JSON
api-version=2021-06-01
{ 7 items displayName: "[Preview]: Configure Azure Defender for SQL agent on virtual machine" , policyType: "BuiltIn" , mode: "Indexed" , description: "Configure Windows machines to automatically install the Azure Defender for SQL agent where the Azure Monitor Agent is installed. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and Log Analytics workspace in the same region as the machine. Target virtual machines must be in a supported location." , metadata: { 3 items category: "Security Center" , version: "1.0.0-preview" , preview: true } , parameters: { 3 items enableCollectionOfSqlQueriesForSecurityResearch: { 4 items type: "Boolean" , metadata: { 2 items displayName: "Enable collection of SQL queries for security research" , description: "Enable or disable the collection of SQL queries for security research." } , allowedValues: [ 2 items ] , defaultValue: true } , azureDefenderForSqlExtensionTypeToInstall: { 3 items type: "String" , metadata: { 2 items displayName: "Azure Defender For SQL extension type to install" , description: "The type of the Azure Defender For SQL extension needed to be installed." 
} , allowedValues: [ 2 items "AdvancedThreatProtection.Windows" , "VulnerabilityAssessment.Windows" ] } , effect: { 4 items type: "String" , metadata: { 2 items displayName: "Effect" , description: "Enable or disable the execution of the policy" } , allowedValues: [ 2 items "DeployIfNotExists" , "Disabled" ] , defaultValue: "DeployIfNotExists" } } , policyRule: { 2 items if: { 1 item allOf: [ 4 items { 2 items field: "type" , equals: "Microsoft.Compute/virtualMachines/extensions" } , { 2 items field: "location" , in: [ 31 items "australiacentral" , "australiaeast" , "australiasoutheast" , "brazilsouth" , "canadacentral" , "centralindia" , "centralus" , "eastasia" , "eastus2euap" , "eastus" , "eastus2" , "francecentral" , "germanywestcentral" , "japaneast" , "koreacentral" , "northcentralus" , "northeurope" , "norwayeast" , "southcentralus" , "southeastasia" , "switzerlandnorth" , "switzerlandwest" , "southafricanorth" , "swedencentral" , "uaenorth" , "uksouth" , "ukwest" , "westcentralus" , "westeurope" , "westus" , "westus2" ] } , { 2 items field: "Microsoft.Compute/virtualMachines/extensions/type" , equals: "AzureMonitorWindowsAgent" } , { 2 items field: "Microsoft.Compute/virtualMachines/extensions/publisher" , equals: "Microsoft.Azure.Monitor" } ] } , then: { 2 items effect: "[parameters('effect')]" , details: { 6 items type: "Microsoft.Compute/virtualMachines/extensions" , name: 🔍 "[
concat(
first(
split(
field('fullName'),
'/'
)
),
'/Microsoft.Azure.AzureDefenderForSQL.',
parameters('azureDefenderForSqlExtensionTypeToInstall')
)
]", deploymentScope: "subscription" , existenceCondition: { 1 item allOf: [ 3 items { 2 items field: "Microsoft.Compute/virtualMachines/extensions/type" , equals: "[parameters('azureDefenderForSqlExtensionTypeToInstall')]" } , { 2 items field: "Microsoft.Compute/virtualMachines/extensions/publisher" , equals: "Microsoft.Azure.AzureDefenderForSQL" } , { 2 items field: "Microsoft.Compute/virtualMachines/extensions/provisioningState" , in: [ 2 items "Succeeded" , "Provisioning succeeded" ] } ] } , roleDefinitionIds: [ 1 item "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" Contributor ] , deployment: { 2 items location: "eastus" , properties: { 3 items mode: "incremental" , parameters: { 5 items } , template: { 5 items $schema: "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#" , contentVersion: "1.0.0.0" , parameters: { 5 items } , variables: { 11 items locationLongNameToShortMap: { 31 items australiacentral: "CAU" , australiaeast: "EAU" , australiasoutheast: "SEAU" , brazilsouth: "CQ" , canadacentral: "CCA" , centralindia: "CIN" , centralus: "CUS" , eastasia: "EA" , eastus2euap: "eus2p" , eastus: "EUS" , eastus2: "EUS2" , francecentral: "PAR" , germanywestcentral: "DEWC" , japaneast: "EJP" , koreacentral: "SE" , northcentralus: "NCUS" , northeurope: "NEU" , norwayeast: "NOE" , southcentralus: "SCUS" , southeastasia: "SEA" , switzerlandnorth: "CHN" , switzerlandwest: "CHW" , southafricanorth: "JNB" , swedencentral: "SEC" , uaenorth: "DXB" , uksouth: "SUK" , ukwest: "WUK" , westcentralus: "WCUS" , westeurope: "WEU" , westus: "WUS" , westus2: "WUS2" } , locationCode: "[variables('locationLongNameToShortMap')[parameters('location')]]" , subscriptionId: "[subscription().subscriptionId]" , defaultRGName: 🔍 "[
concat(
'DefaultResourceGroup-',
variables(
'locationCode'
)
)
