Azure Resource Manager (ARM) template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for Azure resources. There are several ways to find the template for the resources. I usually go to the following places:
- Microsoft Docs Azure Template References
- Azure QuickStart template in GitHub
- Azure REST API reference
- Azure Portal deployed a resource template
To find the ARM template for a configured resource in Azure, I can check it in the Export template in the resource on the portal. For example, below is the ARM template for a Network Watcher resource group. I then copy the code and tweak the parameters to a new ARM template for the automation of a new subscription.
However, there is no Export template option in the Security Center. So I need to find it in another way. Fortunately, I found them under the Security in the Microsoft Docs Azure Template References. Microsoft uses different names for the configurations. For example, the Azure Defender setting is on the Pricings so I decided to document it here for reference. These settings are in the Security Center -> Management -> Pricing & settings. The ARM template will need to be deployed to the subscription level.
Azure Defender plans
The ARM template will enable the Azure Defender on the resources.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 | { "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "virtualMachineTier": { "type": "string", "defaultValue": "Standard", "allowedValues": [ "Standard", "Free" ], "metadata": { "description": "Specifiy whether you want to enable Standard tier for Virtual Machine resource type" } }, "appServiceTier": { "type": "string", "defaultValue": "Standard", "allowedValues": [ "Standard", "Free" ], "metadata": { "description": "Specify whether you want to enable Standard tier for Azure App Service resource type" } }, "paasSQLServiceTier": { "type": "string", "defaultValue": "Standard", "allowedValues": [ "Standard", "Free" ], "metadata": { "description": "Specify whether you want to enable Standard tier for PaaS SQL Service resource type" } }, "sqlServerOnVmTier": { "type": "string", "defaultValue": "Standard", "allowedValues": [ "Standard", "Free" ], "metadata": { "description": "Specify whether you want to enable Standard tier for SQL Server on VM resource type" } }, "storageAccountTier": { "type": "string", "defaultValue": "Standard", "allowedValues": [ "Standard", "Free" ], "metadata": { "description": "Specify whether you want to enable Standard tier for Storage Account resource type" } }, "kubernetesServiceTier": { "type": "string", "defaultValue": "Standard", "allowedValues": [ "Standard", "Free" ], "metadata": { "description": "Specify whether you want to enable Standard tier for Kubernetes service resource type" } }, "containerRegistryTier": { "type": "string", "defaultValue": "Standard", "allowedValues": [ "Standard", "Free" ], "metadata": { "description": "Specify whether you want to enable Standard tier for Container Registry resource type" } }, "keyvaultTier": { "type": "string", "defaultValue": "Standard", "allowedValues": [ "Standard", "Free" ], "metadata": { "description": "Specify whether you want to enable Standard tier for Key Vault resource type" } }, "ArmTier": { "type": "string", "defaultValue": "Standard", "allowedValues": [ "Standard", "Free" ], "metadata": { "description": "Specify whether you want to enable Standard tier for Resource Manager resource type" } }, "DnsTier": { "type": "string", "defaultValue": "Standard", "allowedValues": [ "Standard", "Free" ], "metadata": { "description": "Specify whether you want to enable Standard tier for DNS resource type" } } }, "functions": [], "variables": {}, "resources": [ { "type": "Microsoft.Security/pricings", "apiVersion": "2018-06-01", "name": "VirtualMachines", "properties": { "pricingTier": "[parameters('virtualMachineTier')]" } }, { "type": "Microsoft.Security/pricings", "apiVersion": "2018-06-01", "name": "AppServices", "dependsOn": [ "[concat('Microsoft.Security/pricings/VirtualMachines')]" ], "properties": { "pricingTier": "[parameters('appServiceTier')]" } }, { "type": "Microsoft.Security/pricings", "apiVersion": "2018-06-01", "name": "SqlServers", "dependsOn": [ "[concat('Microsoft.Security/pricings/AppServices')]" ], "properties": { "pricingTier": "[parameters('paasSQLServiceTier')]" } }, { "type": "Microsoft.Security/pricings", "apiVersion": "2018-06-01", "name": "SqlServerVirtualMachines", "dependsOn": [ "[concat('Microsoft.Security/pricings/SqlServers')]" ], "properties": { "pricingTier": "[parameters('sqlServerOnVmTier')]" } }, { "type": "Microsoft.Security/pricings", "apiVersion": "2018-06-01", "name": "StorageAccounts", "dependsOn": [ "[concat('Microsoft.Security/pricings/SqlServerVirtualMachines')]" ], "properties": { "pricingTier": "[parameters('storageAccountTier')]" } }, { "type": "Microsoft.Security/pricings", "apiVersion": "2018-06-01", "name": "KubernetesService", "dependsOn": [ "[concat('Microsoft.Security/pricings/StorageAccounts')]" ], "properties": { "pricingTier": "[parameters('kubernetesServiceTier')]" } }, { "type": "Microsoft.Security/pricings", "apiVersion": "2018-06-01", "name": "ContainerRegistry", "dependsOn": [ "[concat('Microsoft.Security/pricings/KubernetesService')]" ], "properties": { "pricingTier": "[parameters('containerRegistryTier')]" } }, { "type": "Microsoft.Security/pricings", "apiVersion": "2018-06-01", "name": "KeyVaults", "dependsOn": [ "[concat('Microsoft.Security/pricings/ContainerRegistry')]" ], "properties": { "pricingTier": "[parameters('keyvaultTier')]" } }, { "type": "Microsoft.Security/pricings", "apiVersion": "2018-06-01", "name": "Arm", "properties": { "pricingTier": "[parameters('ArmTier')]" } }, { "type": "Microsoft.Security/pricings", "apiVersion": "2018-06-01", "name": "Dns", "properties": { "pricingTier": "[parameters('DnsTier')]" } } ], "outputs": {}} |
