509 строки
20 KiB
JSON
509 строки
20 KiB
JSON
{
|
|
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
|
"contentVersion": "1.0.0.0",
|
|
"parameters": {
|
|
"workspaceRegion": {
|
|
"type": "string",
|
|
"metadata": {
|
|
"description": "The region that log analytics is deployed to."
|
|
},
|
|
"allowedValues": [
|
|
"australiaeast",
|
|
"australiasoutheast"
|
|
]
|
|
},
|
|
"workspaceResourceId": {
|
|
"type": "string",
|
|
"metadata": {
|
|
"description": "The Log Analytics Workspace where any data sources will be directed."
|
|
}
|
|
}
|
|
},
|
|
"variables": {
|
|
"workspaceName": "[split(parameters('workspaceResourceId'),'/')[8]]",
|
|
"changeTrackingResourceName": "[concat('ChangeTracking(', variables('workspaceName'), ')')]",
|
|
"securityResourceName": "[concat('Security(', variables('workspaceName'), ')')]",
|
|
"securityCenterFreeResourceName": "[concat('SecurityCenterFree(', variables('workspaceName'), ')')]",
|
|
"updatesResourceName": "[concat('Updates(', variables('workspaceName'), ')')]",
|
|
"vminsightsResourceName": "[concat('VMInsights(', variables('workspaceName'), ')')]"
|
|
},
|
|
"resources": [
|
|
{
|
|
"apiVersion": "2015-11-01-preview",
|
|
"type": "Microsoft.OperationsManagement/solutions",
|
|
"name": "[variables('changeTrackingResourceName')]",
|
|
"location": "[parameters('workspaceRegion')]",
|
|
"properties": {
|
|
"workspaceResourceId": "[parameters('workspaceResourceId')]"
|
|
},
|
|
"plan": {
|
|
"name": "[concat('ChangeTracking(', variables('workspaceName'), ')')]",
|
|
"product": "OMSGallery/ChangeTracking",
|
|
"promotionCode": "",
|
|
"publisher": "Microsoft"
|
|
}
|
|
},
|
|
{
|
|
//Enable Azure Defender for Servers on Log Analytics workspace
|
|
"type": "Microsoft.OperationsManagement/solutions",
|
|
"apiVersion": "2015-11-01-preview",
|
|
"name": "[variables('securityResourceName')]",
|
|
"location": "[parameters('workspaceRegion')]",
|
|
"plan": {
|
|
"name": "[variables('securityResourceName')]",
|
|
"promotionCode": "",
|
|
"product": "OMSGallery/Security",
|
|
"publisher": "Microsoft"
|
|
},
|
|
"properties": {
|
|
"workspaceResourceId": "[parameters('workspaceResourceId')]"
|
|
}
|
|
},
|
|
{
|
|
"type": "Microsoft.OperationsManagement/solutions",
|
|
"apiVersion": "2015-11-01-preview",
|
|
"name": "[variables('securityCenterFreeResourceName')]",
|
|
"location": "[parameters('workspaceRegion')]",
|
|
"plan": {
|
|
"name": "[variables('securityCenterFreeResourceName')]",
|
|
"promotionCode": "",
|
|
"product": "OMSGallery/SecurityCenterFree",
|
|
"publisher": "Microsoft"
|
|
},
|
|
"properties": {
|
|
"workspaceResourceId": "[parameters('workspaceResourceId')]"
|
|
}
|
|
},
|
|
{
|
|
"apiVersion": "2015-11-01-preview",
|
|
"type": "Microsoft.OperationsManagement/solutions",
|
|
"name": "[variables('updatesResourceName')]",
|
|
"location": "[parameters('workspaceRegion')]",
|
|
"plan": {
|
|
"name": "[variables('updatesResourceName')]",
|
|
"promotionCode": "",
|
|
"product": "OMSGallery/Updates",
|
|
"publisher": "Microsoft"
|
|
},
|
|
"properties": {
|
|
"workspaceResourceId": "[parameters('workspaceResourceId')]"
|
|
}
|
|
},
|
|
{
|
|
"apiVersion": "2015-11-01-preview",
|
|
"type": "Microsoft.OperationsManagement/solutions",
|
|
"name": "[variables('vminsightsResourceName')]",
|
|
"location": "[parameters('workspaceRegion')]",
|
|
"plan": {
|
|
"name": "[variables('vminsightsResourceName')]",
|
|
"promotionCode": "",
|
|
"product": "OMSGallery/VMInsights",
|
|
"publisher": "Microsoft"
