
]
}
]
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.Insights/dataCollectionRules",
"deploymentScope": "subscription",
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"existenceScope": "subscription",
"existenceCondition": {
"allOf": [
{
"field": "location",
"equals": "[field('location')]"
},
{
"field": "name",
"equals": "[concat('Microsoft-Security-', field('location'), '-dcr')]"
}
]
},
"deployment": {
"location": "eastus",
"properties": {
"mode": "incremental",
"parameters": {
"resourceGroup": {
"value": "[resourceGroup().name]"
},
"location": {
"value": "[field('location')]"
},
"vmName": {
"value": "[field('name')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"resourceGroup": {
"type": "string"
},
"location": {
"type": "string"
},
"vmName": {
"type": "string"
}
},
"variables": {
"locationLongNameToShortMap": {
"australiacentral": "CAU",
"australiaeast": "EAU",
"australiasoutheast": "SEAU",
"brazilsouth": "CQ",
"canadacentral": "CCA",
"canadaeast": "CCA",
"centralindia": "CIN",
"centralus": "CUS",
"eastasia": "EA",
"eastus2euap": "eus2p",
"eastus": "EUS",
"eastus2": "EUS2",
"francecentral": "PAR",
"germanywestcentral": "DEWC",
"japaneast": "EJP",
"japanwest": "EJP",
"jioindiawest": "CIN",
"koreacentral": "SE",
"koreasouth": "SE",
"northcentralus": "NCUS",
"northeurope": "NEU",
"norwayeast": "NOE",
"southafricanorth": "JNB",
"southcentralus": "SCUS",
"southeastasia": "SEA",
"southindia": "CIN",
"swedencentral": "SEC",
"switzerlandnorth": "CHN",
"switzerlandwest": "CHW",
"uaenorth": "DXB",
"uksouth": "SUK",
"ukwest": "WUK",
"westcentralus": "WCUS",
"westeurope": "WEU",
"westindia": "CIN",
"westus": "WUS",
"westus2": "WUS2"
},
"locationCode": "[variables('locationLongNameToShortMap')[parameters('location')]]",
"subscriptionId": "[subscription().subscriptionId]",
"defaultRGName": "[concat('DefaultResourceGroup-', variables('locationCode'))]",
"defaultRGLocation": "[parameters('location')]",
"workspaceName": "[concat('defaultWorkspace-', variables('subscriptionId'),'-', variables('locationCode'))]",
"dcrName": "[concat('Microsoft-Security-', parameters('location'), '-dcr')]",
"dcrId": "[concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('defaultRGName'), '/providers/Microsoft.Insights/dataCollectionRules/', variables('dcrName'))]",
"dcraName": "[concat(parameters('vmName'),'/Microsoft.Insights/Security-RulesAssociation')]",
"deployDefaultAscResourceGroup": "[concat('deployDefaultAscResourceGroup-', uniqueString(deployment().name))]",
"deployDataCollectionRulesAssociation": "[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]"
},
"resources": [
{
"type": "Microsoft.Resources/resourceGroups",
"name": "[variables('defaultRGName')]",
"apiVersion": "2019-05-01",
"location": "[variables('defaultRGLocation')]"
},
{
"type": "Microsoft.Resources/deployments",
"name": "[variables('deployDefaultAscResourceGroup')]",
"apiVersion": "2020-06-01",
"resourceGroup": "[variables('defaultRGName')]",
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"defaultRGLocation": {
"value": "[variables('defaultRGLocation')]"
},
"workspaceName": {
"value": "[variables('workspaceName')]"
},
"dcrName": {
"value": "[variables('dcrName')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"defaultRGLocation": {
"type": "string"
},
"workspaceName": {
"type": "string"
},
"dcrName": {
"type": "string"
}
},
"variables": {
"securityCenterFreeSolution": {
"Name": "[Concat('SecurityCenterFree', '(', parameters('workspaceName'), ')')]",
"GalleryName": "SecurityCenterFree"
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"name": "[parameters('workspaceName')]",
"apiVersion": "2021-06-01",
"location": "[parameters('defaultRGLocation')]",
"properties": {
"sku": {
"name": "pernode"
},
"retentionInDays": 30,
"features": {
"searchVersion": 1
}
}
},
{
"type": "Microsoft.OperationsManagement/solutions",
"name": "[variables('securityCenterFreeSolution').Name]",
"apiVersion": "2015-11-01-preview",
"location": "[parameters('defaultRGLocation')]",
"dependsOn": [
"[parameters('workspaceName')]"
],
"properties": {
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
},
"plan": {
"name": "[variables('securityCenterFreeSolution').Name]",
"publisher": "Microsoft",
"product": "[Concat('OMSGallery/', variables('securityCenterFreeSolution').GalleryName)]",
"promotionCode": ""
}
},
{
"type": "Microsoft.Insights/dataCollectionRules",
"name": "[parameters('dcrName')]",
"apiVersion": "2021-04-01",
"location": "[parameters('defaultRGLocation')]",
"dependsOn": [
"[parameters('workspaceName')]"
],
"properties": {
