From 7adc4532e8f8e60b870e76a874bf7fcff60aff8e Mon Sep 17 00:00:00 2001
From: Kanchan-Microsoft
Date: Tue, 19 May 2026 13:16:57 +0530
Subject: [PATCH 1/4] fix: update event stream names and enforce security settings in Bicep templates

---
 infra/main.bicep | 16 +++++++++++++++-
 infra/main.json | 30 ++++++++++++++++++++++++++----
 infra/main_custom.bicep | 16 +++++++++++++++-
 3 files changed, 56 insertions(+), 6 deletions(-)

diff --git a/infra/main.bicep b/infra/main.bicep
index 2bc2b88c..b4e6603e 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -433,7 +433,7 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
 {
 name: 'SecurityAuditEvents'
 streams: [
- 'Microsoft-WindowsEvent'
+ 'Microsoft-Event'
 ]
 eventLogName: 'Security'
 eventTypes: [
@@ -469,6 +469,16 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
 transformKql: 'source'
 outputStream: 'Microsoft-Perf'
 }
+ {
+ streams: [
+ 'Microsoft-Event'
+ ]
+ destinations: [
+ 'la-${dataCollectionRulesResourceName}'
+ ]
+ transformKql: 'source'
+ outputStream: 'Microsoft-Event'
+ }
 ]
 }
 }
@@ -654,6 +664,7 @@ module avmStorageAccount 'br/public:avm/res/storage/storage-account:0.32.0' = {
 defaultAction: (enablePrivateNetworking) ? 'Deny' : 'Allow'
 ipRules: []
 }
+ requireInfrastructureEncryption: true
 supportsHttpsTrafficOnly: true
 accessTier: 'Hot'
 tags: tags
@@ -1048,6 +1059,7 @@ module avmContainerApp_API 'br/public:avm/res/app/container-app:0.22.1' = {
 ingressExternal: true
 activeRevisionsMode: 'Single'
 ingressTransport: 'auto'
+ ingressAllowInsecure: false
 corsPolicy: {
 allowedOrigins: [
 '*'
@@ -1089,6 +1101,7 @@ module avmContainerApp_Web 'br/public:avm/res/app/container-app:0.22.1' = {
 ingressTargetPort: 3000
 activeRevisionsMode: 'Single'
 ingressTransport: 'auto'
+ ingressAllowInsecure: false
 scaleSettings: {
 maxReplicas: enableScalability ? 3 : 2
 minReplicas: enableScalability ? 2 : 1
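Review bot: Moving the `SecurityAuditEvents` source from `Microsoft-WindowsEvent` to `Microsoft-Event` routes the Security log into the Log Analytics `Event` table; any workbook, alert rule or Sentinel analytic that expects Windows Security audit data in `SecurityEvent` (the table fed by the `Microsoft-SecurityEvent` stream) would silently stop matching. Nothing in the hunk says which table the feed is meant to land in, so a one-line comment above the data source, `// Security log is collected into the Event table (Microsoft-Event), not SecurityEvent`, would make the choice reviewable and keep the next maintainer from "fixing" it back. The same change is made in main_custom.bicep (@@ -436) and in the compiled main.json.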
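Review bot: `requireInfrastructureEncryption: true` is, to my knowledge, only honoured when the storage account is created; re-running this template against an account deployed before this change is likely to fail at the `avmStorageAccount` module rather than upgrade the account in place. A comment on the new line, `// immutable after account creation; pre-existing deployments need a new account or a documented exception`, and a sentence in the commit message would save the next deployer a confusing failure. The main_custom.bicep hunk at @@ -657 adds the same line and needs the same note.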
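Review bot: `ingressAllowInsecure: false` closes the plaintext path, but the context lines of this same hunk show an externally reachable API (`ingressExternal: true`) with `corsPolicy.allowedOrigins: ['*']`, so any browser origin may still call it and TLS enforcement does not narrow that. If the API is only meant to be called from the Web container app, restricting `allowedOrigins` to that app's FQDN is the matching tightening; if the wildcard is deliberate, a comment such as `// wildcard CORS is intentional: <reason>` records the decision. The same wildcard sits next to the new line in `avmContainerApp_API_update` (@@ -1723) and in the main_custom.bicep counterparts (@@ -1061, @@ -1756).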
@@ -1723,6 +1736,7 @@ module avmContainerApp_API_update 'br/public:avm/res/app/container-app:0.22.1' =
 ingressExternal: true
 activeRevisionsMode: 'Single'
 ingressTransport: 'auto'
+ ingressAllowInsecure: false
 corsPolicy: {
 allowedOrigins: [
 '*'
diff --git a/infra/main.json b/infra/main.json
index b66d5b32..d2dcccdb 100644
--- a/infra/main.json
+++ b/infra/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.42.1.51946",
- "templateHash": "312988678863218513"
+ "templateHash": "11967716103255684929"
 },
 "name": "Content Processing Solution Accelerator",
 "description": "Bicep template to deploy the Content Processing Solution Accelerator with AVM compliance."
@@ -14607,7 +14607,7 @@
 {
 "name": "SecurityAuditEvents",
 "streams": [
- "Microsoft-WindowsEvent"
+ "Microsoft-Event"
 ],
 "eventLogName": "Security",
 "eventTypes": [
@@ -14642,6 +14642,16 @@
 ],
 "transformKql": "source",
 "outputStream": "Microsoft-Perf"
+ },
+ {
+ "streams": [
+ "Microsoft-Event"
+ ],
+ "destinations": [
+ "[format('la-{0}', variables('dataCollectionRulesResourceName'))]"
+ ],
+ "transformKql": "source",
+ "outputStream": "Microsoft-Event"
 }
 ]
 }
@@ -28050,6 +28060,9 @@
 "ipRules": []
 }
 },
+ "requireInfrastructureEncryption": {
+ "value": true
+ },
 "supportsHttpsTrafficOnly": {
 "value": true
 },
@@ -42481,10 +42494,10 @@
 },
 "dependsOn": [
 "avmAiServices",
- "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]",
 "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').aiServices)]",
- "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)]",
 "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').contentUnderstanding)]",
+ "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]",
+ "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)]",
 "virtualNetwork"
 ]
 },
@@ -45910,6 +45923,9 @@
 "ingressTransport": {
 "value": "auto"
 },
+ "ingressAllowInsecure": {
+ "value": false
+ },
 "corsPolicy": {
 "value": {
 "allowedOrigins": [
@@ -47515,6 +47531,9 @@
 "ingressTransport": {
 "value": "auto"
 },
+ "ingressAllowInsecure": {
+ "value": false
+ },
 "scaleSettings": {
 "value": {
 "maxReplicas": "[if(parameters('enableScalability'), 3, 2)]",
@@ -63175,6 +63194,9 @@
 "ingressTransport": {
 "value": "auto"
 },
+ "ingressAllowInsecure": {
+ "value": false
+ },
 "corsPolicy": {
 "value": {
 "allowedOrigins": [
diff --git a/infra/main_custom.bicep b/infra/main_custom.bicep
index fd462dc6..6bc005e7 100644
--- a/infra/main_custom.bicep
+++ b/infra/main_custom.bicep
@@ -436,7 +436,7 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
 {
 name: 'SecurityAuditEvents'
 streams: [
- 'Microsoft-WindowsEvent'
+ 'Microsoft-Event'
 ]
 eventLogName: 'Security'
 eventTypes: [
@@ -472,6 +472,16 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
 transformKql: 'source'
 outputStream: 'Microsoft-Perf'
 }
+ {
+ streams: [
+ 'Microsoft-Event'
+ ]
+ destinations: [
+ 'la-${dataCollectionRulesResourceName}'
+ ]
+ transformKql: 'source'
+ outputStream: 'Microsoft-Event'
+ }
 ]
 }
 }
@@ -657,6 +667,7 @@ module avmStorageAccount 'br/public:avm/res/storage/storage-account:0.32.0' = {
 defaultAction: (enablePrivateNetworking) ? 'Deny' : 'Allow'
 ipRules: []
 }
+ requireInfrastructureEncryption: true
 supportsHttpsTrafficOnly: true
 accessTier: 'Hot'
 tags: tags
@@ -1061,6 +1072,7 @@ module avmContainerApp_API 'br/public:avm/res/app/container-app:0.22.1' = {
 ingressExternal: true
 activeRevisionsMode: 'Single'
 ingressTransport: 'auto'
+ ingressAllowInsecure: false
 corsPolicy: {
 allowedOrigins: [
 '*'
@@ -1107,6 +1119,7 @@ module avmContainerApp_Web 'br/public:avm/res/app/container-app:0.22.1' = {
 ingressTargetPort: 3000
 activeRevisionsMode: 'Single'
 ingressTransport: 'auto'
+ ingressAllowInsecure: false
 scaleSettings: {
 maxReplicas: enableScalability ? 3 : 2
 minReplicas: enableScalability ? 2 : 1
@@ -1756,6 +1769,7 @@ module avmContainerApp_API_update 'br/public:avm/res/app/container-app:0.22.1' =
 ingressExternal: true
 activeRevisionsMode: 'Single'
 ingressTransport: 'auto'
+ ingressAllowInsecure: false
 corsPolicy: {
 allowedOrigins: [
 '*'

From e13d1c5a86d1539ec2e14056dce1f61e14f43051 Mon Sep 17 00:00:00 2001
From: Kanchan-Microsoft
Date: Tue, 19 May 2026 16:43:53 +0530
Subject: [PATCH 2/4] fix: update event log configuration and refine xPathQueries for data collection rules

---
 infra/main.bicep | 11 +----------
 infra/main.json | 13 ++-----------
 infra/main_custom.bicep | 11 +----------
 3 files changed, 4 insertions(+), 31 deletions(-)

diff --git a/infra/main.bicep b/infra/main.bicep
index b4e6603e..e1c2b0d0 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -435,17 +435,8 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
 streams: [
 'Microsoft-Event'
 ]
- eventLogName: 'Security'
- eventTypes: [
- {
- eventType: 'Audit Success'
- }
- {
- eventType: 'Audit Failure'
- }
- ]
 xPathQueries: [
- 'Security!*[System[(EventID=4624 or EventID=4625)]]'
+ 'Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]'
 ]
 }
 ]
diff --git a/infra/main.json b/infra/main.json
index d2dcccdb..e77fe6eb 100644
--- a/infra/main.json
+++ b/infra/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.42.1.51946",
- "templateHash": "11967716103255684929"
+ "templateHash": "12538110573757351724"
 },
 "name": "Content Processing Solution Accelerator",
 "description": "Bicep template to deploy the Content Processing Solution Accelerator with AVM compliance."
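Review bot: The new XPath in the main.bicep @@ -435 hunk drops every successful-logon record (EventID 4624) from the Security feed while widening collection to all other audited events, and neither the hunk nor the commit message says why. The mask `13510798882111488` is `0x30000000000000`, i.e. the Audit Success and Audit Failure keyword bits, so the query now reads "all audited Security events except 4624"; a comment above `xPathQueries`, `// Keywords 0x30000000000000 = Audit Success | Audit Failure; 4624 excluded because <reason>`, would keep that intent reviewable. If event volume is the driver, note that 4624 is the record most account-misuse and lateral-movement detections depend on, so narrowing it by logon type inside the XPath is usually a safer trade-off than excluding it outright. The same query change lands in main_custom.bicep (@@ -438) and in the compiled main.json.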
@@ -14609,17 +14609,8 @@
 "streams": [
 "Microsoft-Event"
 ],
- "eventLogName": "Security",
- "eventTypes": [
- {
- "eventType": "Audit Success"
- },
- {
- "eventType": "Audit Failure"
- }
- ],
 "xPathQueries": [
- "Security!*[System[(EventID=4624 or EventID=4625)]]"
+ "Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]"
 ]
 }
 ]
diff --git a/infra/main_custom.bicep b/infra/main_custom.bicep
index 6bc005e7..4f107646 100644
--- a/infra/main_custom.bicep
+++ b/infra/main_custom.bicep
@@ -438,17 +438,8 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
 streams: [
 'Microsoft-Event'
 ]
- eventLogName: 'Security'
- eventTypes: [
- {
- eventType: 'Audit Success'
- }
- {
- eventType: 'Audit Failure'
- }
- ]
 xPathQueries: [
- 'Security!*[System[(EventID=4624 or EventID=4625)]]'
+ 'Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]'
 ]
 }
 ]

From 85ea0b0e266e15733ab24517dd3f8ffe98bb15fb Mon Sep 17 00:00:00 2001
From: Kanchan-Microsoft
Date: Wed, 20 May 2026 17:10:34 +0530
Subject: [PATCH 3/4] refactor: update log analytics resource naming in Bicep templates

---
 infra/main.bicep | 8 +++++---
 infra/main.json | 14 ++++++++------
 infra/main_custom.bicep | 8 +++++---
 3 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/infra/main.bicep b/infra/main.bicep
index d1fbbdb2..2563c8c6 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -362,6 +362,8 @@ module maintenanceConfiguration 'br/public:avm/res/maintenance/maintenance-confi
 
 var dataCollectionRulesResourceName = 'dcr-${solutionSuffix}'
 var dataCollectionRulesLocation = logAnalyticsWorkspace!.outputs.location
+var logAnalyticsWorkspaceResourceName = 'log-${solutionSuffix}'
+var dcrLogAnalyticsDestinationName = 'la-${logAnalyticsWorkspaceResourceName}-destination'
 module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-rule:0.11.0' = if (enablePrivateNetworking && enableMonitoring) {
 name: take('avm.res.insights.data-collection-rule.${dataCollectionRulesResourceName}', 64)
 params: {
@@ -445,7 +447,7 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
 logAnalytics: [
 {
 workspaceResourceId: logAnalyticsWorkspace!.outputs.resourceId
- name: 'la-${dataCollectionRulesResourceName}'
+ name: dcrLogAnalyticsDestinationName
 }
 ]
 }
@@ -455,7 +457,7 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
 'Microsoft-Perf'
 ]
 destinations: [
- 'la-${dataCollectionRulesResourceName}'
+ dcrLogAnalyticsDestinationName
 ]
 transformKql: 'source'
 outputStream: 'Microsoft-Perf'
@@ -465,7 +467,7 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
 'Microsoft-Event'
 ]
 destinations: [
- 'la-${dataCollectionRulesResourceName}'
+ dcrLogAnalyticsDestinationName
 ]
 transformKql: 'source'
 outputStream: 'Microsoft-Event'
diff --git a/infra/main.json b/infra/main.json
index 5b710605..7a859310 100644
--- a/infra/main.json
+++ b/infra/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.42.1.51946",
- "templateHash": "12078312041649297460"
+ "templateHash": "3337141965130997882"
 },
 "name": "Content Processing Solution Accelerator",
 "description": "Bicep template to deploy the Content Processing Solution Accelerator with AVM compliance."
@@ -243,6 +243,8 @@
 "bastionHostName": "[format('bas-{0}', variables('solutionSuffix'))]",
 "jumpboxVmName": "[take(format('vm-{0}', variables('solutionSuffix')), 15)]",
 "dataCollectionRulesResourceName": "[format('dcr-{0}', variables('solutionSuffix'))]",
+ "logAnalyticsWorkspaceResourceName": "[format('log-{0}', variables('solutionSuffix'))]",
+ "dcrLogAnalyticsDestinationName": "[format('la-{0}-destination', variables('logAnalyticsWorkspaceResourceName'))]",
 "privateDnsZones": [
 "privatelink.cognitiveservices.azure.com",
 "privatelink.openai.azure.com",
@@ -14619,7 +14621,7 @@
 "logAnalytics": [
 {
 "workspaceResourceId": "[reference('logAnalyticsWorkspace').outputs.resourceId.value]",
- "name": "[format('la-{0}', variables('dataCollectionRulesResourceName'))]"
+ "name": "[variables('dcrLogAnalyticsDestinationName')]"
 }
 ]
 },
@@ -14629,7 +14631,7 @@
 "Microsoft-Perf"
 ],
 "destinations": [
- "[format('la-{0}', variables('dataCollectionRulesResourceName'))]"
+ "[variables('dcrLogAnalyticsDestinationName')]"
 ],
 "transformKql": "source",
 "outputStream": "Microsoft-Perf"
@@ -14639,7 +14641,7 @@
 "Microsoft-Event"
 ],
 "destinations": [
- "[format('la-{0}', variables('dataCollectionRulesResourceName'))]"
+ "[variables('dcrLogAnalyticsDestinationName')]"
 ],
 "transformKql": "source",
 "outputStream": "Microsoft-Event"
@@ -42485,10 +42487,10 @@
 },
 "dependsOn": [
 "avmAiServices",
- "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').contentUnderstanding)]",
- "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]",
 "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').aiServices)]",
+ "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]",
 "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)]",
+ "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').contentUnderstanding)]",
 "virtualNetwork"
 ]
 },
diff --git a/infra/main_custom.bicep b/infra/main_custom.bicep
index 4f107646..5cf6da32 100644
--- a/infra/main_custom.bicep
+++ b/infra/main_custom.bicep
@@ -365,6 +365,8 @@ module maintenanceConfiguration 'br/public:avm/res/maintenance/maintenance-confi
 
 var dataCollectionRulesResourceName = 'dcr-${solutionSuffix}'
 var dataCollectionRulesLocation = logAnalyticsWorkspace!.outputs.location
+var logAnalyticsWorkspaceResourceName = 'log-${solutionSuffix}'
+var dcrLogAnalyticsDestinationName = 'la-${logAnalyticsWorkspaceResourceName}-destination'
 module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-rule:0.11.0' = if (enablePrivateNetworking && enableMonitoring) {
 name: take('avm.res.insights.data-collection-rule.${dataCollectionRulesResourceName}', 64)
 params: {
@@ -448,7 +450,7 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
 logAnalytics: [
 {
 workspaceResourceId: logAnalyticsWorkspace!.outputs.resourceId
- name: 'la-${dataCollectionRulesResourceName}'
+ name: dcrLogAnalyticsDestinationName
 }
 ]
 }
@@ -458,7 +460,7 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
 'Microsoft-Perf'
 ]
 destinations: [
- 'la-${dataCollectionRulesResourceName}'
+ dcrLogAnalyticsDestinationName
 ]
 transformKql: 'source'
 outputStream: 'Microsoft-Perf'
@@ -468,7 +470,7 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
 'Microsoft-Event'
 ]
 destinations: [
- 'la-${dataCollectionRulesResourceName}'
+ dcrLogAnalyticsDestinationName
 ]
 transformKql: 'source'
 outputStream: 'Microsoft-Event'

From 3f17071cafb74ad3eb7c24b6bdbbf49553b6707e Mon Sep 17 00:00:00 2001
From: Kanchan-Microsoft
Date: Wed, 20 May 2026 18:05:07 +0530
Subject: [PATCH 4/4] refactor: update log analytics workspace resource name in Bicep templates

---
 infra/main.bicep | 2 +-
 infra/main.json | 10 +++++-----
 infra/main_custom.bicep | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/infra/main.bicep b/infra/main.bicep
index 2563c8c6..9f4ec91e 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -520,7 +520,7 @@ module avmPrivateDnsZones 'br/public:avm/res/network/private-dns-zone:0.8.1' = [
 module logAnalyticsWorkspace 'modules/log-analytics-workspace.bicep' = if (enableMonitoring) {
 name: take('module.log-analytics-workspace.${solutionSuffix}', 64)
 params: {
- name: 'log-${solutionSuffix}'
+ name: logAnalyticsWorkspaceResourceName
 location: location
 tags: tags
 enableTelemetry: enableTelemetry
diff --git a/infra/main.json b/infra/main.json
index 7a859310..e8ba8e73 100644
--- a/infra/main.json
+++ b/infra/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.42.1.51946",
- "templateHash": "3337141965130997882"
+ "templateHash": "5885652317352749587"
 },
 "name": "Content Processing Solution Accelerator",
 "description": "Bicep template to deploy the Content Processing Solution Accelerator with AVM compliance."
@@ -19275,7 +19275,7 @@
 "mode": "Incremental",
 "parameters": {
 "name": {
- "value": "[format('log-{0}', variables('solutionSuffix'))]"
+ "value": "[variables('logAnalyticsWorkspaceResourceName')]"
 },
 "location": {
 "value": "[parameters('location')]"
@@ -36183,8 +36183,8 @@
 "avmContainerApp_API",
 "avmContainerApp_Workflow",
 "avmManagedIdentity",
- "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageBlob)]",
 "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageQueue)]",
+ "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageBlob)]",
 "virtualNetwork"
 ]
 },
@@ -42487,10 +42487,10 @@
 },
 "dependsOn": [
 "avmAiServices",
+ "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').contentUnderstanding)]",
+ "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)]",
 "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').aiServices)]",
 "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]",
- "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)]",
- "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').contentUnderstanding)]",
 "virtualNetwork"
 ]
 },
diff --git a/infra/main_custom.bicep b/infra/main_custom.bicep
index 5cf6da32..b2263f10 100644
--- a/infra/main_custom.bicep
+++ b/infra/main_custom.bicep
@@ -523,7 +523,7 @@ module avmPrivateDnsZones 'br/public:avm/res/network/private-dns-zone:0.8.1' = [
 module logAnalyticsWorkspace 'modules/log-analytics-workspace.bicep' = if (enableMonitoring) {
 name: take('module.log-analytics-workspace.${solutionSuffix}', 64)
 params: {
- name: 'log-${solutionSuffix}'
+ name: logAnalyticsWorkspaceResourceName
 location: location
 tags: tags
 enableTelemetry: enableTelemetry