JSON
api-version=2021-06-01 Copy definition Copy definition 4 EPAC EPAC
{ 7 items displayName: "Deploy export to Event Hub for Microsoft Defender for Cloud data" , policyType: "BuiltIn" , mode: "All" , description: "Enable export to Event Hub of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task." , metadata: { 2 items version: "4.2.0" , category: "Security Center" } , parameters: { 11 items resourceGroupName: { 2 items type: "String" , metadata: { 2 items displayName: "Resource group name" , description: "The resource group name where the export to Event Hub configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Event Hub configured." } } , resourceGroupLocation: { 2 items type: "String" , metadata: { 3 items displayName: "Resource group location" , description: "The location where the resource group and the export to Event Hub configuration are created." , strongType: "location" } } , createResourceGroup: { 4 items type: "Boolean" , metadata: { 2 items displayName: "Create resource group" , description: "If a resource group does not exists in the scope, a new resource group will be created. If the resource group exists and this flag is set to 'true' the policy will re-deploy the resource group. Please note this will reset any Azure Tag on the resource group." } , allowedValues: [ 2 items ] , defaultValue: true } , exportedDataTypes: { 4 items type: "Array" , metadata: { 2 items displayName: "Exported data types" , description: "The data types to be exported. To export a snapshot (preview) of the data once a week, choose the data types which contains 'snapshot', other data types will be sent in real-time streaming." } , allowedValues: [ 10 items "Security recommendations" , "Security alerts" , "Overall secure score" , "Secure score controls" , "Regulatory compliance" , "Overall secure score - snapshot" , "Secure score controls - snapshot" , "Regulatory compliance - snapshot" , "Security recommendations - snapshot" , "Security findings - snapshot" ] , defaultValue: [ 10 items "Security recommendations" , "Security alerts" , "Overall secure score" , "Secure score controls" , "Regulatory compliance" , "Overall secure score - snapshot" , "Secure score controls - snapshot" , "Regulatory compliance - snapshot" , "Security recommendations - snapshot" , "Security findings - snapshot" ] } , recommendationNames: { 3 items type: "Array" , metadata: { 2 items displayName: "Recommendation IDs" , description: "Applicable only for export of security recommendations. To export all recommendations, leave this empty. To export specific recommendations, enter a list of recommendation IDs separated by semicolons (';'). Recommendation IDs are available through the Assessments API (https://docs.microsoft.com/rest/api/securitycenter/assessments), or Azure Resource Graph Explorer, choose securityresources and microsoft.security/assessments." } , defaultValue : [] } , recommendationSeverities: { 4 items } , isSecurityFindingsEnabled: { 4 items type: "Boolean" , metadata: { 2 items displayName: "Include security findings" , description: "Security findings are results from vulnerability assessment solutions, and can be thought of as 'sub' recommendations grouped into a 'parent' recommendation." } , allowedValues: [ 2 items ] , defaultValue: true } , secureScoreControlsNames: { 3 items type: "Array" , metadata: { 2 items displayName: "Secure Score Controls IDs" , description: "Applicable only for export of secure score controls. To export all secure score controls, leave this empty. To export specific secure score controls, enter a list of secure score controls IDs separated by semicolons (';'). Secure score controls IDs are available through the Secure score controls API (https://docs.microsoft.com/rest/api/securitycenter/securescorecontrols), or Azure Resource Graph Explorer, choose securityresources and microsoft.security/securescores/securescorecontrols." } , defaultValue : [] } , alertSeverities: { 4 items } , regulatoryComplianceStandardsNames: { 3 items type: "Array" , metadata: { 2 items displayName: "Regulatory compliance standards names" , description: "Applicable only for export of regulatory compliance. To export all regulatory compliance, leave this empty. To export specific regulatory compliance standards, enter a list of these standards names separated by semicolons (';'). Regulatory compliance standards names are available through the regulatory compliance standards API (https://docs.microsoft.com/rest/api/securitycenter/regulatorycompliancestandards), or Azure Resource Graph Explorer, choose securityresources and microsoft.security/regulatorycompliancestandards." } , defaultValue : [] } , eventHubDetails: { 2 items type: "String" , metadata: { 4 items displayName: "Event Hub details" , description: "The Event Hub details of where the data should be exported to: Subscription, Event Hub Namespace, Event Hub, and Authorizations rules with 'Send' claim." , strongType: "Microsoft.EventHub/namespaces/eventhubs/authorizationrules" , assignPermissions: true } } } , policyRule: { 2 items if: { 2 items field: "type" , equals: "Microsoft.Resources/subscriptions" } , then: { 2 items effect: "deployIfNotExists" , details: { 8 items type: "Microsoft.Security/automations" , name: "exportToEventHub" , existenceScope: "resourcegroup" , ResourceGroupName: "[parameters('resourceGroupName')]" , deploymentScope: "subscription" , roleDefinitionIds: [ 1 item "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" Contributor ] , existenceCondition: { 1 item allOf: [ 3 items { 2 items field: "Microsoft.Security/automations/isEnabled" , equals: true } , { 2 items count: { 1 item field: "Microsoft.Security/automations/sources[*]" } , equals: 🔍 "[
if(
parameters('isSecurityFindingsEnabled'),
add(
length(
parameters('exportedDataTypes')
),
1
),
length(
parameters('exportedDataTypes')
)
)
]" } , { 2 items count: { 3 items value: "[parameters('exportedDataTypes')]" , name: "dataType" , where: { 2 items count: { 2 items field: "Microsoft.Security/automations/sources[*]" , where: { 1 item anyOf: [ 10 items { 1 item allOf: [ 2 items { 2 items field: "Microsoft.Security/automations/sources[*].eventSource" , equals: "Assessments" } , { 2 items value: 🔍 "[
current(
'dataType'
)
]", equals: "Security recommendations" } ] } , { 1 item allOf: [ 2 items { 2 items field: "Microsoft.Security/automations/sources[*].eventSource" , equals: "Alerts" } , { 2 items value: 🔍 "[
current(
'dataType'
)
]", equals: "Security alerts" } ] } , { 1 item allOf: [ 2 items { 2 items field: "Microsoft.Security/automations/sources[*].eventSource" , equals: "SecureScores" } , { 2 items value: 🔍 "[
current(
'dataType'
)
]", equals: "Overall secure score" } ] } , { 1 item allOf: [ 2 items { 2 items field: "Microsoft.Security/automations/sources[*].eventSource" , equals: "SecureScoreControls" } , { 2 items value: 🔍 "[
current(
'dataType'
)
]", equals: "Secure score controls" } ] } , { 1 item allOf: [ 2 items { 2 items field: "Microsoft.Security/automations/sources[*].eventSource" , equals: "RegulatoryComplianceAssessment" } , { 2 items value: 🔍 "[
current(
'dataType'
)
]", equals: "Regulatory compliance" } ] } , { 1 item allOf: [ 2 items { 2 items field: "Microsoft.Security/automations/sources[*].eventSource" , equals: "SecureScoresSnapshot" } , { 2 items value: 🔍 "[
current(
'dataType'
)
]", equals: "Overall secure score - snapshot" } ] } , { 1 item allOf: [ 2 items { 2 items field: "Microsoft.Security/automations/sources[*].eventSource" , equals: "SecureScoreControlsSnapshot" } , { 2 items value: 🔍 "[
current(
'dataType'
)
]", equals: "Secure score controls - snapshot" } ] } , { 1 item allOf: [ 2 items { 2 items field: "Microsoft.Security/automations/sources[*].eventSource" , equals: "RegulatoryComplianceAssessmentSnapshot" } , { 2 items value: 🔍 "[
current(
'dataType'
)
]", equals: "Regulatory compliance - snapshot" } ] } , { 1 item allOf: [ 2 items { 2 items field: "Microsoft.Security/automations/sources[*].eventSource" , equals: "AssessmentsSnapshot" } , { 2 items value: 🔍 "[
