{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "workspace_name": {
            "type": "String",
            "metadata": {
                "description": "Target log analytics workspace name"
            }
        },
        "workspace_id": {
            "type": "String",
            "metadata": {
                "description": "Target log analytics workspace ID"
            }
        },
        "workspace_resource_group": {
            "type": "String",
            "metadata": {
                "description": "Target log analytics workspace resource group (defaults to the deployment's resource group when left empty)"
            },
            "defaultValue": ""
        },
        "workspace_region": {
            "type": "String",
            "metadata": {
                "description": "Target log analytics workspace region (default is the same region as the deployment's resource group)"
            },
            "defaultValue": ""
        }
    },
    "variables": {
        "workspace_resource_group": "[if(empty(parameters('workspace_resource_group')), resourceGroup().name, parameters('workspace_resource_group'))]",
        "workspace_region": "[if(empty(parameters('workspace_region')), resourceGroup().location, parameters('workspace_region'))]",
        "destination_name": "[replace(parameters('workspace_id'), '-', '')]",
        "dcr_name": "[concat('bn-cef-', guid(parameters('workspace_id'), variables('workspace_region')))]",
        "dce_name": "[concat('bn-cef-', guid(parameters('workspace_id'), variables('workspace_region')))]",
        "stream_name": "Custom-BNAZLADCEF_CL"
    },
    "resources": [
        {
            "type": "Microsoft.Insights/dataCollectionEndpoints",
            "apiVersion": "2023-03-11",
            "name": "[variables('dce_name')]",
            "location": "[variables('workspace_region')]",
            "properties": {
                "configurationAccess": {},
                "logsIngestion": {},
                "metricsIngestion": {},
                "networkAcls": {
                    "publicNetworkAccess": "Enabled"
                }
            }
        },
        {
            "type": "Microsoft.Insights/dataCollectionRules",
            "apiVersion": "2023-03-11",
            "name": "[variables('dcr_name')]",
            "location": "[variables('workspace_region')]",
            "dependsOn": [
                "[resourceId('Microsoft.Insights/dataCollectionEndpoints', variables('dce_name'))]"
            ],
            "properties": {
                "dataCollectionEndpointId": "[resourceId('Microsoft.Insights/dataCollectionEndpoints', variables('dce_name'))]",
                "streamDeclarations": {
                    "[variables('stream_name')]": {
                        "columns": [
                            {
                                "name": "Activity",
                                "type": "string"
                            },
                            {
                                "name": "AdditionalExtensions",
                                "type": "string"
                            },
                            {
                                "name": "ApplicationProtocol",
                                "type": "string"
                            },
                            {
                                "name": "CollectorHostName",
                                "type": "string"
                            },
                            {
                                "name": "CommunicationDirection",
                                "type": "string"
                            },
                            {
                                "name": "Computer",
                                "type": "string"
                            },
                            {
                                "name": "DestinationDnsDomain",
                                "type": "string"
                            },
                            {
                                "name": "DestinationHostName",
                                "type": "string"
                            },
                            {
                                "name": "DestinationIP",
                                "type": "string"
                            },
                            {
                                "name": "DestinationMACAddress",
                                "type": "string"
                            },
                            {
                                "name": "DestinationNTDomain",
                                "type": "string"
                            },
                            {
                                "name": "DestinationPort",
                                "type": "int"
                            },
                            {
                                "name": "DestinationProcessId",
                                "type": "int"
                            },
                            {
                                "name": "DestinationProcessName",
                                "type": "string"
                            },
                            {
                                "name": "DestinationServiceName",
                                "type": "string"
                            },
                            {
                                "name": "DestinationTranslatedAddress",
                                "type": "string"
                            },
                            {
                                "name": "DestinationTranslatedPort",
                                "type": "int"
                            },
                            {
                                "name": "DestinationUserID",
                                "type": "string"
                            },
                            {
                                "name": "DestinationUserName",
                                "type": "string"
                            },
                            {
                                "name": "DestinationUserPrivileges",
                                "type": "string"
                            },
                            {
                                "name": "DeviceAction",
                                "type": "string"
                            },
                            {
                                "name": "DeviceAddress",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomDate1",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomDate1Label",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomDate2",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomDate2Label",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomFloatingPoint1",
                                "type": "real"
                            },
                            {
                                "name": "DeviceCustomFloatingPoint1Label",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomFloatingPoint2",
                                "type": "real"
                            },
                            {
                                "name": "DeviceCustomFloatingPoint2Label",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomFloatingPoint3",
                                "type": "real"
                            },
                            {
                                "name": "DeviceCustomFloatingPoint3Label",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomFloatingPoint4",
                                "type": "real"
                            },
                            {
                                "name": "DeviceCustomFloatingPoint4Label",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomIPv6Address1",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomIPv6Address1Label",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomIPv6Address2",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomIPv6Address2Label",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomIPv6Address3",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomIPv6Address3Label",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomIPv6Address4",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomIPv6Address4Label",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomNumber1",
                                "type": "int"
                            },
                            {
                                "name": "DeviceCustomNumber1Label",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomNumber2",
                                "type": "int"
                            },
                            {
                                "name": "DeviceCustomNumber2Label",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomNumber3",
                                "type": "int"
                            },
                            {
