
How to Configure the Security Center via Azure Resource Manager (ARM) Template

Michael Wu

There is no “Export template” option in the Security Center of the Azure Portal, so I compiled the templates as a reference. These templates can be used through subscription-level deployments.

Microsoft uses different names for the configurations. For example, the Azure Defender setting uses the Microsoft.Security/pricings resource type.

Azure Defender Plans

Use the Microsoft.Security/pricings resource type to enable Standard tier protection for each plan:

{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Security/pricings",
      "apiVersion": "2018-06-01",
      "name": "VirtualMachines",
      "properties": {
        "pricingTier": "Standard"
      }
    },
    {
      "type": "Microsoft.Security/pricings",
      "apiVersion": "2018-06-01",
      "name": "AppServices",
      "properties": {
        "pricingTier": "Standard"
      }
    },
    {
      "type": "Microsoft.Security/pricings",
      "apiVersion": "2018-06-01",
      "name": "SqlServers",
      "properties": {
        "pricingTier": "Standard"
      }
    },
    {
      "type": "Microsoft.Security/pricings",
      "apiVersion": "2018-06-01",
      "name": "StorageAccounts",
      "properties": {
        "pricingTier": "Standard"
      }
    },
    {
      "type": "Microsoft.Security/pricings",
      "apiVersion": "2018-06-01",
      "name": "KubernetesService",
      "properties": {
        "pricingTier": "Standard"
      }
    },
    {
      "type": "Microsoft.Security/pricings",
      "apiVersion": "2018-06-01",
      "name": "ContainerRegistry",
      "properties": {
        "pricingTier": "Standard"
      }
    },
    {
      "type": "Microsoft.Security/pricings",
      "apiVersion": "2018-06-01",
      "name": "KeyVaults",
      "properties": {
        "pricingTier": "Standard"
      }
    },
    {
      "type": "Microsoft.Security/pricings",
      "apiVersion": "2018-06-01",
      "name": "Arm",
      "properties": {
        "pricingTier": "Standard"
      }
    },
    {
      "type": "Microsoft.Security/pricings",
      "apiVersion": "2018-06-01",
      "name": "Dns",
      "properties": {
        "pricingTier": "Standard"
      }
    }
  ]
}

Auto Provisioning

Enable Log Analytics agent auto-provisioning on Azure VMs:

{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Security/autoProvisioningSettings",
      "apiVersion": "2017-08-01-preview",
      "name": "default",
      "properties": {
        "autoProvision": "On"
      }
    }
  ]
}

Email Notifications

Configure Security Center alert email notifications:

{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "emailAddress": {
      "type": "string"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Security/securityContacts",
      "apiVersion": "2020-01-01-preview",
      "name": "default",
      "properties": {
        "emails": "[parameters('emailAddress')]",
        "alertNotifications": {
          "state": "On",
          "minimalSeverity": "High"
        },
        "notificationsByRole": {
          "state": "On",
          "roles": ["Owner"]
        }
      }
    }
  ]
}

Continuous Export

Export to Event Hub

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
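  "parameters": {
    "eventHubResourceId": {
      "type": "string",
      "metadata": {
        "description": "Resource ID of the target Event Hub."
      }
    },
    "eventHubConnectionString": {
      "type": "securestring",
      "metadata": {
        "description": "Connection string of the Event Hub's shared access policy."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Security/automations",
      "apiVersion": "2019-01-01-preview",
      "name": "ExportToEventHub",
      "location": "[resourceGroup().location]",
      "properties": {
        "isEnabled": true,
        "scopes": [
          {
            "scopePath": "[subscription().id]"
          }
        ],
        "sources": [
          {
            "eventSource": "Alerts"
          }
        ],
        "actions": [
          {
            "actionType": "EventHub",
            "eventHubResourceId": "[parameters('eventHubResourceId')]",
            "connectionString": "[parameters('eventHubConnectionString')]"
          }
        ]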
      }
    }
  ]
}

Export to Log Analytics Workspace

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceResourceId": {
      "type": "string"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Security/automations",
      "apiVersion": "2019-01-01-preview",
      "name": "ExportToWorkspace",
      "location": "[resourceGroup().location]",
      "properties": {
        "isEnabled": true,
        "scopes": [
          {
            "scopePath": "[subscription().id]"
          }
        ],
        "sources": [
          {
            "eventSource": "Assessments"
          },
          {
            "eventSource": "SecureScores"
          }
        ],
        "actions": [
          {
            "actionType": "Workspace",
            "workspaceResourceId": "[parameters('workspaceResourceId')]"
          }
        ]
      }
    }
  ]
}
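
A pre-deployment check for templates like the ones on this page, as an added example (not code from the original post). It flags Defender plans not set to Standard, Microsoft.Security resource types paired with the wrong deployment schema (the automations templates use the resource group schema, the others the subscription schema), secret-looking parameters typed string instead of securestring, and Event Hub actions without a connection string. The function name, the name heuristic and the sample template are assumptions made for the illustration.

```python
# Scope of each Microsoft.Security type used in the templates on this page.
SUBSCRIPTION_TYPES = {
    "Microsoft.Security/pricings",
    "Microsoft.Security/autoProvisioningSettings",
    "Microsoft.Security/securityContacts",
}
RESOURCE_GROUP_TYPES = {"Microsoft.Security/automations"}
SECRET_HINTS = ("connectionstring", "password", "secret")  # name heuristic (assumption)


def lint_template(template):
    """Return a list of findings for one ARM template; empty means clean."""
    findings = []
    sub_scoped = "subscriptionDeploymentTemplate.json" in template.get("$schema", "")

    # "string" values are saved in the deployment history; "securestring" values are not.
    for name, spec in template.get("parameters", {}).items():
        ptype = spec.get("type", "")
        if any(h in name.lower() for h in SECRET_HINTS) and ptype.lower() != "securestring":
            findings.append(f"parameter {name}: type is {ptype}, expected securestring")

    for res in template.get("resources", []):
        rtype = res.get("type")
        rid = f"{rtype}/{res.get('name')}"
        props = res.get("properties", {})
        if rtype in SUBSCRIPTION_TYPES and not sub_scoped:
            findings.append(f"{rid}: needs the subscription deployment schema")
        if rtype in RESOURCE_GROUP_TYPES and sub_scoped:
            findings.append(f"{rid}: needs the resource group deployment schema")
        if rtype == "Microsoft.Security/pricings" and props.get("pricingTier") != "Standard":
            findings.append(f"{rid}: pricingTier is {props.get('pricingTier')}")
        for action in props.get("actions", []):
            if action.get("actionType") == "EventHub" and "connectionString" not in action:
                findings.append(f"{rid}: EventHub action has no connectionString")
    return findings


# Constructed sample with one of each mistake (not a template from the page).
SAMPLE = {
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "parameters": {"eventHubConnectionString": {"type": "string"}},
    "resources": [
        {"type": "Microsoft.Security/pricings", "name": "KeyVaults",
         "properties": {"pricingTier": "Free"}},
        {"type": "Microsoft.Security/automations", "name": "ExportToEventHub",
         "properties": {"actions": [{"actionType": "EventHub"}]}},
    ],
}
for finding in lint_template(SAMPLE):
    print(finding)
```

Running the same function over each template file in CI, before the deployment step, stops a downgraded plan or a plain-string secret from reaching the subscription.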
