Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Updating Microsoft Defender for Endpoints to use new initiative #1639

Merged
merged 9 commits into from
May 21, 2024
3 changes: 2 additions & 1 deletion docs/wiki/ALZ-Policies.md
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ This management group is a parent to all the other management groups created wit

| **Policy Type** | **Count** |
| :--- | :---: |
| `Policy Definition Sets` | **12** |
| `Policy Definition Sets` | **13** |
| `Policy Definitions` | **3** |
</td></tr> </table>

Expand All @@ -77,6 +77,7 @@ The table below provides the specific **Custom** and **Built-in** **policy defin
| -------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------- |
| **Deploy Microsoft Defender for Cloud configuration** | **Deploy Microsoft Defender for Cloud configuration** | `Policy Definition Set`, **Custom** | Configures all the MDFC settings, such as Microsoft Defender for Cloud per individual service, security contacts, and export from MDFC to Log Analytics workspace | DeployIfNotExists |
| **[Preview]: Deploy Microsoft Defender for Endpoint agent** | **[Preview]: Deploy Microsoft Defender for Endpoint agent** | `Policy Definition Set`, **Built-in** | Deploy Microsoft Defender for Endpoint agent on applicable images. | DeployIfNotExists |
| **Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud** | **Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud** | `Policy Definition Set`, **Built-in** | Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud images. | DeployIfNotExists |
| **Deploy-Resource-Diag** | **Deploy Diagnostic Settings to Azure Services** | `Policy Definition Set`, **Custom** | This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. | DeployIfNotExists |
| **Enable Monitoring in Azure Security Center** | **Azure Security Benchmark** | `Policy Definition Set`, **Built-in** | The Microsoft Cloud Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft Cloud Security Benchmark v1, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center. | Audit, AuditIfNotExists, Disabled |
| **Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances** | **Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances** | `Policy Definition Set`, **Built-in** | Enable Azure Defender on your SQL Servers and SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | DeployIfNotExists |
Expand Down
1 change: 1 addition & 0 deletions docs/wiki/Whats-new.md
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,7 @@ This release includes:
- Deprecated custom policy [Storage Account set to minimum TLS and Secure transfer should be enabled](https://www.azadvertizer.net/azpolicyadvertizer/Deny-Storage-minTLS.html) and replaced with two built-in policies [Secure transfer to storage accounts should be enabled](https://www.azadvertizer.net/azpolicyadvertizer/404c3081-a854-4457-ae30-26a93ef643f9.html) and [Storage accounts should have the specified minimum TLS version](https://www.azadvertizer.net/azpolicyadvertizer/fe83a0eb-a853-422d-aac2-1bffd182c5d0.html).
- Added new custom policy "Deploy-Private-DNS-Generic" this policy will DINE-configure private DNS zone groups to override the DNS resolution for PaaS services private endpoint. It is generic to enable private DNS zones for the services which supports private DNS but don't have built-in policies available and also for the new services which support private DNS in future.
- Deprecated [Deploy-EncryptTransit](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-EncryptTransit.html) initiative and superseded with [Deploy-EncryptTransit_20240509](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-EncryptTransit_20240509.html) to minimize breaking change impact on existing deployments.
- Added new initiative for Microsoft Defender for Endpoints [Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/77b391e3-2d5d-40c3-83bf-65c846b3c6a3.html).

