fix: Do not redeploy Log Analytics workspace
Only verify that the parent Log Analytics workspace exists and then deploy the saved search.

The deployment will fail with `ResourceNotFound` error code if the Log Analytics workspace does not exist.

Updated `languageVersion` to 2.0 as `existing` declarations require it.
Ref: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/resource-declaration#declare-existing-resources

Relates: Azure#8623
frendsick committed Aug 29, 2024
1 parent 91c8d17 commit 0986d7f
Showing 1 changed file with 19 additions and 23 deletions.
@@ -1,5 +1,6 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
"languageVersion": "2.0",
"contentVersion": "1.0.0.0",
"parameters": {
"Workspace": {
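Review bot: the added `"languageVersion": "2.0"` line changes the shape of the whole template, not just this header: `resources` becomes an object keyed by symbolic name instead of an array, while `$schema` stays at 2019-08-01. Please confirm that whatever validates, packages or deploys these parser templates (CI checks, scripts that iterate over `resources` as a list) accepts the new shape, and say whether the sibling parser templates are meant to follow the same pattern or this file is intentionally the only one converted.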
@@ -16,31 +17,26 @@
}
}
},
"resources": [
{
"resources": {
"log_analytics_workspace": {
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2017-03-15-preview",
"name": "[parameters('Workspace')]",
"location": "[parameters('WorkspaceRegion')]",
"resources": [
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "ASimAuthenticationAADManagedIdentitySignInLogs",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],
"properties": {
"etag": "*",
"displayName": "Authentication ASIM parser for Microsoft Entra ID managed identity sign-in logs",
"category": "ASIM",
"FunctionAlias": "ASimAuthenticationAADManagedIdentitySignInLogs",
"query": "let AADResultTypes = (T:(ResultType:string)) {\n let AADResultTypesLookup = datatable (ResultType:string, EventResultDetails:string, EventType:string, EventResult:string, EventOriginalResultDetails:string, EventSeverity:string)\n [\n \"0\" ,\"\" ,\"Logon\" ,\"Success\" ,\"\", \"Informational\",\n \"50005\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50005 - DevicePolicyError\", \"Low\",\n \"50011\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50020\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50020 - UserUnauthorized\", \"Low\",\n \"50034\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50034 - UserAccountNotFound\", \"Low\",\n \"50053\" ,\"User locked\" ,\"Logon\" ,\"Failure\" ,\"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\" ,\"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"50056 - Invalid or null password\", \"Low\",\n \"50057\" ,\"User disabled\" ,\"Logon\" ,\"Failure\" ,\"50057 - UserDisabled\", \"Low\",\n \"50058\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50058 - UserInformationNotProvided\", \"Low\",\n \"50059\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50061\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50061 - SignoutInvalidRequest\", \"Low\",\n \"50064\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50064 - CredentialAuthenticationError\", \"Low\",\n \"50068\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50072\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50074\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"50076\" 
,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50078\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50078 - UserStrongAuthExpired\", \"Low\",\n \"50079\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"50173 -FreshTokenNeeded\", \"Low\",\n \"51004\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"51004 - UserAccountNotInDirectory\", \"Low\",\n \"53003\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"53003 - BlockedByConditionalAccess\", \"Low\",\n \"70008\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"80012\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"100003\",\"Other\" ,\"Logon\" ,\"Failure\" ,\"100003\", \"Low\",\n \"500011\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"530032\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"530034\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"700016\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"700016 - UnauthorizedClient_DoesNotMatchRequest\", 
\"Low\",\n \"700027\",\"Incorrect key\" ,\"Logon\" ,\"Failure\" ,\"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"700082\",\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\"\n ];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails),\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult),\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity),\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n};\nlet parser = (disabled:bool=false) {\n AADManagedIdentitySignInLogs \n | where not(disabled)\n | invoke AADResultTypes()\n | project-rename\n ActingAppId = AppId,\n EventOriginalUid = Id,\n EventProductVersion = OperationVersion,\n EventUid = _ItemId,\n SrcIpAddr = IPAddress,\n TargetAppId = ResourceIdentity,\n TargetAppName = ResourceDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = ServicePrincipalId,\n TargetUsername = ServicePrincipalName\n | extend \n Dvc = 'Microsft/Entra ID',\n EventCount = int(1),\n EventProduct = 'Entra ID',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventVendor = 'Microsoft',\n LogonMethod = \"Managed Identity\",\n TargetAppType = \"Resource\",\n TargetUserIdType = 'EntraID',\n TargetUsernameType = 'Simple',\n TargetUserType = 'Service'\n | project-away OperationName, Category, Result*, ServicePrincipal*,SourceSystem, DurationMs, Resource*, Location*, UniqueTokenIdentifier, FederatedCredentialId, Conditional*, Authentication*, Identity, Level, TenantId\n // \n // -- Aliases\n | extend \n Application = TargetAppName,\n Dst = TargetAppName,\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n IpAddr = SrcIpAddr,\n LogonTarget = TargetAppName,\n Src = SrcIpAddr,\n TargetSimpleUsername = TargetUsername,\n 
TargetUserAadId = TargetUserId,\n User = TargetUsername\n};\nparser (disabled=disabled)",
"version": 1,
"functionParameters": "disabled:bool=False"
}
}
]
"existing": true
},
"saved_search": {
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2020-08-01",
"name": "[concat(parameters('Workspace'), '/ASimAuthenticationAADManagedIdentitySignInLogs')]",
"properties": {
"etag": "*",
"displayName": "Authentication ASIM parser for Microsoft Entra ID managed identity sign-in logs",
"category": "ASIM",
"FunctionAlias": "ASimAuthenticationAADManagedIdentitySignInLogs",
"query": "let AADResultTypes = (T:(ResultType:string)) {\n let AADResultTypesLookup = datatable (ResultType:string, EventResultDetails:string, EventType:string, EventResult:string, EventOriginalResultDetails:string, EventSeverity:string)\n [\n \"0\" ,\"\" ,\"Logon\" ,\"Success\" ,\"\", \"Informational\",\n \"50005\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50005 - DevicePolicyError\", \"Low\",\n \"50011\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50020\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50020 - UserUnauthorized\", \"Low\",\n \"50034\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50034 - UserAccountNotFound\", \"Low\",\n \"50053\" ,\"User locked\" ,\"Logon\" ,\"Failure\" ,\"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\" ,\"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"50056 - Invalid or null password\", \"Low\",\n \"50057\" ,\"User disabled\" ,\"Logon\" ,\"Failure\" ,\"50057 - UserDisabled\", \"Low\",\n \"50058\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50058 - UserInformationNotProvided\", \"Low\",\n \"50059\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50061\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50061 - SignoutInvalidRequest\", \"Low\",\n \"50064\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50064 - CredentialAuthenticationError\", \"Low\",\n \"50068\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50072\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50074\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"50076\" 
,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50078\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50078 - UserStrongAuthExpired\", \"Low\",\n \"50079\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"50173 -FreshTokenNeeded\", \"Low\",\n \"51004\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"51004 - UserAccountNotInDirectory\", \"Low\",\n \"53003\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"53003 - BlockedByConditionalAccess\", \"Low\",\n \"70008\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"80012\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"100003\",\"Other\" ,\"Logon\" ,\"Failure\" ,\"100003\", \"Low\",\n \"500011\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"530032\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"530034\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"700016\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"700016 - UnauthorizedClient_DoesNotMatchRequest\", 
\"Low\",\n \"700027\",\"Incorrect key\" ,\"Logon\" ,\"Failure\" ,\"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"700082\",\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\"\n ];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails),\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult),\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity),\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n};\nlet parser = (disabled:bool=false) {\n AADManagedIdentitySignInLogs \n | where not(disabled)\n | invoke AADResultTypes()\n | project-rename\n ActingAppId = AppId,\n EventOriginalUid = Id,\n EventProductVersion = OperationVersion,\n EventUid = _ItemId,\n SrcIpAddr = IPAddress,\n TargetAppId = ResourceIdentity,\n TargetAppName = ResourceDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = ServicePrincipalId,\n TargetUsername = ServicePrincipalName\n | extend \n Dvc = 'Microsft/Entra ID',\n EventCount = int(1),\n EventProduct = 'Entra ID',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventVendor = 'Microsoft',\n LogonMethod = \"Managed Identity\",\n TargetAppType = \"Resource\",\n TargetUserIdType = 'EntraID',\n TargetUsernameType = 'Simple',\n TargetUserType = 'Service'\n | project-away OperationName, Category, Result*, ServicePrincipal*,SourceSystem, DurationMs, Resource*, Location*, UniqueTokenIdentifier, FederatedCredentialId, Conditional*, Authentication*, Identity, Level, TenantId\n // \n // -- Aliases\n | extend \n Application = TargetAppName,\n Dst = TargetAppName,\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n IpAddr = SrcIpAddr,\n LogonTarget = TargetAppName,\n Src = SrcIpAddr,\n TargetSimpleUsername = TargetUsername,\n 
TargetUserAadId = TargetUserId,\n User = TargetUsername\n};\nparser (disabled=disabled)",
"version": 1,
"functionParameters": "disabled:bool=False"
}
}
]
}
}
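Review bot: `saved_search` loses the old `dependsOn` on the workspace and nothing replaces it, so the template no longer states that the existence check on `log_analytics_workspace` must complete before the saved search is written. Suggest adding `"dependsOn": ["log_analytics_workspace"]` to `saved_search`; with languageVersion 2.0 the dependency can be given by symbolic name. The workspace declaration also still carries `"location": "[parameters('WorkspaceRegion')]"` next to `"existing": true`; an existing declaration does not set a location, so that property can be dropped, and the `WorkspaceRegion` parameter with it if nothing else uses it. Minor: the moved query still contains `Dvc = 'Microsft/Entra ID'`; if the spelling is corrected here, check that no analytics rule or workbook filters on the misspelled value.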