"description": "Data collection rule for Microsoft Defender for Cloud. Deleting this rule will break the detection of security vulnerabilities.",
"dataSources": {
"extensions": [
{
"extensionName": "AzureSecurityLinuxAgent",
"name": "AscLinuxDataSource",
"streams": [
"Microsoft-OperationLog",
"Microsoft-ProtectionStatus"
],
"extensionSettings": {
"scanners": [
{
"name": "heartbeat",
"frequency": "PT1H"
},
{
"name": "time",
"frequency": "PT8H"
},
{
"name": "antimalware",
"frequency": "PT8H"
},
{
"name": "codeintegrity",
"frequency": "P1D"
},
{
"name": "processinvestigator",
"frequency": "PT1H"
},
{
"name": "baseline",
"frequency": "P1D"
},
{
"name": "docker",
"frequency": "P1D"
}
]
}
},
{
"extensionName": "AzureSecurityWindowsAgent",
"name": "AsaWindowsDataSource",
"streams": [
"Microsoft-OperationLog",
"Microsoft-ProtectionStatus"
],
"extensionSettings": {
"scanners": [
{
"name": "heartbeat",
"frequency": "PT1H"
},
{
"name": "baseline",
"frequency": "P1D"
},
{
"name": "antimalware",
"frequency": "P1D"
},
{
"name": "processinvestigator",
"frequency": "PT1H"
}
]
}
}
]
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]",
"name": "LogAnalyticsDest"
}
]
},
"dataFlows": [
{
"streams": [
"Microsoft-OperationLog",
"Microsoft-ProtectionStatus"
],
"destinations": [
"LogAnalyticsDest"
]
}
]
}
}
]
}
},
"dependsOn": [
"[resourceId('Microsoft.Resources/resourceGroups', variables('defaultRGName'))]"
]
},
{
"type": "Microsoft.Resources/deployments",
"name": "[variables('deployDataCollectionRulesAssociation')]",
"apiVersion": "2020-06-01",
"resourceGroup": "[parameters('resourceGroup')]",
"dependsOn": [
"[variables('deployDefaultAscResourceGroup')]"
],
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"location": {
"value": "[parameters('location')]"
},
"vmName": {
"value": "[parameters('vmName')]"
},
"dcrId": {
"value": "[variables('dcrId')]"
},
"dcraName": {
"value": "[variables('dcraName')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string"
},
"vmName": {
"type": "string"
},
"dcrId": {
"type": "string"
},
"dcraName": {
"type": "string"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.HybridCompute/machines/providers/dataCollectionRuleAssociations",
"name": "[parameters('dcraName')]",
"apiVersion": "2021-04-01",
"properties": {
"description": "Association of data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this virtual machine.",
"dataCollectionRuleId": "[parameters('dcrId')]"
}
}
]
}
}
}
]
}
}
}
}
}
}
}{"displayName":"[Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent","policyType":"BuiltIn","mode":"Indexed","description":"This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy,Azure Monitor agent is no longer required to receive Defender for Servers security features,but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent.","metadata":{"category":"Security Center","version":"1.2.1-deprecated","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.HybridCompute/machines"},{"field":"location","in":["australiacentral","australiaeast","australiasoutheast","brazilsouth","canadacentral","canadaeast","centralindia","centralus","eastasia","eastus2euap","eastus","eastus2","francecentral","germanywestcentral","japaneast","japanwest","jioindiawest","koreacentral","koreasouth","northcentralus","northeurope","norwayeast","southafricanorth","southcentralus","southeastasia","southindia","switzerlandnorth","uaenorth","uksouth","ukwest","westcentralus","westeurope","westindia","westus","westus2"]}]},"then":{"effect":"[parameters('effect')]","details":{"type":"Microsoft.Insights/dataCollectionRules","deploymentScope":"subscription","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceScope":"subscription","existenceCondition":{"allOf":[{"field":"location","equals":"[field('location')]"},{"field":"name","equals":"[concat('Microsoft-Security-',field('location'),'-dcr')]"}]},"deployment":{"location":"eastus","properties":{"mode":"incremental","parameters":{"resourceGroup":{"value":"[resourceGroup().name]"},"location":{"value":"[field('location')]"},"vmName":{"value":"[field('name')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceGroup":{"type":"string"},"location":{"type":"string"},"vmName":{"type":"string"}},"variables":{"locationLongNameToShortMap":{"australiacentral":"CAU","australiaeast":"EAU","australiasoutheast":"SEAU","brazilsouth":"CQ","canadacentral":"CCA","canadaeast":"CCA","centralindia":"CIN","centralus":"CUS","eastasia":"EA","eastus2euap":"eus2p","eastus":"EUS","eastus2":"EUS2","francecentral":"PAR","germanywestcentral":"DEWC","japaneast":"EJP","