last sync: 2025-May-27 20:12:32 UTC

Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data

Azure BuiltIn Policy definition

Source Azure Portal
Display name Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data
Id ffb6f416-7bd2-4488-8828-56585fef2be9
Version 4.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
4.1.0
Built-in Versioning [Preview]
Category Security Center
Microsoft Learn
Description Enable export to Log Analytics workspace of Microsoft Defender for Cloud data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '4.1.0'
Repository: Azure-Policy ffb6f416-7bd2-4488-8828-56585fef2be9
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Fixed
deployIfNotExists
RBAC role(s)
Role Name Role Id
Contributor b24988ac-6180-42a0-ab88-20f7382dd24c
Rule aliases THEN-ExistenceCondition (3)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Security/automations/isEnabled Microsoft.Security automations properties.isEnabled True False
Microsoft.Security/automations/sources[*] Microsoft.Security automations properties.sources[*] True False
Microsoft.Security/automations/sources[*].eventSource Microsoft.Security automations properties.sources[*].eventSource True False
Rule resource types IF (1)
THEN-Deployment (4)
Compliance Not a Compliance control
Initiatives usage
Rows: 1-2 / 2
Records:
Use the filters above each column to filter and limit table data. Advanced searches can be performed by using the following operators:
<, <=, >, >=, =, *, !, {, }, ||,&&, [empty], [nonempty], rgx:
Learn more

TableFilter v0.7.3

https://www.tablefilter.com/
©2015-2025 Max Guglielmi
?
Page of 1
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Deprecated]: Deploy Microsoft Defender for Cloud configuration Deploy-MDFC-Config Security Center Deprecated ALZ
Deploy Microsoft Defender for Cloud configuration Deploy-MDFC-Config_20240319 Security Center GA ALZ
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-07-08 16:32:07 change Minor (4.0.1 > 4.1.0)
2022-06-24 19:15:47 change Patch (4.0.0 > 4.0.1)
2021-07-30 15:17:20 change Major (3.0.0 > 4.0.0)
2021-02-03 15:09:01 change Major (2.0.0 > 3.0.0)
2020-12-11 15:42:52 change Major (1.0.0 > 2.0.0)
2020-05-29 15:39:09 add ffb6f416-7bd2-4488-8828-56585fef2be9
JSON compare
compare mode: version left: version right:
4.0.1 → 4.1.0 RENAMED
@@ -1,11 +1,11 @@
1
  {
2
- "displayName": "Deploy export to Log Analytics workspace for Azure Security Center data",
3
  "policyType": "BuiltIn",
4
  "mode": "All",
5
- "description": "Enable export to Log Analytics workspace of Azure Security Center data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.",
6
  "metadata": {
7
- "version": "4.0.1",
8
  "category": "Security Center"
9
  },
10
  "parameters": {
11
  "resourceGroupName": {
@@ -48,9 +48,11 @@
48
  "Secure score controls",
49
  "Regulatory compliance",
50
  "Overall secure score - snapshot",
51
  "Secure score controls - snapshot",
52
- "Regulatory compliance - snapshot"
 
 
53
  ],
54
  "defaultValue": [
55
  "Security recommendations",
56
  "Security alerts",
@@ -58,9 +60,11 @@
58
  "Secure score controls",
59
  "Regulatory compliance",
60
  "Overall secure score - snapshot",
61
  "Secure score controls - snapshot",
62
- "Regulatory compliance - snapshot"
 
 
63
  ]
64
  },
65
  "recommendationNames": {
66
  "type": "Array",
@@ -273,8 +277,32 @@
273
  "value": "[current('dataType')]",
274
  "equals": "Regulatory compliance - snapshot"
275
  }
276
  ]
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
277
  }
278
  ]
279
  }
280
  },
@@ -355,9 +383,11 @@
355
  "Secure score controls": "SecureScoreControls",
356
  "Regulatory compliance": "RegulatoryComplianceAssessment",
357
  "Overall secure score - snapshot": "SecureScoresSnapshot",
358
  "Secure score controls - snapshot": "SecureScoreControlsSnapshot",
359
- "Regulatory compliance - snapshot": "RegulatoryComplianceAssessmentSnapshot"
 