|
|
},
|
|
"properties": {
|
|
"workspaceResourceId": "[parameters('workspaceResourceId')]"
|
|
}
|
|
},
|
|
{
|
|
"apiVersion": "2020-08-01",
|
|
"type": "Microsoft.OperationalInsights/workspaces/dataSources",
|
|
"name": "[concat(variables('workspaceName'),'/','ChangeTrackingDefaultRegistry_IPv6 Setting')]",
|
|
"dependsOn":[
|
|
"[resourceId('Microsoft.OperationsManagement/solutions', variables('changeTrackingResourceName'))]"
|
|
],
|
|
"properties": {
|
|
"enabled": "True",
|
|
"keyName": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters",
|
|
"valueName": "",
|
|
"recurse": "False",
|
|
"groupTag": "Custom"
|
|
},
|
|
"kind": "ChangeTrackingDefaultRegistry"
|
|
},
|
|
{
|
|
"apiVersion": "2020-08-01",
|
|
"type": "Microsoft.OperationalInsights/workspaces/dataSources",
|
|
"name": "[concat(variables('workspaceName'),'/','ChangeTrackingDefaultRegistry_LSA Setting')]",
|
|
"dependsOn":[
|
|
"[resourceId('Microsoft.OperationsManagement/solutions', variables('changeTrackingResourceName'))]"
|
|
],
|
|
"properties": {
|
|
"enabled": "True",
|
|
"keyName": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa",
|
|
"valueName": "",
|
|
"recurse": "False",
|
|
"groupTag": "Custom"
|
|
},
|
|
"kind": "ChangeTrackingDefaultRegistry"
|
|
},
|
|
{
|
|
"apiVersion": "2020-08-01",
|
|
"type": "Microsoft.OperationalInsights/workspaces/dataSources",
|
|
"name": "[concat(variables('workspaceName'),'/','ChangeTrackingDefaultRegistry_WindowsNtCurrentVersion')]",
|
|
"dependsOn":[
|
|
"[resourceId('Microsoft.OperationsManagement/solutions', variables('changeTrackingResourceName'))]"
|
|
],
|
|
"properties": {
|
|
"enabled": "True",
|
|
"keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
|
|
"valueName": "",
|
|
"recurse": "False",
|
|
"groupTag": "Custom"
|
|
},
|
|
"kind": "ChangeTrackingDefaultRegistry"
|
|
},
|
|
{
|
|
//Set Log Analytics workspace to collect common security events
|
|
"apiVersion": "2020-08-01",
|
|
"type": "Microsoft.OperationalInsights/workspaces/dataSources",
|
|
"name": "[concat(variables('workspaceName'),'/SecurityEventCollectionConfiguration')]",
|
|
"kind": "SecurityEventCollectionConfiguration",
|
|
"properties": {
|
|
"tier": "Recommended",
|
|
"tierSetMethod": "Custom"
|
|
}
|
|
},
|
|
{
|
|
"apiVersion": "2021-04-01",
|
|
"type": "Microsoft.Insights/dataCollectionRules",
|
|
"name": "DCR-AccountLockoutEvents",
|
|
"kind": "Windows",
|
|
"location": "[parameters('workspaceRegion')]",
|
|
"properties": {
|
|
"dataSources": {
|
|
"windowsEventLogs": [
|
|
{
|
|
"streams": [
|
|
"Microsoft-Event"
|
|
],
|
|
"xPathQueries": [
|
|
"Security!*[System[((EventID=4625))]]", //Failed logins
|
|
"Security!*[System[((EventID=4740))]]" //Lockout
|
|
],
|
|
"name": "AccountLockoutEvents"
|
|
}
|
|
]
|
|
},
|
|
"destinations": {
|
|
"logAnalytics": [
|
|
{
|
|
"workspaceResourceId": "[parameters('workspaceResourceId')]",
|
|
"name": "[variables('workspaceName')]"
|
|
}
|
|
]
|
|
},
|
|
"dataFlows": [
|
|
{
|
|
"streams": [
|
|
"Microsoft-Event"
|
|
],
|
|
"destinations": [
|
|
"[variables('workspaceName')]"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"apiVersion": "2021-04-01",
|
|
"type": "Microsoft.Insights/dataCollectionRules",
|
|
"name": "DCR-ASREvents",
|
|
"kind": "Windows",
|
|
"location": "[parameters('workspaceRegion')]",
|
|
"properties": {
|
|
"dataSources": {
|
|
"windowsEventLogs": [
|
|
{
|
|
"streams": [
|
|
"Microsoft-Event"
|
|
],
|
|
"xPathQueries": [
|
|
