I got a question from a reader asking whether there is an ARM template for Azure Security Center and what the common use cases for such a template are.
In this article, let's explore the ARM template for Azure Security Center, focusing primarily on pricing tier and settings, as well as common scenarios.
TL;DR: You can skip this article and use the template from here to deploy Azure Security Center for your subscription: https://github.com/azsec/scaf-azure-arm-templates/tree/master/AzureSecurityCenter
There are some common scenarios in which you would want to include an Azure Security Center ARM template in your deployment. When you create a new subscription (within your CI/CD pipeline), you need to enable the Azure Security Center Standard plan for common resource types, including Virtual Machine, App Service and Storage Account. Moreover, if you manage all subscriptions centrally, you will want email notifications sent to a distribution group address. Another common need is to configure Azure Security Center to write all its collected data to a single Log Analytics workspace so that you can connect Azure Sentinel to it.
Another scenario is to bundle Azure Security Center into an Azure Blueprint. This is treated as an Update activity that sets Azure Security Center to a designated state (e.g. pricing tier, email notification). When a blueprint definition is assigned to a target subscription, the designated Azure Security Center settings are applied.
Azure ARM Template
The ARM template itself is not a big deal. As long as you supply a resource type and API version that Azure supports, you should be fine.
Below is what the template supports:
- Pricing Tier for the following resource types:
  - Virtual Machine
  - App Service
  - PaaS SQL Service
  - SQL Server on VM
  - Storage Account
  - Container Registry
  - Key Vault – preview (not reflected in Azure Portal UI)
- Auto Provisioning Setting
- Data Collection – Log Analytics Workspace
- Email Notification
If you want to test manually, run the following PowerShell script:

```powershell
New-AzDeployment -TemplateFile .\azuredeploy.json `
                 -TemplateParameterFile .\azuredeploy.parameters.json `
                 -location westus -Verbose
```
Note that the cmdlet is New-AzDeployment, which deploys Azure Security Center at subscription scope, unlike New-AzResourceGroupDeployment, which deploys at resource group scope.
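A pre-deployment check for the CI/CD scenario, added here as an example (it is not code from the azsec repository): it takes the template and parameter file as parsed JSON and reports which of the settings listed above would not end up in the designated state, including a template that is not subscription-scoped. The resource type, property and plan names follow the Microsoft.Security resource provider and are an assumption about how the template is written; the function and sample names are hypothetical, the sample template is constructed, and only bare `[parameters('x')]` references are resolved.

```python
import re

# Assumed plan names for Microsoft.Security/pricings, one per resource type the article lists.
REQUIRED_PLANS = {"VirtualMachines", "AppServices", "SqlServers", "SqlServerVirtualMachines",
                  "StorageAccounts", "ContainerRegistry", "KeyVaults"}
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")
SUB_SCHEMA = "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#"

def lint_asc_template(template, parameters):
    """Return a list of findings; an empty list means the template passes."""
    def resolve(value):
        # Bare [parameters('x')]: parameter file first, then the template's defaultValue.
        m = PARAM_REF.match(value) if isinstance(value, str) else None
        if not m:
            return value
        declared = template.get("parameters", {}).get(m.group(1), {})
        supplied = parameters.get("parameters", {}).get(m.group(1), {})
        return supplied.get("value", declared.get("defaultValue"))
    findings = []
    # New-AzDeployment deploys at subscription scope, so the schema must match that scope.
    if "subscriptionDeploymentTemplate.json" not in template.get("$schema", ""):
        findings.append("schema: not a subscription-scope template")
    props = {}  # (lowercased type, resolved name) -> resolved properties
    for res in template.get("resources", []):
        key = (res.get("type", "").lower(), resolve(res.get("name")))
        props[key] = {k: resolve(v) for k, v in res.get("properties", {}).items()}
    for plan in sorted(REQUIRED_PLANS):
        tier = props.get(("microsoft.security/pricings", plan), {}).get("pricingTier")
        if tier != "Standard":
            findings.append(f"pricing: {plan} is {tier or 'missing'}, expected Standard")
    by_type = {kind: p for (kind, _), p in props.items()}
    if by_type.get("microsoft.security/autoprovisioningsettings", {}).get("autoProvision") != "On":
        findings.append("autoProvisioning: not set to On")
    if not by_type.get("microsoft.security/workspacesettings", {}).get("workspaceId"):
        findings.append("workspace: no Log Analytics workspaceId")
    contact = by_type.get("microsoft.security/securitycontacts", {})
    if not contact.get("email") or contact.get("alertNotifications") != "On":
        findings.append("contact: email notification not configured")
    return findings

def _res(kind, name, **properties):
    return {"type": f"Microsoft.Security/{kind}", "name": name, "properties": properties}
# Constructed sample: KeyVaults left on Free and no security contact defined.
SAMPLE_TEMPLATE = {"$schema": SUB_SCHEMA, "parameters": {"tier": {"defaultValue": "Free"}}, "resources": [
    *(_res("pricings", p, pricingTier="[parameters('tier')]") for p in REQUIRED_PLANS - {"KeyVaults"}),
    _res("pricings", "KeyVaults", pricingTier="Free"),
    _res("autoProvisioningSettings", "default", autoProvision="On"),
    _res("workspaceSettings", "default", workspaceId="[parameters('workspaceId')]")]}
SAMPLE_PARAMETERS = {"parameters": {"tier": {"value": "Standard"}, "workspaceId": {"value": "<workspace-resource-id>"}}}
```

In a pipeline, load azuredeploy.json and azuredeploy.parameters.json with `json.load`, pass both to `lint_asc_template`, and fail the stage when the returned list is not empty.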
If you would like to deploy Azure Security Center in the form of an Azure Blueprint, refer to this article: https://azsec.azurewebsites.net/2019/12/30/deploy-azure-security-center-blueprint/