 
360
  },
361
  "alertSeverityMap": {
362
  "High": "high",
363
  "Medium": "medium",
@@ -475,9 +505,11 @@
475
  "Secure score controls": "[variables('ruleSetsForSecureScoreControlsObj')]",
476
  "Regulatory compliance": "[variables('ruleSetsForSecureRegulatoryComplianceObj')]",
477
  "Overall secure score - snapshot": null,
478
  "Secure score controls - snapshot": "[variables('ruleSetsForSecureScoreControlsObj')]",
479
- "Regulatory compliance - snapshot": "[variables('ruleSetsForSecureRegulatoryComplianceObj')]"
 
 
480
  },
481
  "sourcesWithoutSubAssessments": {
482
  "copy": [
483
  {
 
1
  {
2
+ "displayName": "Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data",
3
  "policyType": "BuiltIn",
4
  "mode": "All",
5
+ "description": "Enable export to Log Analytics workspace of Microsoft Defender for Cloud data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.",
6
  "metadata": {
7
+ "version": "4.1.0",
8
  "category": "Security Center"
9
  },
10
  "parameters": {
11
  "resourceGroupName": {
 
48
  "Secure score controls",
49
  "Regulatory compliance",
50
  "Overall secure score - snapshot",
51
  "Secure score controls - snapshot",
52
+ "Regulatory compliance - snapshot",
53
+ "Security recommendations - snapshot",
54
+ "Security findings - snapshot"
55
  ],
56
  "defaultValue": [
57
  "Security recommendations",
58
  "Security alerts",
 
60
  "Secure score controls",
61
  "Regulatory compliance",
62
  "Overall secure score - snapshot",
63
  "Secure score controls - snapshot",
64
+ "Regulatory compliance - snapshot",
65
+ "Security recommendations - snapshot",
66
+ "Security findings - snapshot"
67
  ]
68
  },
69
  "recommendationNames": {
70
  "type": "Array",
 
277
  "value": "[current('dataType')]",
278
  "equals": "Regulatory compliance - snapshot"
279
  }
280
  ]
281
+ },
282
+ {
283
+ "allOf": [
284
+ {
285
+ "field": "Microsoft.Security/automations/sources[*].eventSource",
286
+ "equals": "AssessmentsSnapshot"
287
+ },
288
+ {
289
+ "value": "[current('dataType')]",
290
+ "equals": "Security recommendations - snapshot"
291
+ }
292
+ ]
293
+ },
294
+ {
295
+ "allOf": [
296
+ {
297
+ "field": "Microsoft.Security/automations/sources[*].eventSource",
298
+ "equals": "SubAssessmentsSnapshot"
299
+ },
300
+ {
301
+ "value": "[current('dataType')]",
302
+ "equals": "Security findings - snapshot"
303
+ }
304
+ ]
305
  }
306
  ]
307
  }
308
  },
 
383
  "Secure score controls": "SecureScoreControls",
384
  "Regulatory compliance": "RegulatoryComplianceAssessment",
385
  "Overall secure score - snapshot": "SecureScoresSnapshot",
386
  "Secure score controls - snapshot": "SecureScoreControlsSnapshot",
387
+ "Regulatory compliance - snapshot": "RegulatoryComplianceAssessmentSnapshot",
388
+ "Security recommendations - snapshot": "AssessmentsSnapshot",
389
+ "Security findings - snapshot": "SubAssessmentsSnapshot"
390
  },
391
  "alertSeverityMap": {
392
  "High": "high",
393
  "Medium": "medium",
 
