Merge pull request #593 from microsoft/sfi-fix

fix: update event stream names and enforce security settings in Bicep

Author: Prajwal-Microsoft

infra/main.bicep

@@ -362,6 +362,8 @@ module maintenanceConfiguration 'br/public:avm/res/maintenance/maintenance-confi
 
 var dataCollectionRulesResourceName = 'dcr-${solutionSuffix}'
 var dataCollectionRulesLocation = logAnalyticsWorkspace!.outputs.location
+var logAnalyticsWorkspaceResourceName = 'log-${solutionSuffix}'
+var dcrLogAnalyticsDestinationName = 'la-${logAnalyticsWorkspaceResourceName}-destination'
 module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-rule:0.11.0' = if (enablePrivateNetworking && enableMonitoring) {
   name: take('avm.res.insights.data-collection-rule.${dataCollectionRulesResourceName}', 64)
   params: {
@@ -433,19 +435,10 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
           {
             name: 'SecurityAuditEvents'
             streams: [
-              'Microsoft-WindowsEvent'
-            ]
-            eventLogName: 'Security'
-            eventTypes: [
-              {
-                eventType: 'Audit Success'
-              }
-              {
-                eventType: 'Audit Failure'
-              }
+              'Microsoft-Event'
             ]
             xPathQueries: [
-              'Security!*[System[(EventID=4624 or EventID=4625)]]'
+              'Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]'
             ]
           }
         ]
@@ -454,7 +447,7 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
         logAnalytics: [
           {
             workspaceResourceId: logAnalyticsWorkspace!.outputs.resourceId
-            name: 'la-${dataCollectionRulesResourceName}'
+            name: dcrLogAnalyticsDestinationName
           }
         ]
       }
@@ -464,11 +457,21 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
             'Microsoft-Perf'
           ]
           destinations: [
-            'la-${dataCollectionRulesResourceName}'
+            dcrLogAnalyticsDestinationName
           ]
           transformKql: 'source'
           outputStream: 'Microsoft-Perf'
         }
+        {
+          streams: [
+            'Microsoft-Event'
+          ]
+          destinations: [
+            dcrLogAnalyticsDestinationName
+          ]
+          transformKql: 'source'
+          outputStream: 'Microsoft-Event'
+        }
       ]
     }
   }
@@ -517,7 +520,7 @@ module avmPrivateDnsZones 'br/public:avm/res/network/private-dns-zone:0.8.1' = [
 module logAnalyticsWorkspace 'modules/log-analytics-workspace.bicep' = if (enableMonitoring) {
   name: take('module.log-analytics-workspace.${solutionSuffix}', 64)
   params: {
-    name: 'log-${solutionSuffix}'
+    name: logAnalyticsWorkspaceResourceName
     location: location
     tags: tags
     enableTelemetry: enableTelemetry
@@ -654,6 +657,7 @@ module avmStorageAccount 'br/public:avm/res/storage/storage-account:0.32.0' = {
       defaultAction: (enablePrivateNetworking) ? 'Deny' : 'Allow'
       ipRules: []
     }
+    requireInfrastructureEncryption: true
     supportsHttpsTrafficOnly: true
     accessTier: 'Hot'
     tags: tags
@@ -1048,6 +1052,7 @@ module avmContainerApp_API 'br/public:avm/res/app/container-app:0.22.1' = {
     ingressExternal: true
     activeRevisionsMode: 'Single'
     ingressTransport: 'auto'
+    ingressAllowInsecure: false
     corsPolicy: {
       allowedOrigins: [
         '*'
@@ -1089,6 +1094,7 @@ module avmContainerApp_Web 'br/public:avm/res/app/container-app:0.22.1' = {
     ingressTargetPort: 3000
     activeRevisionsMode: 'Single'
     ingressTransport: 'auto'
+    ingressAllowInsecure: false
     scaleSettings: {
       maxReplicas: enableScalability ? 3 : 2
       minReplicas: enableScalability ? 2 : 1
@@ -1722,6 +1728,7 @@ module avmContainerApp_API_update 'br/public:avm/res/app/container-app:0.22.1' =
     ingressExternal: true
     activeRevisionsMode: 'Single'
     ingressTransport: 'auto'
+    ingressAllowInsecure: false
     corsPolicy: {
       allowedOrigins: [
         '*'

