{ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "workspaceName": { "type": "string", "defaultValue": "MSSen2Go", "metadata": { "description": "Name for the Log Analytics workspace used to aggregate data. If this is a new LA workspace, the template will add a unique string to the name you choose. If you are using an existing LA workspace, the name will not change and will be passed as is to the resources in the template." } }, "workspaceId": { "type": "string", "defaultValue": "", "metadata": { "description": "Your own existing log analytics workspace ID. Leave it empty if you are deploying a new LA workspace." } }, "workspaceKey": { "type": "string", "defaultValue": "", "metadata": { "description": "Your own existing log analytics workspace key. Leave it empty if you are deploying a new LA workspace." } }, "pricingTier": { "type": "string", "allowedValues": [ "PerGB2018", "Free", "Standalone", "PerNode", "Standard", "Premium" ], "defaultValue": "PerGB2018", "metadata": { "description": "Pricing tier: pergb2018 or legacy tiers (Free, Standalone, PerNode, Standard or Premium) which are not available to all customers." } }, "dataRetention": { "type": "int", "defaultValue": 30, "minValue": 7, "maxValue": 730, "metadata": { "description": "Number of days of retention. Workspaces in the legacy Free pricing tier can only have 7 days." } }, "immediatePurgeDataOn30Days": { "type": "bool", "defaultValue": true, "metadata": { "description": "If set to true when changing retention to 30 days, older data will be immediately deleted. Use this with extreme caution. This only applies when retention is being set to 30 days." } }, "adminUsername": { "type": "string", "metadata": { "description": "Admin username for all Windows virtual machines." } }, "adminPassword": { "type": "securestring", "metadata": { "description": "Password for the all Windows virtual machines. The password must be at least 8 characters in length and must contain at least one digit, one non-alphanumeric character, and one upper or lower case letter" }, "minLength": 12 }, "remoteAccessMode": { "type": "string", "defaultValue": "AllowPublicIP", "allowedValues": [ "AllowPublicIP", "AzureBastionHost" ], "metadata": { "description": "Do you want to restrict access to your environment by a Public IP or set up an Azure Bastion Host. If the former, make sure you add your public IP address to the variable 'allowedIPAddresses'" } }, "allowedIPAddresses": { "type": "string", "metadata": { "description": "The sourceAddressPrefixes allowed to connect to all the VMs in this deployment" } }, "numberOfWorkstations": { "type": "int", "defaultValue": 1, "minValue": 1, "maxValue": 10, "metadata": { "description": "Number of Windows 10 virtual machines to deploy" } }, "vmNamePrefix": { "type": "string", "defaultValue": "WORKSTATION", "metadata": { "description": "Prefix for the name of your virtual machine. Template will add a number starting from 5." } }, "windowsDesktopSKU": { "type": "string", "defaultValue": "19h2-pro", "allowedValues": [ "19h1-pro", "19h2-pro", "rs4-pro", "rs5-pro" ], "metadata": { "description": "The Windows version for the Desktop VM. This will pick a fully patched image of this given Windows version." } }, "vmSize": { "type": "string", "defaultValue": "Standard_B2s", "allowedValues": [ "Standard_A2", "Standard_A3", "Standard_B2s", "Standard_B2ms", "Standard_A2_v2", "Standard_A4_v2" ], "metadata": { "description": "Size of the virtual machine. Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/sizes-general" } }, "enableSysmon": { "type": "bool", "defaultValue": false, "metadata": { "description": "Do you want to install Sysmon on the endpoint?" } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Location for all resources." } } }, "variables": { "artifactsBlacksmith": "https://raw.githubusercontent.com/OTRF/Blacksmith/master/", "artifactsMicrosoftSentinel2Go": "https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/master/", "sysmonWindowsParserPackTemplate": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASim%20Sysmon%20for%20Windows/SysmonFullDeployment.json", "dataCollectionRuleName": "WindowsDCR", "dataSources": { "windowsEventLogs": [ { "name": "eventLogsDataSource", "scheduledTransferPeriod": "PT5M", "streams": [ "Microsoft-SecurityEvent" ], "xPathQueries": [ "Security!