505
  "Secure score controls": "[variables('ruleSetsForSecureScoreControlsObj')]",
506
  "Regulatory compliance": "[variables('ruleSetsForSecureRegulatoryComplianceObj')]",
507
  "Overall secure score - snapshot": null,
508
  "Secure score controls - snapshot": "[variables('ruleSetsForSecureScoreControlsObj')]",
509
+ "Regulatory compliance - snapshot": "[variables('ruleSetsForSecureRegulatoryComplianceObj')]",
510
+ "Security recommendations - snapshot": "[variables('ruleSetsForAssessmentsObj').ruleSetsForAssessmentsArr]",
511
+ "Security findings - snapshot": "[variables('ruleSetsForSubAssessmentsObj')]"
512
  },
513
  "sourcesWithoutSubAssessments": {
514
  "copy": [
515
  {
JSON
api-version=2021-06-01
EPAC
{7 items
  • displayName: "Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data",
  • policyType: "BuiltIn",
  • mode: "All",
  • description: "Enable export to Log Analytics workspace of Microsoft Defender for Cloud data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.",
  • metadata: {2 items
    • version: "4.1.0",
    • category: "Security Center"
    },
  • parameters: {11 items
    • resourceGroupName: {2 items
      • type: "String",
      • metadata: {2 items
        • displayName: "Resource group name",
        • description: "The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured."
        }
      },
    • resourceGroupLocation: {2 items
      • type: "String",
      • metadata: {3 items
        • displayName: "Resource group location",
        • description: "The location where the resource group and the export to Log Analytics workspace configuration are created.",
        • strongType: "location"
        }
      },
    • createResourceGroup: {4 items
      • type: "Boolean",
      • metadata: {2 items
        • displayName: "Create resource group",
        • description: "If a resource group does not exists in the scope, a new resource group will be created. If the resource group exists and this flag is set to 'true' the policy will re-deploy the resource group. Please note this will reset any Azure Tag on the resource group."
        },
      • allowedValues: [2 items
        • true,
        • false
        ],
      • defaultValue: true
      },
    • exportedDataTypes: {4 items
      • type: "Array",
      • metadata: {2 items
        • displayName: "Exported data types",
        • description: "The data types to be exported. To export a snapshot (preview) of the data once a week, choose the data types which contains 'snapshot', other data types will be sent in real-time streaming."
        },
      • allowedValues: [10 items
        • "Security recommendations",
        • "Security alerts",
        • "Overall secure score",
        • "Secure score controls",
        • "Regulatory compliance",
        • "Overall secure score - snapshot",
        • "Secure score controls - snapshot",
        • "Regulatory compliance - snapshot",
        • "Security recommendations - snapshot",
        • "Security findings - snapshot"
        ],
      • defaultValue: [10 items
        • "Security recommendations",
        • "Security alerts",
        • "Overall secure score",
        • "Secure score controls",
        • "Regulatory compliance",
        • "Overall secure score - snapshot",
        • "Secure score controls - snapshot",
        • "Regulatory compliance - snapshot",
        • "Security recommendations - snapshot",
        • "Security findings - snapshot"
        ]
      },
    • recommendationNames: {3 items
      • type: "Array",
      • metadata: {2 items
        • displayName: "Recommendation IDs",
        • description: "Applicable only for export of security recommendations. To export all recommendations, leave this empty. To export specific recommendations, enter a list of recommendation IDs separated by semicolons (';'). Recommendation IDs are available through the Assessments API (https://docs.microsoft.com/rest/api/securitycenter/assessments), or Azure Resource Graph Explorer, choose securityresources and microsoft.security/assessments."
        },
      • defaultValue: []
      },
    • recommendationSeverities: {4 items},
    • isSecurityFindingsEnabled: {4 items
      • type: "Boolean",
      • metadata: {2 items
        • displayName: "Include security findings",
        • description: "Security findings are results from vulnerability assessment solutions, and can be thought of as 'sub' recommendations grouped into a 'parent' recommendation."
        },
      • allowedValues: [2 items
        • true,
        • false
        ],
      • defaultValue: true
      },
    • secureScoreControlsNames: {3 items
      • type: "Array",
      • metadata: {2 items
        • displayName: "Secure Score Controls IDs",