japanwest":"EJP","jioindiawest":"CIN","koreacentral":"SE","koreasouth":"SE","northcentralus":"NCUS","northeurope":"NEU","norwayeast":"NOE","southafricanorth":"JNB","southcentralus":"SCUS","southeastasia":"SEA","southindia":"CIN","swedencentral":"SEC","switzerlandnorth":"CHN","switzerlandwest":"CHW","uaenorth":"DXB","uksouth":"SUK","ukwest":"WUK","westcentralus":"WCUS","westeurope":"WEU","westindia":"CIN","westus":"WUS","westus2":"WUS2"},"locationCode":"[variables('locationLongNameToShortMap')[parameters('location')]]","subscriptionId":"[subscription().subscriptionId]","defaultRGName":"[concat('DefaultResourceGroup-',variables('locationCode'))]","defaultRGLocation":"[parameters('location')]","workspaceName":"[concat('defaultWorkspace-',variables('subscriptionId'),'-',variables('locationCode'))]","dcrName":"[concat('Microsoft-Security-',parameters('location'),'-dcr')]","dcrId":"[concat('/subscriptions/',variables('subscriptionId'),'/resourceGroups/',variables('defaultRGName'),'/providers/Microsoft.Insights/dataCollectionRules/',variables('dcrName'))]","dcraName":"[concat(parameters('vmName'),'/Microsoft.Insights/Security-RulesAssociation')]","deployDefaultAscResourceGroup":"[concat('deployDefaultAscResourceGroup-',uniqueString(deployment().name))]","deployDataCollectionRulesAssociation":"[concat('deployDataCollectionRulesAssociation-',uniqueString(deployment().name))]"},"resources":[{"type":"Microsoft.Resources/resourceGroups","name":"[variables('defaultRGName')]","apiVersion":"2019-05-01","location":"[variables('defaultRGLocation')]"},{"type":"Microsoft.Resources/deployments","name":"[variables('deployDefaultAscResourceGroup')]","apiVersion":"2020-06-01","resourceGroup":"[variables('defaultRGName')]","properties":{"mode":"Incremental","expressionEvaluationOptions":{"scope":"inner"},"parameters":{"defaultRGLocation":{"value":"[variables('defaultRGLocation')]"},"workspaceName":{"value":"[variables('workspaceName')]"},"dcrName":{"value":"[variables('dcrName')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"defaultRGLocation":{"type":"string"},"workspaceName":{"type":"string"},"dcrName":{"type":"string"}},"variables":{"securityCenterFreeSolution":{"Name":"[Concat('SecurityCenterFree','(',parameters('workspaceName'),')')]","GalleryName":"SecurityCenterFree"}},"resources":[{"type":"Microsoft.OperationalInsights/workspaces","name":"[parameters('workspaceName')]","apiVersion":"2021-06-01","location":"[parameters('defaultRGLocation')]","properties":{"sku":{"name":"pernode"},"retentionInDays":30,"features":{"searchVersion":1}}},{"type":"Microsoft.OperationsManagement/solutions","name":"[variables('securityCenterFreeSolution').Name]","apiVersion":"2015-11-01-preview","location":"[parameters('defaultRGLocation')]","dependsOn":["[parameters('workspaceName')]"],"properties":{"workspaceResourceId":"[resourceId('Microsoft.OperationalInsights/workspaces/',parameters('workspaceName'))]"},"plan":{"name":"[variables('securityCenterFreeSolution').Name]","publisher":"Microsoft","product":"[Concat('OMSGallery/',variables('securityCenterFreeSolution').GalleryName)]","promotionCode":""}},{"type":"Microsoft.Insights/dataCollectionRules","name":"[parameters('dcrName')]","apiVersion":"2021-04-01","location":"[parameters('defaultRGLocation')]","dependsOn":["[parameters('workspaceName')]"],"properties":{"description":"Data collection rule for Microsoft Defender for Cloud. Deleting this rule will break the detection of security vulnerabilities.","dataSources":{"extensions":[{"extensionName":"AzureSecurityLinuxAgent","name":"AscLinuxDataSource","streams":["Microsoft-OperationLog","Microsoft-ProtectionStatus"],"extensionSettings":{"scanners":[{"name":"heartbeat","frequency":"PT1H"},{"name":"time","frequency":"PT8H"},{"name":"antimalware","frequency":"PT8H"},{"name":"codeintegrity","frequency":"P1D"},{"name":"processinvestigator","frequency":"PT1H"},{"name":"baseline","frequency":"P1D"},{"name":"docker","frequency":"P1D"}]}},{"extensionName":"AzureSecurityWindowsAgent","name":"AsaWindowsDataSource","streams":["Microsoft-OperationLog","Microsoft-ProtectionStatus"],"extensionSettings":{"scanners":[{"name":"heartbeat","frequency":"PT1H"},{"name":"baseline","frequency":"P1D"},{"name":"antimalware","frequency":"P1D"},{"name":"processinvestigator","frequency":"PT1H"}]}}]},"destinations":{"logAnalytics":[{"workspaceResourceId":"[resourceId('Microsoft.OperationalInsights/workspaces/',parameters('workspaceName'))]","name":"LogAnalyticsDest"}]},"dataFlows":[{"streams":["Microsoft-OperationLog","Microsoft-ProtectionStatus"],"destinations":["LogAnalyticsDest"]}]}}]}},"dependsOn":["[resourceId('Microsoft.Resources/resourceGroups',variables('defaultRGName'))]"]},{"type":"Microsoft.Resources/deployments","name":"[variables('deployDataCollectionRulesAssociation')]","apiVersion":"2020-06-01","resourceGroup":"[parameters('resourceGroup')]","dependsOn":["[variables('deployDefaultAscResourceGroup')]"],"properties":{"mode":"Incremental","expressionEvaluationOptions":{"scope":"inner"},"parameters":{"location":{"value":"[parameters('location')]"},"vmName":{"value":"[parameters('vmName')]"},"dcrId":{"value":"[variables('dcrId')]"},"dcraName":{"value":"[variables('dcraName')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"},"vmName":{"type":"string"},"dcrId":{"type":"string"},"dcraName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.HybridCompute/machines/providers/dataCollectionRuleAssociations","name":"[parameters('dcraName')]","apiVersion":"2021-04-01","properties":{"description":"Association of data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this virtual machine.","dataCollectionRuleId":"[parameters('dcrId')]"}}]}}}]}}}}}}}Security Center
[Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent
This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent.
BuiltIn
False
2023-11-08
5.2.1-deprecated
5.2.1 (5.2.1-deprecated)
AzureCloud:true
AzureChinaCloud:unknown
AzureUSGovernment:unknown
AzureChinaCloud:unknown
AzureUSGovernment:unknown
Deprecated
Indexed
allowed: 'DeployIfNotExists', 'Disabled'
default: 'DeployIfNotExists'
default: 'DeployIfNotExists'
Uses 1 RBAC Role(s):
• Contributor (b24988ac-6180-42a0-ab88-20f7382dd24c)
• Contributor (b24988ac-6180-42a0-ab88-20f7382dd24c)
Used in 2 Policy Set(s):
• [Deprecated]: Configure machines to automatically install the Azure Monitor and Azure Security agents on virtual machines (a15f3269-2e10-458c-87a4-d5989e678a73) [Monitoring] BuiltIn
• [Deprecated]: Configure machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent (362ab02d-c362-417e-a525-45805d58e21d) [Security Center] BuiltIn
Uses 9 Fx/Operator(s):
• concat()
• deployment()
• field()
• parameters()
• resourceGroup()
• resourceId()
• subscription()
• uniqueString()
• variables()
• concat()
• deployment()
• field()
• parameters()
• resourceGroup()
• resourceId()
• subscription()
• uniqueString()
• variables()
only applicable for Policy defintions of type: Static
JSON deep dive
{
"displayName": "[Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent.",
"metadata": {
"category": "Security Center",
"version": "5.2.1-deprecated",
"deprecated": true
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"field": "location",
"in": [
"australiacentral",
"australiaeast",
"australiasoutheast",
"brazilsouth",
"canadacentral",
"canadaeast",
"centralindia",
"centralus",
"eastasia",
"eastus2euap",
"eastus",
"eastus2",
"francecentral",
"germanywestcentral",
"japaneast",
"japanwest",
"jioindiawest",
"koreacentral",
"koreasouth",
"northcentralus",
"northeurope",
"norwayeast",
"southafricanorth",
"southcentralus",
"southeastasia",
"southindia",
"switzerlandnorth",
"uaenorth",
"uksouth",
"ukwest",
"westcentralus",
"westeurope",
"westindia",
"westus",
"westus2"
]
}
]
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.Insights/dataCollectionRules",
"deploymentScope": "subscription",
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"existenceScope": "subscription",
"existenceCondition": {
"allOf": [
{
"field": "location",
"equals": "[field('location')]"
},
{
"field": "name",
"equals": "[concat('Microsoft-Security-', field('location'), '-dcr')]"
}
]
},
"deployment": {
"location": "eastus",
"properties": {
"mode": "incremental",
"parameters": {
"resourceGroup": {
"value": "[resourceGroup().name]"
},
"location": {
"value": "[field('location')]"
},
"vmName": {
"value": "[field('name')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"resourceGroup": {
"type": "string"
},
"location": {
"type": "string"
},
"vmName": {
"type": "string"
}
},
"variables": {
"locationLongNameToShortMap": {
"australiacentral": "CAU",
"australiaeast": "EAU",
"australiasoutheast": "SEAU",
"brazilsouth": "CQ",
"canadacentral": "CCA",
"canadaeast": "CCA",
"centralindia": "CIN",
"centralus": "CUS",
"eastasia": "EA",
"eastus2euap": "eus2p",
"eastus": "EUS",
"eastus2": "EUS2",
"francecentral": "PAR",
"germanywestcentral": "DEWC",
"japaneast": "EJP",
"japanwest": "EJP",
"jioindiawest": "CIN",
"koreacentral": "SE",
"koreasouth": "SE",
"northcentralus": "NCUS",
"northeurope": "NEU",
"norwayeast": "NOE",
"southafricanorth": "JNB",