*[System[(EventID=4624)]]" ] } ] }, "dataFlows": [ { "streams": [ "Microsoft-SecurityEvent" ], "destinations": [ "WindowsEvents" ] } ], "asimParsers": [ "ASimWindowsEvents", "ASimWindowsSysmon" ] }, "resources": [ { "condition": "[and(empty(parameters('workspaceId')),empty(parameters('workspaceKey')))]", "name": "deployMSSentinel2Go", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-06-01", "properties": { "mode": "Incremental", "templateLink": { "uri": "[uri(variables('artifactsMicrosoftSentinel2Go'),'microsoft-sentinel/azuredeploy.json')]", "contentVersion": "1.0.0.0" }, "parameters": { "workspaceName": { "value": "[parameters('workspaceName')]" }, "pricingTier": { "value": "[parameters('pricingTier')]" }, "dataRetention": { "value": "[parameters('dataRetention')]" }, "immediatePurgeDataOn30Days": { "value": "[parameters('immediatePurgeDataOn30Days')]" }, "enableLAFunctions": { "value": "[variables('asimParsers')]" } } } }, { "name": "createDataCollectionRules", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-06-01", "dependsOn": [ "deployMSSentinel2Go" ], "properties": { "mode": "Incremental", "templateLink": { "uri": "[uri(variables('artifactsMicrosoftSentinel2Go'), 'microsoft-sentinel/linkedtemplates/data-collection-rules/creation-azureresource.json')]", "contentVersion": "1.0.0.0" }, "parameters": { "ruleName": { "value": "[variables('dataCollectionRuleName')]" }, "dataSources": { "value": "[variables('dataSources')]" }, "destinations": { "value": { "logAnalytics": [ { "name": "WindowsEvents", "workspaceId": "[if(empty(parameters('workspaceId')), reference('deployMSSentinel2Go').outputs.workspaceIdOutput.value, parameters('workspaceId'))]", "workspaceResourceId": "[if(empty(parameters('workspaceId')), reference('deployMSSentinel2Go').outputs.workspaceResourceIdOutput.value, parameters('workspaceId'))]" } ] } }, "dataFlows": { "value": "[variables('dataFlows')]" }, "tagsArray": { "value": { "createdBy": "Sentinel" } } } } }, { "name": "deployWin10VM", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-06-01", "properties": { "mode": "Incremental", "templateLink": { "uri": "[uri(variables('artifactsBlacksmith'), 'templates/azure/Win10/demos/Win10-201.json')]", "contentVersion": "1.0.0.0" }, "parameters": { "adminUsername": { "value": "[parameters('adminUsername')]" }, "adminPassword": { "value": "[parameters('adminPassword')]" }, "numberOfWorkstations": { "value": "[parameters('numberOfWorkstations')]" }, "vmNamePrefix": { "value": "[parameters('vmNamePrefix')]" }, "windowsDesktopSKU": { "value": "[parameters('windowsDesktopSKU')]" }, "vmSize": { "value": "[parameters('vmSize')]" }, "identityType": { "value": "SystemAssigned" }, "remoteAccessMode": { "value": "[parameters('remoteAccessMode')]" }, "allowedIPAddresses": { "value": "[parameters('allowedIPAddresses')]" }, "enableSysmon": { "value": "[parameters('enableSysmon')]" }, "location": { "value": "[parameters('location')]" } } } }, { "name": "installAzureMonitorAgent", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "dependsOn": [ "deployMSSentinel2Go", "deployWin10VM" ], "properties": { "mode": "Incremental", "templateLink": { "uri": "[uri(variables('artifactsBlacksmith'), 'templates/azure/Azure-Monitor-Agents/windows.json')]", "contentVersion": "1.0.0.0" }, "parameters": { "virtualMachines": { "value": "[reference('deployWin10VM').outputs.allWinVMsDeployed.value]" }, "monitorAgent": { "value": "Azure Monitor Agent" } } } }, { "name": "associateWindowsDCR", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "dependsOn": [ "createDataCollectionRules", "installAzureMonitorAgent" ], "properties": { "mode": "Incremental", "templateLink": { "uri": "[uri(variables('artifactsMicrosoftSentinel2Go'), 'microsoft-sentinel/linkedtemplates/data-collection-rules/association.json')]", "contentVersion": "1.0.0.0" }, "parameters": { "virtualMachines": { "value": "[reference('deployWin10VM').outputs.allWinVMsDeployed.value]" }, "dataCollectionRuleId": { "value": "[reference('createDataCollectionRules').outputs.dataCollectionRuleId.value]" }, "dataCollectionRuleName": { "value": "[variables('dataCollectionRuleName')]" } } } } ], "outputs": {} }