        • description: "Applicable only for export of secure score controls. To export all secure score controls, leave this empty. To export specific secure score controls, enter a list of secure score controls IDs separated by semicolons (';'). Secure score controls IDs are available through the Secure score controls API (https://docs.microsoft.com/rest/api/securitycenter/securescorecontrols), or Azure Resource Graph Explorer, choose securityresources and microsoft.security/securescores/securescorecontrols."
        },
      • defaultValue: []
      },
    • alertSeverities: {4 items},
    • regulatoryComplianceStandardsNames: {3 items
      • type: "Array",
      • metadata: {2 items
        • displayName: "Regulatory compliance standards names",
        • description: "Applicable only for export of regulatory compliance. To export all regulatory compliance, leave this empty. To export specific regulatory compliance standards, enter a list of these standards names separated by semicolons (';'). Regulatory compliance standards names are available through the regulatory compliance standards API (https://docs.microsoft.com/rest/api/securitycenter/regulatorycompliancestandards), or Azure Resource Graph Explorer, choose securityresources and microsoft.security/regulatorycompliancestandards."
        },
      • defaultValue: []
      },
    • workspaceResourceId: {2 items
      • type: "String",
      • metadata: {4 items
        • displayName: "Log Analytics workspace",
        • description: "The Log Analytics workspace of where the data should be exported to.",
        • strongType: "Microsoft.OperationalInsights/workspaces",
        • assignPermissions: true
        }
      }
    },
  • policyRule: {2 items
    • if: {2 items
      • field: "type",
      • equals: "Microsoft.Resources/subscriptions"
      },
    • then: {2 items
      • effect: "deployIfNotExists",
      • details: {8 items
        • type: "Microsoft.Security/automations",
        • name: "ExportToWorkspace",
        • existenceScope: "resourcegroup",
        • ResourceGroupName: "[parameters('resourceGroupName')]",
        • deploymentScope: "subscription",
        • roleDefinitionIds: [1 item
          • "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" Contributor
          ],
        • existenceCondition: {1 item
          • allOf: [3 items
            • {2 items
              • field: "Microsoft.Security/automations/isEnabled",
              • equals: true
              },
            • {2 items
              • count: {1 item
                • field: "Microsoft.Security/automations/sources[*]"
                },
              • equals: 🔍"[ if( parameters('isSecurityFindingsEnabled'), add( length( parameters('exportedDataTypes') ), 1 ), length( parameters('exportedDataTypes') ) ) ]"
              },
            • {2 items
              • count: {3 items
                • value: "[parameters('exportedDataTypes')]",
                • name: "dataType",
                • where: {2 items
                  • count: {2 items
                    • field: "Microsoft.Security/automations/sources[*]",
                    • where: {1 item
                      • anyOf: [10 items
                        • {1 item
                          • allOf: [2 items
                            • {2 items
                              • field: "Microsoft.Security/automations/sources[*].eventSource",
                              • equals: "Assessments"
                              },
                            • {2 items
                              • value: 🔍"[ current( 'dataType' ) ]",
                              • equals: "Security recommendations"
                              }
                            ]
                          },
                        • {1 item
                          • allOf: [2 items
                            • {2 items
                              • field: "Microsoft.Security/automations/sources[*].eventSource",
                              • equals: "Alerts"
                              },
                            • {2 items
                              • value: 🔍"[ current( 'dataType' ) ]",
                              • equals: "Security alerts"
                              }
                            ]
                          },
                        • {1 item
                          • allOf: [2 items
                            • {2 items
                              • field: "Microsoft.Security/automations/sources[*].eventSource",
                              • equals: "SecureScores"
                              },
                            • {2 items
                              • value: 🔍"[ current( 'dataType' ) ]",
                              • equals: "Overall secure score"
