Merge pull request #854 from microsoft/sfi-issueFix

fix: SFI issue fixes

Author: Prajwal-Microsoft

infra/main.bicep

@@ -494,6 +494,7 @@ module jumpboxVM 'br/public:avm/res/compute/virtual-machine:0.21.0' = if (deploy
 
 // ========== Data Collection Rule for Jumpbox Security Event Logs (SFI-AzTBv17) ========== //
 var jumpboxDcrName = take('dcr-${jumpboxVmName}', 64)
+var dcrLogAnalyticsDestinationName = 'la-${logAnalyticsWorkspaceResourceName}-destination'
 module jumpboxDcr 'br/public:avm/res/insights/data-collection-rule:0.11.0' = if (deployAdminAccessResources && enableMonitoring) {
   name: take('avm.res.insights.data-collection-rule.${jumpboxDcrName}', 64)
   params: {
@@ -512,15 +513,15 @@ module jumpboxDcr 'br/public:avm/res/insights/data-collection-rule:0.11.0' = if
               'Microsoft-SecurityEvent'
             ]
             xPathQueries: [
-              'Security!*[System[(band(Keywords,13510798882111488))]]'
+              'Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]'
             ]
           }
         ]
       }
       destinations: {
         logAnalytics: [
           {
-            name: 'laDestination'
+            name: dcrLogAnalyticsDestinationName
             workspaceResourceId: logAnalyticsWorkspaceResourceId
           }
         ]
@@ -531,7 +532,7 @@ module jumpboxDcr 'br/public:avm/res/insights/data-collection-rule:0.11.0' = if
             'Microsoft-SecurityEvent'
           ]
           destinations: [
-            'laDestination'
+            dcrLogAnalyticsDestinationName
           ]
         }
       ]

infra/main.json

@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.43.8.12551",
-      "templateHash": "14282475649019624593"
+      "templateHash": "11476101976733556609"
     },
     "name": "Intelligent Content Generation Accelerator",
     "description": "Solution Accelerator for multimodal marketing content generation using Microsoft Agent Framework.\n"
@@ -354,6 +354,7 @@
     "jumpboxUniqueToken": "[take(uniqueString(resourceGroup().id, variables('solutionSuffix')), 10)]",
     "jumpboxVmName": "[take(format('vm-{0}', variables('jumpboxUniqueToken')), 15)]",
     "jumpboxDcrName": "[take(format('dcr-{0}', variables('jumpboxVmName')), 64)]",
+    "dcrLogAnalyticsDestinationName": "[format('la-{0}-destination', variables('logAnalyticsWorkspaceResourceName'))]",
     "privateDnsZones": [
       "privatelink.cognitiveservices.azure.com",
       "privatelink.openai.azure.com",
@@ -18302,15 +18303,15 @@
                       "Microsoft-SecurityEvent"
                     ],
                     "xPathQueries": [
-                      "Security!*[System[(band(Keywords,13510798882111488))]]"
+                      "Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]"
                     ]
                   }
                 ]
               },
               "destinations": {
                 "logAnalytics": [
                   {
-                    "name": "laDestination",
+                    "name": "[variables('dcrLogAnalyticsDestinationName')]",
                     "workspaceResourceId": "[if(variables('useExistingLogAnalytics'), parameters('existingLogAnalyticsWorkspaceId'), if(parameters('enableMonitoring'), reference('logAnalyticsWorkspace').outputs.resourceId.value, ''))]"
                   }
                 ]
@@ -18321,7 +18322,7 @@
                     "Microsoft-SecurityEvent"
                   ],
                   "destinations": [
-                    "laDestination"
+                    "[variables('dcrLogAnalyticsDestinationName')]"
                   ]
                 }
               ]

infra/main_custom.bicep

@@ -520,6 +520,7 @@ module jumpboxVM 'br/public:avm/res/compute/virtual-machine:0.21.0' = if (deploy
 
 // ========== Data Collection Rule for Jumpbox Security Event Logs (SFI-AzTBv17) ========== //
 var jumpboxDcrName = take('dcr-${jumpboxVmName}', 64)
+var dcrLogAnalyticsDestinationName = 'la-${logAnalyticsWorkspaceResourceName}-destination'
 module jumpboxDcr 'br/public:avm/res/insights/data-collection-rule:0.11.0' = if (deployAdminAccessResources && enableMonitoring) {
   name: take('avm.res.insights.data-collection-rule.${jumpboxDcrName}', 64)
   params: {
@@ -538,15 +539,15 @@ module jumpboxDcr 'br/public:avm/res/insights/data-collection-rule:0.11.0' = if
               'Microsoft-SecurityEvent'
             ]
             xPathQueries: [
-              'Security!*[System[(band(Keywords,13510798882111488))]]'
+              'Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]'
             ]
           }
         ]
       }
       destinations: {
         logAnalytics: [
           {
-            name: 'laDestination'
+            name: dcrLogAnalyticsDestinationName
             workspaceResourceId: logAnalyticsWorkspaceResourceId
           }
         ]
@@ -557,7 +558,7 @@ module jumpboxDcr 'br/public:avm/res/insights/data-collection-rule:0.11.0' = if
             'Microsoft-SecurityEvent'
           ]
           destinations: [
-            'laDestination'
+            dcrLogAnalyticsDestinationName
           ]
         }
       ]