fix: address SFI security compliance issues

- Enable infrastructure encryption (double encryption) for storage account
- Add Security solution to Log Analytics workspace for SecurityEvent table
- Add Windows Security Audit Event Logs (EventID 4624/4625) to data collection rules
- Route Microsoft-SecurityEvent stream to Log Analytics in both main.bicep and main_custom.bicep

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: Prachig-Microsoft

infra/main.bicep

@@ -514,12 +514,27 @@ module maintenanceConfiguration 'br/public:avm/res/maintenance/maintenance-confi
   }
 }
 
+resource securitySolution 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = if (enablePrivateNetworking && enableMonitoring) {
+  name: 'Security(log-${solutionSuffix})'
+  location: location
+  plan: {
+    name: 'Security(log-${solutionSuffix})'
+    publisher: 'Microsoft'
+    product: 'OMSGallery/Security'
+    promotionCode: ''
+  }
+  properties: {
+    workspaceResourceId: logAnalyticsWorkspaceResourceId
+  }
+}
+
 var dataCollectionRulesResourceName = 'dcr-${solutionSuffix}'
 var dataCollectionRulesLocation = useExistingLogAnalytics
   ? existingLogAnalyticsWorkspace!.location
   : logAnalyticsWorkspace!.outputs.location
 module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-rule:0.11.0' = if (enablePrivateNetworking && enableMonitoring) {
   name: take('avm.res.insights.data-collection-rule.${dataCollectionRulesResourceName}', 64)
+  dependsOn: [securitySolution]
   params: {
     name: dataCollectionRulesResourceName
     tags: tags
@@ -586,6 +601,17 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
             name: 'perfCounterDataSource60'
           }
         ]
+        windowsEventLogs: [
+          {
+            name: 'SecurityAuditEvents'
+            streams: [
+              'Microsoft-SecurityEvent'
+            ]
+            xPathQueries: [
+              'Security!*[System[(EventID=4624 or EventID=4625)]]'
+            ]
+          }
+        ]
       }
       destinations: {
         logAnalytics: [
@@ -604,6 +630,14 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
             'la-${dataCollectionRulesResourceName}'
           ]
         }
+        {
+          streams: [
+            'Microsoft-SecurityEvent'
+          ]
+          destinations: [
+            'la-${dataCollectionRulesResourceName}'
+          ]
+        }
       ]
     }
   }