infra/main.json

@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.42.1.51946",
-      "templateHash": "12078312041649297460"
+      "templateHash": "5885652317352749587"
     },
     "name": "Content Processing Solution Accelerator",
     "description": "Bicep template to deploy the Content Processing Solution Accelerator with AVM compliance."
@@ -243,6 +243,8 @@
     "bastionHostName": "[format('bas-{0}', variables('solutionSuffix'))]",
     "jumpboxVmName": "[take(format('vm-{0}', variables('solutionSuffix')), 15)]",
     "dataCollectionRulesResourceName": "[format('dcr-{0}', variables('solutionSuffix'))]",
+    "logAnalyticsWorkspaceResourceName": "[format('log-{0}', variables('solutionSuffix'))]",
+    "dcrLogAnalyticsDestinationName": "[format('la-{0}-destination', variables('logAnalyticsWorkspaceResourceName'))]",
     "privateDnsZones": [
       "privatelink.cognitiveservices.azure.com",
       "privatelink.openai.azure.com",
@@ -14607,19 +14609,10 @@
                   {
                     "name": "SecurityAuditEvents",
                     "streams": [
-                      "Microsoft-WindowsEvent"
-                    ],
-                    "eventLogName": "Security",
-                    "eventTypes": [
-                      {
-                        "eventType": "Audit Success"
-                      },
-                      {
-                        "eventType": "Audit Failure"
-                      }
+                      "Microsoft-Event"
                     ],
                     "xPathQueries": [
-                      "Security!*[System[(EventID=4624 or EventID=4625)]]"
+                      "Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]"
                     ]
                   }
                 ]
@@ -14628,7 +14621,7 @@
                 "logAnalytics": [
                   {
                     "workspaceResourceId": "[reference('logAnalyticsWorkspace').outputs.resourceId.value]",
-                    "name": "[format('la-{0}', variables('dataCollectionRulesResourceName'))]"
+                    "name": "[variables('dcrLogAnalyticsDestinationName')]"
                   }
                 ]
               },
@@ -14638,10 +14631,20 @@
                     "Microsoft-Perf"
                   ],
                   "destinations": [
-                    "[format('la-{0}', variables('dataCollectionRulesResourceName'))]"
+                    "[variables('dcrLogAnalyticsDestinationName')]"
                   ],
                   "transformKql": "source",
                   "outputStream": "Microsoft-Perf"
+                },
+                {
+                  "streams": [
+                    "Microsoft-Event"
+                  ],
+                  "destinations": [
+                    "[variables('dcrLogAnalyticsDestinationName')]"
+                  ],
+                  "transformKql": "source",
+                  "outputStream": "Microsoft-Event"
                 }
               ]
             }
@@ -19272,7 +19275,7 @@
         "mode": "Incremental",
         "parameters": {
           "name": {
-            "value": "[format('log-{0}', variables('solutionSuffix'))]"
+            "value": "[variables('logAnalyticsWorkspaceResourceName')]"
           },
           "location": {
             "value": "[parameters('location')]"
@@ -28050,6 +28053,9 @@
               "ipRules": []
             }
           },
+          "requireInfrastructureEncryption": {
+            "value": true
+          },
           "supportsHttpsTrafficOnly": {
             "value": true
           },
@@ -36177,8 +36183,8 @@
         "avmContainerApp_API",
         "avmContainerApp_Workflow",
         "avmManagedIdentity",
-        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageBlob)]",
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageQueue)]",
+        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageBlob)]",
         "virtualNetwork"
       ]
     },
@@ -42482,9 +42488,9 @@
       "dependsOn": [
         "avmAiServices",
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').contentUnderstanding)]",
-        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]",
-        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').aiServices)]",
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)]",
+        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').aiServices)]",
+        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]",
         "virtualNetwork"
       ]
     },
@@ -45910,6 +45916,9 @@
           "ingressTransport": {
             "value": "auto"
           },
+          "ingressAllowInsecure": {
+            "value": false
+          },
           "corsPolicy": {
             "value": {
               "allowedOrigins": [
@@ -47515,6 +47524,9 @@
           "ingressTransport": {
             "value": "auto"
           },
+          "ingressAllowInsecure": {
+            "value": false
+          },
           "scaleSettings": {
             "value": {
               "maxReplicas": "[if(parameters('enableScalability'), 3, 2)]",
@@ -63172,6 +63184,9 @@
           "ingressTransport": {
             "value": "auto"
           },
+          "ingressAllowInsecure": {
+            "value": false
+          },
           "corsPolicy": {
             "value": {
               "allowedOrigins": [