Auto provisioning
The ARM template will enable the Log Analytics agent for Azure VMs.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 | { "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "autoProvision": { "type": "string", "defaultValue":"On", "allowedValues": [ "On", "Off" ] } }, "functions": [], "variables": {}, "resources": [ { "name": "default", "type": "Microsoft.Security/autoProvisioningSettings", "apiVersion": "2017-08-01-preview", "properties": { "autoProvision": "[parameters('autoProvision')]" } } ], "outputs": {}} |
Email notifications
The ARM template configures the Email recipients and the Notifications types. Change the default value of the additionalEmailAddress and the minialSeverity to yours.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 | { "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "additionalEmailAddresses": { "type": "string", "defaultValue":"youremail@yourdomain.com" }, "minimalSeverity": { "type": "string", "defaultValue":"Medium" }, "notificationRole": { "type": "string", "defaultValue": "Owner" } }, "functions": [], "variables": {}, "resources": [ { "name": "default", "type": "Microsoft.Security/securityContacts", "apiVersion": "2020-01-01-preview", "properties": { "emails": "[parameters('additionalEmailAddresses')]", "alertNotifications": { "state": "On", "minimalSeverity": "[parameters('minimalSeverity')]" }, "notificationsByRole": { "state": "On", "roles": [ "[parameters('notificationRole')]" ] } } } ], "outputs": {}} |
Continuous export to the Event hub
This one is a bit complex. You will need to provide the Event hub namespace, Event Hub name, and Event hub policy name in the parameters.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 | { "contentVersion": "1.0.0.0", "parameters": { "namespaces_Security_EHN_name": { "defaultValue": "your Event hub namespace", "type": "String" }, "eventhub_security_name": { "defaultValue": "your Event Hub Name", "type": "string" }, "authorizationRulesName": { "type": "string", "defaultValue": "your Event hub policy name" }, "eventHubDetails": { "type": "String", "defaultValue": "[resourceId('Microsoft.EventHub/namespaces/eventhubs/authorizationRules', parameters('namespaces_Security_EHN_name'), parameters('eventhub_security_name'),parameters('authorizationRulesName'))]", "metadata": { "displayName": "Event Hub details", "description": "The Event Hub details of where the data should be exported to: Subscription, Event Hub Namespace, Event Hub, and Authorizations rules with 'Send' claim.", "strongType": "Microsoft.EventHub/namespaces/eventhubs/authorizationrules", "assignPermissions": true } } }, "functions": [], "variables": { }, "resources": [ { "tags": {}, "apiVersion": "2019-01-01-preview", "location": "centralus", "name": "exportToEventHub", "type": "Microsoft.Security/automations", "dependsOn": [], "properties": { "description": "Export Azure Security Center data to Event Hub", "isEnabled": true, "scopes": [ { "description": "scope for subscription", "scopePath": "[subscription().id]" } ], "sources": [ { "eventSource": "Alerts", "ruleSets": [ { "rules": [ { "propertyJPath": "Severity", "propertyType": "String", "expectedValue": "medium", "operator": "Equals" } ] }, { "rules": [ { "propertyJPath": "Severity", "propertyType": "String", "expectedValue": "high", "operator": "Equals" } ] } ] } ], "actions": [ { "sasPolicyName": "[parameters('authorizationRulesName')]", "actionType": "EventHub", "eventHubResourceId": "[concat(subscription().Id,'/resourcegroups/',resourceGroup().name,'/providers/microsoft.eventhub/namespaces/',parameters('namespaces_Security_EHN_name'),'/eventhubs/',parameters('eventhub_security_name'))]", "connectionString": "[listkeys(parameters('eventHubDetails'),'2017-04-01').primaryConnectionString]" } ] } } ], "outputs": {}} |
Continous export to the Log Analytics workspace
The easy way is to find the workspace resource ID and put it in the “workspaceResouceId”. For example, I created a test Log Analytics workspace for tracking the Secure Score. You can find the Resouce ID by clicking the JSON view in the Overview of the Log Analytics workspace in the Azure portal.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 | { "contentVersion": "1.0.0.0", "parameters": {}, "functions": [], "variables": {}, "resources": [ { "name": "ExportToWorkspace", "apiVersion": "2019-01-01-preview", "type": "Microsoft.Security/automations", "location": "centralus", "properties": { "description": "", "isEnabled": true, "scopes": [ { "description": "scope for subscription", "scopePath": "[subscription().id]" } ], "sources": [ { "eventSource": "Assessments", "ruleSets": [ { "rules": [ { "propertyJPath": "type", "propertyType": "String", "expectedValue": "Microsoft.Security/assessments", "operator": "Contains" } ] } ] }, { "eventSource": "SubAssessments" }, { "eventSource": "SecureScores" }, { "eventSource": "SecureScoresSnapshot" }, { "eventSource": "SecureScoreControls" }, { "eventSource": "SecureScoreControlsSnapshot" } ], "actions": [ { "workspaceResourceId": "/subscriptions/0287117d-2ebc-4227-bc08-55a204302bb4/resourcegroups/my_sc_workbooks/providers/microsoft.operationalinsights/workspaces/my-sc-secure-score-log", "actionType": "Workspace" } ] } } ], "outputs": {}} |