current(
'dataType'
)
]", equals: "Security recommendations - snapshot" } ] } , { 1 item allOf: [ 2 items { 2 items field: "Microsoft.Security/automations/sources[*].eventSource" , equals: "SubAssessmentsSnapshot" } , { 2 items value: 🔍 "[
current(
'dataType'
)
]", equals: "Security findings - snapshot" } ] } ] } } , equals: 1 } } , equals: 🔍 "[
length(
parameters('exportedDataTypes')
)
]" } ] } , deployment: { 2 items location: "westeurope" , properties: { 3 items mode: "incremental" , template: { 5 items $schema: "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#" , contentVersion: "1.0.0.0" , parameters: { 12 items resourceGroupName: { 1 item } , resourceGroupLocation: { 1 item } , createResourceGroup: { 1 item } , exportedDataTypes: { 1 item } , isSecurityFindingsEnabled: { 1 item } , recommendationNames: { 1 item } , secureScoreControlsNames: { 1 item } , regulatoryComplianceStandardsNames: { 1 item } , recommendationSeverities: { 1 item } , alertSeverities: { 1 item } , eventHubDetails: { 1 item } , guidValue: { 2 items type: "string" , defaultValue: "[newGuid()]" } } , variables: { 32 items scopeDescription: "scope for subscription {0}" , subAssessmentRuleExpectedValue: "/assessments/{0}/" , recommendationNamesLength: 🔍 "[
length(
parameters('recommendationNames')
)
]", secureScoreControlsNamesLength: 🔍 "[
length(
parameters('secureScoreControlsNames')
)
]", secureScoreControlsLengthIfEmpty: 🔍 "[
if(
equals(
variables(
'secureScoreControlsNamesLength'
),
0
),
1,
variables(
'secureScoreControlsNamesLength'
)
)
]", regulatoryComplianceStandardsNamesLength: 🔍 "[
length(
parameters('regulatoryComplianceStandardsNames')
)
]", regulatoryComplianceStandardsNamesLengthIfEmpty: 🔍 "[
if(
equals(
variables(
'regulatoryComplianceStandardsNamesLength'
),
0
),
1,
variables(
'regulatoryComplianceStandardsNamesLength'
)
)
]", recommendationSeveritiesLength: 🔍 "[
length(
parameters('recommendationSeverities')
)
]", alertSeveritiesLength: 🔍 "[
length(
parameters('alertSeverities')
)
]", recommendationNamesLengthIfEmpty: 🔍 "[
if(
equals(
variables(
'recommendationNamesLength'
),
0
),
1,
variables(
'recommendationNamesLength'
)
)
]", recommendationSeveritiesLengthIfEmpty: 🔍 "[
if(
equals(
variables(
'recommendationSeveritiesLength'
),
0
),
1,
variables(
'recommendationSeveritiesLength'
)
)
]", alertSeveritiesLengthIfEmpty: 🔍 "[
if(
equals(
variables(
'alertSeveritiesLength'
),
0
),
1,
variables(
'alertSeveritiesLength'
)
)
]", totalRuleCombinationsForOneRecommendationName: "[variables('recommendationSeveritiesLengthIfEmpty')]" , totalRuleCombinationsForOneRecommendationSeverity: 1 , exportedDataTypesLength: 🔍 "[
length(
parameters('exportedDataTypes')
)
]", exportedDataTypesLengthIfEmpty: 🔍 "[
if(
equals(
variables(
'exportedDataTypesLength'
),
0
),
1,
variables(
'exportedDataTypesLength'
)
)
]", SeperatedEventHubDetails: 🔍 "[
split(
parameters('eventHubDetails'),
'/'
)
]", dataTypeMap: { 10 items Security recommendations: "Assessments" , Security alerts: "Alerts" , Overall secure score: "SecureScores" , Secure score controls: "SecureScoreControls" , Regulatory compliance: "RegulatoryComplianceAssessment" , Overall secure score - snapshot: "SecureScoresSnapshot" , Secure score controls - snapshot: "SecureScoreControlsSnapshot" , Regulatory compliance - snapshot: "RegulatoryComplianceAssessmentSnapshot" , Security recommendations - snapshot: "AssessmentsSnapshot" , Security findings - snapshot: "SubAssessmentsSnapshot" } , alertSeverityMap: { 3 items High: "high" , Medium: "medium" , Low: "low" } , ruleSetsForAssessmentsObj: { 1 item copy: [ 1 item { 3 items name: "ruleSetsForAssessmentsArr" , count: 🔍 "[
mul(
variables(
'recommendationNamesLengthIfEmpty'
),
variables(
'recommendationSeveritiesLengthIfEmpty'
)
)
]", input: { 1 item rules: [ 2 items { 4 items propertyJPath: 🔍 "[
if(
equals(
variables(
'recommendationNamesLength'
),
0
),