"Microsoft-Windows-Windows Defender/Operational!*[System[((EventID >= 1121 and EventID <= 1122))]]",
|
|
"Microsoft-Windows-Windows Defender/WHC!*[System[((EventID >= 1121 and EventID <= 1122))]]"
|
|
],
|
|
"name": "ASREvents"
|
|
}
|
|
]
|
|
},
|
|
"destinations": {
|
|
"logAnalytics": [
|
|
{
|
|
"workspaceResourceId": "[parameters('workspaceResourceId')]",
|
|
"name": "[variables('workspaceName')]"
|
|
}
|
|
]
|
|
},
|
|
"dataFlows": [
|
|
{
|
|
"streams": [
|
|
"Microsoft-Event"
|
|
],
|
|
"destinations": [
|
|
"[variables('workspaceName')]"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"apiVersion": "2021-04-01",
|
|
"type": "Microsoft.Insights/dataCollectionRules",
|
|
"name": "DCR-NTLMEvents",
|
|
"kind": "Windows",
|
|
"location": "[parameters('workspaceRegion')]",
|
|
"properties": {
|
|
"dataSources": {
|
|
"windowsEventLogs": [
|
|
{
|
|
"streams": [
|
|
"Microsoft-Event"
|
|
],
|
|
"xPathQueries": [
|
|
"Microsoft-Windows-NTLM/Operational!*[System[((EventID >= 8001 and EventID <= 8004))]]"
|
|
],
|
|
"name": "NTLMEvents"
|
|
}
|
|
]
|
|
},
|
|
"destinations": {
|
|
"logAnalytics": [
|
|
{
|
|
"workspaceResourceId": "[parameters('workspaceResourceId')]",
|
|
"name": "[variables('workspaceName')]"
|
|
}
|
|
]
|
|
},
|
|
"dataFlows": [
|
|
{
|
|
"streams": [
|
|
"Microsoft-Event"
|
|
],
|
|
"destinations": [
|
|
"[variables('workspaceName')]"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"apiVersion": "2021-04-01",
|
|
"type": "Microsoft.Insights/dataCollectionRules",
|
|
"name": "DCR-ExploitProtectionEvents",
|
|
"kind": "Windows",
|
|
"location": "[parameters('workspaceRegion')]",
|
|
"properties": {
|
|
"dataSources": {
|
|
"windowsEventLogs": [
|
|
{
|
|
"streams": [
|
|
"Microsoft-Event"
|
|
],
|
|
"xPathQueries": [
|
|
"Microsoft-Windows-Security-Mitigations/KernelMode!*[System[((EventID >= 1 and EventID <= 24))]]",
|
|
"Microsoft-Windows-Security-Mitigations/UserMode!*[System[((EventID >= 1 and EventID <= 24))]]",
|
|
"Microsoft-Windows-Win32k/Operational!*[System[((EventID=260))]]",
|
|
"System!*[System[Provider[@Name='Microsoft-Windows-WER-Diag'] and (EventID=5)]]"
|
|
],
|
|
"name": "ExploitProtectionEvents"
|
|
}
|
|
]
|
|
},
|
|
"destinations": {
|
|
"logAnalytics": [
|
|
{
|
|
"workspaceResourceId": "[parameters('workspaceResourceId')]",
|
|
"name": "[variables('workspaceName')]"
|
|
}
|
|
]
|
|
},
|
|
"dataFlows": [
|
|
{
|
|
"streams": [
|
|
"Microsoft-Event"
|
|
],
|
|
"destinations": [
|
|
"[variables('workspaceName')]"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"apiVersion": "2021-04-01",
|
|
"type": "Microsoft.Insights/dataCollectionRules",
|
|
"name": "DCR-IPsecEvents",
|
|
"kind": "Windows",
|
|
"location": "[parameters('workspaceRegion')]",
|
|
"properties": {
|
|
"dataSources": {
|
|
"windowsEventLogs": [
|
|
{
|
|
"streams": [
|
|
"Microsoft-Event"
|
|
],
|
|
"xPathQueries": [
|
|
"Security!*[System[((EventID >= 4650 and EventID <= 4651))]]", //Main mode security associations
|
|
"Security!*[System[((EventID=5451))]]" //Quick mode security associations
|
|
],
|
|
"name": "IPsecEvents"
|
|
}
|
|
]
|
|
},
|
|
"destinations": {
|
|
"logAnalytics": [
|
|
{
|
|
"workspaceResourceId": "[parameters('workspaceResourceId')]",
|
|
"name": "[variables('workspaceName')]"
|
|
}
|
|
]
|
|
},
|
|
"dataFlows": [
|
|
{
|
|
"streams": [
|
|
"Microsoft-Event"
|
|
],
|
|
"destinations": [
|
|
"[variables('workspaceName')]"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"apiVersion": "2021-04-01",
|
|
"type": "Microsoft.Insights/dataCollectionRules",