"southcentralus": "SCUS",
"southeastasia": "SEA",
"southindia": "CIN",
"swedencentral": "SEC",
"switzerlandnorth": "CHN",
"switzerlandwest": "CHW",
"uaenorth": "DXB",
"uksouth": "SUK",
"ukwest": "WUK",
"westcentralus": "WCUS",
"westeurope": "WEU",
"westindia": "CIN",
"westus": "WUS",
"westus2": "WUS2"
},
"locationCode": "[variables('locationLongNameToShortMap')[parameters('location')]]",
"subscriptionId": "[subscription().subscriptionId]",
"defaultRGName": "[concat('DefaultResourceGroup-', variables('locationCode'))]",
"defaultRGLocation": "[parameters('location')]",
"workspaceName": "[concat('defaultWorkspace-', variables('subscriptionId'),'-', variables('locationCode'))]",
"dcrName": "[concat('Microsoft-Security-', parameters('location'), '-dcr')]",
"dcrId": "[concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('defaultRGName'), '/providers/Microsoft.Insights/dataCollectionRules/', variables('dcrName'))]",
"dcraName": "[concat(parameters('vmName'),'/Microsoft.Insights/Security-RulesAssociation')]",
"deployDefaultAscResourceGroup": "[concat('deployDefaultAscResourceGroup-', uniqueString(deployment().name))]",
"deployDataCollectionRulesAssociation": "[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]"
},
"resources": [
{
"type": "Microsoft.Resources/resourceGroups",
"name": "[variables('defaultRGName')]",
"apiVersion": "2019-05-01",
"location": "[variables('defaultRGLocation')]"
},
{
"type": "Microsoft.Resources/deployments",
"name": "[variables('deployDefaultAscResourceGroup')]",
"apiVersion": "2020-06-01",
"resourceGroup": "[variables('defaultRGName')]",
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"defaultRGLocation": {
"value": "[variables('defaultRGLocation')]"
},
"workspaceName": {
"value": "[variables('workspaceName')]"
},
"dcrName": {
"value": "[variables('dcrName')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"defaultRGLocation": {
"type": "string"
},
"workspaceName": {
"type": "string"
},
"dcrName": {
"type": "string"
}
},
"variables": {
"securityCenterFreeSolution": {
"Name": "[Concat('SecurityCenterFree', '(', parameters('workspaceName'), ')')]",
"GalleryName": "SecurityCenterFree"
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"name": "[parameters('workspaceName')]",
"apiVersion": "2021-06-01",
"location": "[parameters('defaultRGLocation')]",
"properties": {
"sku": {
"name": "pernode"
},
"retentionInDays": 30,
"features": {
"searchVersion": 1
}
}
},
{
"type": "Microsoft.OperationsManagement/solutions",
"name": "[variables('securityCenterFreeSolution').Name]",
"apiVersion": "2015-11-01-preview",
"location": "[parameters('defaultRGLocation')]",
"dependsOn": [
"[parameters('workspaceName')]"
],
"properties": {
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
},
"plan": {
"name": "[variables('securityCenterFreeSolution').Name]",
"publisher": "Microsoft",
"product": "[Concat('OMSGallery/', variables('securityCenterFreeSolution').GalleryName)]",
"promotionCode": ""
}
},
{
"type": "Microsoft.Insights/dataCollectionRules",
"name": "[parameters('dcrName')]",
"apiVersion": "2021-04-01",
"location": "[parameters('defaultRGLocation')]",
"dependsOn": [
"[parameters('workspaceName')]"
],
"properties": {
"description": "Data collection rule for Microsoft Defender for Cloud. Deleting this rule will break the detection of security vulnerabilities.",
"dataSources": {
"extensions": [
{
"extensionName": "AzureSecurityLinuxAgent",
"name": "AscLinuxDataSource",
"streams": [
"Microsoft-OperationLog",
"Microsoft-ProtectionStatus"
],
"extensionSettings": {
"scanners": [
{
"name": "heartbeat",
"frequency": "PT1H"
},
{
"name": "time",
"frequency": "PT8H"
},
{
"name": "antimalware",
"frequency": "PT8H"
},
{
"name": "codeintegrity",
"frequency": "P1D"
},
{
"name": "processinvestigator",
"frequency": "PT1H"
},
{
"name": "baseline",
"frequency": "P1D"
},
{
"name": "docker",
"frequency": "P1D"
}
]
}
},
{
"extensionName": "AzureSecurityWindowsAgent",
"name": "AsaWindowsDataSource",
"streams": [
"Microsoft-OperationLog",
"Microsoft-ProtectionStatus"
],
"extensionSettings": {
"scanners": [
{
"name": "heartbeat",
"frequency": "PT1H"
},
{
"name": "baseline",
"frequency": "P1D"
},
{
"name": "antimalware",
"frequency": "P1D"
},
{
"name": "processinvestigator",
"frequency": "PT1H"
}
]
}
}
]
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]",
"name": "LogAnalyticsDest"
}
]
},
"dataFlows": [
{
"streams": [
"Microsoft-OperationLog",
"Microsoft-ProtectionStatus"
],
"destinations": [
"LogAnalyticsDest"
]
}
]
}
}
]
}
},
"dependsOn": [