]", defaultRGLocation: "[parameters('location')]" , workspaceName: 🔍 "[
concat(
'defaultWorkspace-',
variables(
'subscriptionId'
),
'-',
variables(
'locationCode'
)
)
]", dcrName: "Microsoft-AzureDefenderForSQL" , dcrId: 🔍 "[
concat(
'/subscriptions/',
variables(
'subscriptionId'
),
'/resourceGroups/',
variables(
'defaultRGName'
),
'/providers/Microsoft.Insights/dataCollectionRules/',
variables(
'dcrName'
)
)
]", dcraName: 🔍 "[
concat(
parameters('vmName'),
'/Microsoft.Insights/AzureDefenderForSQL-RulesAssociation'
)
]", deployAzureDefenderForSqlExtensions: 🔍 "[
concat(
'deployAzureDefenderForSqlExtensions-',
uniqueString(
deployment().name
)
)
]", deployDefaultAscResourceGroup: 🔍 "[
concat(
'deployDefaultAscResourceGroup-',
uniqueString(
deployment().name
)
)
]" } , resources: [ 3 items { 4 items type: "Microsoft.Resources/resourceGroups" , name: "[variables('defaultRGName')]" , apiVersion: "2020-10-01" , location: "[variables('defaultRGLocation')]" } , { 6 items type: "Microsoft.Resources/deployments" , name: "[variables('deployDefaultAscResourceGroup')]" , apiVersion: "2020-06-01" , resourceGroup: "[variables('defaultRGName')]" , dependsOn: [ 1 item 🔍 "[
resourceId(
'Microsoft.Resources/resourceGroups',
variables(
'defaultRGName'
)
)
]"] , properties: { 4 items mode: "Incremental" , expressionEvaluationOptions: { 1 item } , parameters: { 4 items } , template: { 5 items $schema: "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#" , contentVersion: "1.0.0.0" , parameters: { 4 items } , variables : {} , resources: [ 2 items { 5 items type: "Microsoft.OperationalInsights/workspaces" , name: "[parameters('workspaceName')]" , apiVersion: "2015-11-01-preview" , location: "[parameters('defaultRGLocation')]" , properties: { 3 items } } , { 6 items type: "Microsoft.Insights/dataCollectionRules" , name: "[parameters('dcrName')]" , apiVersion: "2019-11-01-preview" , location: "[parameters('defaultRGLocation')]" , dependsOn: [ 1 item "[parameters('workspaceName')]" ] , properties: { 4 items description: "Data collection rule for Azure Defender for SQL. Deleting this rule will break the detection of Azure Defender for SQL." , dataSources: { 1 item extensions: [ 2 items { 4 items streams: [ 4 items "Microsoft-DefenderForSqlAlerts" , "Microsoft-DefenderForSqlLogins" , "Microsoft-DefenderForSqlTelemetry" , "Microsoft-SqlAtpStatus-DefenderForSql" ] , extensionName: "AdvancedThreatProtection" , extensionSettings: { 1 item enableCollectionOfSqlQueriesForSecurityResearch: "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]" } , name: "AdvancedThreatProtection" } , { 3 items streams: [ 3 items "Microsoft-DefenderForSqlScanEvents" , "Microsoft-DefenderForSqlScanResults" , "Microsoft-DefenderForSqlTelemetry" ] , extensionName: "VulnerabilityAssessment" , name: "VulnerabilityAssessment" } ] } , destinations: { 1 item logAnalytics: [ 1 item { 2 items workspaceResourceId: 🔍 "[
resourceId(
'Microsoft.OperationalInsights/workspaces/',
parameters('workspaceName')
)
]", name: "LogAnalyticsDest" } ] } , dataFlows: [ 1 item ] } } ] } } } , { 6 items type: "Microsoft.Resources/deployments" , name: "[variables('deployAzureDefenderForSqlExtensions')]" , apiVersion: "2020-06-01" , resourceGroup: "[parameters('resourceGroup')]" , dependsOn: [ 1 item "[variables('deployDefaultAscResourceGroup')]" ] , properties: { 4 items mode: "Incremental" , expressionEvaluationOptions: { 1 item } , parameters: { 5 items } , template: { 5 items $schema: "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#" , contentVersion: "1.0.0.0" , parameters: { 5 items } , variables : {} , resources: [ 2 items { 4 items type: "Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations" , name: "[parameters('dcraName')]" , apiVersion: "2019-11-01-preview" , properties: { 2 items description: "Association of data collection rule for Azure Defender for SQL. Deleting this association will break the detection of Azure Defender for SQL for this virtual machine." , dataCollectionRuleId: "[parameters('dcrId')]" } } , { 5 items type: "Microsoft.Compute/virtualMachines/extensions" , name: 🔍 "[
concat(
parameters('vmName'),
'/',
'Microsoft.Azure.AzureDefenderForSQL.',
parameters('azureDefenderForSqlExtensionTypeToInstall')
)
]", apiVersion: "2020-12-01" , location: "[parameters('location')]" , properties: { 4 items publisher: "Microsoft.Azure.AzureDefenderForSQL" , type: "[parameters('azureDefenderForSqlExtensionTypeToInstall')]" , typeHandlerVersion: "1.0" , autoUpgradeMinorVersion: true } } ] } } } ] } } } } } } }