                              }
                            ]
                          },
                        • {1 item
                          • allOf: [2 items
                            • {2 items
                              • field: "Microsoft.Security/automations/sources[*].eventSource",
                              • equals: "SecureScoreControls"
                              },
                            • {2 items
                              • value: 🔍"[ current( 'dataType' ) ]",
                              • equals: "Secure score controls"
                              }
                            ]
                          },
                        • {1 item
                          • allOf: [2 items
                            • {2 items
                              • field: "Microsoft.Security/automations/sources[*].eventSource",
                              • equals: "RegulatoryComplianceAssessment"
                              },
                            • {2 items
                              • value: 🔍"[ current( 'dataType' ) ]",
                              • equals: "Regulatory compliance"
                              }
                            ]
                          },
                        • {1 item
                          • allOf: [2 items
                            • {2 items
                              • field: "Microsoft.Security/automations/sources[*].eventSource",
                              • equals: "SecureScoresSnapshot"
                              },
                            • {2 items
                              • value: 🔍"[ current( 'dataType' ) ]",
                              • equals: "Overall secure score - snapshot"
                              }
                            ]
                          },
                        • {1 item
                          • allOf: [2 items
                            • {2 items
                              • field: "Microsoft.Security/automations/sources[*].eventSource",
                              • equals: "SecureScoreControlsSnapshot"
                              },
                            • {2 items
                              • value: 🔍"[ current( 'dataType' ) ]",
                              • equals: "Secure score controls - snapshot"
                              }
                            ]
                          },
                        • {1 item
                          • allOf: [2 items
                            • {2 items
                              • field: "Microsoft.Security/automations/sources[*].eventSource",
                              • equals: "RegulatoryComplianceAssessmentSnapshot"
                              },
                            • {2 items
                              • value: 🔍"[ current( 'dataType' ) ]",
                              • equals: "Regulatory compliance - snapshot"
                              }
                            ]
                          },
                        • {1 item
                          • allOf: [2 items
                            • {2 items
                              • field: "Microsoft.Security/automations/sources[*].eventSource",
                              • equals: "AssessmentsSnapshot"
                              },
                            • {2 items
                              • value: 🔍"[ current( 'dataType' ) ]",
                              • equals: "Security recommendations - snapshot"
                              }
                            ]
                          },
                        • {1 item
                          • allOf: [2 items
                            • {2 items
                              • field: "Microsoft.Security/automations/sources[*].eventSource",
                              • equals: "SubAssessmentsSnapshot"
                              },
                            • {2 items
                              • value: 🔍"[ current( 'dataType' ) ]",
                              • equals: "Security findings - snapshot"
                              }
                            ]
                          }
                        ]
                      }
                    },
                  • equals: 1
                  }
                },
              • equals: 🔍"[ length( parameters('exportedDataTypes') ) ]"
              }
            ]
          },
        • deployment: {2 items
          • location: "westeurope",
          • properties: {3 items
            • mode: "incremental",
            • template: {5 items
              • $schema: "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
              • contentVersion: "1.0.0.0",
