
@yoelk
Created August 5, 2025 07:08
Azure Monitor Logs ARM Template - Temporary
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "string",
"metadata": {
"description": "Name of the existing Log Analytics workspace"
}
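},
"servicePrincipalId": {
"type": "string",
"metadata": {
"description": "Object ID of the service principal (not the Client ID, and not the app registration's own Object ID) - find this in Azure Portal > Azure Active Directory > App registrations > Your app > Overview, then follow the 'Managed application in local directory' link and copy the Object ID of that enterprise application; the role assignments in this template use this value as principalId"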
}
},
"connectorName": {
"type": "string",
"metadata": {
"description": "Resource base name - used as prefix for all resource names (e.g., 'myapp' creates 'myapp-dce', 'myapp-dcr')"
}
}
},
"variables": {
"connectorName": "[parameters('connectorName')]",
"servicePrincipalId": "[parameters('servicePrincipalId')]",
"location": "[resourceGroup().location]",
"dceName": "[concat(variables('connectorName'), '-dce')]",
"dcrName": "[concat(variables('connectorName'), '-dcr')]",
"streamName": "[concat('Custom-', variables('connectorName'), '-CommonSecurityLog')]",
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]",
"dceResourceId": "[resourceId('Microsoft.Insights/dataCollectionEndpoints', variables('dceName'))]",
"dcrResourceId": "[resourceId('Microsoft.Insights/dataCollectionRules', variables('dcrName'))]",
"monitoringMetricsPublisherRoleId": "3913510d-42f4-4e42-8a64-420c390055eb",
"monitoringContributorRoleId": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
"logAnalyticsContributorRoleId": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
"dceRoleAssignmentId1": "[guid(variables('dceResourceId'), variables('servicePrincipalId'), variables('monitoringMetricsPublisherRoleId'), 'dce-metrics')]",
"dceRoleAssignmentId2": "[guid(variables('dceResourceId'), variables('servicePrincipalId'), variables('monitoringContributorRoleId'), 'dce-contributor')]",
"dcrRoleAssignmentId1": "[guid(variables('dcrResourceId'), variables('servicePrincipalId'), variables('monitoringMetricsPublisherRoleId'), 'dcr-metrics')]",
"dcrRoleAssignmentId2": "[guid(variables('dcrResourceId'), variables('servicePrincipalId'), variables('monitoringContributorRoleId'), 'dcr-contributor')]",
"workspaceRoleAssignmentId": "[guid(variables('workspaceResourceId'), variables('servicePrincipalId'), variables('logAnalyticsContributorRoleId'), 'workspace-contributor')]"
},
"resources": [
{
"type": "Microsoft.Insights/dataCollectionEndpoints",
"apiVersion": "2022-06-01",
"name": "[variables('dceName')]",
"location": "[variables('location')]",
"properties": {
"networkAcls": {
"publicNetworkAccess": "Enabled"
}
}
},
{
"type": "Microsoft.Insights/dataCollectionRules",
"apiVersion": "2022-06-01",
"name": "[variables('dcrName')]",
"location": "[variables('location')]",
"dependsOn": [
"[resourceId('Microsoft.Insights/dataCollectionEndpoints', variables('dceName'))]"
],
"properties": {
"dataCollectionEndpointId": "[variables('dceResourceId')]",
"streamDeclarations": {
"[variables('streamName')]": {
"columns": [
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "DeviceVendor",
"type": "string"
},
{
"name": "CustomField",
"type": "dynamic"
}
]
}
},
"dataSources": {},
"destinations": {
"logAnalytics": [
{
"name": "loganalytics-dest",
"workspaceResourceId": "[variables('workspaceResourceId')]"
}
]
},
"dataFlows": [
{
"streams": [
"[variables('streamName')]"
],
"destinations": [
"loganalytics-dest"
],
"transformKql": "source | extend DeviceVendor = tostring(DeviceVendor), CustomField = todynamic(CustomField) | project TimeGenerated, DeviceVendor, CustomField",
"outputStream": "Microsoft-CommonSecurityLog"
}
]
}
},
{
"type": "Microsoft.Insights/dataCollectionEndpoints/providers/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[concat(variables('dceName'), '/Microsoft.Authorization/', variables('dceRoleAssignmentId1'))]",
"dependsOn": [
"[resourceId('Microsoft.Insights/dataCollectionEndpoints', variables('dceName'))]"
],
"properties": {
"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('monitoringMetricsPublisherRoleId'))]",
"principalId": "[variables('servicePrincipalId')]"
}
},
{
"type": "Microsoft.Insights/dataCollectionEndpoints/providers/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[concat(variables('dceName'), '/Microsoft.Authorization/', variables('dceRoleAssignmentId2'))]",
"dependsOn": [
"[resourceId('Microsoft.Insights/dataCollectionEndpoints', variables('dceName'))]"
],
"properties": {
"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('monitoringContributorRoleId'))]",
"principalId": "[variables('servicePrincipalId')]"
}
},
{
"type": "Microsoft.Insights/dataCollectionRules/providers/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[concat(variables('dcrName'), '/Microsoft.Authorization/', variables('dcrRoleAssignmentId1'))]",
"dependsOn": [
"[resourceId('Microsoft.Insights/dataCollectionRules', variables('dcrName'))]"
],
"properties": {
"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('monitoringMetricsPublisherRoleId'))]",
"principalId": "[variables('servicePrincipalId')]"
}
},
{
"type": "Microsoft.Insights/dataCollectionRules/providers/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[concat(variables('dcrName'), '/Microsoft.Authorization/', variables('dcrRoleAssignmentId2'))]",
"dependsOn": [
"[resourceId('Microsoft.Insights/dataCollectionRules', variables('dcrName'))]"
],
"properties": {
"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('monitoringContributorRoleId'))]",
"principalId": "[variables('servicePrincipalId')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[concat(parameters('workspaceName'), '/Microsoft.Authorization/', variables('workspaceRoleAssignmentId'))]",
"properties": {
"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('logAnalyticsContributorRoleId'))]",
"principalId": "[variables('servicePrincipalId')]"
}
}
]
}