Bicep Templates
The Microsoft Sentinel Data Collection Rules (DCR) Bicep templates in Director offer Infrastructure as Code (IaC) solutions for deploying standardized monitoring configurations. They enable automated and consistent deployment of DCR across different Azure environments, making it easier to manage and scale your monitoring infrastructure.
Description
Bicep is Microsoft Azure's domain-specific language (DSL) for deploying Azure resources. It provides a more concise and readable syntax compared to ARM (Azure Resource Manager) templates, while maintaining full compatibility with Azure: Bicep files are automatically transpiled into ARM templates during deployment.
Bicep templates also offer type safety and enhanced validation at authoring time, modularity through composition, and IntelliSense in Visual Studio Code.
Here's a typical example:
param location string = 'eastus'
param storageName string
resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
name: storageName
location: location
sku: {
name: 'Standard_LRS'
}
kind: 'StorageV2'
}
For comparison, here is an equivalent ARM template:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string",
"defaultValue": "eastus"
},
"storageName": {
"type": "string"
}
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2021-09-01",
"name": "[parameters('storageName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS"
},
"kind": "StorageV2"
}
]
}
Bicep simplifies the process of managing Azure infrastructure as code, making it easier to maintain and version control your resource configurations.
Director provides two specialized Bicep template categories.
Standard Version
These generate DCRs that align with Microsoft Sentinel's native table schema. They include predefined parameters and variables for customizing data collection settings while maintaining compatibility with Sentinel's built-in analytics and workbooks. The templates are designed to facilitate integration with your existing Sentinel deployments.
@description('The location of the resources')
param location string
@description('The name of the Data Collection Endpoint Id')
param dataCollectionEndpointId string
@description('The Log Analytics Workspace Id used for Sentinel')
param workspaceResourceId string
resource dataCollectionRule 'Microsoft.Insights/dataCollectionRules@2022-06-01' = {
name: 'vmetric-dcr'
location: location
properties: {
dataCollectionEndpointId: dataCollectionEndpointId
streamDeclarations: {
// Contact with VirtualMetric Support to get the stream names
}
destinations: {
logAnalytics: [
{
workspaceResourceId: workspaceResourceId
name: 'vmetric-datastream'
}
]
}
dataFlows: [
{
streams: [
'Custom-CommonSecurityLog'
]
destinations: [
'vmetric-datastream'
]
transformKql: 'source'
outputStream: 'Microsoft-CommonSecurityLog'
}
{
streams: [
'Custom-SecurityEvent'
]
destinations: [
'vmetric-datastream'
]
transformKql: 'source'
outputStream: 'Microsoft-SecurityEvent'
}
{
streams: [
'Custom-Syslog'
]
destinations: [
'vmetric-datastream'
]
transformKql: 'source'
outputStream: 'Microsoft-Syslog'
}
{
streams: [
'Custom-WindowsEvent'
]
destinations: [
'vmetric-datastream'
]
transformKql: 'source'
outputStream: 'Microsoft-WindowsEvent'
}
]
}
}
output immutableId string = dataCollectionRule.properties.immutableId
ASIM Version
These create DCRs that implement the Advanced Security Information Model (ASIM) schema. They include specific parsers and transformations required for normalizing VirtualMetric data into ASIM-compliant formats. They ensure your security data is standardized across different sources, enhancing threat detection and investigation.
@description('The location of the resources')
param location string
@description('The name of the Data Collection Endpoint Id')
param dataCollectionEndpointId string
@description('The Log Analytics Workspace Id used for Sentinel')
param workspaceResourceId string
resource dataCollectionRule 'Microsoft.Insights/dataCollectionRules@2022-06-01' = {
name: 'vmetric-dcr'
location: location
properties: {
dataCollectionEndpointId: dataCollectionEndpointId
streamDeclarations: {
// Contact with VirtualMetric Support to get the stream names
}
destinations: {
logAnalytics: [
{
workspaceResourceId: workspaceResourceId
name: 'vmetric-datastream'
}
]
}
dataFlows: [
{
streams: [
'Custom-ASimAuditEventLogs'
]
destinations: [
'vmetric-datastream'
]
transformKql: 'source'
outputStream: 'Microsoft-ASimAuditEventLogs'
}
{
streams: [
'Custom-ASimAuthenticationEventLogs'
]
destinations: [
'vmetric-datastream'
]
transformKql: 'source'
outputStream: 'Microsoft-ASimAuthenticationEventLogs'
}
{
streams: [
'Custom-ASimDhcpEventLogs'
]
destinations: [
'vmetric-datastream'
]
transformKql: 'source'
outputStream: 'Microsoft-ASimDhcpEventLogs'
}
{
streams: [
'Custom-ASimDnsActivityLogs'
]
destinations: [
'vmetric-datastream'
]
transformKql: 'source'
outputStream: 'Microsoft-ASimDnsActivityLogs'
}
{
streams: [
'Custom-ASimNetworkSessionLogs'
]
destinations: [
'vmetric-datastream'
]
transformKql: 'source'
outputStream: 'Microsoft-ASimNetworkSessionLogs'
}
{
streams: [
'Custom-ASimFileEventLogs'
]
destinations: [
'vmetric-datastream'
]
transformKql: 'source'
outputStream: 'Microsoft-ASimFileEventLogs'
}
{
streams: [
'Custom-ASimProcessEventLogs'
]
destinations: [
'vmetric-datastream'
]
transformKql: 'source'
outputStream: 'Microsoft-ASimProcessEventLogs'
}
{
streams: [
'Custom-ASimRegistryEventLogs'
]
destinations: [
'vmetric-datastream'
]
transformKql: 'source'
outputStream: 'Microsoft-ASimRegistryEventLogs'
}
{
streams: [
'Custom-ASimUserManagementActivityLogs'
]
destinations: [
'vmetric-datastream'
]
transformKql: 'source'
outputStream: 'Microsoft-ASimUserManagementActivityLogs'
}
]
}
}
output immutableId string = dataCollectionRule.properties.immutableId
Each Bicep template is thoroughly tested and maintained to support VirtualMetric's monitoring capabilities while following Microsoft's best practices for DCR deployment and management.