I would like to share an example of a template that can be used to deploy a server with multiple databases and to turn ON Auditing and Threat Detection at both the server level and the individual database level. Please be aware that when server-level auditing is enabled, it is applied to all databases on that server. You can also enable database-level auditing, for example, if a different storage account or retention period should be used for a specific database. In the template below, the database-level policy writes to the same storage account as the server-level policy but lists its own audit action groups, whereas the server-level policy leaves `auditActionsAndGroups` as null. For more details about server-level and database-level auditing policies, please refer to the following article: Define server-level vs. database-level auditing policy
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"databaseserver": {
"type": "string"
},
"databaselist": {
"type": "array",
"metadata": {
}
},
"firewallruleList": {
"type": "array",
"metadata": {
}
},
"sqladminLogin": {
"type": "string"
},
"sqladminpassword": {
"type": "securestring"
},
"emailaddresses": {
"type": "string"
}
},
"variables": {
"databaseServerName": "[toLower(parameters('databaseServer'))]",
"databaseServerLocation": "West Europe",
"defaultSecondaryLocation": "North Europe",
"databaseServerAdminLogin": "[parameters('sqlAdminLogin')]",
"databaseServerAdminLoginPassword": "[parameters('sqlAdminPassword')]",
"storageAccountName": "[toLower(parameters('databaseServer'))]",
"emailAddresses": "[parameters('emailAddresses')]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"name": "[variables('storageAccountName')]",
"apiVersion": "2016-01-01",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_LRS"
},
"kind": "Storage",
"properties": {
}
},
{
"name": "[variables('databaseServerName')]",
"type": "Microsoft.Sql/servers",
"location": "[variables('databaseServerLocation')]",
"apiVersion": "2014-04-01-preview",
"dependsOn": [ ],
"tags": {
"DisplayName": "[variables('databaseServerName')]"
},
"properties": {
"administratorLogin": "[variables('databaseServerAdminLogin')]",
"administratorLoginPassword": "[variables('databaseServerAdminLoginPassword')]",
"version": "12.0"
},
"resources": [
{
"apiVersion": "2015-05-01-preview",
"type": "auditingSettings",
"name": "DefaultAuditingSettings",
"dependsOn": [
"[variables('databaseServerName')]",
"[concat('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]",
"DatabaseLoop"
],
"properties": {
"State": "Enabled",
"storageEndpoint": "[concat('https://', variables ('storageAccountName'), '.blob.core.windows.net/')]",
"storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]",
"storageAccountSubscriptionId": "[subscription().subscriptionId]",
"retentionDays": 0,
"auditActionsAndGroups": null,
"isStorageSecondaryKeyInUse": false
}
},
{
"apiVersion": "2015-05-01-preview",
"type": "securityAlertPolicies",
"name": "DefaultSecurityAlert",
"dependsOn": [
"[variables('databaseServerName')]",
"[concat('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]",
"[concat('Microsoft.Sql/servers/', variables('databaseServerName'), '/auditingSettings/DefaultAuditingSettings')]"
],
"properties": {
"state": "Enabled",
"disabledAlerts": "",
"emailAddresses": "[variables('emailAddresses')]",
"emailAccountAdmins": "Enabled",
"retentionDays": "10",
"storageEndpoint": "[concat('https://', variables ('storageAccountName'), '.blob.core.windows.net/')]",
"storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]"
}
}
]
},
{
"type": "Microsoft.Sql/servers/firewallrules",
"name": "[concat(variables('databaseServerName'), '/', parameters('firewallRuleList')[copyIndex()].name)]",
"apiVersion": "2014-04-01-preview",
"location": "[variables('databaseServerLocation')]",
"properties": {
"startIpAddress": "[parameters('firewallRuleList')[copyIndex()].startIpAddress]",
"endIpAddress": "[parameters('firewallRuleList')[copyIndex()].endIpAddress]"
},
"resources": [ ],
"dependsOn": [
"[concat('Microsoft.Sql/servers/', variables('databaseServerName'))]"
],
"copy": {
"name": "FirewallLoop",
"count": "[length(parameters('firewallRuleList'))]"
}
},
{
"apiVersion": "2014-04-01-preview",
"type": "Microsoft.Sql/servers/databases",
"copy": {
"name": "DatabaseLoop",
"count": "[length(parameters('databaseList'))]"
},
"dependsOn": [
"[concat('Microsoft.Sql/servers/', variables('databaseServerName'))]"
],
"location": "[variables('databaseServerLocation')]",
"name": "[concat(variables('databaseServerName'), '/', string(parameters('databaseList')[copyIndex()].databaseName))]",
"properties": {
"collation": "[parameters('databaseList')[copyIndex()].collation]",
"edition": "[parameters('databaseList')[copyIndex()].databaseEdition]",
"maxSizeBytes": "[parameters('databaseList')[copyIndex()].maxSizeBytes]"
},
"tags": {
"DisplayName": "[variables('databaseServerName')]"
},
"resources": [
{
"name": "current",
"type": "transparentDataEncryption",
"dependsOn": [
"[parameters('databaseList')[copyIndex()].databaseName]"
],
"location": null,
"apiVersion": "2014-04-01-preview",
"properties": {
"status": "Enabled"
}
},
{
"apiVersion": "2015-05-01-preview",
"type": "auditingSettings",
"name": "DatabaseauditingSettings",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', variables('databaseServerName'), '/databases/', string(parameters('databaseList')[copyIndex()].databaseName))]",
"[concat('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]",
"[concat('Microsoft.Sql/servers/', variables('databaseServerName'), '/databases/', string(parameters('databaseList')[copyIndex()].databaseName), '/transparentDataEncryption/current')]"
],
"properties": {
"State": "Enabled",
"storageEndpoint": "[concat('https://', variables ('storageAccountName'), '.blob.core.windows.net/')]",
"storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]",
"retentionDays": 0,
"auditActionsAndGroups": [ "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", "DATABASE_LOGOUT_GROUP", "USER_CHANGE_PASSWORD_GROUP" ],
"storageAccountSubscriptionId": "[subscription().subscriptionId]",
"isStorageSecondaryKeyInUse": false
}
},
{
"apiVersion": "2014-04-01-preview",
"type": "securityAlertPolicies",
"name": "DatabaseSecurityAlertPolicies",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', variables('databaseServerName'), '/databases/' , string(parameters('databaseList')[copyIndex()].databaseName))]",
"[concat('Microsoft.Sql/servers/', variables('databaseServerName'), '/databases/' , string(parameters('databaseList')[copyIndex()].databaseName), '/auditingSettings/DatabaseauditingSettings')]",
"[concat('Microsoft.Sql/servers/', variables('databaseServerName'), '/databases/', string(parameters('databaseList')[copyIndex()].databaseName), '/transparentDataEncryption/current')]"
],
"properties": {
"state": "Enabled",
"disabledAlerts": "",
"emailAddresses": "[variables('emailAddresses')]",
"emailAccountAdmins": "Enabled",
"retentionDays": "10",
"storageEndpoint": "[concat('https://', variables ('storageAccountName'), '.blob.core.windows.net/')]",
"storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]"
}
}
]
}
],
"outputs": { }
}
Have a nice day!
Olga