              • parameters: {12 items},
              • variables: {31 items
                • scopeDescription: "scope for subscription {0}",
                • subAssessmentRuleExpectedValue: "/assessments/{0}/",
                • recommendationNamesLength: 🔍"[ length( parameters('recommendationNames') ) ]",
                • secureScoreControlsNamesLength: 🔍"[ length( parameters('secureScoreControlsNames') ) ]",
                • secureScoreControlsLengthIfEmpty: 🔍"[ if( equals( variables( 'secureScoreControlsNamesLength' ), 0 ), 1, variables( 'secureScoreControlsNamesLength' ) ) ]",
                • regulatoryComplianceStandardsNamesLength: 🔍"[ length( parameters('regulatoryComplianceStandardsNames') ) ]",
                • regulatoryComplianceStandardsNamesLengthIfEmpty: 🔍"[ if( equals( variables( 'regulatoryComplianceStandardsNamesLength' ), 0 ), 1, variables( 'regulatoryComplianceStandardsNamesLength' ) ) ]",
                • recommendationSeveritiesLength: 🔍"[ length( parameters('recommendationSeverities') ) ]",
                • alertSeveritiesLength: 🔍"[ length( parameters('alertSeverities') ) ]",
                • recommendationNamesLengthIfEmpty: 🔍"[ if( equals( variables( 'recommendationNamesLength' ), 0 ), 1, variables( 'recommendationNamesLength' ) ) ]",
                • recommendationSeveritiesLengthIfEmpty: 🔍"[ if( equals( variables( 'recommendationSeveritiesLength' ), 0 ), 1, variables( 'recommendationSeveritiesLength' ) ) ]",
                • alertSeveritiesLengthIfEmpty: 🔍"[ if( equals( variables( 'alertSeveritiesLength' ), 0 ), 1, variables( 'alertSeveritiesLength' ) ) ]",
                • totalRuleCombinationsForOneRecommendationName: "[variables('recommendationSeveritiesLengthIfEmpty')]",
                • totalRuleCombinationsForOneRecommendationSeverity: 1,
                • exportedDataTypesLength: 🔍"[ length( parameters('exportedDataTypes') ) ]",
                • exportedDataTypesLengthIfEmpty: 🔍"[ if( equals( variables( 'exportedDataTypesLength' ), 0 ), 1, variables( 'exportedDataTypesLength' ) ) ]",
                • dataTypeMap: {10 items
                  • Security recommendations: "Assessments",
                  • Security alerts: "Alerts",
                  • Overall secure score: "SecureScores",
                  • Secure score controls: "SecureScoreControls",
                  • Regulatory compliance: "RegulatoryComplianceAssessment",
                  • Overall secure score - snapshot: "SecureScoresSnapshot",
                  • Secure score controls - snapshot: "SecureScoreControlsSnapshot",
                  • Regulatory compliance - snapshot: "RegulatoryComplianceAssessmentSnapshot",
                  • Security recommendations - snapshot: "AssessmentsSnapshot",
                  • Security findings - snapshot: "SubAssessmentsSnapshot"
                  },
                • alertSeverityMap: {3 items
                  • High: "high",
                  • Medium: "medium",
                  • Low: "low"
                  },
                • ruleSetsForAssessmentsObj: {1 item
                  • copy: [1 item
                    • {3 items
                      • name: "ruleSetsForAssessmentsArr",
                      • count: 🔍"[ mul( variables( 'recommendationNamesLengthIfEmpty' ), variables( 'recommendationSeveritiesLengthIfEmpty' ) ) ]",
                      • input: {1 item
                        • rules: [2 items
                          • {4 items
                            • propertyJPath: 🔍"[ if( equals( variables( 'recommendationNamesLength' ), 0 ), 'type', 'name' ) ]",
                            • propertyType: "string",
                            • expectedValue: 🔍"[ if( equals( variables( 'recommendationNamesLength' ), 0 ), 'Microsoft.Security/assessments', parameters('recommendationNames')[ mod( div( copyIndex( 'ruleSetsForAssessmentsArr' ), variables( 'totalRuleCombinationsForOneRecommendationName' ) ), variables( 'recommendationNamesLength' ) ) ] ) ]",
                            • operator: "Contains"
                            },
                          • {4 items
                            • propertyJPath: "properties.metadata.severity",
                            • propertyType: "string",
                            • expectedValue: "[parameters('recommendationSeverities')[mod(div(copyIndex('ruleSetsForAssessmentsArr'),variables('totalRuleCombinationsForOneRecommendationSeverity')),variables('recommendationSeveritiesLength'))]]",
                            • operator: "Equals"
                            }
                          ]
                        }
                      }
                    ]
                  },
                • customRuleSetsForSubAssessmentsObj: {1 item
