Cyb3rWard0g · March 20, 2020 00:36
diff --git a/azure-la-windows-event-providers.json b/azure-la-windows-event-providers.json
 {
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "workspaceName": {
            "type": "string",
            "metadata": {
                "description": "Name for the Log Analytics workspace used to aggregate data"
            }
        },
        "location": {
            "type": "string",
            "metadata": {
                "description": "Location for all resources."
            }
        }
    },
    "variables": {
        "eventLogs": [
            "System",
            "Microsoft-Windows-Sysmon/Operational",
            "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
            "Microsoft-Windows-Bits-Client/Operational",
            "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
            "Directory Service",
            "Microsoft-Windows-DNS-Client/Operational",
            "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
            "Windows PowerShell",
            "Microsoft-Windows-PowerShell/Operational",
            "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational",
            "Microsoft-Windows-WMI-Activity/Operational"
        ]
   },
    "resources": [
        {
            "type": "Microsoft.OperationalInsights/workspaces/dataSources",
            "apiVersion": "2015-11-01-preview",
            "location": "[parameters('location')]",
            "name": "[concat(parameters('workspaceName'), '/winEvent', copyindex())]",
            "copy": {
                "name": "winEventCopy",
                "count": "[length(variables('eventLogs'))]"
            },
            "kind": "WindowsEvent",
            "properties": {
                "eventLogName": "[trim(variables('eventLogs')[copyIndex()])]",
                "eventTypes": [
                    {
                        "eventType": "Error"
                    },
                    {
                        "eventType": "Warning"
                    },
                    {
                        "eventType": "Information"
                    }
                ]
            }
        }
    ]
 }
	{
	"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
	"contentVersion": "1.0.0.0",
	"parameters": {
	"workspaceName": {
	"type": "string",
	"metadata": {
	"description": "Name for the Log Analytics workspace used to aggregate data"
	}
	},
	"location": {
	"type": "string",
	"metadata": {
	"description": "Location for all resources."
	}
	}
	},
	"variables": {
	"eventLogs": [
	"System",
	"Microsoft-Windows-Sysmon/Operational",
	"Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
	"Microsoft-Windows-Bits-Client/Operational",
	"Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
	"Directory Service",
	"Microsoft-Windows-DNS-Client/Operational",
	"Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
	"Windows PowerShell",
	"Microsoft-Windows-PowerShell/Operational",
	"Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational",
	"Microsoft-Windows-WMI-Activity/Operational"
	]
	},
	"resources": [
	{
	"type": "Microsoft.OperationalInsights/workspaces/dataSources",
	"apiVersion": "2015-11-01-preview",
	"location": "[parameters('location')]",
	"name": "[concat(parameters('workspaceName'), '/winEvent', copyindex())]",
	"copy": {
	"name": "winEventCopy",
	"count": "[length(variables('eventLogs'))]"
	},
	"kind": "WindowsEvent",
	"properties": {
	"eventLogName": "[trim(variables('eventLogs')[copyIndex()])]",
	"eventTypes": [
	{
	"eventType": "Error"
	},
	{
	"eventType": "Warning"
	},
	{
	"eventType": "Information"
	}
	]
	}
	}
	]
	}