From 2b04d6812ea14997b945118dca7e5bbfaa3fa9dc Mon Sep 17 00:00:00 2001 
From: Azure Policy Bot Date: Mon, 18 Sep 2023 16:33:24 +0000 Subject: [PATCH] Built-in Policy Release 2d6b82a4 --- ...Kubernetes_AKS_SecurityProfile_Deploy.json | 72 ++++----------- .../MDC_DfSQL_AMA_DefaultPipeline_Arc.json | 10 +-- .../MDC_DfSQL_AMA_DefaultPipeline_VM.json | 61 +++++++++++-- ...C_DfSQL_AMA_UserWorkspacePipeline_Arc.json | 32 +++++-- ...DC_DfSQL_AMA_UserWorkspacePipeline_VM.json | 89 ++++++++++++++++--- .../MDC_DfSQL_AddUserAssignedIdentity_VM.json | 11 +-- .../MDC_DfSQL_DeployDefaultWorkspace.json | 8 +- ...teMgmtCenter_AutoAssessmentMode_Audit.json | 6 +- ...tCenter_CRP_AutoAssessmentMode_Modify.json | 6 +- ...Center_HCRP_AutoAssessmentMode_Modify.json | 6 +- ...teMgmtCenter_ScheduledPatching_Deploy.json | 10 +-- .../AllowedACRs_EnforceSetting.json | 5 +- .../AllowedLogFilter_EnforceSetting.json | 5 +- .../AllowedModuleAuthors_EnforceSetting.json | 5 +- ...dPythonPackageChannels_EnforceSetting.json | 5 +- .../AllowedSigningKey_EnforceSetting.json | 5 +- .../ApprovalEndpoint_EnforceSetting.json | 5 +- ...ntExtension_Linux_HybridVM_Deploy_AMA.json | 9 +- ...yAgentExtension_Linux_VMSS_Deploy_AMA.json | 9 +- ...ncyAgentExtension_Linux_VM_Deploy_AMA.json | 9 +- ...Extension_Windows_HybridVM_Deploy_AMA.json | 9 +- ...gentExtension_Windows_VMSS_Deploy_AMA.json | 9 +- ...yAgentExtension_Windows_VM_Deploy_AMA.json | 9 +- .../MDC_DfSQL_AMA_DefaultPipeline_Arc.json | 10 +-- ...DC_DfSQL_AMA_DefaultPipeline_DCRA_Arc.json | 10 +-- .../MDC_DfSQL_AMA_DefaultPipeline_VM.json | 61 +++++++++++-- ...C_DfSQL_AMA_UserWorkspacePipeline_Arc.json | 32 +++++-- ...QL_AMA_UserWorkspacePipeline_DCRA_Arc.json | 28 ++++-- ...DC_DfSQL_AMA_UserWorkspacePipeline_VM.json | 89 ++++++++++++++++--- .../MDC_DfSQL_AddUserAssignedIdentity_VM.json | 11 +-- .../MDC_DfSQL_DeployDefaultWorkspace.json | 8 +- ...crosoftDefenderForSQLWindowsAgent_Arc.json | 8 +- ...icrosoftDefenderForSQLWindowsAgent_VM.json | 28 ++++-- .../MDC_DfSQL_DeployWindowsAMA_Arc.json | 8 +- 
.../MDC_DfSQL_DeployWindowsAMA_VM.json | 8 +- .../policyDefinitions/Tags/DenyTag.json | 8 +- .../MDC_DfSQL_AMA_DefaultWorkspace.json | 26 ++++-- .../MDC_DfSQL_AMA_UserWorkspace.json | 37 ++++++-- .../MDC_DfSQL_AMA_DefaultWorkspace.json | 26 ++++-- .../MDC_DfSQL_AMA_UserWorkspace.json | 37 ++++++-- .../policySetDefinitions/Tags/DenyTag.json | 8 +- 41 files changed, 578 insertions(+), 260 deletions(-) rename built-in-policies/policyDefinitions/{Update Management Center => Azure Update Manager}/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json (99%) rename built-in-policies/policyDefinitions/{Update Management Center => Azure Update Manager}/AzUpdateMgmtCenter_CRP_AutoAssessmentMode_Modify.json (99%) rename built-in-policies/policyDefinitions/{Update Management Center => Azure Update Manager}/AzUpdateMgmtCenter_HCRP_AutoAssessmentMode_Modify.json (97%) rename built-in-policies/policyDefinitions/{Update Management Center => Azure Update Manager}/AzUpdateMgmtCenter_ScheduledPatching_Deploy.json (98%) diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ASC_Azure_Defender_Kubernetes_AKS_SecurityProfile_Deploy.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ASC_Azure_Defender_Kubernetes_AKS_SecurityProfile_Deploy.json index 67f3f94cb..76ca509f4 100644 --- a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ASC_Azure_Defender_Kubernetes_AKS_SecurityProfile_Deploy.json +++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/ASC_Azure_Defender_Kubernetes_AKS_SecurityProfile_Deploy.json 
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks.",
 "metadata": {
- "version": "4.0.4",
+ "version": "4.1.0",
 "category": "Kubernetes"
 },
- "version": "4.0.4",
+ "version": "4.1.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -90,56 +90,14 @@
 },
 "variables": {
 "locationLongNameToShortMap": {
- "australiacentral": "CAU",
- "australiacentral2": "CBR2",
- "australiaeast": "EAU",
- "australiasoutheast": "SEAU",
- "brazilsouth": "CQ",
- "brazilsoutheast": "BRSE",
- "canadacentral": "CCA",
- "canadaeast": "YQ",
- "centralindia": "CIN",
- "centralus": "CUS",
- "eastasia": "EA",
- "eastus": "EUS",
- "eastus2": "EUS2",
- "eastus2euap": "eus2p",
- "germanywestcentral": "DEWC",
- "francecentral": "PAR",
- "francesouth": "MRS",
- "japaneast": "EJP",
- "japanwest": "OS",
- "jioindiacentral": "JINC",
- "jioindiawest": "JINW",
- "koreacentral": "SE",
- "koreasouth": "PS",
- "northcentralus": "NCUS",
- "northeurope": "NEU",
- "norwayeast": "NOE",
- "norwaywest": "NOW",
- "southafricanorth": "JNB",
- "southcentralus": "SCUS",
- "southeastasia": "SEA",
- "southindia": "MA",
- "swedencentral": "SEC",
- "switzerlandnorth": "CHN",
- "switzerlandwest": "CHW",
- "uaecentral": "AUH",
- "uaenorth": "DXB",
- "uksouth": "SUK",
- "ukwest": "WUK",
- "westcentralus": "WCUS",
- "westeurope": "WEU",
- "westus": "WUS",
- "westus2": "WUS2",
- "westus3": "USW3",
 "usgovvirginia": "USGV",
- "usgovarizona": "USGA",
- "chinaeast3": "NE3",
- "chinanorth3": "NN3",
- "chinaeast2": "E2"
+ "usgovarizona": "USGA"
 },
- "locationCode": "[variables('locationLongNameToShortMap')[parameters('clusterRegion')]]",
+ "alternativeLocation": {
+ "usgovtexas": "usgovarizona"
+ },
+ "actualLogAResourceLocation": "[if(contains(variables('locationLongNameToShortMap'), parameters('clusterRegion')), parameters('clusterRegion'), variables('alternativeLocation')[parameters('clusterRegion')])]",
+ "locationCode": "[variables('locationLongNameToShortMap')[variables('actualLogAResourceLocation')]]",
 "subscriptionId": "[subscription().subscriptionId]",
 "shouldProvisionDefaultWorkspace": "[empty(parameters('logAnalyticsWorkspaceResourceId'))]",
 "defaultRGName": "[concat('DefaultResourceGroup-', variables('locationCode'))]",
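Review bot: `actualLogAResourceLocation` falls through to `variables('alternativeLocation')[parameters('clusterRegion')]` for every region absent from `locationLongNameToShortMap`, so a cluster in a region that is in neither map (any Gov region added after this release) fails remediation with an opaque property-lookup error rather than a clear unsupported-region message; that limitation should at least be stated. The `usgovtexas` to `usgovarizona` mapping also means the auto-provisioned resource group and default workspace (the `location` changes in the `@@ -152` and `@@ -190` hunks below) are created in a different region from the cluster, presumably because the workspace cannot be placed in `usgovtexas` — confirm — and the policy `description` in the `@@ -5` hunk says nothing about that cross-region flow of security event data. Suggest appending to the description: `For clusters in usgovtexas the default resource group and Log Analytics workspace are created in usgovarizona.` The `variables` object this hunk edits continues outside the hunk.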
@@ -152,7 +110,7 @@
 "type": "Microsoft.Resources/resourceGroups",
 "name": "[variables('defaultRGName')]",
 "apiVersion": "2019-05-01",
- "location": "[parameters('clusterRegion')]"
+ "location": "[variables('actualLogAResourceLocation')]"
 },
 {
 "condition": "[variables('shouldProvisionDefaultWorkspace')]",
@@ -166,8 +124,8 @@
 "scope": "inner"
 },
 "parameters": {
- "clusterRegion": {
- "value": "[parameters('clusterRegion')]"
+ "resourceLocation": {
+ "value": "[variables('actualLogAResourceLocation')]"
 },
 "workspaceName": {
 "value": "[variables('workspaceName')]"
@@ -177,7 +135,7 @@
 "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "parameters": {
- "clusterRegion": {
+ "resourceLocation": {
 "type": "string"
 },
 "workspaceName": {
@@ -190,7 +148,7 @@
 "type": "Microsoft.OperationalInsights/workspaces",
 "name": "[parameters('workspaceName')]",
 "apiVersion": "2021-06-01",
- "location": "[parameters('clusterRegion')]",
+ "location": "[parameters('resourceLocation')]",
 "properties": {
 "sku": {
 "name": "pernode"
@@ -230,7 +188,7 @@
 "value": "[parameters('clusterRegion')]"
 },
 "aksClusterContent": {
- "value": "[reference(parameters('clusterResourceId'), '2022-06-01', 'Full')]"
+ "value": "[reference(parameters('clusterResourceId'), '2023-05-01', 'Full')]"
 }
 },
 "template": {
@@ -254,7 +212,7 @@
 {
 "type": "Microsoft.ContainerService/ManagedClusters",
 "name": "[parameters('clusterName')]",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2023-05-01",
 "location": "[parameters('clusterRegion')]",
 "properties": {
 "securityProfile": {
diff --git a/built-in-policies/policyDefinitions/Azure Government/Security Center/MDC_DfSQL_AMA_DefaultPipeline_Arc.json b/built-in-policies/policyDefinitions/Azure Government/Security Center/MDC_DfSQL_AMA_DefaultPipeline_Arc.json
index 68ce5e4d0..6f28e8a2d 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Security Center/MDC_DfSQL_AMA_DefaultPipeline_Arc.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Security Center/MDC_DfSQL_AMA_DefaultPipeline_Arc.json
@@ -1,13 +1,13 @@
 {
 "properties": {
- "displayName": "[Preview]: Configure Windows Arc machines to create the default Microsoft Defender for SQL pipeline using Azure Monitor Agent",
+ "displayName": "[Preview]: Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace",
 "policyType": "BuiltIn",
 "mode": "Indexed",
- "description": "Configure Windows Arc machines to create the default Microsoft Defender for SQL pipeline using Azure Monitor Agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records.",
- "version": "1.0.0-preview",
+ "description": "Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine.",
+ "version": "1.0.1-preview",
 "metadata": {
 "category": "Security Center",
- "version": "1.0.0-preview",
+ "version": "1.0.1-preview",
 "preview": true
 },
 "parameters": {
@@ -316,7 +316,7 @@
 "name": "[parameters('dcraName')]",
 "apiVersion": "2021-04-01",
 "properties": {
- "description": "Association of data collection rule for Microsoft Defender for SQL. Deleting this association will break the detection of security vulnerabilities for this Arc machine.",
+ "description": "Configure association between Arc-enabled SQL Server and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Server.",
 "dataCollectionRuleId": "[parameters('dcrId')]"
 }
 }
diff --git a/built-in-policies/policyDefinitions/Azure Government/Security Center/MDC_DfSQL_AMA_DefaultPipeline_VM.json b/built-in-policies/policyDefinitions/Azure Government/Security Center/MDC_DfSQL_AMA_DefaultPipeline_VM.json
index 93968e910..1ef9a9ecf 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Security Center/MDC_DfSQL_AMA_DefaultPipeline_VM.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Security Center/MDC_DfSQL_AMA_DefaultPipeline_VM.json
@@ -1,12 +1,12 @@
 {
 "properties": {
- "displayName": "[Preview]: Configure Windows SQL virtual machines to create the default Microsoft Defender for SQL pipeline using Azure Monitor Agent",
+ "displayName": "[Preview]: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace",
 "policyType": "BuiltIn",
 "mode": "Indexed",
- "description": "Configure Windows SQL virtual machines to create the default Microsoft Defender for SQL pipeline using Azure Monitor Agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records.",
- "version": "1.0.0-preview",
+ "description": "Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine.",
+ "version": "1.1.0-preview",
 "metadata": {
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "category": "Security Center",
 "preview": true
 },
@@ -119,7 +119,8 @@
 "dcrId": "[concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('defaultRGName'), '/providers/Microsoft.Insights/dataCollectionRules/', variables('dcrName'))]",
 "dcraName": "[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]",
 "deployDataCollectionRules": "[concat('deployDataCollectionRules-', uniqueString(deployment().name))]",
- "deployDataCollectionRulesAssociation": "[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]"
+ "deployDataCollectionRulesAssociation": "[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]",
+ "deployDefenderForSQL": "[concat('deployDefenderForSQL-', uniqueString(deployment().name))]"
 },
 "resources": [
 {
@@ -128,6 +129,54 @@
 "apiVersion": "2022-09-01",
 "location": "[variables('defaultRGLocation')]"
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "name": "[variables('deployDefenderForSQL')]",
+ "apiVersion": "2022-09-01",
+ "resourceGroup": "[parameters('resourceGroup')]",
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "vmName": {
+ "value": "[parameters('vmName')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "vmName": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Compute/virtualMachines/extensions",
+ "name": "[concat(parameters('vmName'), '/', 'MicrosoftDefenderForSQL')]",
+ "apiVersion": "2023-03-01",
+ "location": "[parameters('location')]",
+ "properties": {
+ "publisher": "Microsoft.Azure.AzureDefenderForSQL",
+ "type": "AdvancedThreatProtection.Windows",
+ "typeHandlerVersion": "2.0",
+ "autoUpgradeMinorVersion": true,
+ "enableAutomaticUpgrade": true
+ }
+ }
+ ]
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "name": "[variables('deployDataCollectionRules')]",
@@ -304,7 +353,7 @@
 "name": "[parameters('dcraName')]",
 "apiVersion": "2021-04-01",
 "properties": {
- "description": "Association of data collection rule for Microsoft Defender for SQL. Deleting this association will break the detection of security vulnerabilities for this virtual machine.",
+ "description": "Configure association between SQL Virtual Machine and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this SQL Virtual Machine.",
 "dataCollectionRuleId": "[parameters('dcrId')]"
 }
 }
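Review bot: The new `deployDefenderForSQL` nested deployment installs the `AdvancedThreatProtection.Windows` extension unconditionally, but nothing in these hunks adds the extension to the policy's existence check; if the `existenceCondition` (outside the hunk) still only covers the DCR association whose description is edited in the `@@ -304` hunk, a VM whose extension is later removed or never installs still evaluates as compliant and is not re-remediated. Either include the extension in the existence condition or state the limitation in the policy `description`, e.g. `Compliance is evaluated on the DCR association; the Microsoft Defender for SQL extension is installed during remediation but not audited.` The inner template also reads `parameters('location')`, which no hunk in this file introduces — presumably the outer template already declares it (MDC_DfSQL_AMA_UserWorkspacePipeline_VM.json adds it in its `@@ -99,6 +107,9 @@` hunk); confirm. The identical block is added to MDC_DfSQL_AMA_UserWorkspacePipeline_VM.json in its `@@ -149,6 +170,54 @@` hunk. The outer `resources` array this hunk extends starts before and ends after the hunk.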
diff --git a/built-in-policies/policyDefinitions/Azure Government/Security Center/MDC_DfSQL_AMA_UserWorkspacePipeline_Arc.json b/built-in-policies/policyDefinitions/Azure Government/Security Center/MDC_DfSQL_AMA_UserWorkspacePipeline_Arc.json
index 6817743e2..bb9970667 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Security Center/MDC_DfSQL_AMA_UserWorkspacePipeline_Arc.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Security Center/MDC_DfSQL_AMA_UserWorkspacePipeline_Arc.json
@@ -1,13 +1,13 @@
 {
 "properties": {
- "displayName": "[Preview]: Configure Windows Arc machines to create the Microsoft Defender for SQL user-defined pipeline using Azure Monitor Agent",
+ "displayName": "[Preview]: Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace",
 "policyType": "BuiltIn",
 "mode": "Indexed",
- "description": "Configure Windows Arc machines to create the Microsoft Defender for SQL user-defined pipeline using Azure Monitor Agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Use the user-provided Log Analytics workspace to store audit records. Create a resource group and a Data Collection Rule in the same region as the user-provided Log Analytics workspace.",
- "version": "1.0.0-preview",
+ "description": "Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.",
+ "version": "1.1.0-preview",
 "metadata": {
 "category": "Security Center",
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "preview": true
 },
 "parameters": {
@@ -27,7 +27,7 @@
 "type": "String",
 "metadata": {
 "displayName": "Workspace Resource Id",
- "description": "Select the Log Analytics workspace to which the virtual machines in scope will send their logs. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "description": "Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.",
 "strongType": "omsWorkspace"
 }
 },
@@ -35,10 +35,18 @@
 "type": "String",
 "metadata": {
 "displayName": "Workspace region",
- "description": "Region of the Workspace to which the Arc machines in scope will send their logs. Needed to create the Data Collection Rule in the same region",
+ "description": "Region of the Log Analytics workspace destination for the Data Collection Rule.",
 "strongType": "location"
 }
 },
+ "userWorkspaceId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Workspace Id",
+ "description": "Workspace Id of the Log Analytics workspace destination for the Data Collection Rule."
+ },
+ "defaultValue": ""
+ },
 "enableCollectionOfSqlQueriesForSecurityResearch": {
 "type": "Boolean",
 "metadata": {
@@ -87,7 +95,7 @@
 },
 {
 "field": "name",
- "equals": "[concat('MicrosoftDefenderForSQL-', parameters('workspaceRegion'), '-dcr')]"
+ "equals": "[if(empty(parameters('userWorkspaceId')), concat('MicrosoftDefenderForSQL-', parameters('workspaceRegion'), '-dcr'), concat('D4SQL-', replace(parameters('userWorkspaceId'), '-', ''), '-dcr'))]"
 }
 ]
 },
@@ -108,6 +116,9 @@
 "workspaceRegion": {
 "value": "[parameters('workspaceRegion')]"
 },
+ "userWorkspaceId": {
+ "value": "[parameters('userWorkspaceId')]"
+ },
 "enableCollectionOfSqlQueriesForSecurityResearch": {
 "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
 }
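Review bot: The rewritten `description` of the `Workspace Resource Id` parameter (hunk `@@ -27,7 +27,7 @@`) drops the only place that told operators the assignment's principal needs a role such as 'Log Analytics Contributor' on a workspace outside the assignment scope; without it, remediation against a cross-scope workspace fails with an authorization error that is hard to trace back to the assignment, so suggest appending `If the workspace is outside the assignment scope, grant the assignment's managed identity a role able to write to it.` The new `userWorkspaceId` parameter (hunk `@@ -35,10 +35,18 @@`) is a free-form string defaulting to `""` that is only consumed through `replace(..., '-', '')` inside the DCR name in the `@@ -87` existence condition, and nothing relates it to the `Workspace Resource Id` parameter — a mismatched value yields a DCR named for one workspace while its destination is another, and a malformed value yields an invalid resource name; presumably the calling policy set derives both from one workspace, but the description should say the value must be the GUID of that same workspace. The same two points apply to the `@@ -27` and `@@ -35` hunks of MDC_DfSQL_AMA_UserWorkspacePipeline_VM.json.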
@@ -128,6 +139,9 @@
 "workspaceRegion": {
 "type": "string"
 },
+ "userWorkspaceId": {
+ "type": "string"
+ },
 "enableCollectionOfSqlQueriesForSecurityResearch": {
 "type": "bool"
 }
@@ -136,7 +150,7 @@
 "subscriptionId": "[subscription().subscriptionId]",
 "defaultRGName": "[concat('DefaultResourceGroup-', parameters('workspaceRegion'))]",
 "defaultRGLocation": "[parameters('workspaceRegion')]",
- "dcrName": "[concat('MicrosoftDefenderForSQL-', parameters('workspaceRegion'), '-dcr')]",
+ "dcrName": "[if(empty(parameters('userWorkspaceId')), concat('MicrosoftDefenderForSQL-', parameters('workspaceRegion'), '-dcr'), concat('D4SQL-', replace(parameters('userWorkspaceId'), '-', ''), '-dcr'))]",
 "dcrId": "[concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('defaultRGName'), '/providers/Microsoft.Insights/dataCollectionRules/', variables('dcrName'))]",
 "dcraName": "[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]",
 "deployDataCollectionRules": "[concat('deployDataCollectionRules-', uniqueString(deployment().name))]",
@@ -304,7 +318,7 @@
 "name": "[parameters('dcraName')]",
 "apiVersion": "2021-04-01",
 "properties": {
- "description": "Association of data collection rule for Microsoft Defender for SQL. Deleting this association will break the detection of security vulnerabilities for this Arc machine.",
+ "description": "Configure association between Arc-enabled SQL Server and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Server.",
 "dataCollectionRuleId": "[parameters('dcrId')]"
 }
 }
diff --git a/built-in-policies/policyDefinitions/Azure Government/Security Center/MDC_DfSQL_AMA_UserWorkspacePipeline_VM.json b/built-in-policies/policyDefinitions/Azure Government/Security Center/MDC_DfSQL_AMA_UserWorkspacePipeline_VM.json
index f979f4592..e4cfd6c14 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Security Center/MDC_DfSQL_AMA_UserWorkspacePipeline_VM.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Security Center/MDC_DfSQL_AMA_UserWorkspacePipeline_VM.json
@@ -1,12 +1,12 @@
 {
 "properties": {
- "displayName": "[Preview]: Configure Windows SQL machines to create the Microsoft Defender for SQL user-defined pipeline using Azure Monitor Agent",
+ "displayName": "[Preview]: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace",
 "policyType": "BuiltIn",
 "mode": "Indexed",
- "description": "Configure Windows SQL machines to create the Microsoft Defender for SQL user-defined pipeline using Azure Monitor Agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Use the user-provided Log Analytics workspace to store audit records. Create a resource group and a Data Collection Rule in the same region as the user-provided Log Analytics workspace.",
- "version": "1.0.0-preview",
+ "description": "Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.",
+ "version": "1.1.0-preview",
 "metadata": {
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "category": "Security Center",
 "preview": true
 },
@@ -27,7 +27,7 @@
 "type": "String",
 "metadata": {
 "displayName": "Workspace Resource Id",
- "description": "Select the Log Analytics workspace to which the virtual machines in scope will send their logs. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "description": "Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.",
 "strongType": "omsWorkspace"
 }
 },
@@ -35,10 +35,18 @@
 "type": "String",
 "metadata": {
 "displayName": "Workspace region",
- "description": "Region of the Workspace to which the Windows SQL machines in scope will send their logs. Needed to create the Data Collection Rule in the same region",
+ "description": "Region of the Log Analytics workspace destination for the Data Collection Rule.",
 "strongType": "location"
 }
 },
+ "userWorkspaceId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Workspace Id",
+ "description": "Workspace Id of the Log Analytics workspace destination for the Data Collection Rule."
+ },
+ "defaultValue": ""
+ },
 "enableCollectionOfSqlQueriesForSecurityResearch": {
 "type": "Boolean",
 "metadata": {
@@ -87,7 +95,7 @@
 },
 {
 "field": "name",
- "equals": "[concat('MicrosoftDefenderForSQL-', parameters('workspaceRegion'), '-dcr')]"
+ "equals": "[if(empty(parameters('userWorkspaceId')), concat('MicrosoftDefenderForSQL-', parameters('workspaceRegion'), '-dcr'), concat('D4SQL-', replace(parameters('userWorkspaceId'), '-', ''), '-dcr'))]"
 }
 ]
 },
@@ -99,6 +107,9 @@
 "resourceGroup": {
 "value": "[resourceGroup().name]"
 },
+ "location": {
+ "value": "[field('location')]"
+ },
 "vmName": {
 "value": "[first(split(field('fullName'), '/'))]"
 },
@@ -108,6 +119,9 @@
 "workspaceRegion": {
 "value": "[parameters('workspaceRegion')]"
 },
+ "userWorkspaceId": {
+ "value": "[parameters('userWorkspaceId')]"
+ },
 "enableCollectionOfSqlQueriesForSecurityResearch": {
 "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
 }
@@ -119,6 +133,9 @@
 "resourceGroup": {
 "type": "string"
 },
+ "location": {
+ "type": "string"
+ },
 "vmName": {
 "type": "string"
 },
@@ -128,6 +145,9 @@
 "workspaceRegion": {
 "type": "string"
 },
+ "userWorkspaceId": {
+ "type": "string"
+ },
 "enableCollectionOfSqlQueriesForSecurityResearch": {
 "type": "bool"
 }
@@ -136,11 +156,12 @@
 "subscriptionId": "[subscription().subscriptionId]",
 "defaultRGName": "[concat('DefaultResourceGroup-', parameters('workspaceRegion'))]",
 "defaultRGLocation": "[parameters('workspaceRegion')]",
- "dcrName": "[concat('MicrosoftDefenderForSQL-', parameters('workspaceRegion'), '-dcr')]",
+ "dcrName": "[if(empty(parameters('userWorkspaceId')), concat('MicrosoftDefenderForSQL-', parameters('workspaceRegion'), '-dcr'), concat('D4SQL-', replace(parameters('userWorkspaceId'), '-', ''), '-dcr'))]",
 "dcrId": "[concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('defaultRGName'), '/providers/Microsoft.Insights/dataCollectionRules/', variables('dcrName'))]",
 "dcraName": "[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]",
 "deployDataCollectionRules": "[concat('deployDataCollectionRules-', uniqueString(deployment().name))]",
- "deployDataCollectionRulesAssociation": "[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]"
+ "deployDataCollectionRulesAssociation": "[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]",
+ "deployDefenderForSQL": "[concat('deployDefenderForSQL-', uniqueString(deployment().name))]"
 },
 "resources": [
 {
@@ -149,6 +170,54 @@
 "apiVersion": "2022-09-01",
 "location": "[variables('defaultRGLocation')]"
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "name": "[variables('deployDefenderForSQL')]",
+ "apiVersion": "2022-09-01",
+ "resourceGroup": "[parameters('resourceGroup')]",
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "vmName": {
+ "value": "[parameters('vmName')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "vmName": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Compute/virtualMachines/extensions",
+ "name": "[concat(parameters('vmName'), '/', 'MicrosoftDefenderForSQL')]",
+ "apiVersion": "2023-03-01",
+ "location": "[parameters('location')]",
+ "properties": {
+ "publisher": "Microsoft.Azure.AzureDefenderForSQL",
+ "type": "AdvancedThreatProtection.Windows",
+ "typeHandlerVersion": "2.0",
+ "autoUpgradeMinorVersion": true,
+ "enableAutomaticUpgrade": true
+ }
+ }
+ ]
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "name": "[variables('deployDataCollectionRules')]",
@@ -304,7 +373,7 @@
 "name": "[parameters('dcraName')]",
 "apiVersion": "2021-04-01",
 "properties": {
- "description": "Association of data collection rule for Microsoft Defender for SQL. Deleting this association will break the detection of security vulnerabilities for this virtual machine.",
+ "description": "Configure association between SQL Virtual Machine and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this SQL Virtual Machine.",
 "dataCollectionRuleId": "[parameters('dcrId')]"
 }
 }
diff --git a/built-in-policies/policyDefinitions/Azure Government/Security Center/MDC_DfSQL_AddUserAssignedIdentity_VM.json b/built-in-policies/policyDefinitions/Azure Government/Security Center/MDC_DfSQL_AddUserAssignedIdentity_VM.json
index 9c2191699..a646f57cd 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Security Center/MDC_DfSQL_AddUserAssignedIdentity_VM.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Security Center/MDC_DfSQL_AddUserAssignedIdentity_VM.json
@@ -1,12 +1,12 @@
 {
 "properties": {
- "displayName": "[Preview]: Assign built-in user-assigned managed identity to SQL Virtual Machines",
+ "displayName": "[Preview]: Create and assign a built-in user-assigned managed identity",
 "policyType": "BuiltIn",
 "mode": "Indexed",
- "description": "Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy.",
- "version": "1.0.0-preview",
+ "description": "Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines.",
+ "version": "1.1.0-preview",
 "metadata": {
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "category": "Security Center",
 "preview": true
 },
@@ -16,7 +16,8 @@
 "metadata": {
 "displayName": "Built-In-Identity-RG Location",
 "description": "The location of the resource group 'Built-In-Identity-RG' created by the policy."
- }
+ },
+ "defaultValue": "usgovvirginia"
 },
 "effect": {
 "type": "String",
diff --git a/built-in-policies/policyDefinitions/Azure Government/Security Center/MDC_DfSQL_DeployDefaultWorkspace.json b/built-in-policies/policyDefinitions/Azure Government/Security Center/MDC_DfSQL_DeployDefaultWorkspace.json
index 35bcf5154..54b0bec7d 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Security Center/MDC_DfSQL_DeployDefaultWorkspace.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Security Center/MDC_DfSQL_DeployDefaultWorkspace.json
@@ -1,12 +1,12 @@
 {
 "properties": {
- "displayName": "[Preview]: Configure Windows machines to create the default Microsoft Defender for SQL workspace",
+ "displayName": "[Preview]: Configure the Microsoft Defender for SQL Log Analytics workspace",
 "policyType": "BuiltIn",
 "mode": "Indexed",
- "description": "Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine to store audit records.",
- "version": "1.0.0-preview",
+ "description": "Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine.",
+ "version": "1.0.1-preview",
 "metadata": {
- "version": "1.0.0-preview",
+ "version": "1.0.1-preview",
 "category": "Security Center",
 "preview": true
 },
diff --git a/built-in-policies/policyDefinitions/Update Management Center/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json b/built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json
similarity index 99%
rename from built-in-policies/policyDefinitions/Update Management Center/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json
rename to built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json
index d04c0f0de..ed7b058af 100644
--- a/built-in-policies/policyDefinitions/Update Management Center/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json
+++ b/built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json
@@ -5,11 +5,11 @@
 "mode": "Indexed",
 "description": "To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",
 "metadata": {
- "version": "3.3.0-preview",
- "category": "Update Management Center",
+ "version": "3.4.0-preview",
+ "category": "Azure Update Manager",
 "preview": true
 },
- "version": "3.3.0-preview",
+ "version": "3.4.0-preview",
 "parameters": {
 "effect": {
 "type": "String",
diff --git a/built-in-policies/policyDefinitions/Update Management Center/AzUpdateMgmtCenter_CRP_AutoAssessmentMode_Modify.json b/built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_CRP_AutoAssessmentMode_Modify.json
similarity index 99%
rename from built-in-policies/policyDefinitions/Update Management Center/AzUpdateMgmtCenter_CRP_AutoAssessmentMode_Modify.json
rename to built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_CRP_AutoAssessmentMode_Modify.json
index 05235f6dd..6ef2b78fd 100644
--- a/built-in-policies/policyDefinitions/Update Management Center/AzUpdateMgmtCenter_CRP_AutoAssessmentMode_Modify.json
+++ b/built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_CRP_AutoAssessmentMode_Modify.json
@@ -5,11 +5,11 @@
 "mode": "Indexed",
 "description": "Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",
 "metadata": {
- "version": "4.3.0-preview",
- "category": "Update Management Center",
+ "version": "4.4.0-preview",
+ "category": "Azure Update Manager",
 "preview": true
 },
- "version": "4.3.0-preview",
+ "version": "4.4.0-preview",
 "parameters": {
 "assessmentMode": {
 "type": "String",
diff --git a/built-in-policies/policyDefinitions/Update Management Center/AzUpdateMgmtCenter_HCRP_AutoAssessmentMode_Modify.json b/built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_HCRP_AutoAssessmentMode_Modify.json
similarity index 97%
rename from built-in-policies/policyDefinitions/Update Management Center/AzUpdateMgmtCenter_HCRP_AutoAssessmentMode_Modify.json
rename to built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_HCRP_AutoAssessmentMode_Modify.json
index 12f1c8e79..016f37358 100644
--- a/built-in-policies/policyDefinitions/Update Management Center/AzUpdateMgmtCenter_HCRP_AutoAssessmentMode_Modify.json
+++ b/built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_HCRP_AutoAssessmentMode_Modify.json
@@ -5,11 +5,11 @@
 "mode": "Indexed",
 "description": "Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",
 "metadata": {
- "version": "2.1.0-preview",
- "category": "Update Management Center",
+ "version": "2.2.0-preview",
+ "category": "Azure Update Manager",
 "preview": true
 },
- "version": "2.1.0-preview",
+ "version": "2.2.0-preview",
 "parameters": {
 "assessmentMode": {
 "type": "String",
diff --git a/built-in-policies/policyDefinitions/Update Management Center/AzUpdateMgmtCenter_ScheduledPatching_Deploy.json b/built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_ScheduledPatching_Deploy.json
similarity index 98%
rename from built-in-policies/policyDefinitions/Update Management Center/AzUpdateMgmtCenter_ScheduledPatching_Deploy.json
rename to built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_ScheduledPatching_Deploy.json
index bd7ef97ee..62bf6aaa5 100644
--- a/built-in-policies/policyDefinitions/Update Management Center/AzUpdateMgmtCenter_ScheduledPatching_Deploy.json
+++ b/built-in-policies/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_ScheduledPatching_Deploy.json
@@ -1,15 +1,15 @@
 {
 "properties": {
- "displayName": "[Preview]: Schedule recurring updates using Update Management Center",
+ "displayName": "[Preview]: Schedule recurring updates using Azure Update Manager",
 "policyType": "BuiltIn",
 "mode": "Indexed",
- "description": "You can use update management center (private preview) in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching",
+ "description": "You can use Azure Update Manager (preview) in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching",
 "metadata": {
- "version": "3.8.0-preview",
- "category": "Update Management Center",
+ "version": "3.9.0-preview",
+ "category": "Azure Update Manager",
 "preview": true
 },
- "version": "3.8.0-preview",
+ "version": "3.9.0-preview",
 "parameters": {
 "maintenanceConfigurationResourceId": {
 "type": "String",
diff --git a/built-in-policies/policyDefinitions/Machine Learning/AllowedACRs_EnforceSetting.json b/built-in-policies/policyDefinitions/Machine Learning/AllowedACRs_EnforceSetting.json
index 3102b5705..6108101ee 100644
--- a/built-in-policies/policyDefinitions/Machine Learning/AllowedACRs_EnforceSetting.json
+++ b/built-in-policies/policyDefinitions/Machine Learning/AllowedACRs_EnforceSetting.json
@@ -5,11 +5,11 @@
 "mode": "Microsoft.MachineLearningServices.Data",
 "description": "Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.",
 "metadata": {
- "version": "6.1.0-preview",
+ "version": "6.2.0-preview",
 "category": "Machine Learning",
 "preview": true
 },
- "version": "6.1.0-preview",
+ "version": "6.2.0-preview",
 "parameters": {
 "computeNames": {
 "type": "Array",
@@ -29,6 +29,7 @@
 "MachineLearningCompute",
 "ComputeInstance",
 "ManagedEndpoint",
+ "Singularity",
 "Any"
 ],
 "defaultValue": "Any"
diff --git a/built-in-policies/policyDefinitions/Machine Learning/AllowedLogFilter_EnforceSetting.json b/built-in-policies/policyDefinitions/Machine Learning/AllowedLogFilter_EnforceSetting.json
index 675d11473..9093835cd 100644
--- a/built-in-policies/policyDefinitions/Machine Learning/AllowedLogFilter_EnforceSetting.json
+++ b/built-in-policies/policyDefinitions/Machine Learning/AllowedLogFilter_EnforceSetting.json
@@ -5,11 +5,11 @@
 "mode": "Microsoft.MachineLearningServices.Data",
 "description": "Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.",
 "metadata": {
- "version": "5.2.0-preview",
+ "version": "5.3.0-preview",
 "category": "Machine Learning",
 "preview": true
 },
- "version": "5.2.0-preview",
+ "version": "5.3.0-preview",
 "parameters": {
 "computeNames": {
 "type": "Array",
@@ -30,6 +30,7 @@
 "SynapseSpark",
 "ComputeInstance",
 "ManagedEndpoint",
+ "Singularity",
 "Any"
 ],
 "defaultValue": "Any"
diff --git a/built-in-policies/policyDefinitions/Machine Learning/AllowedModuleAuthors_EnforceSetting.json b/built-in-policies/policyDefinitions/Machine Learning/AllowedModuleAuthors_EnforceSetting.json
index ba25a7afa..58ff22ca8 100644
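Review bot: `"Singularity"` is appended to the `computeNames` allowedValues in six Machine Learning definitions (this hunk and the AllowedLogFilter, AllowedModuleAuthors, AllowedPythonPackageChannels, AllowedSigningKey and ApprovalEndpoint hunks that follow), but none of these hunks touches the policy rule, so it is worth confirming that the rule evaluates Singularity computes at all rather than accepting a parameter value it never matches. The six enums are maintained by hand and the visible context already differs (`"MachineLearningCompute"` sits above the insertion here, `"SynapseSpark"` in the other five), which may only be where the three-line context falls, but the full lists should be checked for drift while they are all being re-versioned. Each hunk cuts through the `allowedValues` array and the enclosing `computeNames` parameter object continues outside it.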
--- a/built-in-policies/policyDefinitions/Machine Learning/AllowedModuleAuthors_EnforceSetting.json
+++ b/built-in-policies/policyDefinitions/Machine Learning/AllowedModuleAuthors_EnforceSetting.json
@@ -5,11 +5,11 @@
 "mode": "Microsoft.MachineLearningServices.Data",
 "description": "Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.",
 "metadata": {
- "version": "6.2.0-preview",
+ "version": "6.3.0-preview",
 "category": "Machine Learning",
 "preview": true
 },
- "version": "6.2.0-preview",
+ "version": "6.3.0-preview",
 "parameters": {
 "computeNames": {
 "type": "Array",
@@ -32,6 +32,7 @@
 "SynapseSpark",
 "ComputeInstance",
 "ManagedEndpoint",
+ "Singularity",
 "Any"
 ],
 "defaultValue": "Any"
diff --git a/built-in-policies/policyDefinitions/Machine Learning/AllowedPythonPackageChannels_EnforceSetting.json b/built-in-policies/policyDefinitions/Machine Learning/AllowedPythonPackageChannels_EnforceSetting.json
index cad7505b0..62decb4ba 100644
--- a/built-in-policies/policyDefinitions/Machine Learning/AllowedPythonPackageChannels_EnforceSetting.json
+++ b/built-in-policies/policyDefinitions/Machine Learning/AllowedPythonPackageChannels_EnforceSetting.json
@@ -5,11 +5,11 @@
 "mode": "Microsoft.MachineLearningServices.Data",
 "description": "Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.",
 "metadata": {
- "version": "5.2.0-preview",
+ "version": "5.3.0-preview",
 "category": "Machine Learning",
 "preview": true
 },
- "version": "5.2.0-preview",
+ "version": "5.3.0-preview",
 "parameters": {
 "computeNames": {
 "type": "Array",
@@ -30,6 +30,7 @@
 "SynapseSpark",
 "ComputeInstance",
 "ManagedEndpoint",
+ "Singularity",
 "Any"
 ],
 "defaultValue": "Any"
diff --git a/built-in-policies/policyDefinitions/Machine Learning/AllowedSigningKey_EnforceSetting.json b/built-in-policies/policyDefinitions/Machine Learning/AllowedSigningKey_EnforceSetting.json
index be479e9d2..ae74f3f3d 100644
--- a/built-in-policies/policyDefinitions/Machine Learning/AllowedSigningKey_EnforceSetting.json
+++ b/built-in-policies/policyDefinitions/Machine Learning/AllowedSigningKey_EnforceSetting.json
@@ -5,11 +5,11 @@
 "mode": "Microsoft.MachineLearningServices.Data",
 "description": "Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.",
 "metadata": {
- "version": "6.2.0-preview",
+ "version": "6.3.0-preview",
 "category": "Machine Learning",
 "preview": true
 },
- "version": "6.2.0-preview",
+ "version": "6.3.0-preview",
 "parameters": {
 "computeNames": {
 "type": "Array",
@@ -32,6 +32,7 @@
 "SynapseSpark",
 "ComputeInstance",
 "ManagedEndpoint",
+ "Singularity",
 "Any"
 ],
 "defaultValue": "Any"
diff --git a/built-in-policies/policyDefinitions/Machine Learning/ApprovalEndpoint_EnforceSetting.json b/built-in-policies/policyDefinitions/Machine Learning/ApprovalEndpoint_EnforceSetting.json
index fc7103841..4366a4f05 100644
--- a/built-in-policies/policyDefinitions/Machine Learning/ApprovalEndpoint_EnforceSetting.json
+++ b/built-in-policies/policyDefinitions/Machine Learning/ApprovalEndpoint_EnforceSetting.json
@@ -5,11 +5,11 @@
 "mode": "Microsoft.MachineLearningServices.Data",
 "description": "Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc.",
 "metadata": {
- "version": "5.2.0-preview",
+ "version": "5.3.0-preview",
 "category": "Machine Learning",
 "preview": true
 },
- "version": "5.2.0-preview",
+ "version": "5.3.0-preview",
 "parameters": {
 "computeNames": {
 "type": "Array",
@@ -32,6 +32,7 @@
 "SynapseSpark",
 "ComputeInstance",
 "ManagedEndpoint",
+ "Singularity",
 "Any"
 ],
 "defaultValue": "Any"
diff --git a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_HybridVM_Deploy_AMA.json b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_HybridVM_Deploy_AMA.json
index 12509f48f..2feb71e3f 100644
--- a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_HybridVM_Deploy_AMA.json
+++ b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_HybridVM_Deploy_AMA.json
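Review bot: The `description` carried as context in this hunk ends `For more information. For more information, visit https://aka.ms/amlpolicydoc.`, a doubled fragment that shows in the portal for every assignment. It predates this commit, but the definition is already being re-versioned to 5.3.0-preview here, so dropping the stray `For more information.` costs nothing: `"description": "Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.",`. The enclosing `properties` object continues outside the hunk.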
@@ -1,15 +1,14 @@
 {
 "properties": {
- "displayName": "[Preview]: Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings",
+ "displayName": "Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings",
 "policyType": "BuiltIn",
 "mode": "Indexed",
 "description": "Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs.",
 "metadata": {
- "version": "1.1.1-preview",
- "category": "Monitoring",
- "preview": true
+ "version": "1.1.2",
+ "category": "Monitoring"
 },
- "version": "1.1.1-preview",
+ "version": "1.1.2",
 "parameters": {
 "effect": {
 "type": "string",
diff --git a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_VMSS_Deploy_AMA.json b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_VMSS_Deploy_AMA.json
index 170fe5b87..7bb7dc48b 100644
--- a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_VMSS_Deploy_AMA.json
+++ b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_VMSS_Deploy_AMA.json
@@ -1,15 +1,14 @@
 {
 "properties": {
- "displayName": "[Preview]: Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings",
+ "displayName": "Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings",
 "policyType": "BuiltIn",
 "mode": "Indexed",
 "description": "Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances.",
 "metadata": {
- "version": "3.1.0-preview",
- "category": "Monitoring",
- "preview": true
+ "version": "3.1.1",
+ "category": "Monitoring"
 },
- "version": "3.1.0-preview",
+ "version": "3.1.1",
 "parameters": {
 "listOfImageIdToInclude": {
 "type": "Array",
diff --git a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_VM_Deploy_AMA.json b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_VM_Deploy_AMA.json
index 1f991434f..875b09b84 100644
--- a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_VM_Deploy_AMA.json
+++ b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_VM_Deploy_AMA.json
@@ -1,15 +1,14 @@
 {
 "properties": {
- "displayName": "[Preview]: Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings",
+ "displayName": "Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings",
 "policyType": "BuiltIn",
 "mode": "Indexed",
 "description": "Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed.",
 "metadata": {
- "version": "3.1.0-preview",
- "category": "Monitoring",
- "preview": true
+ "version": "3.1.1",
+ "category": "Monitoring"
 },
- "version": "3.1.0-preview",
+ "version": "3.1.1",
 "parameters": {
 "listOfImageIdToInclude": {
 "type": "Array",
diff --git a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_HybridVM_Deploy_AMA.json b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_HybridVM_Deploy_AMA.json
index 947b60980..ba7d52c2c 100644
--- a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_HybridVM_Deploy_AMA.json
+++ b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_HybridVM_Deploy_AMA.json
@@ -1,15 +1,14 @@
 {
 "properties": {
- "displayName": "[Preview]: Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings",
+ "displayName": "Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings",
 "policyType": "BuiltIn",
 "mode": "Indexed",
 "description": "Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs.",
 "metadata": {
- "version": "1.1.1-preview",
- "category": "Monitoring",
- "preview": true
+ "version": "1.1.2",
+ "category": "Monitoring"
 },
- "version": "1.1.1-preview",
+ "version": "1.1.2",
 "parameters": {
 "effect": {
 "type": "string",
diff --git a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_VMSS_Deploy_AMA.json b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_VMSS_Deploy_AMA.json
index 2f6a174b4..fff860232 100644
--- a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_VMSS_Deploy_AMA.json
+++ b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_VMSS_Deploy_AMA.json
@@ -1,15 +1,14 @@
 {
 "properties": {
- "displayName": "[Preview]: Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings",
+ "displayName": "Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings",
 "policyType": "BuiltIn",
 "mode": "Indexed",
 "description": "Deploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them.",
 "metadata": {
- "version": "1.2.1-preview",
- "category": "Monitoring",
- "preview": true
+ "version": "1.2.2",
+ "category": "Monitoring"
 },
- "version": "1.2.1-preview",
+ "version": "1.2.2",
 "parameters": {
 "listOfImageIdToInclude": {
 "type": "Array",
diff --git a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_VM_Deploy_AMA.json b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_VM_Deploy_AMA.json
index b2fb17b7b..e571d5b6b 100644
--- a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_VM_Deploy_AMA.json
+++ b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_VM_Deploy_AMA.json
@@ -1,15 +1,14 @@
 {
 "properties": {
- "displayName": "[Preview]: Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings",
+ "displayName": "Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings",
 "policyType": "BuiltIn",
 "mode": "Indexed",
 "description": "Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed.",
 "metadata": {
- "version": "1.2.1-preview",
- "category": "Monitoring",
- "preview": true
+ "version": "1.2.2",
+ "category": "Monitoring"
 },
- "version": "1.2.1-preview",
+ "version": "1.2.2",
 "parameters": {
 "listOfImageIdToInclude": {
 "type": "Array",
diff --git a/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AMA_DefaultPipeline_Arc.json b/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AMA_DefaultPipeline_Arc.json
index e052dd087..ca13401b4 100644
--- a/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AMA_DefaultPipeline_Arc.json
+++ b/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AMA_DefaultPipeline_Arc.json
@@ -1,13 +1,13 @@
 {
 "properties": {
- "displayName": "[Preview]: Configure Windows Arc machines to create the default Microsoft Defender for SQL pipeline using Azure Monitor Agent",
+ "displayName": "[Preview]: Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace",
 "policyType": "BuiltIn",
 "mode": "Indexed",
- "description": "Configure Windows Arc machines to create the default Microsoft Defender for SQL pipeline using Azure Monitor Agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records.",
- "version": "1.1.0-preview",
+ "description": "Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine.",
+ "version": "1.1.1-preview",
 "metadata": {
 "category": "Security Center",
- "version": "1.1.0-preview",
+ "version": "1.1.1-preview",
 "preview": true
 },
 "parameters": {
@@ -356,7 +356,7 @@
 "name": "[parameters('dcraName')]",
 "apiVersion": "2021-04-01",
 "properties": {
- "description": "Association of data collection rule for Microsoft Defender for SQL. Deleting this association will break the detection of security vulnerabilities for this Arc machine.",
+ "description": "Configure association between Arc-enabled SQL Server and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Server.",
 "dataCollectionRuleId": "[parameters('dcrId')]"
 }
 }
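Review bot: The new `displayName` promises that this policy will configure Arc-enabled SQL Servers to `automatically install Microsoft Defender for SQL and DCR`, yet both hunks for this file change only wording and version, and nothing visible adds an extension deployment the way the MDC_DfSQL_AMA_DefaultPipeline_VM change later in this diff does with its new `deployDefenderForSQL` resource. If the Arc deployment template (outside these hunks) does not install the extension itself, the name over-claims what an assignment does, and an operator reading it would expect protection that a separate definition actually provides; either confirm the template already deploys it or keep the install wording only on the definition that performs it. The `properties` object of the first hunk and the association resource of the second both continue outside the hunks.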
diff --git a/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AMA_DefaultPipeline_DCRA_Arc.json b/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AMA_DefaultPipeline_DCRA_Arc.json
index 1d340e050..7bd0ca7e9 100644
--- a/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AMA_DefaultPipeline_DCRA_Arc.json
+++ b/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AMA_DefaultPipeline_DCRA_Arc.json
@@ -1,13 +1,13 @@
 {
 "properties": {
- "displayName": "[Preview]: Configure Association to link Windows Arc machines to default Microsoft Defender for SQL Data Collection Rule",
+ "displayName": "[Preview]: Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR",
 "policyType": "BuiltIn",
 "mode": "Indexed",
- "description": "Configure Windows Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for SQL. Deleting this association will break the detection of security vulnerabilities for this Arc machine.",
- "version": "1.0.0-preview",
+ "description": "Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers.",
+ "version": "1.0.1-preview",
 "metadata": {
 "category": "Security Center",
- "version": "1.0.0-preview",
+ "version": "1.0.1-preview",
 "preview": true
 },
 "parameters": {
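Review bot: The new top-level `description` ends `for this Arc-enabled SQL Servers`, pairing singular `this` with plural `Servers`; the same slip appears in the first hunk of MDC_DfSQL_AMA_UserWorkspacePipeline_DCRA_Arc later in this diff. The association resource description in the next hunk of this file already uses the singular form, so `... will break the detection of security vulnerabilities for this Arc-enabled SQL Server.` (or `these Arc-enabled SQL Servers`) would make the two consistent. The `properties` object continues outside the hunk.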
@@ -131,7 +131,7 @@
 "name": "[variables('dcraName')]",
 "apiVersion": "2021-04-01",
 "properties": {
- "description": "Association of data collection rule for Microsoft Defender for SQL. Deleting this association will break the detection of security vulnerabilities for this Arc machine.",
+ "description": "Configure association between Arc-enabled SQL Server and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Server.",
 "dataCollectionRuleId": "[variables('dcrId')]"
 }
 }
diff --git a/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AMA_DefaultPipeline_VM.json b/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AMA_DefaultPipeline_VM.json
index 3ea1675bd..e567f62c0 100644
--- a/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AMA_DefaultPipeline_VM.json
+++ b/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AMA_DefaultPipeline_VM.json
@@ -1,12 +1,12 @@
 {
 "properties": {
- "displayName": "[Preview]: Configure Windows SQL virtual machines to create the default Microsoft Defender for SQL pipeline using Azure Monitor Agent",
+ "displayName": "[Preview]: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace",
 "policyType": "BuiltIn",
 "mode": "Indexed",
- "description": "Configure Windows SQL virtual machines to create the default Microsoft Defender for SQL pipeline using Azure Monitor Agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records.",
- "version": "1.1.0-preview",
+ "description": "Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine.",
+ "version": "1.2.0-preview",
 "metadata": {
- "version": "1.1.0-preview",
+ "version": "1.2.0-preview",
 "category": "Security Center",
 "preview": true
 },
@@ -159,7 +159,8 @@
 "dcrId": "[concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('defaultRGName'), '/providers/Microsoft.Insights/dataCollectionRules/', variables('dcrName'))]",
 "dcraName": "[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]",
 "deployDataCollectionRules": "[concat('deployDataCollectionRules-', uniqueString(deployment().name))]",
- "deployDataCollectionRulesAssociation": "[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]"
+ "deployDataCollectionRulesAssociation": "[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]",
+ "deployDefenderForSQL": "[concat('deployDefenderForSQL-', uniqueString(deployment().name))]"
 },
 "resources": [
 {
@@ -168,6 +169,54 @@
 "apiVersion": "2022-09-01",
 "location": "[variables('defaultRGLocation')]"
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "name": "[variables('deployDefenderForSQL')]",
+ "apiVersion": "2022-09-01",
+ "resourceGroup": "[parameters('resourceGroup')]",
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "vmName": {
+ "value": "[parameters('vmName')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "vmName": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Compute/virtualMachines/extensions",
+ "name": "[concat(parameters('vmName'), '/', 'MicrosoftDefenderForSQL')]",
+ "apiVersion": "2023-03-01",
+ "location": "[parameters('location')]",
+ "properties": {
+ "publisher": "Microsoft.Azure.AzureDefenderForSQL",
+ "type": "AdvancedThreatProtection.Windows",
+ "typeHandlerVersion": "2.0",
+ "autoUpgradeMinorVersion": true,
+ "enableAutomaticUpgrade": true
+ }
+ }
+ ]
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "name": "[variables('deployDataCollectionRules')]",
@@ -344,7 +393,7 @@
 "name": "[parameters('dcraName')]",
 "apiVersion": "2021-04-01",
 "properties": {
- "description": "Association of data collection rule for Microsoft Defender for SQL. Deleting this association will break the detection of security vulnerabilities for this virtual machine.",
+ "description": "Configure association between SQL Virtual Machine and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this SQL Virtual Machine.",
 "dataCollectionRuleId": "[parameters('dcrId')]"
 }
 }
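Review bot: The new `deployDefenderForSQL` nested deployment makes this policy write `Microsoft.Compute/virtualMachines/extensions`, but nothing in these hunks changes the definition's `roleDefinitionIds` or its `existenceCondition` (both outside the hunks); if the assignment identity only carries the roles the DCR and association needed, remediation now fails on the extension step with an authorization error, and if the existence check still keys on the association alone, a VM that has the association but not the extension is reported compliant and is never remediated. The handler deployed is `"type": "AdvancedThreatProtection.Windows"` while the first hunk of this file drops `Windows` from the displayName, so the policy's `if` filter should still restrict to Windows images or the nested deployment will fail on Linux SQL VMs. The empty `"variables": {}` in the inner template can simply be omitted. The deployment template's `resources` array continues outside the hunk.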
diff --git a/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AMA_UserWorkspacePipeline_Arc.json b/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AMA_UserWorkspacePipeline_Arc.json
index 9bc46f459..caccd89b3 100644
--- a/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AMA_UserWorkspacePipeline_Arc.json
+++ b/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AMA_UserWorkspacePipeline_Arc.json
@@ -1,13 +1,13 @@
 {
 "properties": {
- "displayName": "[Preview]: Configure Windows Arc machines to create the Microsoft Defender for SQL user-defined pipeline using Azure Monitor Agent",
+ "displayName": "[Preview]: Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace",
 "policyType": "BuiltIn",
 "mode": "Indexed",
- "description": "Configure Windows Arc machines to create the Microsoft Defender for SQL user-defined pipeline using Azure Monitor Agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Use the user-provided Log Analytics workspace to store audit records. Create a resource group and a Data Collection Rule in the same region as the user-provided Log Analytics workspace.",
- "version": "1.1.0-preview",
+ "description": "Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.",
+ "version": "1.2.0-preview",
 "metadata": {
 "category": "Security Center",
- "version": "1.1.0-preview",
+ "version": "1.2.0-preview",
 "preview": true
 },
 "parameters": {
@@ -27,7 +27,7 @@
 "type": "String",
 "metadata": {
 "displayName": "Workspace Resource Id",
- "description": "Select the Log Analytics workspace to which the virtual machines in scope will send their logs. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "description": "Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.",
 "strongType": "omsWorkspace"
 }
 },
@@ -35,10 +35,18 @@
 "type": "String",
 "metadata": {
 "displayName": "Workspace region",
- "description": "Region of the Workspace to which the Arc machines in scope will send their logs. Needed to create the Data Collection Rule in the same region",
+ "description": "Region of the Log Analytics workspace destination for the Data Collection Rule.",
 "strongType": "location"
 }
 },
+ "userWorkspaceId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Workspace Id",
+ "description": "Workspace Id of the Log Analytics workspace destination for the Data Collection Rule."
+ },
+ "defaultValue": ""
+ },
 "enableCollectionOfSqlQueriesForSecurityResearch": {
 "type": "Boolean",
 "metadata": {
@@ -87,7 +95,7 @@
 },
 {
 "field": "name",
- "equals": "[concat('MicrosoftDefenderForSQL-', parameters('workspaceRegion'), '-dcr')]"
+ "equals": "[if(empty(parameters('userWorkspaceId')), concat('MicrosoftDefenderForSQL-', parameters('workspaceRegion'), '-dcr'), concat('D4SQL-', replace(parameters('userWorkspaceId'), '-', ''), '-dcr'))]"
 }
 ]
 },
@@ -108,6 +116,9 @@
 "workspaceRegion": {
 "value": "[parameters('workspaceRegion')]"
 },
+ "userWorkspaceId": {
+ "value": "[parameters('userWorkspaceId')]"
+ },
 "enableCollectionOfSqlQueriesForSecurityResearch": {
 "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
 }
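Review bot: The new `userWorkspaceId` parameter is a free-form `String` with `"defaultValue": ""` and no `strongType`, yet its value is spliced straight into a resource name through `replace(parameters('userWorkspaceId'), '-', '')` in the existence condition here and in the `dcrName` variable of the next hunk group, and the DCRA definition (MDC_DfSQL_AMA_UserWorkspacePipeline_DCRA_Arc, later in this diff) takes its own independent copy; a typo, a value that is not this workspace's customer id, or two assignments given different values means the association is created against a DCR name that nothing ever deploys, and a non-GUID string can violate DCR naming rules. Since the policy language cannot dereference `workspaceResourceId` in the existence condition, the parameter is understandable, but its description should say what is expected and how it must agree with the other values, e.g. `"description": "Customer id (GUID) of the Log Analytics workspace given in workspaceResourceId. Must match the value used for the matching DCR association assignment; leave empty to use the region-based default DCR name."`. The rewritten `workspaceResourceId` description also drops the old warning that a workspace outside the assignment scope requires granting `Log Analytics Contributor` (or similar) to the assignment's principal; that guidance is still needed for the DCR to be created and should be kept. The parameter objects continue outside these hunks.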
@@ -128,6 +139,9 @@ "workspaceRegion": { "type": "string" }, + "userWorkspaceId": { + "type": "string" + }, "enableCollectionOfSqlQueriesForSecurityResearch": { "type": "bool" } @@ -176,7 +190,7 @@ "subscriptionId": "[subscription().subscriptionId]", "defaultRGName": "[concat('DefaultResourceGroup-', variables('locationCode'))]", "defaultRGLocation": "[parameters('workspaceRegion')]", - "dcrName": "[concat('MicrosoftDefenderForSQL-', parameters('workspaceRegion'), '-dcr')]", + "dcrName": "[if(empty(parameters('userWorkspaceId')), concat('MicrosoftDefenderForSQL-', parameters('workspaceRegion'), '-dcr'), concat('D4SQL-', replace(parameters('userWorkspaceId'), '-', ''), '-dcr'))]", "dcrId": "[concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('defaultRGName'), '/providers/Microsoft.Insights/dataCollectionRules/', variables('dcrName'))]", "dcraName": "[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]", "deployDataCollectionRules": "[concat('deployDataCollectionRules-', uniqueString(deployment().name))]", @@ -344,7 +358,7 @@ "name": "[parameters('dcraName')]", "apiVersion": "2021-04-01", "properties": { - "description": "Association of data collection rule for Microsoft Defender for SQL. Deleting this association will break the detection of security vulnerabilities for this Arc machine.", + "description": "Configure association between Arc-enabled SQL Server and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Server.", "dataCollectionRuleId": "[parameters('dcrId')]" } } diff --git a/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AMA_UserWorkspacePipeline_DCRA_Arc.json b/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AMA_UserWorkspacePipeline_DCRA_Arc.json index 580317f2e..4cf27a9d3 100644 
--- a/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AMA_UserWorkspacePipeline_DCRA_Arc.json +++ b/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AMA_UserWorkspacePipeline_DCRA_Arc.json @@ -1,13 +1,13 @@ { "properties": { - "displayName": "[Preview]: Configure Association to link Windows Arc machines to user-defined Microsoft Defender for SQL Data Collection Rule", + "displayName": "[Preview]: Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR", "policyType": "BuiltIn", "mode": "Indexed", - "description": "Configure Windows Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for SQL. Deleting this association will break the detection of security vulnerabilities for this Arc machine.", - "version": "1.0.0-preview", + "description": "Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers.", + "version": "1.1.0-preview", "metadata": { "category": "Security Center", - "version": "1.0.0-preview", + "version": "1.1.0-preview", "preview": true }, "parameters": { @@ -27,9 +27,17 @@ "type": "String", "metadata": { "displayName": "Workspace region", - "description": "Region of the Workspace to which the virtual machines in scope will send their logs. Needed to create the Data Collection Rule in the same region", + "description": "Region of the Log Analytics workspace destination for the Data Collection Rule.", "strongType": "location" } + }, + "userWorkspaceId": { + "type": "String", + "metadata": { + "displayName": "Workspace Id", + "description": "Workspace Id of the Log Analytics workspace destination for the Data Collection Rule." + }, + "defaultValue": "" } }, "policyRule": { 
@@ -70,6 +78,9 @@ }, "workspaceRegion": { "value": "[parameters('workspaceRegion')]" + }, + "userWorkspaceId": { + "value": "[parameters('userWorkspaceId')]" } }, "template": { @@ -84,6 +95,9 @@ }, "workspaceRegion": { "type": "string" + }, + "userWorkspaceId": { + "type": "string" } }, "variables": { @@ -129,7 +143,7 @@ "locationCode": "[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]", "subscriptionId": "[subscription().subscriptionId]", "defaultRGName": "[concat('DefaultResourceGroup-', variables('locationCode'))]", - "dcrName": "[concat('MicrosoftDefenderForSQL-', parameters('workspaceRegion'), '-dcr')]", + "dcrName": "[if(empty(parameters('userWorkspaceId')), concat('MicrosoftDefenderForSQL-', parameters('workspaceRegion'), '-dcr'), concat('D4SQL-', replace(parameters('userWorkspaceId'), '-', ''), '-dcr'))]", "dcrId": "[concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('defaultRGName'), '/providers/Microsoft.Insights/dataCollectionRules/', variables('dcrName'))]", "dcraName": "[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]" }, @@ -139,7 +153,7 @@ "name": "[variables('dcraName')]", "apiVersion": "2021-04-01", "properties": { - "description": "Association of data collection rule for Microsoft Defender for SQL. Deleting this association will break the detection of security vulnerabilities for this Arc machine.", + "description": "Configure association between Arc-enabled SQL Server and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Server.", "dataCollectionRuleId": "[variables('dcrId')]" } } 
diff --git a/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AMA_UserWorkspacePipeline_VM.json b/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AMA_UserWorkspacePipeline_VM.json index 012a9a37d..9c7991205 100644 --- a/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AMA_UserWorkspacePipeline_VM.json +++ b/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AMA_UserWorkspacePipeline_VM.json @@ -1,12 +1,12 @@ { "properties": { - "displayName": "[Preview]: Configure Windows SQL machines to create the Microsoft Defender for SQL user-defined pipeline using Azure Monitor Agent", + "displayName": "[Preview]: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace", "policyType": "BuiltIn", "mode": "Indexed", - "description": "Configure Windows SQL machines to create the Microsoft Defender for SQL user-defined pipeline using Azure Monitor Agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Use the user-provided Log Analytics workspace to store audit records. Create a resource group and a Data Collection Rule in the same region as the user-provided Log Analytics workspace.", - "version": "1.1.0-preview", + "description": "Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.", + "version": "1.2.0-preview", "metadata": { - "version": "1.1.0-preview", + "version": "1.2.0-preview", "category": "Security Center", "preview": true }, 
@@ -27,7 +27,7 @@ "type": "String", "metadata": { "displayName": "Workspace Resource Id", - "description": "Select the Log Analytics workspace to which the virtual machines in scope will send their logs. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "description": "Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.", "strongType": "omsWorkspace" } }, @@ -35,10 +35,18 @@ "type": "String", "metadata": { "displayName": "Workspace region", - "description": "Region of the Workspace to which the Windows SQL machines in scope will send their logs. Needed to create the Data Collection Rule in the same region", + "description": "Region of the Log Analytics workspace destination for the Data Collection Rule.", "strongType": "location" } }, + "userWorkspaceId": { + "type": "String", + "metadata": { + "displayName": "Workspace Id", + "description": "Workspace Id of the Log Analytics workspace destination for the Data Collection Rule." + }, + "defaultValue": "" + }, "enableCollectionOfSqlQueriesForSecurityResearch": { "type": "Boolean", "metadata": { @@ -87,7 +95,7 @@ }, { "field": "name", - "equals": "[concat('MicrosoftDefenderForSQL-', parameters('workspaceRegion'), '-dcr')]" + "equals": "[if(empty(parameters('userWorkspaceId')), concat('MicrosoftDefenderForSQL-', parameters('workspaceRegion'), '-dcr'), concat('D4SQL-', replace(parameters('userWorkspaceId'), '-', ''), '-dcr'))]" } ] }, @@ -99,6 +107,9 @@ "resourceGroup": { "value": "[resourceGroup().name]" }, + "location": { + "value": "[field('location')]" + }, "vmName": { "value": "[first(split(field('fullName'), '/'))]" }, 
@@ -108,6 +119,9 @@ "workspaceRegion": { "value": "[parameters('workspaceRegion')]" }, + "userWorkspaceId": { + "value": "[parameters('userWorkspaceId')]" + }, "enableCollectionOfSqlQueriesForSecurityResearch": { "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]" } @@ -119,6 +133,9 @@ "resourceGroup": { "type": "string" }, + "location": { + "type": "string" + }, "vmName": { "type": "string" }, @@ -128,6 +145,9 @@ "workspaceRegion": { "type": "string" }, + "userWorkspaceId": { + "type": "string" + }, "enableCollectionOfSqlQueriesForSecurityResearch": { "type": "bool" } @@ -176,11 +196,12 @@ "subscriptionId": "[subscription().subscriptionId]", "defaultRGName": "[concat('DefaultResourceGroup-', variables('locationCode'))]", "defaultRGLocation": "[parameters('workspaceRegion')]", - "dcrName": "[concat('MicrosoftDefenderForSQL-', parameters('workspaceRegion'), '-dcr')]", + "dcrName": "[if(empty(parameters('userWorkspaceId')), concat('MicrosoftDefenderForSQL-', parameters('workspaceRegion'), '-dcr'), concat('D4SQL-', replace(parameters('userWorkspaceId'), '-', ''), '-dcr'))]", "dcrId": "[concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('defaultRGName'), '/providers/Microsoft.Insights/dataCollectionRules/', variables('dcrName'))]", "dcraName": "[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]", "deployDataCollectionRules": "[concat('deployDataCollectionRules-', uniqueString(deployment().name))]", - "deployDataCollectionRulesAssociation": "[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]" + "deployDataCollectionRulesAssociation": "[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]", + "deployDefenderForSQL": "[concat('deployDefenderForSQL-', uniqueString(deployment().name))]" }, "resources": [ { 
@@ -189,6 +210,54 @@ "apiVersion": "2022-09-01", "location": "[variables('defaultRGLocation')]" }, + { + "type": "Microsoft.Resources/deployments", + "name": "[variables('deployDefenderForSQL')]", + "apiVersion": "2022-09-01", + "resourceGroup": "[parameters('resourceGroup')]", + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "vmName": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "name": "[concat(parameters('vmName'), '/', 'MicrosoftDefenderForSQL')]", + "apiVersion": "2023-03-01", + "location": "[parameters('location')]", + "properties": { + "publisher": "Microsoft.Azure.AzureDefenderForSQL", + "type": "AdvancedThreatProtection.Windows", + "typeHandlerVersion": "2.0", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true + } + } + ] + } + } + }, { "type": "Microsoft.Resources/deployments", "name": "[variables('deployDataCollectionRules')]", @@ -344,7 +413,7 @@ "name": "[parameters('dcraName')]", "apiVersion": "2021-04-01", "properties": { - "description": "Association of data collection rule for Microsoft Defender for SQL. Deleting this association will break the detection of security vulnerabilities for this virtual machine.", + "description": "Configure association between SQL Virtual Machine and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this SQL Virtual Machine.", "dataCollectionRuleId": "[parameters('dcrId')]" } } 
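Review bot: The new nested deployment installs the `MicrosoftDefenderForSQL` extension (`AdvancedThreatProtection.Windows`) inside a policy whose existence condition (`@@ -87,7 +95,7`) appears to test only for the Data Collection Rule name, so the extension install is evaluated only when the DCR is missing; a second VM in the same region, for which the DCR already exists, would never receive the extension from this policy, and VMs that do receive it also get it from the standalone MDC_DfSQL_DeployMicrosoftDefenderForSQLWindowsAgent_VM.json. Worth confirming that overlap is intended and stating in the description that the extension is installed here as well. The extension type is Windows-only while the new displayName drops "Windows"; either keep "Windows" in the displayName or confirm that the `if` clause (outside this hunk) filters to Windows images. `enableAutomaticUpgrade` and `autoUpgradeMinorVersion` hand version control of a security extension to the publisher, which is the usual choice for Defender agents but is worth one sentence in the description so assignment owners know the extension will change without a policy update.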
diff --git a/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AddUserAssignedIdentity_VM.json b/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AddUserAssignedIdentity_VM.json index 006a9ccf3..3aecd3abd 100644 --- a/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AddUserAssignedIdentity_VM.json +++ b/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_AddUserAssignedIdentity_VM.json @@ -1,12 +1,12 @@ { "properties": { - "displayName": "[Preview]: Assign built-in user-assigned managed identity to SQL Virtual Machines", + "displayName": "[Preview]: Create and assign a built-in user-assigned managed identity", "policyType": "BuiltIn", "mode": "Indexed", - "description": "Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy.", - "version": "1.1.0-preview", + "description": "Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines.", + "version": "1.2.0-preview", "metadata": { - "version": "1.1.0-preview", + "version": "1.2.0-preview", "category": "Security Center", "preview": true }, @@ -16,7 +16,8 @@ "metadata": { "displayName": "Built-In-Identity-RG Location", "description": "The location of the resource group 'Built-In-Identity-RG' created by the policy." - } + }, + "defaultValue": "eastus" }, "effect": { "type": "String", diff --git a/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_DeployDefaultWorkspace.json b/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_DeployDefaultWorkspace.json index d83de1304..751bc93c2 100644 --- a/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_DeployDefaultWorkspace.json +++ b/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_DeployDefaultWorkspace.json 
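Review bot: `builtInIdentityResourceGroupLocation` gains `"defaultValue": "eastus"`, so an assignment that omits the value creates `Built-In-Identity-RG` (and the identity in it) in East US regardless of where the SQL VMs live. In tenants that enforce an allowed-locations policy excluding that region, the remediation deployment is denied and the failures are not obviously linked to this default; a fixed region is also a residency choice made silently on the user's behalf. Suggest saying so in the parameter description, e.g. `"description": "The location of the resource group 'Built-In-Identity-RG' created by the policy. Defaults to eastus; set it explicitly if allowed-locations or residency rules exclude that region."`. The same kind of default is added at initiative level (`usgovvirginia` in the Azure Government initiatives, `eastus` in MDC_DfSQL_AMA_DefaultWorkspace.json).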
@@ -1,12 +1,12 @@ { "properties": { - "displayName": "[Preview]: Configure Windows machines to create the default Microsoft Defender for SQL workspace", + "displayName": "[Preview]: Configure the Microsoft Defender for SQL Log Analytics workspace", "policyType": "BuiltIn", "mode": "Indexed", - "description": "Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine to store audit records.", - "version": "1.0.0-preview", + "description": "Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine.", + "version": "1.0.1-preview", "metadata": { - "version": "1.0.0-preview", + "version": "1.0.1-preview", "category": "Security Center", "preview": true }, diff --git a/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_DeployMicrosoftDefenderForSQLWindowsAgent_Arc.json b/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_DeployMicrosoftDefenderForSQLWindowsAgent_Arc.json index 808d3195b..10403c46f 100644 --- a/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_DeployMicrosoftDefenderForSQLWindowsAgent_Arc.json +++ b/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_DeployMicrosoftDefenderForSQLWindowsAgent_Arc.json 
@@ -1,13 +1,13 @@ { "properties": { - "displayName": "[Preview]: Configure supported Windows Arc machines to automatically install the Microsoft Defender for SQL agent", + "displayName": "[Preview]: Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL", "policyType": "BuiltIn", "mode": "Indexed", - "description": "Configure supported Windows Arc machines to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations).", - "version": "1.0.0-preview", + "description": "Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations).", + "version": "1.0.1-preview", "metadata": { "category": "Security Center", - "version": "1.0.0-preview", + "version": "1.0.1-preview", "preview": true }, "parameters": { diff --git a/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_DeployMicrosoftDefenderForSQLWindowsAgent_VM.json b/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_DeployMicrosoftDefenderForSQLWindowsAgent_VM.json index 4c49135d3..7fe15a893 100644 --- a/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_DeployMicrosoftDefenderForSQLWindowsAgent_VM.json +++ b/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_DeployMicrosoftDefenderForSQLWindowsAgent_VM.json 
@@ -1,12 +1,12 @@ { "properties": { - "displayName": "[Preview]: Configure supported Windows SQL virtual machines to automatically install the Microsoft Defender for SQL agent", + "displayName": "[Preview]: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL", "policyType": "BuiltIn", "mode": "Indexed", - "description": "Configure supported Windows SQL virtual machines to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations).", - "version": "1.0.0-preview", + "description": "Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations).", + "version": "1.1.0-preview", "metadata": { - "version": "1.0.0-preview", + "version": "1.1.0-preview", "category": "Security Center", "preview": true }, @@ -27,10 +27,18 @@ "type": "String", "metadata": { "displayName": "Workspace region", - "description": "Region of the Workspace to which the virtual machines in scope will send their logs. Needed to create the Data Collection Rule in the same region", + "description": "Region of the Log Analytics workspace destination for the Data Collection Rule.", "strongType": "location" }, "defaultValue": "" + }, + "userWorkspaceId": { + "type": "String", + "metadata": { + "displayName": "Workspace Id", + "description": "Workspace Id of the Log Analytics workspace destination for the Data Collection Rule." + }, + "defaultValue": "" } }, "policyRule": { @@ -90,6 +98,9 @@ }, "workspaceRegion": { "value": "[parameters('workspaceRegion')]" + }, + "userWorkspaceId": { + "value": "[parameters('userWorkspaceId')]" } }, "template": { 
@@ -104,6 +115,9 @@ }, "workspaceRegion": { "type": "string" + }, + "userWorkspaceId": { + "type": "string" } }, "variables": { @@ -150,7 +164,7 @@ "locationCode": "[if(contains(variables('locationLongNameToShortMap'), variables('actualLocation')), variables('locationLongNameToShortMap')[variables('actualLocation')], variables('actualLocation'))]", "subscriptionId": "[subscription().subscriptionId]", "defaultRGName": "[concat('DefaultResourceGroup-', variables('locationCode'))]", - "dcrName": "[concat('MicrosoftDefenderForSQL-', variables('actualLocation'), '-dcr')]", + "dcrName": "[if(empty(parameters('userWorkspaceId')), concat('MicrosoftDefenderForSQL-', variables('actualLocation'), '-dcr'), concat('D4SQL-', replace(parameters('userWorkspaceId'), '-', ''), '-dcr'))]", "dcrId": "[concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('defaultRGName'), '/providers/Microsoft.Insights/dataCollectionRules/', variables('dcrName'))]", "dcraName": "[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]" }, @@ -176,7 +190,7 @@ "name": "[variables('dcraName')]", "apiVersion": "2021-04-01", "properties": { - "description": "Association of data collection rule for Microsoft Defender for SQL. Deleting this association will break the detection of security vulnerabilities for this virtual machine.", + "description": "Configure association between SQL Virtual Machine and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this SQL Virtual Machine.", "dataCollectionRuleId": "[variables('dcrId')]" } } diff --git a/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_DeployWindowsAMA_Arc.json b/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_DeployWindowsAMA_Arc.json index 942737488..fc008d2c9 100644 --- a/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_DeployWindowsAMA_Arc.json 
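Review bot: With `userWorkspaceId` set, `dcrName` no longer carries a region, but `dcrId` still resolves through `defaultRGName` = `DefaultResourceGroup-<locationCode>`, which is derived from `variables('actualLocation')` (defined outside the hunk, presumably `workspaceRegion` with a fallback to the VM's location). `workspaceRegion` defaults to `""` in this policy, so a VM in a different region from the workspace gets an association pointing at `…/resourceGroups/DefaultResourceGroup-<vm-region>/…/D4SQL-<id>-dcr`, where the pipeline policy never created the rule, and the deployment fails without naming the cause. The new `workspaceRegion` description no longer tells the user it is needed to locate the rule; suggest `"description": "Region of the Log Analytics workspace destination for the Data Collection Rule. Required when userWorkspaceId is set, because the rule is looked up in the DefaultResourceGroup of that region."`. The same coupling exists in MDC_DfSQL_AMA_UserWorkspacePipeline_DCRA_Arc.json (`@@ -129,7 +143,7`), where the region appears to have no default but is equally undocumented as a lookup key.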
+++ b/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_DeployWindowsAMA_Arc.json @@ -1,12 +1,12 @@ { "properties": { - "displayName": "[Preview]: Configure Windows Arc-enabled machines that contains SQL servers to run Azure Monitor Agent", + "displayName": "[Preview]: Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent", "policyType": "BuiltIn", "mode": "Indexed", - "description": "Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines that contains SQL servers for collecting telemetry data from the guest OS. Learn more: https://aka.ms/AMAOverview.", - "version": "1.1.0-preview", + "description": "Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview.", + "version": "1.1.1-preview", "metadata": { - "version": "1.1.0-preview", + "version": "1.1.1-preview", "category": "Security Center", "preview": true }, diff --git a/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_DeployWindowsAMA_VM.json b/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_DeployWindowsAMA_VM.json index fa2b2b500..c835de09a 100644 --- a/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_DeployWindowsAMA_VM.json +++ b/built-in-policies/policyDefinitions/Security Center/MDC_DfSQL_DeployWindowsAMA_VM.json 
@@ -1,12 +1,12 @@ { "properties": { - "displayName": "[Preview]: Configure Windows SQL virtual machines to run Azure Monitor Agent", + "displayName": "[Preview]: Configure SQL Virtual Machines to automatically install Azure Monitor Agent", "policyType": "BuiltIn", "mode": "Indexed", - "description": "Automate the deployment of Azure Monitor Agent extension on your Windows SQL virtual machines for collecting telemetry data from the guest OS. Learn more: https://aka.ms/AMAOverview.", - "version": "1.1.0-preview", + "description": "Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview.", + "version": "1.1.1-preview", "metadata": { - "version": "1.1.0-preview", + "version": "1.1.1-preview", "category": "Security Center", "preview": true }, diff --git a/built-in-policies/policyDefinitions/Tags/DenyTag.json b/built-in-policies/policyDefinitions/Tags/DenyTag.json index d69ed8784..2d1478c39 100644 --- a/built-in-policies/policyDefinitions/Tags/DenyTag.json +++ b/built-in-policies/policyDefinitions/Tags/DenyTag.json @@ -1,14 +1,14 @@ { "properties": { - "displayName": "Requires resources to not have a specifc tag.", + "displayName": "Requires resources to not have a specific tag.", "policyType": "BuiltIn", "mode": "Indexed", - "description": "Denies the creation of a resource that contains the given tag. Does not apply to resource groups.", + "description": "Denies the creation of a resource that contains the given tag. Does not apply to resource groups.", "metadata": { - "version": "1.0.0", + "version": "1.0.1", "category": "Tags" }, - "version": "1.0.0", + "version": "1.0.1", "parameters": { "tagName": { "type": "String", diff --git a/built-in-policies/policySetDefinitions/Azure Government/Security Center/MDC_DfSQL_AMA_DefaultWorkspace.json b/built-in-policies/policySetDefinitions/Azure Government/Security Center/MDC_DfSQL_AMA_DefaultWorkspace.json index d3e4c70c3..59cd0511d 100644 
--- a/built-in-policies/policySetDefinitions/Azure Government/Security Center/MDC_DfSQL_AMA_DefaultWorkspace.json +++ b/built-in-policies/policySetDefinitions/Azure Government/Security Center/MDC_DfSQL_AMA_DefaultWorkspace.json @@ -1,12 +1,12 @@ { "properties": { - "displayName": "[Preview]: Configure machines to create the default Microsoft Defender for SQL pipeline using Azure Monitor Agent", + "displayName": "[Preview]: Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a LA workspace", "policyType": "BuiltIn", - "description": "Configure machines to automatically install the Azure Monitor and Microsoft Defender for SQL agents. Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records.", - "version": "1.0.0-preview", + "description": "Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule and Log Analytics workspace in the same region as the machine.", + "version": "1.1.0-preview", "metadata": { "category": "Security Center", - "version": "1.0.0-preview", + "version": "1.1.0-preview", "preview": true }, "parameters": { 
@@ -14,11 +14,19 @@ "type": "String", "metadata": { "displayName": "Workspace region", - "description": "Region of the Workspace to which the machines in scope will send their logs. Needed to create the Data Collection Rule in the same region", + "description": "Region of the Log Analytics workspace destination for the Data Collection Rule.", "strongType": "location" }, "defaultValue": "" }, + "userWorkspaceId": { + "type": "String", + "metadata": { + "displayName": "Workspace Id", + "description": "Workspace Id of the Log Analytics workspace destination for the Data Collection Rule." + }, + "defaultValue": "" + }, "enableCollectionOfSqlQueriesForSecurityResearch": { "type": "Boolean", "metadata": { @@ -34,9 +42,10 @@ "builtInIdentityResourceGroupLocation": { "type": "String", "metadata": { - "displayName": "User-Assigned Managed Identity Resource Group", + "displayName": "User-Assigned Managed Identity Resource Group Location", "description": "The location of the resource group 'Built-In-Identity-RG' created by the policy." - } + }, + "defaultValue": "usgovvirginia" } }, "policyDefinitions": [ @@ -62,6 +71,9 @@ "parameters": { "workspaceRegion": { "value": "[parameters('workspaceRegion')]" + }, + "userWorkspaceId": { + "value": "[parameters('userWorkspaceId')]" } } }, diff --git a/built-in-policies/policySetDefinitions/Azure Government/Security Center/MDC_DfSQL_AMA_UserWorkspace.json b/built-in-policies/policySetDefinitions/Azure Government/Security Center/MDC_DfSQL_AMA_UserWorkspace.json index e5756ada3..ec09f2bcb 100644 --- a/built-in-policies/policySetDefinitions/Azure Government/Security Center/MDC_DfSQL_AMA_UserWorkspace.json +++ b/built-in-policies/policySetDefinitions/Azure Government/Security Center/MDC_DfSQL_AMA_UserWorkspace.json 
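Review bot: This is the default-workspace initiative, yet it now exposes `userWorkspaceId` and forwards it (`@@ -62,6 +71,9`) to one member policy, while no `workspaceResourceId` parameter exists here to make a user-defined workspace the Data Collection Rule's destination. If a user fills it in, the member policy that receives it will look for or associate to a rule named `D4SQL-<id>-dcr`, while the default pipeline in this initiative presumably still creates `MicrosoftDefenderForSQL-<region>-dcr`, so the association points at a rule that is never created. If the parameter exists only to keep the member policy's parameter set complete, say so and steer users away from setting it, e.g. `"description": "Leave empty. Setting this in the default-workspace initiative changes the expected Data Collection Rule name without changing its destination."`. The public MDC_DfSQL_AMA_DefaultWorkspace.json initiative (`@@ -14,11 +14,19`, `@@ -62,6 +71,9`) has the same addition.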
@@ -1,12 +1,12 @@ { "properties": { - "displayName": "[Preview]: Configure machines to create the user-defined Microsoft Defender for SQL pipeline using Azure Monitor Agent", + "displayName": "[Preview]: Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace", "policyType": "BuiltIn", - "description": "Configure machines to automatically install the Azure Monitor and Azure Security agents. Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Use the user-provided Log Analytics workspace to store audit records. Creates a resource group and a Data Collection Rule in the same region as the user-provided Log Analytics workspace.", - "version": "1.0.0-preview", + "description": "Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.", + "version": "1.1.0-preview", "metadata": { "category": "Security Center", - "version": "1.0.0-preview", + "version": "1.1.0-preview", "preview": true }, "parameters": { @@ -14,7 +14,7 @@ "type": "String", "metadata": { "displayName": "Workspace Resource Id", - "description": "Select the Log Analytics workspace to which the virtual machines in scope will send their logs. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "description": "Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.", "strongType": "omsWorkspace" } }, 
@@ -22,11 +22,19 @@ "type": "String", "metadata": { "displayName": "Workspace region", - "description": "Region of the Workspace to which the virtual machines in scope will send their logs. Needed to create the Data Collection Rule in the same region", + "description": "Region of the Log Analytics workspace destination for the Data Collection Rule.", "strongType": "location" }, "defaultValue": "" }, + "userWorkspaceId": { + "type": "String", + "metadata": { + "displayName": "Workspace Id", + "description": "Workspace Id of the Log Analytics workspace destination for the Data Collection Rule." + }, + "defaultValue": "" + }, "enableCollectionOfSqlQueriesForSecurityResearch": { "type": "Boolean", "metadata": { @@ -42,9 +50,10 @@ "builtInIdentityResourceGroupLocation": { "type": "String", "metadata": { - "displayName": "User-Assigned Managed Identity Resource Group", + "displayName": "User-Assigned Managed Identity Resource Group Location", "description": "The location of the resource group 'Built-In-Identity-RG' created by the policy." - } + }, + "defaultValue": "usgovvirginia" } }, "policyDefinitions": [ @@ -70,6 +79,9 @@ "parameters": { "workspaceRegion": { "value": "[parameters('workspaceRegion')]" + }, + "userWorkspaceId": { + "value": "[parameters('userWorkspaceId')]" } } }, @@ -84,6 +96,9 @@ "workspaceRegion": { "value": "[parameters('workspaceRegion')]" }, + "userWorkspaceId": { + "value": "[parameters('userWorkspaceId')]" + }, "enableCollectionOfSqlQueriesForSecurityResearch": { "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]" } @@ -110,6 +125,9 @@ "workspaceRegion": { "value": "[parameters('workspaceRegion')]" }, + "userWorkspaceId": { + "value": "[parameters('userWorkspaceId')]" + }, "enableCollectionOfSqlQueriesForSecurityResearch": { "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]" } 
@@ -122,6 +140,9 @@
 "parameters": {
 "workspaceRegion": {
 "value": "[parameters('workspaceRegion')]"
+ },
+ "userWorkspaceId": {
+ "value": "[parameters('userWorkspaceId')]"
 }
 }
 }
diff --git a/built-in-policies/policySetDefinitions/Security Center/MDC_DfSQL_AMA_DefaultWorkspace.json b/built-in-policies/policySetDefinitions/Security Center/MDC_DfSQL_AMA_DefaultWorkspace.json
index 851e299ee..bcbf95767 100644
--- a/built-in-policies/policySetDefinitions/Security Center/MDC_DfSQL_AMA_DefaultWorkspace.json
+++ b/built-in-policies/policySetDefinitions/Security Center/MDC_DfSQL_AMA_DefaultWorkspace.json
@@ -1,12 +1,12 @@
 {
 "properties": {
- "displayName": "[Preview]: Configure machines to create the default Microsoft Defender for SQL pipeline using Azure Monitor Agent",
+ "displayName": "[Preview]: Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a LA workspace",
 "policyType": "BuiltIn",
- "description": "Configure machines to automatically install the Azure Monitor and Microsoft Defender for SQL agents. Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records.",
- "version": "1.1.0-preview",
+ "description": "Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule and Log Analytics workspace in the same region as the machine.",
+ "version": "1.2.0-preview",
 "metadata": {
 "category": "Security Center",
- "version": "1.1.0-preview",
+ "version": "1.2.0-preview",
 "preview": true
 },
 "parameters": {
@@ -14,11 +14,19 @@
 "type": "String",
 "metadata": {
 "displayName": "Workspace region",
- "description": "Region of the Workspace to which the machines in scope will send their logs. Needed to create the Data Collection Rule in the same region",
+ "description": "Region of the Log Analytics workspace destination for the Data Collection Rule.",
 "strongType": "location"
 },
 "defaultValue": ""
 },
+ "userWorkspaceId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Workspace Id",
+ "description": "Workspace Id of the Log Analytics workspace destination for the Data Collection Rule."
+ },
+ "defaultValue": ""
+ },
 "enableCollectionOfSqlQueriesForSecurityResearch": {
 "type": "Boolean",
 "metadata": {
@@ -34,9 +42,10 @@
 "builtInIdentityResourceGroupLocation": {
 "type": "String",
 "metadata": {
- "displayName": "User-Assigned Managed Identity Resource Group",
+ "displayName": "User-Assigned Managed Identity Resource Group Location",
 "description": "The location of the resource group 'Built-In-Identity-RG' created by the policy."
- }
+ },
+ "defaultValue": "eastus"
 }
 },
 "policyDefinitions": [
@@ -62,6 +71,9 @@
 "parameters": {
 "workspaceRegion": {
 "value": "[parameters('workspaceRegion')]"
+ },
+ "userWorkspaceId": {
+ "value": "[parameters('userWorkspaceId')]"
 }
 }
 },
diff --git a/built-in-policies/policySetDefinitions/Security Center/MDC_DfSQL_AMA_UserWorkspace.json b/built-in-policies/policySetDefinitions/Security Center/MDC_DfSQL_AMA_UserWorkspace.json
index e5756ada3..5070dc473 100644
--- a/built-in-policies/policySetDefinitions/Security Center/MDC_DfSQL_AMA_UserWorkspace.json
+++ b/built-in-policies/policySetDefinitions/Security Center/MDC_DfSQL_AMA_UserWorkspace.json
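Review bot: In MDC_DfSQL_AMA_DefaultWorkspace.json the new `userWorkspaceId` parameter (hunk `@@ -14,11 +14,19 @@`) describes itself as the Data Collection Rule destination, yet the set's own description in the preceding hunk says the policy creates the Log Analytics workspace in the same region as the machine, so it is unclear whether a non-empty Workspace Id overrides the created workspace or what the empty default leads to. The parameter text should resolve that, e.g. `"description": "Workspace Id of the Log Analytics workspace destination for the Data Collection Rule. Leave empty to use the workspace this policy creates in the machine's region."` — if that is indeed the behaviour; I cannot confirm it from the hunk, since the consuming policy definitions are outside it.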
@@ -1,12 +1,12 @@
 {
 "properties": {
- "displayName": "[Preview]: Configure machines to create the user-defined Microsoft Defender for SQL pipeline using Azure Monitor Agent",
+ "displayName": "[Preview]: Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace",
 "policyType": "BuiltIn",
- "description": "Configure machines to automatically install the Azure Monitor and Azure Security agents. Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Use the user-provided Log Analytics workspace to store audit records. Creates a resource group and a Data Collection Rule in the same region as the user-provided Log Analytics workspace.",
- "version": "1.0.0-preview",
+ "description": "Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.",
+ "version": "1.1.0-preview",
 "metadata": {
 "category": "Security Center",
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "preview": true
 },
 "parameters": {
@@ -14,7 +14,7 @@
 "type": "String",
 "metadata": {
 "displayName": "Workspace Resource Id",
- "description": "Select the Log Analytics workspace to which the virtual machines in scope will send their logs. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "description": "Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.",
 "strongType": "omsWorkspace"
 }
 },
@@ -22,11 +22,19 @@
 "type": "String",
 "metadata": {
 "displayName": "Workspace region",
- "description": "Region of the Workspace to which the virtual machines in scope will send their logs. Needed to create the Data Collection Rule in the same region",
+ "description": "Region of the Log Analytics workspace destination for the Data Collection Rule.",
 "strongType": "location"
 },
 "defaultValue": ""
 },
+ "userWorkspaceId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Workspace Id",
+ "description": "Workspace Id of the Log Analytics workspace destination for the Data Collection Rule."
+ },
+ "defaultValue": ""
+ },
 "enableCollectionOfSqlQueriesForSecurityResearch": {
 "type": "Boolean",
 "metadata": {
@@ -42,9 +50,10 @@
 "builtInIdentityResourceGroupLocation": {
 "type": "String",
 "metadata": {
- "displayName": "User-Assigned Managed Identity Resource Group",
+ "displayName": "User-Assigned Managed Identity Resource Group Location",
 "description": "The location of the resource group 'Built-In-Identity-RG' created by the policy."
- }
+ },
+ "defaultValue": "eastus"
 }
 },
 "policyDefinitions": [
@@ -70,6 +79,9 @@
 "parameters": {
 "workspaceRegion": {
 "value": "[parameters('workspaceRegion')]"
+ },
+ "userWorkspaceId": {
+ "value": "[parameters('userWorkspaceId')]"
 }
 }
 },
@@ -84,6 +96,9 @@
 "workspaceRegion": {
 "value": "[parameters('workspaceRegion')]"
 },
+ "userWorkspaceId": {
+ "value": "[parameters('userWorkspaceId')]"
+ },
 "enableCollectionOfSqlQueriesForSecurityResearch": {
 "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
 }
@@ -110,6 +125,9 @@
 "workspaceRegion": {
 "value": "[parameters('workspaceRegion')]"
 },
+ "userWorkspaceId": {
+ "value": "[parameters('userWorkspaceId')]"
+ },
 "enableCollectionOfSqlQueriesForSecurityResearch": {
 "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
 }
@@ -122,6 +140,9 @@
 "parameters": {
 "workspaceRegion": {
 "value": "[parameters('workspaceRegion')]"
+ },
+ "userWorkspaceId": {
+ "value": "[parameters('userWorkspaceId')]"
 }
 }
 }
diff --git a/built-in-policies/policySetDefinitions/Tags/DenyTag.json b/built-in-policies/policySetDefinitions/Tags/DenyTag.json
index 484bfe728..7cd4516d6 100644
--- a/built-in-policies/policySetDefinitions/Tags/DenyTag.json
+++ b/built-in-policies/policySetDefinitions/Tags/DenyTag.json
@@ -1,13 +1,13 @@
 {
 "properties": {
- "displayName": "Ensures resources to not have a specifc tag.",
+ "displayName": "Ensures resources to not have a specific tag.",
 "policyType": "BuiltIn",
- "description": "Denies the creation of a resource that contains the given tag. Does not apply to resource groups.",
+ "description": "Denies the creation of a resource that contains the given tag. Does not apply to resource groups.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.0.1",
 "category": "Tags"
 },
- "version": "1.0.0",
+ "version": "1.0.1",
 "parameters": {
 "tagName": {
 "type": "String",