                  • copy: [1 item
                    • {3 items
                      • name: "ruleSetsForSubAssessmentsArr",
                      • count: "[variables('recommendationNamesLengthIfEmpty')]",
                      • input: {1 item
                        • rules: [1 item
                          • {4 items
                            • propertyJPath: "id",
                            • propertyType: "string",
                            • expectedValue: 🔍"[ if( equals( variables( 'recommendationNamesLength' ), 0 ), json( 'null' ), replace( variables( 'subAssessmentRuleExpectedValue' ), '{ 0 }', parameters('recommendationNames')[ copyIndex( 'ruleSetsForSubAssessmentsArr' ) ] ) ) ]",
                            • operator: "Contains"
                            }
                          ]
                        }
                      }
                    ]
                  },
                • ruleSetsForAlertsObj: {1 item
                  • copy: [1 item
                    • {3 items
                      • name: "ruleSetsForAlertsArr",
                      • count: "[variables('alertSeveritiesLengthIfEmpty')]",
                      • input: {1 item
                        • rules: [1 item
                          • {4 items
                            • propertyJPath: "Severity",
                            • propertyType: "string",
                            • expectedValue: "[variables('alertSeverityMap')[parameters('alertSeverities')[mod(copyIndex('ruleSetsForAlertsArr'),variables('alertSeveritiesLengthIfEmpty'))]]]",
                            • operator: "Equals"
                            }
                          ]
                        }
                      }
                    ]
                  },
                • customRuleSetsForSecureScoreControlsObj: {1 item
                  • copy: [1 item
                    • {3 items
                      • name: "ruleSetsForSecureScoreControlsArr",
                      • count: "[variables('secureScoreControlsLengthIfEmpty')]",
                      • input: {1 item
                        • rules: [1 item
                          • {4 items
                            • propertyJPath: "name",
                            • propertyType: "string",
                            • expectedValue: 🔍"[ if( equals( variables( 'secureScoreControlsNamesLength' ), 0 ), json( 'null' ), parameters('secureScoreControlsNames')[ copyIndex( 'ruleSetsForSecureScoreControlsArr' ) ] ) ]",
                            • operator: "Equals"
                            }
                          ]
                        }
                      }
                    ]
                  },
                • customRuleSetsForRegulatoryComplianceObj: {1 item
                  • copy: [1 item
                    • {3 items
                      • name: "ruleSetsForRegulatoryCompliancArr",
                      • count: "[variables('regulatoryComplianceStandardsNamesLengthIfEmpty')]",
                      • input: {1 item
                        • rules: [1 item
                          • {4 items
                            • propertyJPath: "id",
                            • propertyType: "string",
                            • expectedValue: 🔍"[ if( equals( variables( 'regulatoryComplianceStandardsNamesLength' ), 0 ), json( 'null' ), parameters('regulatoryComplianceStandardsNames')[ copyIndex( 'ruleSetsForRegulatoryCompliancArr' ) ] ) ]",
                            • operator: "Contains"
                            }
                          ]
                        }
                      }
                    ]
                  },
                • ruleSetsForSecureScoreControlsObj: 🔍"[ if( equals( variables( 'secureScoreControlsNamesLength' ), 0 ), json( 'null' ), variables( 'customRuleSetsForSecureScoreControlsObj' ).ruleSetsForSecureScoreControlsArr ) ]",
                • ruleSetsForSecureRegulatoryComplianceObj: 🔍"[ if( equals( variables( 'regulatoryComplianceStandardsNamesLength' ), 0 ), json( 'null' ), variables( 'customRuleSetsForRegulatoryComplianceObj' ).ruleSetsForRegulatoryCompliancArr ) ]",
                • ruleSetsForSubAssessmentsObj: 🔍"[ if( equals( variables( 'recommendationNamesLength' ), 0 ), json( 'null' ), variables( 'customRuleSetsForSubAssessmentsObj' ).ruleSetsForSubAssessmentsArr ) ]",
                • subAssessmentSource: [1 item
                  • {2 items
                    • eventSource: "SubAssessments",
                    • ruleSets: "[variables('ruleSetsForSubAssessmentsObj')]"
                    }
                  ],
                • ruleSetsMap: {10 items
                  • Security recommendations: "[variables('ruleSetsForAssessmentsObj').ruleSetsForAssessmentsArr]",