infra/main_custom.bicep

@@ -365,6 +365,8 @@ module maintenanceConfiguration 'br/public:avm/res/maintenance/maintenance-confi
 
 var dataCollectionRulesResourceName = 'dcr-${solutionSuffix}'
 var dataCollectionRulesLocation = logAnalyticsWorkspace!.outputs.location
+var logAnalyticsWorkspaceResourceName = 'log-${solutionSuffix}'
+var dcrLogAnalyticsDestinationName = 'la-${logAnalyticsWorkspaceResourceName}-destination'
 module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-rule:0.11.0' = if (enablePrivateNetworking && enableMonitoring) {
   name: take('avm.res.insights.data-collection-rule.${dataCollectionRulesResourceName}', 64)
   params: {
@@ -436,19 +438,10 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
           {
             name: 'SecurityAuditEvents'
             streams: [
-              'Microsoft-WindowsEvent'
-            ]
-            eventLogName: 'Security'
-            eventTypes: [
-              {
-                eventType: 'Audit Success'
-              }
-              {
-                eventType: 'Audit Failure'
-              }
+              'Microsoft-Event'
             ]
             xPathQueries: [
-              'Security!*[System[(EventID=4624 or EventID=4625)]]'
+              'Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]'
             ]
           }
         ]
@@ -457,7 +450,7 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
         logAnalytics: [
           {
             workspaceResourceId: logAnalyticsWorkspace!.outputs.resourceId
-            name: 'la-${dataCollectionRulesResourceName}'
+            name: dcrLogAnalyticsDestinationName
           }
         ]
       }
@@ -467,11 +460,21 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
             'Microsoft-Perf'
           ]
           destinations: [
-            'la-${dataCollectionRulesResourceName}'
+            dcrLogAnalyticsDestinationName
           ]
           transformKql: 'source'
           outputStream: 'Microsoft-Perf'
         }
+        {
+          streams: [
+            'Microsoft-Event'
+          ]
+          destinations: [
+            dcrLogAnalyticsDestinationName
+          ]
+          transformKql: 'source'
+          outputStream: 'Microsoft-Event'
+        }
       ]
     }
   }
@@ -520,7 +523,7 @@ module avmPrivateDnsZones 'br/public:avm/res/network/private-dns-zone:0.8.1' = [
 module logAnalyticsWorkspace 'modules/log-analytics-workspace.bicep' = if (enableMonitoring) {
   name: take('module.log-analytics-workspace.${solutionSuffix}', 64)
   params: {
-    name: 'log-${solutionSuffix}'
+    name: logAnalyticsWorkspaceResourceName
     location: location
     tags: tags
     enableTelemetry: enableTelemetry
@@ -657,6 +660,7 @@ module avmStorageAccount 'br/public:avm/res/storage/storage-account:0.32.0' = {
       defaultAction: (enablePrivateNetworking) ? 'Deny' : 'Allow'
       ipRules: []
     }
+    requireInfrastructureEncryption: true
     supportsHttpsTrafficOnly: true
     accessTier: 'Hot'
     tags: tags
@@ -1061,6 +1065,7 @@ module avmContainerApp_API 'br/public:avm/res/app/container-app:0.22.1' = {
     ingressExternal: true
     activeRevisionsMode: 'Single'
     ingressTransport: 'auto'
+    ingressAllowInsecure: false
     corsPolicy: {
       allowedOrigins: [
         '*'
@@ -1107,6 +1112,7 @@ module avmContainerApp_Web 'br/public:avm/res/app/container-app:0.22.1' = {
     ingressTargetPort: 3000
     activeRevisionsMode: 'Single'
     ingressTransport: 'auto'
+    ingressAllowInsecure: false
     scaleSettings: {
       maxReplicas: enableScalability ? 3 : 2
       minReplicas: enableScalability ? 2 : 1
@@ -1756,6 +1762,7 @@ module avmContainerApp_API_update 'br/public:avm/res/app/container-app:0.22.1' =
     ingressExternal: true
     activeRevisionsMode: 'Single'
     ingressTransport: 'auto'
+    ingressAllowInsecure: false
     corsPolicy: {
       allowedOrigins: [
         '*'