'type',
'name'
)
]", propertyType: "string" , expectedValue: 🔍 "[
if(
equals(
variables(
'recommendationNamesLength'
),
0
),
'Microsoft.Security/assessments',
parameters('recommendationNames')[
mod(
div(
copyIndex(
'ruleSetsForAssessmentsArr'
),
variables(
'totalRuleCombinationsForOneRecommendationName'
)
),
variables(
'recommendationNamesLength'
)
)
]
)
]", operator: "Contains" } , { 4 items propertyJPath: "properties.metadata.severity" , propertyType: "string" , expectedValue: "[parameters('recommendationSeverities')[mod(div(copyIndex('ruleSetsForAssessmentsArr'),variables('totalRuleCombinationsForOneRecommendationSeverity')),variables('recommendationSeveritiesLength'))]]" , operator: "Equals" } ] } } ] } , customRuleSetsForSubAssessmentsObj: { 1 item copy: [ 1 item { 3 items name: "ruleSetsForSubAssessmentsArr" , count: "[variables('recommendationNamesLengthIfEmpty')]" , input: { 1 item rules: [ 1 item { 4 items propertyJPath: "id" , propertyType: "string" , expectedValue: 🔍 "[
if(
equals(
variables(
'recommendationNamesLength'
),
0
),
json(
'null'
),
replace(
variables(
'subAssessmentRuleExpectedValue'
),
'{
0
}',
parameters('recommendationNames')[
copyIndex(
'ruleSetsForSubAssessmentsArr'
)
]
)
)
]", operator: "Contains" } ] } } ] } , ruleSetsForAlertsObj: { 1 item copy: [ 1 item { 3 items name: "ruleSetsForAlertsArr" , count: "[variables('alertSeveritiesLengthIfEmpty')]" , input: { 1 item rules: [ 1 item { 4 items propertyJPath: "Severity" , propertyType: "string" , expectedValue: "[variables('alertSeverityMap')[parameters('alertSeverities')[mod(copyIndex('ruleSetsForAlertsArr'),variables('alertSeveritiesLengthIfEmpty'))]]]" , operator: "Equals" } ] } } ] } , customRuleSetsForSecureScoreControlsObj: { 1 item copy: [ 1 item { 3 items name: "ruleSetsForSecureScoreControlsArr" , count: "[variables('secureScoreControlsLengthIfEmpty')]" , input: { 1 item rules: [ 1 item { 4 items propertyJPath: "name" , propertyType: "string" , expectedValue: 🔍 "[
if(
equals(
variables(
'secureScoreControlsNamesLength'
),
0
),
json(
'null'
),
parameters('secureScoreControlsNames')[
copyIndex(
'ruleSetsForSecureScoreControlsArr'
)
]
)
]", operator: "Equals" } ] } } ] } , customRuleSetsForRegulatoryComplianceObj: { 1 item copy: [ 1 item { 3 items name: "ruleSetsForRegulatoryCompliancArr" , count: "[variables('regulatoryComplianceStandardsNamesLengthIfEmpty')]" , input: { 1 item rules: [ 1 item { 4 items propertyJPath: "id" , propertyType: "string" , expectedValue: 🔍 "[
if(
equals(
variables(
'regulatoryComplianceStandardsNamesLength'
),
0
),
json(
'null'
),
parameters('regulatoryComplianceStandardsNames')[
copyIndex(
'ruleSetsForRegulatoryCompliancArr'
)
]
)
]", operator: "Contains" } ] } } ] } , ruleSetsForSecureScoreControlsObj: 🔍 "[
if(
equals(
variables(
'secureScoreControlsNamesLength'
),
0
),
json(
'null'
),
variables(
'customRuleSetsForSecureScoreControlsObj'
).ruleSetsForSecureScoreControlsArr
)
]", ruleSetsForSecureRegulatoryComplianceObj: 🔍 "[
if(
equals(
variables(
'regulatoryComplianceStandardsNamesLength'
),
0
),
json(
'null'
),
variables(
'customRuleSetsForRegulatoryComplianceObj'
).ruleSetsForRegulatoryCompliancArr
)
]", ruleSetsForSubAssessmentsObj: 🔍 "[
if(
equals(
variables(
'recommendationNamesLength'
),
0
),
json(
'null'
),
variables(
'customRuleSetsForSubAssessmentsObj'
).ruleSetsForSubAssessmentsArr
)
]", subAssessmentSource: [ 1 item { 2 items eventSource: "SubAssessments" , ruleSets: "[variables('ruleSetsForSubAssessmentsObj')]" } ] , ruleSetsMap: { 10 items Security recommendations: "[variables('ruleSetsForAssessmentsObj').ruleSetsForAssessmentsArr]" , Security alerts: "[variables('ruleSetsForAlertsObj').ruleSetsForAlertsArr]" , Overall secure score: null , Secure score controls: "[variables('ruleSetsForSecureScoreControlsObj')]" , Regulatory compliance: "[variables('ruleSetsForSecureRegulatoryComplianceObj')]" , Overall secure score - snapshot: null , Secure score controls - snapshot: "[variables('ruleSetsForSecureScoreControlsObj')]" , Regulatory compliance - snapshot: "[variables('ruleSetsForSecureRegulatoryComplianceObj')]" , Security recommendations - snapshot: "[variables('ruleSetsForAssessmentsObj').ruleSetsForAssessmentsArr]" , Security findings - snapshot: "[variables('ruleSetsForSubAssessmentsObj')]" } , sourcesWithoutSubAssessments: { 1 item copy: [ 1 item { 3 items name: "sources" , count: "[variables('exportedDataTypesLengthIfEmpty')]" , input: { 2 items eventSource: "[variables('dataTypeMap')[parameters('exportedDataTypes')[copyIndex('sources')]]]" , ruleSets: "[variables('ruleSetsMap')[parameters('exportedDataTypes')[copyIndex('sources')]]]" } } ] } , sourcesWithSubAssessments: 🔍 "[
concat(
variables(
'subAssessmentSource'
),
variables(
'sourcesWithoutSubAssessments'
).sources
)
]", sources: 🔍 "[
if(
equals(
parameters('isSecurityFindingsEnabled'),
bool(
'true'
)
),
variables(
'sourcesWithSubAssessments'
),
variables(
'sourcesWithoutSubAssessments'
).sources
)
]" } , resources: [ 2 items { 5 items condition: "[parameters('createResourceGroup')]" , name: "[parameters('resourceGroupName')]" , type: "Microsoft.Resources/resourceGroups" , apiVersion: "2019-10-01" , location: "[parameters('resourceGroupLocation')]" } , { 6 items type: "Microsoft.Resources/deployments" , apiVersion: "2019-10-01" , name: 🔍 "[
concat(
'nestedAutomationDeployment',
'_',
parameters('guidValue')
)
]", resourceGroup: "[parameters('resourceGroupName')]" , dependsOn: [ 1 item 🔍 "[
resourceId(
'Microsoft.Resources/resourceGroups/',
parameters('resourceGroupName')
)
]"] , properties: { 2 items mode: "Incremental" , template: { 5 items $schema: "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#" , contentVersion: "1.0.0.0" , parameters : {} , variables : {} , resources: [ 1 item { 7 items tags : {} , apiVersion: "2019-01-01-preview" , location: "[parameters('resourceGroupLocation')]" , name: "exportToEventHub" , type: "Microsoft.Security/automations" , dependsOn : [] , properties: { 5 items description: "Export Microsoft Defender for Cloud data to Event Hub via policy" , isEnabled: true , scopes: [ 1 item { 2 items description: 🔍 "[
replace(
variables(
'scopeDescription'
),
'{
0
}',
subscription().subscriptionId
)
]", scopePath: "[subscription().id]" } ] , sources: "[variables('sources')]" , actions: [ 1 item { 3 items actionType: "EventHub" , eventHubResourceId: 🔍 "[
concat(
'/',
variables(
'SeperatedEventHubDetails'
)[
1
],
'/',
variables(
'SeperatedEventHubDetails'
)[
2
],
'/',
variables(
'SeperatedEventHubDetails'
)[
3
],
'/',
variables(
'SeperatedEventHubDetails'
)[
4
],
'/',
variables(
'SeperatedEventHubDetails'
)[
5
],
'/',
variables(
'SeperatedEventHubDetails'
)[
6
],
'/',
variables(
'SeperatedEventHubDetails'
)[
7
],
'/',
variables(
'SeperatedEventHubDetails'
)[
8
],
'/',
variables(
'SeperatedEventHubDetails'
)[
9
],
'/',
variables(
'SeperatedEventHubDetails'
)[
10
]
)
]", connectionString: 🔍 "[
listkeys(
parameters('eventHubDetails'),
'2017-04-01'
).primaryConnectionString
]" } ] } } ] } } } ] } , parameters: { 11 items resourceGroupName: { 1 item value: "[parameters('resourceGroupName')]" } , resourceGroupLocation: { 1 item value: "[parameters('resourceGroupLocation')]" } , createResourceGroup: { 1 item value: "[parameters('createResourceGroup')]" } , exportedDataTypes: { 1 item value: "[parameters('exportedDataTypes')]" } , recommendationNames: { 1 item value: "[parameters('recommendationNames')]" } , isSecurityFindingsEnabled: { 1 item value: "[parameters('isSecurityFindingsEnabled')]" } , secureScoreControlsNames: { 1 item value: "[parameters('secureScoreControlsNames')]" } , recommendationSeverities: { 1 item value: "[parameters('recommendationSeverities')]" } , alertSeverities: { 1 item value: "[parameters('alertSeverities')]" } , regulatoryComplianceStandardsNames: { 1 item value: "[parameters('regulatoryComplianceStandardsNames')]" } , eventHubDetails: { 1 item value: "[parameters('eventHubDetails')]" } } } } } } } }