|
|
"name": "DCR-NetworkProtectionEvents",
|
|
"kind": "Windows",
|
|
"location": "[parameters('workspaceRegion')]",
|
|
"properties": {
|
|
"dataSources": {
|
|
"windowsEventLogs": [
|
|
{
|
|
"streams": [
|
|
"Microsoft-Event"
|
|
],
|
|
"xPathQueries": [
|
|
"Microsoft-Windows-Windows Defender/Operational!*[System[((EventID >= 1125 and EventID <= 1126))]]",
|
|
"Microsoft-Windows-Windows Defender/WHC!*[System[((EventID >= 1125 and EventID <= 1126))]]"
|
|
],
|
|
"name": "NetworkProtectionEvents"
|
|
}
|
|
]
|
|
},
|
|
"destinations": {
|
|
"logAnalytics": [
|
|
{
|
|
"workspaceResourceId": "[parameters('workspaceResourceId')]",
|
|
"name": "[variables('workspaceName')]"
|
|
}
|
|
]
|
|
},
|
|
"dataFlows": [
|
|
{
|
|
"streams": [
|
|
"Microsoft-Event"
|
|
],
|
|
"destinations": [
|
|
"[variables('workspaceName')]"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"apiVersion": "2021-04-01",
|
|
"type": "Microsoft.Insights/dataCollectionRules",
|
|
"name": "DCR-SChannelEvents",
|
|
"kind": "Windows",
|
|
"location": "[parameters('workspaceRegion')]",
|
|
"properties": {
|
|
"dataSources": {
|
|
"windowsEventLogs": [
|
|
{
|
|
"streams": [
|
|
"Microsoft-Event"
|
|
],
|
|
"xPathQueries": [
|
|
"System!*[System[((EventID=36880))]]"
|
|
],
|
|
"name": "SChannelEvents"
|
|
}
|
|
]
|
|
},
|
|
"destinations": {
|
|
"logAnalytics": [
|
|
{
|
|
"workspaceResourceId": "[parameters('workspaceResourceId')]",
|
|
"name": "[variables('workspaceName')]"
|
|
}
|
|
]
|
|
},
|
|
"dataFlows": [
|
|
{
|
|
"streams": [
|
|
"Microsoft-Event"
|
|
],
|
|
"destinations": [
|
|
"[variables('workspaceName')]"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"apiVersion": "2021-04-01",
|
|
"type": "Microsoft.Insights/dataCollectionRules",
|
|
"name": "DCR-WDACEvents",
|
|
"kind": "Windows",
|
|
"location": "[parameters('workspaceRegion')]",
|
|
"properties": {
|
|
"dataSources": {
|
|
"windowsEventLogs": [
|
|
{
|
|
"streams": [
|
|
"Microsoft-Event"
|
|
],
|
|
"xPathQueries": [
|
|
"Microsoft-Windows-CodeIntegrity/Operational!*[System[((EventID=3077 or EventID=3092 or EventID=3099))]]"
|
|
],
|
|
"name": "WDACEvents"
|
|
}
|
|
]
|
|
},
|
|
"destinations": {
|
|
"logAnalytics": [
|
|
{
|
|
"workspaceResourceId": "[parameters('workspaceResourceId')]",
|
|
"name": "[variables('workspaceName')]"
|
|
}
|
|
]
|
|
},
|
|
"dataFlows": [
|
|
{
|
|
"streams": [
|
|
"Microsoft-Event"
|
|
],
|
|
"destinations": [
|
|
"[variables('workspaceName')]"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"outputs": {
|
|
"dataCollectionRuleResourceIds":{
|
|
"type": "object",
|
|
"value": {
|
|
"DCR-AccountLockoutEvents": "[resourceId('Microsoft.Insights/dataCollectionRules','DCR-AccountLockoutEvents')]",
|
|
"DCR-ASREvents": "[resourceId('Microsoft.Insights/dataCollectionRules','DCR-ASREvents')]",
|
|
"DCR-NTLMEvents": "[resourceId('Microsoft.Insights/dataCollectionRules','DCR-NTLMEvents')]",
|
|
"DCR-ExploitProtectionEvents": "[resourceId('Microsoft.Insights/dataCollectionRules','DCR-ExploitProtectionEvents')]",
|
|
"DCR-IPsecEvents": "[resourceId('Microsoft.Insights/dataCollectionRules','DCR-IPsecEvents')]",
|
|
"DCR-NetworkProtectionEvents": "[resourceId('Microsoft.Insights/dataCollectionRules','DCR-NetworkProtectionEvents')]",
|
|
"DCR-SChannelEvents": "[resourceId('Microsoft.Insights/dataCollectionRules','DCR-SChannelEvents')]",
|
|
"DCR-WDACEvents": "[resourceId('Microsoft.Insights/dataCollectionRules','DCR-WDACEvents')]"
|
|
}
|
|
}
|
|
}
|
|
} |