From 9f44e1dddb198a44b6c243e51a9ed194ad6dc52a Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 4 Mar 2024 14:59:37 +0400 Subject: [PATCH] Portal Accelerator Update: Defender for Cloud ARM template and AzFW AZs (#1576) Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com> --- docs/wiki/Whats-new.md | 1 + eslzArm/eslz-portal.json | 12 +- eslzArm/eslzArm.json | 85 ++- .../mdfcConfiguration.json | 682 ++++++++++++++++++ 4 files changed, 777 insertions(+), 3 deletions(-) create mode 100644 eslzArm/subscriptionTemplates/mdfcConfiguration.json diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index 1b04afd066..670213e945 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -50,6 +50,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: #### Tooling - Add new Regulatory Compliance Policy Assignment flexibility feature +- Added ARM template to enable Microsoft Defender for Cloud as part of the deployment. Policies will still remediate additional subscriptions added to ALZ after deployment. ### February 2024 diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index ee7b27e2c2..7e9b71feda 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json 
@@ -2281,11 +2281,21 @@ ] } }, + { + "name": "esFWAZNote", + "type": "Microsoft.Common.InfoBox", + "visible": "[if(or(equals(steps('connectivity').enableHub, 'vhub'), equals(steps('connectivity').enableHub, 'vwan')), and(equals(steps('connectivity').enableAzFw,'Yes'), contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia,italynorth', ','), steps('connectivity').connectivityLocation)), false)]", + "options": { + "text": "ALZ enables Availability Zones for all services that it deploys by default for maximum resiliency in regions where Availability Zones are supported, including for Azure Firewall. Review the selected Availability Zones meet your architectural requirements and that you understand the added costs for inbound and outbound data transfers associated with Avaialability Zones, before proceeding. Click on this box to learn more about the Availability Zones and Azure Firewall.", + "uri": "https://learn.microsoft.com/en-us/azure/firewall/features#built-in-high-availability", + "style": "Info" + } + }, { "name": "firewallZones", "type": "Microsoft.Common.DropDown", "label": "Select Availability Zones for the Azure Firewall", - "defaultValue": "None", + "defaultValue": [{"value": "1"}, {"value": "2"}, {"value": "3"}], "multiselect": true, "selectAll": true, "filter": true, diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 4ee0107bfe..f20023e766 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json 
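Review bot: The operator-facing text of the new `esFWAZNote` InfoBox misspells "Availability" as `Avaialability`, and "Review the selected Availability Zones meet" should read `Review that the selected Availability Zones meet`. The `visible` expression also carries the list of zone-capable regions as an inline string literal. If the `firewallZones` dropdown, whose definition continues outside this hunk, keeps its own copy of that list, the two can drift apart. With `defaultValue` now pre-selecting zones 1, 2 and 3, a stale copy would show the cost and resiliency notice in the wrong regions, so a comment naming the single source of the region list would help.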
@@ -1088,7 +1088,8 @@ "ChangeTrackingVmArcPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMArcPolicyAssignment.json')]", "ChangeTrackingVmssPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMSSPolicyAssignment.json')]", "MDFCDefenderSqlAma": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-MDFCDefenderSQLAMAPolicyAssignment.json')]", - "dataCollectionRuleMdfcDefenderSQL": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/dataCollectionRule-DefenderSQL.json')]" + "dataCollectionRuleMdfcDefenderSQL": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/dataCollectionRule-DefenderSQL.json')]", + "MDFCSubscriptionEnablement": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/mdfcConfiguration.json')]" }, // Declaring deterministic deployment names "deploymentSuffix": "[concat('-', deployment().location, '-', guid(parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow')))]", 
@@ -1187,7 +1188,8 @@ "ChangeTrackingVmArcDeploymentName": "[take(concat('alz-ChangeTracking-VMArc', variables('deploymentSuffix')), 64)]", "ChangeTrackingVmssDeploymentName": "[take(concat('alz-ChangeTracking-VMSS', variables('deploymentSuffix')), 64)]", "MDFCDefenderSqlAmaDeploymentName": "[take(concat('alz-MDFCDefenderSqlAma', variables('deploymentSuffix')), 64)]", - "dataCollectionRuleMdfcDefenderSQLDeploymentName": "[take(concat('alz-DataCollectionRuleDefenderSQL', variables('deploymentSuffix')), 64)]" + "dataCollectionRuleMdfcDefenderSQLDeploymentName": "[take(concat('alz-DataCollectionRuleDefenderSQL', variables('deploymentSuffix')), 64)]", + "MDFCSubscriptionEnableDeploymentName": "[take(concat('alz-MDFCSubEnable', variables('deploymentSuffix')), 62)]" }, "esLiteDeploymentNames": { "mgmtGroupLiteDeploymentName": "[take(concat('alz-MgsLite', variables('deploymentSuffix')), 64)]", 
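Review bot: The new `MDFCSubscriptionEnableDeploymentName` is truncated to 62 characters while every neighbouring name uses 64, and nothing on the line says why. Presumably the two spare characters are reserved for the `copyIndex()` that the deployment resource added later in this commit appends to the name, which keeps the result within the 64-character deployment-name limit only for indexes 0–99. A comment in the file's existing `//` style would make that explicit, for example `// 62, not 64: copyIndex() (at most two digits) is appended per subscription`. The `deploymentNames` object starts and ends outside this hunk.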
@@ -2319,6 +2321,85 @@ } } }, + { + // Assigning Microsoft Defender for Cloud configurations to subscriptions if condition is true (not policy) + "condition": "[and(equals(parameters('enableAsc'), 'Yes'), not(empty(variables('subscriptionIds'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[concat(variables('deploymentNames').MDFCSubscriptionEnableDeploymentName, copyIndex())]", + "subscriptionId": "[variables('subscriptionIds')[copyIndex()]]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').platformLiteSubscriptionPlacement)]", + "onlineLzs", + "corpLzs", + "corpConnectedMoveLzs" + ], + "copy": { + "name": "MDFCSubscriptionEnable", + "count": "[length(variables('subscriptionIds'))]" + }, + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').MDFCSubscriptionEnablement]" + }, + "parameters": { + "logAnalyticsResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + }, + "resourceGroupLocation": { + "value": "[deployment().location]" + }, + "resourceGroupName": { + "value": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-asc-export')]" + }, + "emailContactAsc": { + "value": "[parameters('emailContactAsc')]" + }, + "enableAscForServers": { + "value": "[parameters('enableAscForServers')]" + }, + "enableAscForSql": { + "value": "[parameters('enableAscForSql')]" + }, + "enableAscForAppServices": { + "value": "[parameters('enableAscForAppServices')]" + }, + "enableAscForStorage": { + 
"value": "[parameters('enableAscForStorage')]" + }, + "enableAscForContainers": { + "value": "[parameters('enableAscForContainers')]" + }, + "enableAscForKeyVault": { + "value": "[parameters('enableAscForKeyVault')]" + }, + "enableAscForSqlOnVm": { + "value": "[parameters('enableAscForSqlOnVm')]" + }, + "enableAscForArm": { + "value": "[parameters('enableAscForArm')]" + }, + "enableAscForApis": { + "value": "[parameters('enableAscForApis')]" + }, + "enableAscForCspm": { + "value": "[parameters('enableAscForCspm')]" + }, + "enableAscForOssDb": { + "value": "[parameters('enableAscForOssDb')]" + }, + "enableAscForCosmosDbs": { + "value": "[parameters('enableAscForCosmosDbs')]" + } + } + } + }, { // Assigning Azure Security Center configuration policy initiative to intermediate root management group if condition is true "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableAsc'), 'Yes'), equals(environment().resourceManager, 'https://management.azure.com/'))]", diff --git a/eslzArm/subscriptionTemplates/mdfcConfiguration.json b/eslzArm/subscriptionTemplates/mdfcConfiguration.json new file mode 100644 index 0000000000..73254ec073 --- /dev/null +++ b/eslzArm/subscriptionTemplates/mdfcConfiguration.json 
@@ -0,0 +1,682 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "enableAscForServers": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForCosmosDbs": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForSql": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForSqlOnVm": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForArm": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForOssDb": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForAppServices": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the 
execution of the policy" + } + }, + "enableAscForKeyVault": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForStorage": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForContainers": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForApis": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForCspm": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "resourceGroupLocation": { + "type": "String", + "metadata": { + "displayName": "Resource group location", + "description": "The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. 
Note that each resource group can only have one export to Log Analytics workspace configured.", + "strongType": "location" + } + }, + "resourceGroupName": { + "type": "String", + "metadata": { + "displayName": "Resource group name", + "description": "The name of the resource group hosting the Log Analytics workspace.", + } + }, + "logAnalyticsResourceId": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "The Log Analytics workspace of where the data should be exported to.", + "strongType": "Microsoft.OperationalInsights/workspaces", + "assignPermissions": true + } + }, + "emailContactAsc": { + "type": "String", + "metadata": { + "displayName": "Resource group name", + "description": "The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured." + } + }, + "exportedDataTypes": { + "type": "Array", + "metadata": { + "displayName": "Exported data types", + "description": "The data types to be exported. To export a snapshot (preview) of the data once a week, choose the data types which contains 'snapshot', other data types will be sent in real-time streaming." 
+ }, + "allowedValues": [ + "Security recommendations", + "Security alerts", + "Overall secure score", + "Secure score controls", + "Regulatory compliance", + "Overall secure score - snapshot", + "Secure score controls - snapshot", + "Regulatory compliance - snapshot", + "Security recommendations - snapshot", + "Security findings - snapshot" + ], + "defaultValue": [ + "Security recommendations", + "Security alerts", + "Overall secure score", + "Secure score controls", + "Regulatory compliance", + "Overall secure score - snapshot", + "Secure score controls - snapshot", + "Regulatory compliance - snapshot", + "Security recommendations - snapshot", + "Security findings - snapshot" + ] + }, + "recommendationNames": { + "type": "Array", + "metadata": { + "displayName": "Recommendation IDs", + "description": "Applicable only for export of security recommendations. To export all recommendations, leave this empty. To export specific recommendations, enter a list of recommendation IDs separated by semicolons (';'). Recommendation IDs are available through the Assessments API (https://docs.microsoft.com/rest/api/securitycenter/assessments), or Azure Resource Graph Explorer, choose securityresources and microsoft.security/assessments." + }, + "defaultValue": [] + }, + "recommendationSeverities": { + "type": "Array", + "metadata": { + "displayName": "Recommendation severities", + "description": "Applicable only for export of security recommendations. Determines recommendation severities. Example: High;Medium;Low;" + }, + "allowedValues": [ + "High", + "Medium", + "Low" + ], + "defaultValue": [ + "High", + "Medium", + "Low" + ] + }, + "isSecurityFindingsEnabled": { + "type": "bool", + "metadata": { + "displayName": "Include security findings", + "description": "Security findings are results from vulnerability assessment solutions, and can be thought of as 'sub' recommendations grouped into a 'parent' recommendation." 
+ }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "secureScoreControlsNames": { + "type": "Array", + "metadata": { + "displayName": "Secure Score Controls IDs", + "description": "Applicable only for export of secure score controls. To export all secure score controls, leave this empty. To export specific secure score controls, enter a list of secure score controls IDs separated by semicolons (';'). Secure score controls IDs are available through the Secure score controls API (https://docs.microsoft.com/rest/api/securitycenter/securescorecontrols), or Azure Resource Graph Explorer, choose securityresources and microsoft.security/securescores/securescorecontrols." + }, + "defaultValue": [] + }, + "alertSeverities": { + "type": "Array", + "metadata": { + "displayName": "Alert severities", + "description": "Applicable only for export of security alerts. Determines alert severities. Example: High;Medium;Low;" + }, + "allowedValues": [ + "High", + "Medium", + "Low" + ], + "defaultValue": [ + "High", + "Medium", + "Low" + ] + }, + "regulatoryComplianceStandardsNames": { + "type": "Array", + "metadata": { + "displayName": "Regulatory compliance standards names", + "description": "Applicable only for export of regulatory compliance. To export all regulatory compliance, leave this empty. To export specific regulatory compliance standards, enter a list of these standards names separated by semicolons (';'). Regulatory compliance standards names are available through the regulatory compliance standards API (https://docs.microsoft.com/rest/api/securitycenter/regulatorycompliancestandards), or Azure Resource Graph Explorer, choose securityresources and microsoft.security/regulatorycompliancestandards." 
+ }, + "defaultValue": [] + }, + "guidValue": { + "type": "string", + "defaultValue": "[newGuid()]" + } + }, + "variables": { + "scopeDescription": "scope for subscription {0}", + "subAssessmentRuleExpectedValue": "/assessments/{0}/", + "recommendationNamesLength": "[length(parameters('recommendationNames'))]", + "secureScoreControlsNamesLength": "[length(parameters('secureScoreControlsNames'))]", + "secureScoreControlsLengthIfEmpty": "[if(equals(variables('secureScoreControlsNamesLength'), 0), 1, variables('secureScoreControlsNamesLength'))]", + "regulatoryComplianceStandardsNamesLength": "[length(parameters('regulatoryComplianceStandardsNames'))]", + "regulatoryComplianceStandardsNamesLengthIfEmpty": "[if(equals(variables('regulatoryComplianceStandardsNamesLength'), 0), 1, variables('regulatoryComplianceStandardsNamesLength'))]", + "recommendationSeveritiesLength": "[length(parameters('recommendationSeverities'))]", + "alertSeveritiesLength": "[length(parameters('alertSeverities'))]", + "recommendationNamesLengthIfEmpty": "[if(equals(variables('recommendationNamesLength'), 0), 1, variables('recommendationNamesLength'))]", + "recommendationSeveritiesLengthIfEmpty": "[if(equals(variables('recommendationSeveritiesLength'), 0), 1, variables('recommendationSeveritiesLength'))]", + "alertSeveritiesLengthIfEmpty": "[if(equals(variables('alertSeveritiesLength'), 0), 1, variables('alertSeveritiesLength'))]", + "totalRuleCombinationsForOneRecommendationName": "[variables('recommendationSeveritiesLengthIfEmpty')]", + "totalRuleCombinationsForOneRecommendationSeverity": 1, + "exportedDataTypesLength": "[length(parameters('exportedDataTypes'))]", + "exportedDataTypesLengthIfEmpty": "[if(equals(variables('exportedDataTypesLength'), 0), 1, variables('exportedDataTypesLength'))]", + "dataTypeMap": { + "Security recommendations": "Assessments", + "Security alerts": "Alerts", + "Overall secure score": "SecureScores", + "Secure score controls": "SecureScoreControls", + "Regulatory 
compliance": "RegulatoryComplianceAssessment", + "Overall secure score - snapshot": "SecureScoresSnapshot", + "Secure score controls - snapshot": "SecureScoreControlsSnapshot", + "Regulatory compliance - snapshot": "RegulatoryComplianceAssessmentSnapshot", + "Security recommendations - snapshot": "AssessmentsSnapshot", + "Security findings - snapshot": "SubAssessmentsSnapshot" + }, + "alertSeverityMap": { + "High": "high", + "Medium": "medium", + "Low": "low" + }, + "ruleSetsForAssessmentsObj": { + "copy": [ + { + "name": "ruleSetsForAssessmentsArr", + "count": "[mul(variables('recommendationNamesLengthIfEmpty'),variables('recommendationSeveritiesLengthIfEmpty'))]", + "input": { + "rules": [ + { + "propertyJPath": "[if(equals(variables('recommendationNamesLength'),0),'type','name')]", + "propertyType": "string", + "expectedValue": "[if(equals(variables('recommendationNamesLength'),0),'Microsoft.Security/assessments',parameters('recommendationNames')[mod(div(copyIndex('ruleSetsForAssessmentsArr'),variables('totalRuleCombinationsForOneRecommendationName')),variables('recommendationNamesLength'))])]", + "operator": "Contains" + }, + { + "propertyJPath": "properties.metadata.severity", + "propertyType": "string", + "expectedValue": "[parameters('recommendationSeverities')[mod(div(copyIndex('ruleSetsForAssessmentsArr'),variables('totalRuleCombinationsForOneRecommendationSeverity')),variables('recommendationSeveritiesLength'))]]", + "operator": "Equals" + } + ] + } + } + ] + }, + "customRuleSetsForSubAssessmentsObj": { + "copy": [ + { + "name": "ruleSetsForSubAssessmentsArr", + "count": "[variables('recommendationNamesLengthIfEmpty')]", + "input": { + "rules": [ + { + "propertyJPath": "id", + "propertyType": "string", + "expectedValue": "[if(equals(variables('recommendationNamesLength'), 0), json('null'), replace(variables('subAssessmentRuleExpectedValue'),'{0}', parameters('recommendationNames')[copyIndex('ruleSetsForSubAssessmentsArr')]))]", + "operator": "Contains" + 
} + ] + } + } + ] + }, + "ruleSetsForAlertsObj": { + "copy": [ + { + "name": "ruleSetsForAlertsArr", + "count": "[variables('alertSeveritiesLengthIfEmpty')]", + "input": { + "rules": [ + { + "propertyJPath": "Severity", + "propertyType": "string", + "expectedValue": "[variables('alertSeverityMap')[parameters('alertSeverities')[mod(copyIndex('ruleSetsForAlertsArr'),variables('alertSeveritiesLengthIfEmpty'))]]]", + "operator": "Equals" + } + ] + } + } + ] + }, + "customRuleSetsForSecureScoreControlsObj": { + "copy": [ + { + "name": "ruleSetsForSecureScoreControlsArr", + "count": "[variables('secureScoreControlsLengthIfEmpty')]", + "input": { + "rules": [ + { + "propertyJPath": "name", + "propertyType": "string", + "expectedValue": "[if(equals(variables('secureScoreControlsNamesLength'), 0), json('null'), parameters('secureScoreControlsNames')[copyIndex('ruleSetsForSecureScoreControlsArr')])]", + "operator": "Equals" + } + ] + } + } + ] + }, + "customRuleSetsForRegulatoryComplianceObj": { + "copy": [ + { + "name": "ruleSetsForRegulatoryCompliancArr", + "count": "[variables('regulatoryComplianceStandardsNamesLengthIfEmpty')]", + "input": { + "rules": [ + { + "propertyJPath": "id", + "propertyType": "string", + "expectedValue": "[if(equals(variables('regulatoryComplianceStandardsNamesLength'), 0), json('null'), parameters('regulatoryComplianceStandardsNames')[copyIndex('ruleSetsForRegulatoryCompliancArr')])]", + "operator": "Contains" + } + ] + } + } + ] + }, + "ruleSetsForSecureScoreControlsObj": "[if(equals(variables('secureScoreControlsNamesLength'), 0), json('null'), variables('customRuleSetsForSecureScoreControlsObj').ruleSetsForSecureScoreControlsArr)]", + "ruleSetsForSecureRegulatoryComplianceObj": "[if(equals(variables('regulatoryComplianceStandardsNamesLength'), 0), json('null'), variables('customRuleSetsForRegulatoryComplianceObj').ruleSetsForRegulatoryCompliancArr)]", + "ruleSetsForSubAssessmentsObj": "[if(equals(variables('recommendationNamesLength'), 0), 
json('null'), variables('customRuleSetsForSubAssessmentsObj').ruleSetsForSubAssessmentsArr)]", + "subAssessmentSource": [ + { + "eventSource": "SubAssessments", + "ruleSets": "[variables('ruleSetsForSubAssessmentsObj')]" + } + ], + "ruleSetsMap": { + "Security recommendations": "[variables('ruleSetsForAssessmentsObj').ruleSetsForAssessmentsArr]", + "Security alerts": "[variables('ruleSetsForAlertsObj').ruleSetsForAlertsArr]", + "Overall secure score": null, + "Secure score controls": "[variables('ruleSetsForSecureScoreControlsObj')]", + "Regulatory compliance": "[variables('ruleSetsForSecureRegulatoryComplianceObj')]", + "Overall secure score - snapshot": null, + "Secure score controls - snapshot": "[variables('ruleSetsForSecureScoreControlsObj')]", + "Regulatory compliance - snapshot": "[variables('ruleSetsForSecureRegulatoryComplianceObj')]", + "Security recommendations - snapshot": "[variables('ruleSetsForAssessmentsObj').ruleSetsForAssessmentsArr]", + "Security findings - snapshot": "[variables('ruleSetsForSubAssessmentsObj')]" + }, + "sourcesWithoutSubAssessments": { + "copy": [ + { + "name": "sources", + "count": "[variables('exportedDataTypesLengthIfEmpty')]", + "input": { + "eventSource": "[variables('dataTypeMap')[parameters('exportedDataTypes')[copyIndex('sources')]]]", + "ruleSets": "[variables('ruleSetsMap')[parameters('exportedDataTypes')[copyIndex('sources')]]]" + } + } + ] + }, + "sourcesWithSubAssessments": "[concat(variables('subAssessmentSource'),variables('sourcesWithoutSubAssessments').sources)]", + "sources": "[if(equals(parameters('isSecurityFindingsEnabled'),bool('true')),variables('sourcesWithSubAssessments'),variables('sourcesWithoutSubAssessments').sources)]" + }, + "resources": [ + { + "condition": "[equals(parameters('enableAscForStorage'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2024-01-01", + "name": "StorageAccounts", + "properties": { + "pricingTier": "Standard", + "subPlan": 
"DefenderForStorageV2", + "extensions": [ + { + "name": "OnUploadMalwareScanning", + "isEnabled": "True", + "additionalExtensionProperties": { + "CapGBPerMonthPerStorageAccount": "5000" + } + }, + { + "name": "SensitiveDataDiscovery", + "isEnabled": "True" + } + ] + } + }, + { + "condition": "[equals(parameters('enableAscForServers'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2024-01-01", + "name": "VirtualMachines", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'StorageAccounts')]" + ], + "properties": { + "pricingTier": "Standard", + "subPlan": "P2", + "resourcesCoverageStatus": "FullyCovered" + } + }, + { + "condition": "[equals(parameters('enableAscForSql'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2024-01-01", + "name": "SqlServers", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'VirtualMachines')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + "condition": "[equals(parameters('enableAscForAppServices'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2024-01-01", + "name": "AppServices", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'SqlServers')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + "condition": "[equals(parameters('enableAscForSqlOnVm'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2024-01-01", + "name": "SqlServerVirtualMachines", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'AppServices')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + "condition": "[equals(parameters('enableAscForContainers'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2024-01-01", + "name": "Containers", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'SqlServerVirtualMachines')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + 
"condition": "[equals(parameters('enableAscForKeyVault'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2024-01-01", + "name": "KeyVaults", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'Containers')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + "condition": "[equals(parameters('enableAscForArm'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2024-01-01", + "name": "Arm", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'KeyVaults')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + "condition": "[equals(parameters('enableAscForOssDb'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2024-01-01", + "name": "OpenSourceRelationalDatabases", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'Arm')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + "condition": "[equals(parameters('enableAscForCosmosDbs'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2024-01-01", + "name": "CosmosDbs", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'OpenSourceRelationalDatabases')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + "condition": "[equals(parameters('enableAscForCspm'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2024-01-01", + "name": "CloudPosture", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'CosmosDbs')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + "condition": "[equals(parameters('enableAscForApis'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2024-01-01", + "name": "Api", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'CloudPosture')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + "type": "Microsoft.Security/securityContacts", + "apiVersion": 
"2020-01-01-preview", + "name": "default", + "properties": { + "description": "Defender for Cloud security contacts", + "emails": "[parameters('emailContactAsc')]", + "notificationsByRole": { + "state": "On", + "roles": [ + "Owner" + ] + }, + "alertNotifications": { + "state": "On", + "minimalSeverity": "Medium" + } + } + }, + { + "name": "[parameters('resourceGroupName')]", + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2019-10-01", + "location": "[parameters('resourceGroupLocation')]" + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[concat('nestedAutomationDeployment', '_', parameters('guidValue'))]", + "resourceGroup": "[parameters('resourceGroupName')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups/', parameters('resourceGroupName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "tags": {}, + "apiVersion": "2019-01-01-preview", + "location": "[parameters('resourceGroupLocation')]", + "name": "ExportToWorkspace", + "type": "Microsoft.Security/automations", + "dependsOn": [], + "properties": { + "description": "Export Microsoft Defender for Cloud data to Log Analytics workspace via policy", + "isEnabled": true, + "scopes": [ + { + "description": "[replace(variables('scopeDescription'),'{0}', subscription().subscriptionId)]", + "scopePath": "[subscription().id]" + } + ], + "sources": "[variables('sources')]", + "actions": [ + { + "actionType": "Workspace", + "workspaceResourceId": "[parameters('logAnalyticsResourceId')]" + } + ] + } + } + ] + } + } + } + ], + "outputs": {} +} \ No newline at end of file