                                "name": "DeviceCustomNumber3Label",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomString1",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomString1Label",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomString2",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomString2Label",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomString3",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomString3Label",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomString4",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomString4Label",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomString5",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomString5Label",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomString6",
                                "type": "string"
                            },
                            {
                                "name": "DeviceCustomString6Label",
                                "type": "string"
                            },
                            {
                                "name": "DeviceDnsDomain",
                                "type": "string"
                            },
                            {
                                "name": "DeviceEventCategory",
                                "type": "string"
                            },
                            {
                                "name": "DeviceEventClassID",
                                "type": "string"
                            },
                            {
                                "name": "DeviceExternalID",
                                "type": "string"
                            },
                            {
                                "name": "DeviceFacility",
                                "type": "string"
                            },
                            {
                                "name": "DeviceInboundInterface",
                                "type": "string"
                            },
                            {
                                "name": "DeviceMacAddress",
                                "type": "string"
                            },
                            {
                                "name": "DeviceName",
                                "type": "string"
                            },
                            {
                                "name": "DeviceNtDomain",
                                "type": "string"
                            },
                            {
                                "name": "DeviceOutboundInterface",
                                "type": "string"
                            },
                            {
                                "name": "DevicePayloadId",
                                "type": "string"
                            },
                            {
                                "name": "DeviceProduct",
                                "type": "string"
                            },
                            {
                                "name": "DeviceTimeZone",
                                "type": "string"
                            },
                            {
                                "name": "DeviceTranslatedAddress",
                                "type": "string"
                            },
                            {
                                "name": "DeviceVendor",
                                "type": "string"
                            },
                            {
                                "name": "DeviceVersion",
                                "type": "string"
                            },
                            {
                                "name": "EndTime",
                                "type": "datetime"
                            },
                            {
                                "name": "EventCount",
                                "type": "int"
                            },
                            {
                                "name": "EventOutcome",
                                "type": "string"
                            },
                            {
                                "name": "EventType",
                                "type": "int"
                            },
                            {
                                "name": "ExternalID",
                                "type": "int"
                            },
                            {
                                "name": "ExtID",
                                "type": "string"
                            },
                            {
                                "name": "FieldDeviceCustomNumber1",
                                "type": "long"
                            },
                            {
                                "name": "FieldDeviceCustomNumber2",
                                "type": "long"
                            },
                            {
                                "name": "FieldDeviceCustomNumber3",
                                "type": "long"
                            },
                            {
                                "name": "FileCreateTime",
                                "type": "string"
                            },
                            {
                                "name": "FileHash",
                                "type": "string"
                            },
                            {
                                "name": "FileID",
                                "type": "string"
                            },
                            {
                                "name": "FileModificationTime",
                                "type": "string"
                            },
                            {
                                "name": "FileName",
                                "type": "string"
                            },
                            {
                                "name": "FilePath",
                                "type": "string"
                            },
                            {
                                "name": "FilePermission",
                                "type": "string"
                            },
                            {
                                "name": "FileSize",
                                "type": "int"
                            },
                            {
                                "name": "FileType",
                                "type": "string"
                            },
                            {
                                "name": "FlexDate1",
                                "type": "string"
                            },
                            {
                                "name": "FlexDate1Label",
                                "type": "string"
                            },
                            {
                                "name": "FlexNumber1",
                                "type": "int"
                            },
                            {
                                "name": "FlexNumber1Label",
                                "type": "string"
                            },
                            {
                                "name": "FlexNumber2",
                                "type": "int"
                            },
                            {
                                "name": "FlexNumber2Label",
                                "type": "string"
                            },
                            {
                                "name": "FlexString1",
                                "type": "string"
                            },
                            {
                                "name": "FlexString1Label",
                                "type": "string"
                            },
                            {
                                "name": "FlexString2",
                                "type": "string"
                            },
                            {
                                "name": "FlexString2Label",
                                "type": "string"
                            },
                            {
                                "name": "IndicatorThreatType",
                                "type": "string"
                            },
                            {
                                "name": "LogSeverity",
                                "type": "string"
                            },
                            {
                                "name": "MaliciousIP",
                                "type": "string"
                            },
                            {
                                "name": "MaliciousIPCountry",
                                "type": "string"
                            },
                            {
                                "name": "MaliciousIPLatitude",
                                "type": "real"
                            },
                            {
                                "name": "MaliciousIPLongitude",
                                "type": "real"
                            },
                            {
                                "name": "Message",
                                "type": "string"
                            },
                            {
                                "name": "OldFileCreateTime",
