Azure Security Center ARM Template

I got a question from a reader asking if there is any ARM template for Azure Security Center and what are common use cases for such an ARM template.

In this article, let’s explore the ARM template for Azure Security primarily focusing on pricing tier and settings, as well as common scenarios.

TL;DR: You can skip this article and use template from here for deploying Azure Security Center for your subscription https://github.com/azsec/scaf-azure-arm-templates/tree/master/AzureSecurityCenter

Common Scenarios

There are some common scenarios in which you would like to include Azure Security Center ARM template in your deployment. When you create a new subscription (within your CICD pipeline) you would need to enable Azure Security Center Standard plan for common resource types including Virtual Machine, App Service, Storage Account. Moreover, if you plan to manage all subscriptions you would like to set email notification to send to a distribution group email. Another common need is to configure Azure Security Center to write all its collected data to a single Log Analytics workspace so you could connect your Azure Sentinel to it.

Collect ASC data from different subscriptions to one Log Analytics workspace

Another scenario is to bundle Azure Security Center into Azure Blueprint. This one would be considered an Update activity in order to set Azure Security Center to designated state (e.g. Pricing tier, Email notification..). When a blueprint definition is assigned to a target subscription, designated Azure Security Center  settings will be applied.

Azure ARM Template

For ARM template, there shouldn’t be a big deal. As long as you supply to Azure supported resource type as well as API version you should be fine.

Below is where the template supports:

  • Pricing Tier for the following resource types:
    • Virtual Machine
    • App Service
    • PaaS SQL Service
    • SQl Server on VM
    • Storage Account
    • Kubernetes
    • Container Registry
    • Key Vault – preview (not reflected in Azure Portal UI)
  • Auto Provisioning Setting
  • Data Collection – Log Analytics Workspace
  • Email Notification

If you want to test manually, run the following PowerShell script

Note that the cmdlet is New-AzDeployment  to deploy Azure Security Center at subscription scope. It is unlike New-AzResourceGroupDeployment  to deploy against resource group scope.

If you would like to deploy Azure Security Center in form of Azure Blueprint, refer to this article https://azsec.azurewebsites.net/2019/12/30/deploy-azure-security-center-blueprint/

This entry was posted in Azure Security Center, Security Automation and tagged . Bookmark the permalink.

2 Responses to Azure Security Center ARM Template

  1. AzureSmit PFE says:

    That is very valuable sharing and exactly what I’m looking for. Thank you very much for your time contributing.

  2. Pingback: Deploy Azure Security Center Blueprint - Microsoft Azure Security RandomnessMicrosoft Azure Security Randomness

Leave a Reply