                  • Security alerts: "[variables('ruleSetsForAlertsObj').ruleSetsForAlertsArr]",
                  • Overall secure score: null,
                  • Secure score controls: "[variables('ruleSetsForSecureScoreControlsObj')]",
                  • Regulatory compliance: "[variables('ruleSetsForSecureRegulatoryComplianceObj')]",
                  • Overall secure score - snapshot: null,
                  • Secure score controls - snapshot: "[variables('ruleSetsForSecureScoreControlsObj')]",
                  • Regulatory compliance - snapshot: "[variables('ruleSetsForSecureRegulatoryComplianceObj')]",
                  • Security recommendations - snapshot: "[variables('ruleSetsForAssessmentsObj').ruleSetsForAssessmentsArr]",
                  • Security findings - snapshot: "[variables('ruleSetsForSubAssessmentsObj')]"
                  },
                • sourcesWithoutSubAssessments: {1 item
                  • copy: [1 item
                    • {3 items
                      • name: "sources",
                      • count: "[variables('exportedDataTypesLengthIfEmpty')]",
                      • input: {2 items
                        • eventSource: "[variables('dataTypeMap')[parameters('exportedDataTypes')[copyIndex('sources')]]]",
                        • ruleSets: "[variables('ruleSetsMap')[parameters('exportedDataTypes')[copyIndex('sources')]]]"
                        }
                      }
                    ]
                  },
                • sourcesWithSubAssessments: 🔍"[ concat( variables( 'subAssessmentSource' ), variables( 'sourcesWithoutSubAssessments' ).sources ) ]",
                • sources: 🔍"[ if( equals( parameters('isSecurityFindingsEnabled'), bool( 'true' ) ), variables( 'sourcesWithSubAssessments' ), variables( 'sourcesWithoutSubAssessments' ).sources ) ]"
                },
              • resources: [2 items
                • {5 items
                  • condition: "[parameters('createResourceGroup')]",
                  • name: "[parameters('resourceGroupName')]",
                  • type: "Microsoft.Resources/resourceGroups",
                  • apiVersion: "2019-10-01",
                  • location: "[parameters('resourceGroupLocation')]"
                  },
                • {6 items
                  • type: "Microsoft.Resources/deployments",
                  • apiVersion: "2019-10-01",
                  • name: 🔍"[ concat( 'nestedAutomationDeployment', '_', parameters('guidValue') ) ]",
                  • resourceGroup: "[parameters('resourceGroupName')]",
                  • dependsOn: [1 item
                    • 🔍"[ resourceId( 'Microsoft.Resources/resourceGroups/', parameters('resourceGroupName') ) ]"
                    ],
                  • properties: {2 items
                    • mode: "Incremental",
                    • template: {5 items
                      • $schema: "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                      • contentVersion: "1.0.0.0",
                      • parameters: {},
                      • variables: {},
                      • resources: [1 item
                        • {7 items
                          • tags: {},
                          • apiVersion: "2019-01-01-preview",
                          • location: "[parameters('resourceGroupLocation')]",
                          • name: "ExportToWorkspace",
                          • type: "Microsoft.Security/automations",
                          • dependsOn: [],
                          • properties: {5 items
                            • description: "Export Microsoft Defender for Cloud data to Log Analytics workspace via policy",
                            • isEnabled: true,
                            • scopes: [1 item
                              • {2 items
                                • description: 🔍"[ replace( variables( 'scopeDescription' ), '{ 0 }', subscription().subscriptionId ) ]",
                                • scopePath: "[subscription().id]"
                                }
                              ],
                            • sources: "[variables('sources')]",
                            • actions: [1 item
                              • {2 items
                                • actionType: "Workspace",
                                • workspaceResourceId: "[parameters('workspaceResourceId')]"
                                }
                              ]
                            }
                          }
                        ]
                      }
                    }
                  }
                ]
              },
            • parameters: {11 items}
            }
          }
        }
      }
    }
}