infra/main.json

@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.42.1.51946",
-      "templateHash": "1333265003476738511"
+      "templateHash": "16804124823752948659"
     },
     "name": "Modernize Your Code Solution Accelerator",
     "description": "CSA CTO Gold Standard Solution Accelerator for Modernize Your Code. \r\n"
@@ -308,6 +308,25 @@
       "resourceGroup": "[variables('existingLawResourceGroup')]",
       "name": "[variables('existingLawName')]"
     },
+    "securitySolution": {
+      "condition": "[and(parameters('enablePrivateNetworking'), parameters('enableMonitoring'))]",
+      "type": "Microsoft.OperationsManagement/solutions",
+      "apiVersion": "2015-11-01-preview",
+      "name": "[format('Security(log-{0})', variables('solutionSuffix'))]",
+      "location": "[parameters('location')]",
+      "plan": {
+        "name": "[format('Security(log-{0})', variables('solutionSuffix'))]",
+        "publisher": "Microsoft",
+        "product": "OMSGallery/Security",
+        "promotionCode": ""
+      },
+      "properties": {
+        "workspaceResourceId": "[if(variables('useExistingLogAnalytics'), parameters('existingLogAnalyticsWorkspaceId'), reference('logAnalyticsWorkspace').outputs.resourceId.value)]"
+      },
+      "dependsOn": [
+        "logAnalyticsWorkspace"
+      ]
+    },
     "appIdentity": {
       "type": "Microsoft.Resources/deployments",
       "apiVersion": "2025-04-01",
@@ -13101,11 +13120,11 @@
       },
       "dependsOn": [
         "applicationInsights",
-        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').ods)]",
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').agentSvc)]",
-        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').oms)]",
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').monitor)]",
+        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').oms)]",
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageBlob)]",
+        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').ods)]",
         "dataCollectionEndpoint",
         "logAnalyticsWorkspace",
         "virtualNetwork"
@@ -15351,6 +15370,17 @@
                     ],
                     "name": "perfCounterDataSource60"
                   }
+                ],
+                "windowsEventLogs": [
+                  {
+                    "name": "SecurityAuditEvents",
+                    "streams": [
+                      "Microsoft-SecurityEvent"
+                    ],
+                    "xPathQueries": [
+                      "Security!*[System[(EventID=4624 or EventID=4625)]]"
+                    ]
+                  }
                 ]
               },
               "destinations": {
@@ -15369,6 +15399,14 @@
                   "destinations": [
                     "[format('la-{0}', variables('dataCollectionRulesResourceName'))]"
                   ]
+                },
+                {
+                  "streams": [
+                    "Microsoft-SecurityEvent"
+                  ],
+                  "destinations": [
+                    "[format('la-{0}', variables('dataCollectionRulesResourceName'))]"
+                  ]
                 }
               ]
             }
@@ -16578,7 +16616,8 @@
       "dependsOn": [
         "dataCollectionEndpoint",
         "existingLogAnalyticsWorkspace",
-        "logAnalyticsWorkspace"
+        "logAnalyticsWorkspace",
+        "securitySolution"
       ]
     },
     "proximityPlacementGroup": {
@@ -32018,8 +32057,8 @@
       "dependsOn": [
         "aiServices",
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)]",
-        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]",
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').aiServices)]",
+        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]",
         "virtualNetwork"
       ]
     },
@@ -32076,7 +32115,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.42.1.51946",
-              "templateHash": "3598447245043879538"
+              "templateHash": "15460841004653840446"
             }
           },
           "definitions": {
@@ -32314,7 +32353,7 @@
                     "value": "TLS1_2"
                   },
                   "requireInfrastructureEncryption": {
-                    "value": false
+                    "value": true
                   },
                   "keyType": {
                     "value": "Service"

infra/main_custom.bicep

@@ -422,12 +422,27 @@ module maintenanceConfiguration 'br/public:avm/res/maintenance/maintenance-confi
   }
 }
 
+resource securitySolution 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = if (enablePrivateNetworking && enableMonitoring) {
+  name: 'Security(log-${solutionSuffix})'
+  location: location
+  plan: {
+    name: 'Security(log-${solutionSuffix})'
+    publisher: 'Microsoft'
+    product: 'OMSGallery/Security'
+    promotionCode: ''
+  }
+  properties: {
+    workspaceResourceId: logAnalyticsWorkspaceResourceId
+  }
+}
+
 var dataCollectionRulesResourceName = 'dcr-${solutionSuffix}'
 var dataCollectionRulesLocation = useExistingLogAnalytics
   ? existingLogAnalyticsWorkspace!.location
   : logAnalyticsWorkspace!.outputs.location
 module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-rule:0.11.0' = if (enablePrivateNetworking && enableMonitoring) {
   name: take('avm.res.insights.data-collection-rule.${dataCollectionRulesResourceName}', 64)
+  dependsOn: [securitySolution]
   params: {
     name: dataCollectionRulesResourceName
     tags: tags
@@ -497,7 +512,7 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
           {
             name: 'SecurityAuditEvents'
             streams: [
-              'Microsoft-WindowsEvent'
+              'Microsoft-SecurityEvent'
             ]
             xPathQueries: [
               'Security!*[System[(EventID=4624 or EventID=4625)]]'
@@ -524,6 +539,14 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
           transformKql: 'source'
           outputStream: 'Microsoft-Perf'
         }
+        {
+          streams: [
+            'Microsoft-SecurityEvent'
+          ]
+          destinations: [
+            'la-${dataCollectionRulesResourceName}'
+          ]
+        }
       ]
     }
   }

infra/modules/storageAccount.bicep

@@ -58,7 +58,7 @@ module storageAccount 'br/public:avm/res/storage/storage-account:0.32.0' = {
     allowSharedKeyAccess: false
     allowCrossTenantReplication: false
     minimumTlsVersion: 'TLS1_2'
-    requireInfrastructureEncryption: false
+    requireInfrastructureEncryption: true
     keyType: 'Service'
     enableHierarchicalNamespace: false
     enableNfsV3: false