"[resourceId('Microsoft.Resources/resourceGroups', variables('defaultRGName'))]"
]
},
{
"type": "Microsoft.Resources/deployments",
"name": "[variables('deployDataCollectionRulesAssociation')]",
"apiVersion": "2020-06-01",
"resourceGroup": "[parameters('resourceGroup')]",
"dependsOn": [
"[variables('deployDefaultAscResourceGroup')]"
],
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"location": {
"value": "[parameters('location')]"
},
"vmName": {
"value": "[parameters('vmName')]"
},
"dcrId": {
"value": "[variables('dcrId')]"
},
"dcraName": {
"value": "[variables('dcraName')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string"
},
"vmName": {
"type": "string"
},
"dcrId": {
"type": "string"
},
"dcraName": {
"type": "string"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations",
"name": "[parameters('dcraName')]",
"apiVersion": "2021-04-01",
"properties": {
"description": "Association of data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this virtual machine.",
"dataCollectionRuleId": "[parameters('dcrId')]"
}
}
]
}
}
}
]
}
}
}
}
}
}
}{"displayName":"[Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent","policyType":"BuiltIn","mode":"Indexed","description":"This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy,Azure Monitor agent is no longer required to receive Defender for Servers security features,but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent.","metadata":{"category":"Security Center","version":"5.2.1-deprecated","deprecated":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"location","in":["australiacentral","australiaeast","australiasoutheast","brazilsouth","canadacentral","canadaeast","centralindia","centralus","eastasia","eastus2euap","eastus","eastus2","francecentral","germanywestcentral","japaneast","japanwest","jioindiawest","koreacentral","koreasouth","northcentralus","northeurope","norwayeast","southafricanorth","southcentralus","southeastasia","southindia","switzerlandnorth","uaenorth","uksouth","ukwest","westcentralus","westeurope","westindia","westus","westus2"]}]},"then":{"effect":"[parameters('effect')]","details":{"type":"Microsoft.Insights/dataCollectionRules","deploymentScope":"subscription","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"existenceScope":"subscription","existenceCondition":{"allOf":[{"field":"location","equals":"[field('location')]"},{"field":"name","equals":"[concat('Microsoft-Security-',field('location'),'-dcr')]"}]},"deployment":{"location":"eastus","properties":{"mode":"incremental","parameters":{"resourceGroup":{"value":"[resourceGroup().name]"},"location":{"value":"[field('location')]"},"vmName":{"value":"[field('name')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceGroup":{"type":"string"},"location":{"type":"string"},"vmName":{"type":"string"}},"variables":{"locationLongNameToShortMap":{"australiacentral":"CAU","australiaeast":"EAU","australiasoutheast":"SEAU","brazilsouth":"CQ","canadacentral":"CCA","canadaeast":"CCA","centralindia":"CIN","centralus":"CUS","eastasia":"EA","eastus2euap":"eus2p","eastus":"EUS","eastus2":"EUS2","francecentral":"PAR","germanywestcentral":"DEWC","japaneast":"EJP","japanwest":"EJP","jioindiawest":"CIN","koreacentral":"SE","koreasouth":"SE","northcentralus":"NCUS","northeurope":"NEU","norwayeast":"NOE","southafricanorth":"JNB","southcentralus":"SCUS","southeastasia":"SEA","southindia":"CIN","swedencentral":"SEC","switzerlandnorth":"CHN","switzerlandwest":"CHW","uaenorth":"DXB","uksouth":"SUK","ukwest":"WUK","westcentralus":"WCUS","westeurope":"WEU","westindia":"CIN","westus":"WUS","westus2":"WUS2"},"locationCode":"[variables('locationLongNameToShortMap')[parameters('location')]]","subscriptionId":"[subscription().subscriptionId]","defaultRGName":"[concat('DefaultResourceGroup-',variables('locationCode'))]","defaultRGLocation":"[parameters('location')]","workspaceName":"[concat('defaultWorkspace-',variables('subscriptionId'),'-',variables('locationCode'))]","dcrName":"[concat('Microsoft-Security-',parameters('location'),'-dcr')]","dcrId":"[concat('/subscriptions/',variables('subscriptionId'),'/resourceGroups/',variables('defaultRGName'),'/providers/Microsoft.Insights/dataCollectionRules/',variables('dcrName'))]","dcraName":"[concat(parameters('vmName'),'/Microsoft.Insights/Security-RulesAssociation')]","deployDefaultAscResourceGroup":"[concat('deployDefaultAscResourceGroup-',uniqueString(deployment().name))]","deployDataCollectionRulesAssociation":"[concat('deployDataCollectionRulesAssociation-',uniqueString(deployment().name))]"},"resources":[{"type":"Microsoft.Resources/resourceGroups","name":"[variables('defaultRGName')]","apiVersion":"2019-05-01","location":"[variables('defaultRGLocation')]"},{"type":"Microsoft.Resources/deployments","name":"[variables('deployDefaultAscResourceGroup')]","apiVersion":"2020-06-01","resourceGroup":"[variables('defaultRGName')]","properties":{"mode":"Incremental","expressionEvaluationOptions":{"scope":"inner"},"parameters":{"defaultRGLocation":{"value":"[variables('defaultRGLocation')]"},"workspaceName":{"value":"[variables('workspaceName')]"},"dcrName":{"value":"[variables('dcrName')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"defaultRGLocation":{"type":"string"},"workspaceName":{"type":"string"},"dcrName":{"type":"string"}},"variables":{"securityCenterFreeSolution":{"Name":"[Concat('SecurityCenterFree','(',parameters('workspaceName'),')')]","GalleryName":"SecurityCenterFree"}},"resources":[{"type":"Microsoft.OperationalInsights/workspaces","name":"[parameters('workspaceName')]","apiVersion":"2021-06-01","location":"[parameters('defaultRGLocation')]","properties":{"sku":{"name":"pernode"},"retentionInDays":30,"features":{"searchVersion":1}}},{"type":"Microsoft.OperationsManagement/solutions","name":"[variables('securityCenterFreeSolution').Name]","apiVersion":"2015-11-01-preview","location":"[parameters('defaultRGLocation')]","dependsOn":["[parameters('workspaceName')]"],"properties":{"workspaceResourceId":"[resourceId('Microsoft.OperationalInsights/workspaces/',parameters('workspaceName'))]"},"plan":{"name":"[variables('securityCenterFreeSolution').Name]","publisher":"Microsoft","product":"[Concat('OMSGallery/',variables('securityCenterFreeSolution').GalleryName)]","promotionCode":""}},{"type":"Microsoft.Insights/dataCollectionRules","name":"[parameters('dcrName')]","apiVersion":"2021-04-01","location":"[parameters('defaultRGLocation')]","dependsOn":["[parameters('workspaceName')]"],"properties":{"description":"Data collection rule for Microsoft Defender for Cloud. Deleting this rule will break the detection of security vulnerabilities.","dataSources":{"extensions":[{"extensionName":"AzureSecurityLinuxAgent","name":"AscLinuxDataSource","streams":["Microsoft-OperationLog","Microsoft-ProtectionStatus"],"extensionSettings":{"scanners":[{"name":"heartbeat","frequency":"PT1H"},{"name":"time","frequency":"PT8H"},{"name":"antimalware","frequency":"PT8H"},{"name":"codeintegrity","frequency":"P1D"},{"name":"processinvestigator","frequency":"PT1H"},{"name":"baseline","frequency":"P1D"},{"name":"docker","frequency":"P1D"}]}},{"extensionName":"AzureSecurityWindowsAgent","name":"AsaWindowsDataSource","streams":["Microsoft-OperationLog","Microsoft-ProtectionStatus"],"extensionSettings":{"scanners":[{"name":"heartbeat","frequency":"PT1H"},{"name":"baseline","frequency":"P1D"},{"name":"antimalware","frequency":"P1D"},{"name":"processinvestigator","frequency":"PT1H"}]}}]},"destinations":{"logAnalytics":[{"workspaceResourceId":"[resourceId('Microsoft.OperationalInsights/workspaces/',parameters('workspaceName'))]","name":"LogAnalyticsDest"}]},"dataFlows":[{"streams":["Microsoft-OperationLog","Microsoft-ProtectionStatus"],"destinations":["LogAnalyticsDest"]}]}}]}},"dependsOn":["[resourceId('Microsoft.Resources/resourceGroups',variables('defaultRGName'))]"]},{"type":"Microsoft.Resources/deployments","name":"[variables('deployDataCollectionRulesAssociation')]","apiVersion":"2020-06-01","resourceGroup":"[parameters('resourceGroup')]","dependsOn":["[variables('deployDefaultAscResourceGroup')]"],"properties":{"mode":"Incremental","expressionEvaluationOptions":{"scope":"inner"},"parameters":{"location":{"value":"[parameters('location')]"},"vmName":{"value":"[parameters('vmName')]"},"dcrId":{"value":"[variables('dcrId')]"},"dcraName":{"value":"[variables('dcraName')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"location":{"type":"string"},"vmName":{"type":"string"},"dcrId":{"type":"string"},"dcraName":{"type":"string"}},"variables":{},"resources":[{"type":"Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations","name":"[parameters('dcraName')]","apiVersion":"2021-04-01","properties":{"description":"Association of data collection rule for Microsoft Defender for Cloud. Deleting this association will break the detection of security vulnerabilities for this virtual machine.","dataCollectionRuleId":"[parameters('dcrId')]"}}]}}}]}}}}}}}
Security Center
Deploy Security Center Standard to Workspaces
This Policy will Deploy the OMS Solution that enables Security Center Standard on a workspace if the solution does not exist.
