diff --git a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Linux_DINE.json b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Linux_DINE.json
index 646f1e52b..697cce96b 100644
--- a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Linux_DINE.json
+++ b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Linux_DINE.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased.",
 "metadata": {
- "version": "6.2.0",
+ "version": "6.3.0",
 "category": "Monitoring"
 },
- "version": "6.2.0",
+ "version": "6.3.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -22,6 +22,18 @@
 ],
 "defaultValue": "DeployIfNotExists"
 },
+ "scopeToSupportedImages": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Scope Policy to Azure Monitor Agent-Supported Operating Systems",
+ "description": "If set to true, the policy will apply only to machines with AMA-supported operating systems. Otherwise, the policy will apply to all machines in the assignment scope. For supported operating systems, see https://aka.ms/AMAOverview."
+ },
+ "allowedValues": [
+ true,
+ false
+ ],
+ "defaultValue": true
+ },
 "listOfLinuxImageIdToInclude": {
 "type": "Array",
 "metadata": {
@@ -147,6 +159,38 @@
 },
 {
 "anyOf": [
+ {
+ "allOf": [
+ {
+ "value": "[parameters('scopeToSupportedImages')]",
+ "equals": false
+ },
+ {
+ "field": "type",
+ "equals": "Microsoft.Compute/virtualMachines"
+ },
+ {
+ "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
+ "like": "Linux*"
+ }
+ ]
+ },
+ {
+ "allOf": [
+ {
+ "value": "[parameters('scopeToSupportedImages')]",
+ "equals": false
+ },
+ {
+ "field": "type",
+ "equals": "Microsoft.Compute/virtualMachineScaleSets"
+ },
+ {
+ "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.osDisk.osType",
+ "like": "Linux*"
+ }
+ ]
+ },
 {
 "field": "Microsoft.Compute/imageId",
 "in": "[parameters('listOfLinuxImageIdToInclude')]"
@@ -623,6 +667,7 @@
 }
 },
 "versions": [
+ "6.3.0",
 "6.2.0",
 "6.1.0"
 ]
diff --git a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Windows_DINE.json b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Windows_DINE.json
index 0c604b409..9ecad0c91 100644
--- a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Windows_DINE.json
+++ b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Windows_DINE.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased.",
 "metadata": {
- "version": "4.3.0",
+ "version": "4.4.0",
 "category": "Monitoring"
 },
- "version": "4.3.0",
+ "version": "4.4.0",
 "parameters": {
 "effect": {
 "type": "String",
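Review bot: The two new `allOf` branches in the `anyOf` lift the image allowlist only for `Microsoft.Compute/virtualMachines` and `Microsoft.Compute/virtualMachineScaleSets`, yet the `scopeToSupportedImages` description added in the `@@ -22,6 +22,18 @@` hunk promises that `false` makes the policy "apply to all machines in the assignment scope", and the policy's own description lists Arc machines as a target. Unless a branch outside this hunk already matches `Microsoft.HybridCompute/machines` without an OS allowlist, Arc machines keep the old scoping when the opt-out is set, and those machines silently stay without a DCR association even though the assignment's parameter says otherwise. Either add a third branch for the Arc machine type that mirrors these two (keyed on whichever OS field the rule's existing Arc conditions use), or narrow the parameter description to the two Azure compute types actually covered. The enclosing `policyRule` starts and ends outside the hunk.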
@@ -22,6 +22,18 @@
 ],
 "defaultValue": "DeployIfNotExists"
 },
+ "scopeToSupportedImages": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Scope Policy to Azure Monitor Agent-Supported Operating Systems",
+ "description": "If set to true, the policy will apply only to machines with AMA-supported operating systems. Otherwise, the policy will apply to all machines in the assignment scope. For supported operating systems, see https://aka.ms/AMAOverview."
+ },
+ "allowedValues": [
+ true,
+ false
+ ],
+ "defaultValue": true
+ },
 "listOfWindowsImageIdToInclude": {
 "type": "Array",
 "metadata": {
@@ -147,6 +159,38 @@
 },
 {
 "anyOf": [
+ {
+ "allOf": [
+ {
+ "value": "[parameters('scopeToSupportedImages')]",
+ "equals": false
+ },
+ {
+ "field": "type",
+ "equals": "Microsoft.Compute/virtualMachines"
+ },
+ {
+ "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
+ "like": "Linux*"
+ }
+ ]
+ },
+ {
+ "allOf": [
+ {
+ "value": "[parameters('scopeToSupportedImages')]",
+ "equals": false
+ },
+ {
+ "field": "type",
+ "equals": "Microsoft.Compute/virtualMachineScaleSets"
+ },
+ {
+ "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.osDisk.osType",
+ "like": "Linux*"
+ }
+ ]
+ },
 {
 "field": "Microsoft.Compute/imageId",
 "in": "[parameters('listOfWindowsImageIdToInclude')]"
@@ -459,6 +503,7 @@
 }
 },
 "versions": [
+ "4.4.0",
 "4.3.0",
 "4.2.0"
 ]
diff --git a/built-in-policies/policyDefinitions/Network/VirtualNetwork_FlowLog_TrafficAnalytics_Update.json b/built-in-policies/policyDefinitions/Network/VirtualNetwork_FlowLog_TrafficAnalytics_Update.json
index 23d305e88..2d0c28ed5 100644
--- a/built-in-policies/policyDefinitions/Network/VirtualNetwork_FlowLog_TrafficAnalytics_Update.json
+++ b/built-in-policies/policyDefinitions/Network/VirtualNetwork_FlowLog_TrafficAnalytics_Update.json
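Review bot: Both new `allOf` branches in this Windows policy's `@@ -147,6 +159,38 @@` hunk test the VM and VMSS `osType` with `"like": "Linux*"`, which looks copied from the Linux definition; with `scopeToSupportedImages` set to `false` this rule would create DCR associations on Linux machines and still skip every Windows machine that is not in `listOfWindowsImageIdToInclude`, the reverse of what the parameter description in the hunk above promises. The fix is the same line in each branch, `"like": "Windows*"`. Because the default is `true` the defect only surfaces for assignments that opt out, so a test assignment with the parameter set to false against one Windows and one Linux VM would catch it before publish. The enclosing `policyRule` starts and ends outside the hunk.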
@@ -1,14 +1,14 @@
 {
 "properties": {
- "displayName": "Configure virtual networks to use specific workspace, storage account and retention interval for Flow logs and Traffic Analytics",
+ "displayName": "Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics",
 "description": "If a virtual network already has traffic analytics enabled, then, this policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks.",
 "policyType": "BuiltIn",
 "mode": "Indexed",
 "metadata": {
- "version": "1.1.1",
+ "version": "1.1.2",
 "category": "Network"
 },
- "version": "1.1.1",
+ "version": "1.1.2",
 "parameters": {
 "effect": {
 "type": "string",
@@ -323,8 +323,8 @@
 }
 },
 "versions": [
+ "1.1.2",
 "1.1.1",
- "1.1.0",
 "1.0.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Security Center/DeployAtpOnMySqlFlexibleServers_DINE.json b/built-in-policies/policyDefinitions/Security Center/DeployAtpOnMySqlFlexibleServers_DINE.json
deleted file mode 100644
index 289dc1524..000000000
--- a/built-in-policies/policyDefinitions/Security Center/DeployAtpOnMySqlFlexibleServers_DINE.json
+++ /dev/null
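Review bot: The `@@ -323,8 +323,8 @@` hunk removes `"1.1.0"` from `versions` while the rest of the file's change is only the 1.1.1 to 1.1.2 bump and a displayName rewording, and nothing else in the diff explains why that revision disappears. If 1.1.0 was withdrawn on purpose, that deserves a line in the commit message; otherwise restore `"1.1.0",` between `"1.1.1",` and `"1.0.0"` so the published version history stays complete and any assignment pinned to it keeps resolving.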
@@ -1,83 +0,0 @@
-{
- "properties": {
- "displayName": "Configure Advanced Threat Protection to be enabled on Azure database for MySQL flexible servers",
- "policyType": "BuiltIn",
- "mode": "Indexed",
- "description": "Enable Advanced Threat Protection on your Azure database for MySQL flexible servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.",
- "metadata": {
- "version": "1.0.0",
- "category": "Security Center"
- },
- "version": "1.0.0",
- "parameters": {
- "effect": {
- "type": "string",
- "defaultValue": "DeployIfNotExists",
- "allowedValues": [
- "DeployIfNotExists",
- "Disabled"
- ],
- "metadata": {
- "displayName": "Effect",
- "description": "Enable or disable the execution of the policy"
- }
- }
- },
- "policyRule": {
- "if": {
- "field": "type",
- "equals": "Microsoft.DBforMySQL/flexibleservers"
- },
- "then": {
- "effect": "[parameters('effect')]",
- "details": {
- "type": "Microsoft.DBforMySQL/flexibleservers/advancedThreatProtectionSettings",
- "name": "Default",
- "evaluationDelay": "AfterProvisioningSuccess",
- "existenceCondition": {
- "field": "Microsoft.DBforMySQL/flexibleServers/advancedThreatProtectionSettings/state",
- "equals": "Enabled"
- },
- "roleDefinitionIds": [
- "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
- ],
- "deployment": {
- "properties": {
- "mode": "incremental",
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "serverName": {
- "type": "string"
- }
- },
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('serverName'), '/Default')]",
- "type": "Microsoft.DBforMySQL/flexibleservers/advancedThreatProtectionSettings",
- "apiVersion": "2023-12-01-preview",
- "properties": {
- "state": "Enabled"
- }
- }
- ]
- },
- "parameters": {
- "serverName": {
- "value": "[field('name')]"
- }
- }
- }
- }
- }
- }
- },
- "versions": [
- "1.0.0"
- ]
- },
- "id": "/providers/Microsoft.Authorization/policyDefinitions/3d5ed4c2-5e50-4c76-932b-8982691b68ae",
- "name": "3d5ed4c2-5e50-4c76-932b-8982691b68ae"
-}
\ No newline at end of file
diff --git a/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_LinuxPlatform_EnableDCR.json b/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_LinuxPlatform_EnableDCR.json
index 426a6b403..0d1447b35 100644
--- a/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_LinuxPlatform_EnableDCR.json
+++ b/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_LinuxPlatform_EnableDCR.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "Monitor and secure your Linux virtual machines, virtual machine scale sets, and Arc machines by deploying the Azure Monitor Agent extension and associating the machines with a specified Data Collection Rule. Deployment will occur on machines with supported OS images (or machines matching the provided list of images) in supported regions.",
 "metadata": {
- "version": "3.1.0",
+ "version": "3.2.0",
 "category": "Monitoring"
 },
- "version": "3.1.0",
+ "version": "3.2.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -100,6 +100,9 @@
 "effect": {
 "value": "[parameters('effect')]"
 },
+ "scopeToSupportedImages": {
+ "value": "[parameters('scopeToSupportedImages')]"
+ },
 "listOfLinuxImageIdToInclude": {
 "value": "[parameters('listOfLinuxImageIdToInclude')]"
 },
@@ -113,6 +116,7 @@
 }
 ],
 "versions": [
+ "3.2.0",
 "3.1.0"
 ]
 },
diff --git a/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_LinuxPlatform_UAI_EnableDCR.json b/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_LinuxPlatform_UAI_EnableDCR.json
index bb1751fd1..f0811c213 100644
--- a/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_LinuxPlatform_UAI_EnableDCR.json
+++ b/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_LinuxPlatform_UAI_EnableDCR.json
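Review bot: In the `@@ -100,6 +100,9 @@` hunk, `"value": "[parameters('scopeToSupportedImages')]"` passes a set-level parameter that this commit never declares: the `@@ -4,10 +4,10 @@` hunk is size-neutral and the next hunk starts at line 100 on both the old and new side, so nothing was inserted into the set's own `parameters` object between them. Unless the set already declared that parameter before this commit, the `policyDefinitions` entry references an undefined parameter and the set will fail validation when published, taking the whole Linux DCR initiative with it. The same gap appears in AzureMonitor_LinuxPlatform_UAI_EnableDCR.json, AzureMonitor_WindowsPlatform_EnableDCR.json and AzureMonitor_WindowsPlatform_UAI_EnableDCR.json. Declaring it in each set with the definition's own declaration (below, default `true` so existing assignments keep their current scope) closes it; the set descriptions, which still say deployment occurs only on supported OS images, would then also need a clause describing the opt-out.
```json
"scopeToSupportedImages": {
  "type": "Boolean",
  "metadata": {
    "displayName": "Scope Policy to Azure Monitor Agent-Supported Operating Systems",
    "description": "If set to true, the policy will apply only to machines with AMA-supported operating systems. Otherwise, the policy will apply to all machines in the assignment scope. For supported operating systems, see https://aka.ms/AMAOverview."
  },
  "allowedValues": [
    true,
    false
  ],
  "defaultValue": true
},
```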
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "Monitor your Linux virtual machines and virtual machine scale sets by deploying the Azure Monitor Agent extension with user-assigned managed identity authentication and associating with specified Data Collection Rule. Azure Monitor Agent Deployment will occur on machines with supported OS images (or machines matching the provided list of images) in supported regions.",
 "metadata": {
- "version": "2.2.0",
+ "version": "2.3.0",
 "category": "Monitoring"
 },
- "version": "2.2.0",
+ "version": "2.3.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -188,6 +188,9 @@
 "effect": {
 "value": "[parameters('effect')]"
 },
+ "scopeToSupportedImages": {
+ "value": "[parameters('scopeToSupportedImages')]"
+ },
 "listOfLinuxImageIdToInclude": {
 "value": "[parameters('listOfLinuxImageIdToInclude')]"
 },
@@ -201,6 +204,7 @@
 }
 ],
 "versions": [
+ "2.3.0",
 "2.2.0"
 ]
 },
diff --git a/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_WindowsPlatform_EnableDCR.json b/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_WindowsPlatform_EnableDCR.json
index 8945697ca..b88778dce 100644
--- a/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_WindowsPlatform_EnableDCR.json
+++ b/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_WindowsPlatform_EnableDCR.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "Monitor and secure your Windows virtual machines, virtual machine scale sets, and Arc machines by deploying the Azure Monitor Agent extension and associating the machines with a specified Data Collection Rule. Deployment will occur on machines with supported OS images (or machines matching the provided list of images) in supported regions.",
 "metadata": {
- "version": "3.1.0",
+ "version": "3.2.0",
 "category": "Monitoring"
 },
- "version": "3.1.0",
+ "version": "3.2.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -101,6 +101,9 @@
 "effect": {
 "value": "[parameters('effect')]"
 },
+ "scopeToSupportedImages": {
+ "value": "[parameters('scopeToSupportedImages')]"
+ },
 "listOfWindowsImageIdToInclude": {
 "value": "[parameters('listOfWindowsImageIdToInclude')]"
 },
@@ -114,6 +117,7 @@
 }
 ],
 "versions": [
+ "3.2.0",
 "3.1.0"
 ]
 },
diff --git a/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_WindowsPlatform_UAI_EnableDCR.json b/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_WindowsPlatform_UAI_EnableDCR.json
index 91e39dc79..f4714cb56 100644
--- a/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_WindowsPlatform_UAI_EnableDCR.json
+++ b/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_WindowsPlatform_UAI_EnableDCR.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "Monitor your Windows virtual machines and virtual machine scale sets by deploying the Azure Monitor Agent extension with user-assigned managed identity authentication and associating with specified Data Collection Rule. Azure Monitor Agent Deployment will occur on machines with supported OS images (or machines matching the provided list of images) in supported regions.",
 "metadata": {
- "version": "2.2.0",
+ "version": "2.3.0",
 "category": "Monitoring"
 },
- "version": "2.2.0",
+ "version": "2.3.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -188,6 +188,9 @@
 "effect": {
 "value": "[parameters('effect')]"
 },
+ "scopeToSupportedImages": {
+ "value": "[parameters('scopeToSupportedImages')]"
+ },
 "listOfWindowsImageIdToInclude": {
 "value": "[parameters('listOfWindowsImageIdToInclude')]"
 },
@@ -201,6 +204,7 @@
 }
 ],
 "versions": [
+ "2.3.0",
 "2.2.0"
 ]
 },
diff --git a/built-in-policies/policySetDefinitions/Security Center/ASC_AtpForOssDatabases.json b/built-in-policies/policySetDefinitions/Security Center/ASC_AtpForOssDatabases.json
deleted file mode 100644
index fd5d37202..000000000
--- a/built-in-policies/policySetDefinitions/Security Center/ASC_AtpForOssDatabases.json
+++ /dev/null
@@ -1,52 +0,0 @@
-{
- "properties": {
- "displayName": "Configure Advanced Threat Protection to be enabled on open-source relational databases",
- "policyType": "BuiltIn",
- "description": "Enable Advanced Threat Protection on your non-Basic tier open-source relational databases to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. See https://aka.ms/AzDforOpenSourceDBsDocu.",
- "metadata": {
- "version": "1.2.0",
- "category": "Security Center"
- },
- "version": "1.2.0",
- "parameters": {},
- "policyDefinitions": [
- {
- "policyDefinitionReferenceId": "deployAtpOnAzureDatabaseForPostgreSqlServer",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3",
- "definitionVersion": "1.*.*",
- "parameters": {}
- },
- {
- "policyDefinitionReferenceId": "deployAtpOnAzureDatabaseForMySqlServer",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816",
- "definitionVersion": "1.*.*",
- "parameters": {}
- },
- {
- "policyDefinitionReferenceId": "deployAdvancedThreatProtectionOnAzureDatabaseForMariaDbServer",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6cf7411-da9e-49e2-aec0-cba0250eaf8c",
- "definitionVersion": "1.*.*",
- "parameters": {}
- },
- {
- "policyDefinitionReferenceId": "deployAtpOnAzureDatabaseForPostgreSqlFlexibleServer",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a6ae02f-7590-40d7-88ba-b18e205a32fd",
- "definitionVersion": "1.*.*",
- "parameters": {}
- },
- {
- "policyDefinitionReferenceId": "deployAtpOnAzureDatabaseForMySqlFlexibleServer",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3d5ed4c2-5e50-4c76-932b-8982691b68ae",
- "definitionVersion": "1.*.*",
- "parameters": {}
- }
- ],
- "versions": [
- "1.2.0",
- "1.1.0",
- "1.0.1"
- ]
- },
- "id": "/providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e",
- "name": "e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e"
-}
\ No newline at end of file