                                "type": "string"
                            },
                            {
                                "name": "OldFileHash",
                                "type": "string"
                            },
                            {
                                "name": "OldFileID",
                                "type": "string"
                            },
                            {
                                "name": "OldFileModificationTime",
                                "type": "string"
                            },
                            {
                                "name": "OldFileName",
                                "type": "string"
                            },
                            {
                                "name": "OldFilePath",
                                "type": "string"
                            },
                            {
                                "name": "OldFilePermission",
                                "type": "string"
                            },
                            {
                                "name": "OldFileSize",
                                "type": "int"
                            },
                            {
                                "name": "OldFileType",
                                "type": "string"
                            },
                            {
                                "name": "OriginalLogSeverity",
                                "type": "string"
                            },
                            {
                                "name": "ProcessID",
                                "type": "int"
                            },
                            {
                                "name": "ProcessName",
                                "type": "string"
                            },
                            {
                                "name": "Protocol",
                                "type": "string"
                            },
                            {
                                "name": "Reason",
                                "type": "string"
                            },
                            {
                                "name": "ReceiptTime",
                                "type": "string"
                            },
                            {
                                "name": "ReceivedBytes",
                                "type": "long"
                            },
                            {
                                "name": "RemoteIP",
                                "type": "string"
                            },
                            {
                                "name": "RemotePort",
                                "type": "string"
                            },
                            {
                                "name": "ReportReferenceLink",
                                "type": "string"
                            },
                            {
                                "name": "RequestClientApplication",
                                "type": "string"
                            },
                            {
                                "name": "RequestContext",
                                "type": "string"
                            },
                            {
                                "name": "RequestCookies",
                                "type": "string"
                            },
                            {
                                "name": "RequestMethod",
                                "type": "string"
                            },
                            {
                                "name": "RequestURL",
                                "type": "string"
                            },
                            {
                                "name": "SentBytes",
                                "type": "long"
                            },
                            {
                                "name": "SimplifiedDeviceAction",
                                "type": "string"
                            },
                            {
                                "name": "SourceDnsDomain",
                                "type": "string"
                            },
                            {
                                "name": "SourceHostName",
                                "type": "string"
                            },
                            {
                                "name": "SourceIP",
                                "type": "string"
                            },
                            {
                                "name": "SourceMACAddress",
                                "type": "string"
                            },
                            {
                                "name": "SourceNTDomain",
                                "type": "string"
                            },
                            {
                                "name": "SourcePort",
                                "type": "int"
                            },
                            {
                                "name": "SourceProcessId",
                                "type": "int"
                            },
                            {
                                "name": "SourceProcessName",
                                "type": "string"
                            },
                            {
                                "name": "SourceServiceName",
                                "type": "string"
                            },
                            {
                                "name": "SourceSystem",
                                "type": "string"
                            },
                            {
                                "name": "SourceTranslatedAddress",
                                "type": "string"
                            },
                            {
                                "name": "SourceTranslatedPort",
                                "type": "int"
                            },
                            {
                                "name": "SourceUserID",
                                "type": "string"
                            },
                            {
                                "name": "SourceUserName",
                                "type": "string"
                            },
                            {
                                "name": "SourceUserPrivileges",
                                "type": "string"
                            },
                            {
                                "name": "StartTime",
                                "type": "datetime"
                            },
                            {
                                "name": "ThreatConfidence",
                                "type": "string"
                            },
                            {
                                "name": "ThreatDescription",
                                "type": "string"
                            },
                            {
                                "name": "ThreatSeverity",
                                "type": "int"
                            },
                            {
                                "name": "TimeGenerated",
                                "type": "datetime"
                            },
                            {
                                "name": "Type",
                                "type": "string"
                            }
                        ]
                    }
                },
                "dataSources": {},
                "destinations": {
                    "logAnalytics": [
                        {
                            "workspaceResourceId": "[resourceId(variables('workspace_resource_group'), 'Microsoft.OperationalInsights/workspaces', parameters('workspace_name'))]",
                            "name": "[variables('destination_name')]"
                        }
                    ]
                },
                "dataFlows": [
                    {
                        "streams": [
                            "[variables('stream_name')]"
                        ],
                        "destinations": [
                            "[variables('destination_name')]"
                        ],
                        "transformKql": "source",
                        "outputStream": "Microsoft-CommonSecurityLog"
                    }
                ]
            }
        }
    ],
    "outputs": {
        "dcr_immutable_id": {
            "type": "string",
            "value": "[reference(resourceId('Microsoft.Insights/dataCollectionRules', variables('dcr_name'))).immutableId]"
        },
        "dcr_stream": {
            "type": "string",
            "value": "[variables('stream_name')]"
        },
        "dcr_endpoint_log_ingestion_uri": {
            "type": "string",
            "value": "[reference(resourceId('Microsoft.Insights/dataCollectionEndpoints', variables('dce_name'))).logsIngestion.endpoint]"
        }
    }
}