### May 2024

Expand Down
Binary file modified docs/wiki/media/ALZ Policy Assignments v2.xlsx
Binary file not shown.
29 changes: 29 additions & 0 deletions eslzArm/eslzArm.json
Original file line number Diff line number Diff line change
Expand Up @@ -1431,6 +1431,7 @@
"activityDiagnosticsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json')]",
"mdfcConfigPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-MDFCConfigPolicyAssignment.json')]",
"mdEnpointsPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-MDEndpointsPolicyAssignment.json')]",
"mdEnpointsAMAPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-MDEndpointsAMAPolicyAssignment.json')]",
"atpOssDbPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-AtpOssDbPolicyAssignment.json')]",
"atpSqlDbPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-AtpSqlDbPolicyAssignment.json')]",
"azVmMonitorPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json')]",
Expand Down Expand Up @@ -1594,6 +1595,7 @@
"identityPeeringDeploymentName": "[take(concat('alz-IDPeering', variables('deploymentSuffix')), 64)]",
"identityVwanPeeringDeploymentName": "[take(concat('alz-IDVwanPeering', variables('deploymentSuffix')), 64)]",
"mdEndpointsDeploymentName": "[take(concat('alz-MDEndpoints', variables('deploymentSuffix')), 64)]",
"mdEndpointsAMADeploymentName": "[take(concat('alz-MDEndpointsAMA', variables('deploymentSuffix')), 64)]",
"corpConnectedLzVwanSubs": "[take(concat('alz-CorpConnLzsVwan', variables('deploymentSuffix')), 50)]",
"pidCuaDeploymentName": "[take(concat('pid-', variables('cuaid'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
"denyClassicResourcePolicyDeploymentName": "[take(concat('alz-NoClassicResource', variables('deploymentSuffix')), 64)]",
Expand Down Expand Up @@ -4286,6 +4288,33 @@
}
}
},
{
// Assigning NEW Microsoft Defender for Endpoints policy initiative to intermediate root management group if condition is true: https://www.azadvertizer.net/azpolicyinitiativesadvertizer/77b391e3-2d5d-40c3-83bf-65c846b3c6a3.html
"condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableAsc'), 'Yes'), equals(environment().resourceManager, 'https://management.azure.com/'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "[variables('deploymentNames').mdEndpointsAMADeploymentName]",
"scope": "[variables('scopes').eslzRootManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]"
],
"properties": {
"mode": "Incremental",
"templateLink": {
"contentVersion": "1.0.0.0",
"uri": "[variables('deploymentUris').mdEnpointsAMAPolicyInitiative]"
},
"parameters": {
"topLevelManagementGroupPrefix": {
"value": "[parameters('enterpriseScaleCompanyPrefix')]"
},
"enforcementMode": {
"value": "[if(equals(parameters('enableMDEndpoints'), 'DeployIfNotExists'), 'Default', 'DoNotEnforce')]"
}
}
}
},
{
// Assigning Deny Classic Resource Creation policy to intermediate root management group if condition is true
"condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), not(equals(parameters('denyClassicResources'), 'No')))]",
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,81 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"topLevelManagementGroupPrefix": {
"type": "string",
"metadata": {
"description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
}
},
"enforcementMode": {
"type": "string",
"allowedValues": [
"Default",
"DoNotEnforce"
],
"defaultValue": "Default"
},
"nonComplianceMessagePlaceholder": {
"type": "string",
"defaultValue": "{enforcementMode}"
}
},
"variables": {
"policyDefinitions": {
"deployMDEndpoints": "/providers/Microsoft.Authorization/policySetDefinitions/77b391e3-2d5d-40c3-83bf-65c846b3c6a3"
},
"policyAssignmentNames": {
"azureSecurityMDE": "Deploy-MDEndpointsAMA",
"description": "Configure the multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP, WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW, WDATP_UNIFIED_SOLUTION etc.). See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information.",
"displayName": "Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud"
},
"nonComplianceMessage": {
"message": "Microsoft Defender for Endpoint {enforcementMode} be deployed.",
"Default": "must",
"DoNotEnforce": "should"
},
"rbacSecurityAdmin": "fb1c8493-542b-48eb-b624-b4c8fea62acd",
"roleAssignmentNames": {
"deployMDEndpoints": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').azureSecurityMDE))]"
}
},
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"name": "[variables('policyAssignmentNames').azureSecurityMDE]",
"location": "[deployment().location]",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').deployMDEndpoints]",
"enforcementMode": "[parameters('enforcementMode')]",
"nonComplianceMessages": [
{
"message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
}
],
"parameters": {}
}
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2019-04-01-preview",
"name": "[variables('roleAssignmentNames').deployMDEndpoints]",
"dependsOn": [
"[variables('policyAssignmentNames').azureSecurityMDE]"
],
"properties": {
"principalType": "ServicePrincipal",
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacSecurityAdmin'))]",
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureSecurityMDE), '2019-09-01', 'Full' ).identity.principalId)]"
}
}

jtracey93 marked this conversation as resolved.
Show resolved Hide resolved
],
"outputs": {}
}
Springstone marked this conversation as resolved.
Show resolved Hide resolved
Original file line number Diff line number Diff line change
Expand Up @@ -100,4 +100,4 @@

],
"outputs": {}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.26.170.59819",
"templateHash": "13451262239429884907"
"version": "0.27.1.19265",
"templateHash": "4240589668480368574"
}
},
"parameters": {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.26.170.59819",
"templateHash": "5596430806947036060"
"version": "0.27.1.19265",
"templateHash": "11881608856832126182"
}
},
"parameters": {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.26.170.59819",
"templateHash": "15078790678402765486"
"version": "0.27.1.19265",
"templateHash": "17304419402677227150"
}
},
"variables": {
Expand Down
Loading