Bicep Templates

Microsoft Sentinel Data Collection Rules (DCR) Bicep Templates in VirtualMetric Director offer Infrastructure as Code (IaC) solutions for deploying standardized monitoring configurations. These templates enable automated and consistent deployment of Data Collection Rules across different Azure environments, making it easier to manage and scale your monitoring infrastructure.

What is Bicep?

Overview

Bicep is Microsoft Azure's domain-specific language (DSL) for deploying Azure resources. It provides a more concise and readable syntax compared to ARM (Azure Resource Manager) templates, while maintaining full compatibility with Azure's deployment capabilities. Bicep files are automatically transpiled into ARM templates during the deployment process.

Key features of Bicep include:

Simpler syntax with reduced repetition and improved readability
Type safety and enhanced validation at authoring time
Modularity through composition of Bicep files
IntelliSense and rich type safety in Visual Studio Code
Direct integration with Azure deployment pipelines

Here's a simple example comparing JSON ARM template syntax with Bicep:

// Bicep syntax
param location string = 'eastus'
param storageName string

resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
  name: storageName
  location: location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
}

// Equivalent ARM template JSON
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": {
      "type": "string",
      "defaultValue": "eastus"
    },
    "storageName": {
      "type": "string"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2021-09-01",
      "name": "[parameters('storageName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard_LRS"
      },
      "kind": "StorageV2"
    }
  ]
}

DCR Templates

Bicep simplifies the process of managing Azure infrastructure as code, making it easier to maintain and version control your Azure resource configurations. VirtualMetric Director provides two specialized Bicep template categories.

Standard

These templates generate DCRs that align with Microsoft Sentinel's native table schema. They include predefined parameters and variables for customizing data collection settings while maintaining compatibility with Sentinel's built-in analytics and workbooks. The templates are designed to facilitate seamless integration with your existing Sentinel deployments.

@description('The location of the resources')
param location string 

@description('The name of the Data Collection Endpoint Id')
param dataCollectionEndpointId string

@description('The Log Analytics Workspace Id used for Sentinel')
param workspaceResourceId string

resource dataCollectionRule 'Microsoft.Insights/dataCollectionRules@2022-06-01' = {
  name: 'vmetric-dcr'
  location: location
  properties: {
    dataCollectionEndpointId: dataCollectionEndpointId
    streamDeclarations: {
        // Contact with VirtualMetric Support to get the stream names
    }
    destinations: {
      logAnalytics: [
        {
          workspaceResourceId: workspaceResourceId
          name: 'vmetric-datastream'
        }
      ]
    }
    dataFlows: [
      {
        streams: [
          'Custom-CommonSecurityLog'
        ]
        destinations: [
          'vmetric-datastream'
        ]
        transformKql: 'source'
        outputStream: 'Microsoft-CommonSecurityLog'
      }
      {
        streams: [
          'Custom-SecurityEvent'
        ]
        destinations: [
          'vmetric-datastream'
        ]
        transformKql: 'source'
        outputStream: 'Microsoft-SecurityEvent'
      }
      {
        streams: [
          'Custom-Syslog'
        ]
        destinations: [
          'vmetric-datastream'
        ]
        transformKql: 'source'
        outputStream: 'Microsoft-Syslog'
      }
      {
        streams: [
          'Custom-WindowsEvent'
        ]
        destinations: [
          'vmetric-datastream'
        ]
        transformKql: 'source'
        outputStream: 'Microsoft-WindowsEvent'
      }
    ]
  }
}

output immutableId string = dataCollectionRule.properties.immutableId

ASim

These templates create DCRs that implement the Advanced Security Information Model (ASIM) schema. They include specific parsers and transformations required for normalizing VirtualMetric data into ASIM-compliant formats. These templates ensure your security data is standardized across different sources, enhancing threat detection and investigation capabilities.

@description('The location of the resources')
param location string 

@description('The name of the Data Collection Endpoint Id')
param dataCollectionEndpointId string

@description('The Log Analytics Workspace Id used for Sentinel')
param workspaceResourceId string

resource dataCollectionRule 'Microsoft.Insights/dataCollectionRules@2022-06-01' = {
  name: 'vmetric-dcr'
  location: location
  properties: {
    dataCollectionEndpointId: dataCollectionEndpointId
    streamDeclarations: {
        // Contact with VirtualMetric Support to get the stream names
    }
    destinations: {
      logAnalytics: [
        {
          workspaceResourceId: workspaceResourceId
          name: 'vmetric-datastream'
        }
      ]
    }
    dataFlows: [
      {
        streams: [
          'Custom-ASimAuditEventLogs'
        ]
        destinations: [
          'vmetric-datastream'
        ]
        transformKql: 'source'
        outputStream: 'Microsoft-ASimAuditEventLogs'
      }
      {
        streams: [
          'Custom-ASimAuthenticationEventLogs'
        ]
        destinations: [
          'vmetric-datastream'
        ]
        transformKql: 'source'
        outputStream: 'Microsoft-ASimAuthenticationEventLogs'
      }
      {
        streams: [
          'Custom-ASimDhcpEventLogs'
        ]
        destinations: [
          'vmetric-datastream'
        ]
        transformKql: 'source'
        outputStream: 'Microsoft-ASimDhcpEventLogs'
      }
      {
        streams: [
          'Custom-ASimDnsActivityLogs'
        ]
        destinations: [
          'vmetric-datastream'
        ]
        transformKql: 'source'
        outputStream: 'Microsoft-ASimDnsActivityLogs'
      }
      {
        streams: [
          'Custom-ASimNetworkSessionLogs'
        ]
        destinations: [
          'vmetric-datastream'
        ]
        transformKql: 'source'
        outputStream: 'Microsoft-ASimNetworkSessionLogs'
      }
      {
        streams: [
          'Custom-ASimFileEventLogs'
        ]
        destinations: [
          'vmetric-datastream'
        ]
        transformKql: 'source'
        outputStream: 'Microsoft-ASimFileEventLogs'
      }
      {
        streams: [
          'Custom-ASimProcessEventLogs'
        ]
        destinations: [
          'vmetric-datastream'
        ]
        transformKql: 'source'
        outputStream: 'Microsoft-ASimProcessEventLogs'
      }
      {
        streams: [
          'Custom-ASimRegistryEventLogs'
        ]
        destinations: [
          'vmetric-datastream'
        ]
        transformKql: 'source'
        outputStream: 'Microsoft-ASimRegistryEventLogs'
      }
      {
        streams: [
          'Custom-ASimUserManagementActivityLogs'
        ]
        destinations: [
          'vmetric-datastream'
        ]
        transformKql: 'source'
        outputStream: 'Microsoft-ASimUserManagementActivityLogs'
      }
    ]
  }
}

output immutableId string = dataCollectionRule.properties.immutableId

Each Bicep template is thoroughly tested and maintained to support VirtualMetric's monitoring capabilities while following Microsoft's best practices for DCR deployment and management. The templates include modular components that can be customized to meet specific organizational requirements while maintaining consistent data collection standards.

What is Bicep?​

Overview​

DCR Templates​

Standard​

ASim​

What is Bicep?

Overview

DCR Templates

Standard

ASim