Community
False
1.0.0
n/a
AzureCloud:true
AzureChinaCloud:n/a
AzureUSGovernment:n/a
AzureChinaCloud:n/a
AzureUSGovernment:n/a
GA
All
allowed: 'AuditIfNotExists', 'DeployIfNotExists', 'Disabled'
default: 'DeployIfNotExists'
default: 'DeployIfNotExists'
Uses 1 RBAC Role(s):
• Owner (8e3af657-a8ff-443c-a75c-2fe8c4bcb635)
• Owner (8e3af657-a8ff-443c-a75c-2fe8c4bcb635)
Uses 4 Fx/Operator(s):
• concat()
• field()
• parameters()
• resourceGroup()
• concat()
• field()
• parameters()
• resourceGroup()
if (1)
• 'Microsoft.OperationalInsights/workspaces'
thenDeployment (1)
• 'microsoft.operationsmanagement/solutions'
only applicable for Policy defintions of type: Static
JSON deep dive
{
"displayName": "Deploy Security Center Standard to Workspaces",
"description": "This Policy will Deploy the OMS Solution that enables Security Center Standard on a workspace if the solution does not exist.",
"metadata": {
"version": "1.0.0",
"category": "Security Center"
},
"mode": "All",
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "DeployIfNotExists, AuditIfNotExists or Disabled the execution of the Policy"
},
"allowedValues": [
"DeployIfNotExists",
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
}
},
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.OperationalInsights/workspaces"
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.OperationsManagement/solutions",
"name": "[concat('Security(', field('name'),')')]",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
],
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"azureMonitorWorkspaceName": {
"type": "string"
},
"location": {
"type": "string"
}
},
"resources": [
{
"name": "[concat('Security', '(', parameters('azureMonitorWorkspaceName'), ')')]",
"type": "Microsoft.OperationsManagement/solutions",
"apiVersion": "2015-11-01-preview",
"location": "[parameters('location')]",
"plan": {
"name": "[concat('Security', '(', parameters('azureMonitorWorkspaceName'), ')')]",
"publisher": "Microsoft",
"promotionCode": "",
"product": "OMSGallery/Security"
},
"properties": {
"workspaceResourceId": "[concat(resourceGroup().id,'/providers/microsoft.operationalinsights/workspaces/', parameters('azureMonitorWorkspaceName'))]"
}
}
]
},
"parameters": {
"azureMonitorWorkspaceName": {
"value": "[field('name')]"
},
"location": {
"value": "[field('location')]"
}
}
}
}
}
}
}
}{"displayName":"Deploy Security Center Standard to Workspaces","description":"This Policy will Deploy the OMS Solution that enables Security Center Standard on a workspace if the solution does not exist.","metadata":{"version":"1.0.0","category":"Security Center"},"mode":"All","parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"DeployIfNotExists,AuditIfNotExists or Disabled the execution of the Policy"},"allowedValues":["DeployIfNotExists","AuditIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.OperationalInsights/workspaces"},"then":{"effect":"[parameters('effect')]","details":{"type":"Microsoft.OperationsManagement/solutions","name":"[concat('Security(',field('name'),')')]","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"azureMonitorWorkspaceName":{"type":"string"},"location":{"type":"string"}},"resources":[{"name":"[concat('Security','(',parameters('azureMonitorWorkspaceName'),')')]","type":"Microsoft.OperationsManagement/solutions","apiVersion":"2015-11-01-preview","location":"[parameters('location')]","plan":{"name":"[concat('Security','(',parameters('azureMonitorWorkspaceName'),')')]","publisher":"Microsoft","promotionCode":"","product":"OMSGallery/Security"},"properties":{"workspaceResourceId":"[concat(resourceGroup().id,'/providers/microsoft.operationalinsights/workspaces/',parameters('azureMonitorWorkspaceName'))]"}}]},"parameters":{"azureMonitorWorkspaceName":{"value":"[field('name')]"},"location":{"value":"[field('location')]"}}}}}}}}
1
to
5
of
5
Page
1
of
1