@JustinGrote
Last active August 25, 2024 10:34
Create Auxiliary-plan table equivalents (`<Table>_Aux_CL`) of the ASIM and common log (Syslog, CommonSecurityLog) Sentinel tables in an existing Log Analytics workspace, plus a Direct-ingestion DCR whose streams match those tables.
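@description('Name of the existing Log Analytics workspace that holds the source tables and receives the cloned <Table>_Aux_CL tables.')
param workspaceName string

@description('Value applied to totalRetentionInDays on every cloned table.')
param logRetentionDays int = 90

@description('Source tables whose schema is cloned into a <name>_Aux_CL table. Each one must already exist in the workspace (they are referenced as existing resources).')
param tableNames array = [
  'ASimNetworkSessionLogs'
  'ASimAuthenticationEventLogs'
  'ASimWebSessionLogs'
  'ASimAuditEventLogs'
  'ASimDhcpEventLogs'
  'ASimDnsActivityLogs'
  'ASimFileEventLogs'
  'Syslog'
  'CommonSecurityLog'
]

@description('Table plan assigned to the cloned tables.')
@allowed(['Basic', 'Auxiliary'])
param plan string = 'Auxiliary'

// Column names that are dropped from the DCR stream declarations (the module
// parameters below filter them out of the cloned schema). Presumably these are
// system/reserved names that a custom ingestion stream may not declare — confirm
// against the Logs Ingestion API docs before adding or removing entries.
// Fix: '_ResourceId' was listed twice; the duplicate is removed. The filter uses
// contains(), so membership is unchanged.
param reservedColumnNames array = [
  '_ResourceId'
  'id'
  '_SubscriptionId'
  'TenantId'
  'Type'
  'UniqueId'
  'Title'
  'MG'
]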
// The target workspace is never created here; it is only referenced so that the
// child tables and the DCR's location/resource id can be resolved from it.
resource workspace 'Microsoft.OperationalInsights/workspaces@2023-09-01' existing = {
  name: workspaceName
}
// One existing-resource reference per source table. Their properties.schema is
// read below to build the cloned tables, so every name in tableNames must exist
// in the workspace or the deployment fails on the reference.
resource tables 'Microsoft.OperationalInsights/workspaces/tables@2022-10-01' existing = [for tableName in tableNames: {
  parent: workspace
  name: tableName
}]
// Creates <SourceTable>_Aux_CL with the source table's schema and the requested plan.
// NOTE(review): this uses a preview API version (2023-01-01-preview) while the
// source tables are read with 2022-10-01; presumably the preview version is needed
// for the 'Auxiliary' plan — confirm and revisit once a GA version supports it.
resource auxTables 'Microsoft.OperationalInsights/workspaces/tables@2023-01-01-preview' = [for (tableName, i) in tableNames: {
  parent: workspace
  name: '${tables[i].name}_Aux_CL'
  properties: {
    // union(): keys from the right-hand object win, so only the schema name and
    // displayName are overridden; columns/standardColumns are cloned as-is.
    schema: union(
      tables[i].properties.schema,
      {
        name: '${tables[i].properties.schema.name}_Aux_CL'
        displayName: null
      }
    )
    plan: plan
    totalRetentionInDays: logRetentionDays
  }
}]
// The DCR is built in a separate module: the stream declarations need toObject()
// over the per-table loop result, which is done there on the tableInfo parameter.
module dcr 'asimDCR.bicep' = {
  name: '${deployment().name}-dcr'
  params: {
    dcrName: '${deployment().name}-dcr'
    // DCR is placed in the workspace's region.
    location: workspace.location
    workspaceName: workspaceName
    // One entry per cloned table: its name plus a JSON string of {name, type}
    // columns. It is serialized with string() here and parsed with json() in the
    // module, because the value depends on deployed resources and cannot be a var.
    tableInfo: [for (table, i) in tableNames: { //Ideally would be a var but can't because of dependent reference
      name: auxTables[i].name
      columns: string(
        filter(
          filter(
            map(
              // Both the table's own columns and its standard columns are declared
              // in the stream; union() also drops exact duplicates.
              union(auxTables[i].properties.schema.columns, tables[i].properties.schema.standardColumns),
              c => {
                name: c.name
                type: c.type
              }
            ),
            // Drop names from reservedColumnNames (case-sensitive contains()).
            c => !contains(reservedColumnNames, c.name)
          ),
          // NOTE(review): this compares against 'Guid', while asimDCR.bicep rewrites
          // the type 'guid' to 'string'. Bicep string comparison is case-sensitive, so
          // only one of the two takes effect depending on the casing the tables API
          // returns for the column type — confirm the actual value and keep a single
          // strategy (drop the column, or keep it as a string).
          c => c.type != 'Guid')
      )
    }]
  }
}
// Pass-through of the module outputs: the DCR immutable id, the Direct-ingestion
// endpoint URL, and the 'Custom-<Table>_Aux_CL' stream names a client must use.
// None of these is a secret, but the endpoint accepts data only from principals
// that have been granted ingest rights on the DCR (not granted by this template).
output dcrRuleId string = dcr.outputs.dcrRuleId
output dcrLogIngestionEndpoint string = dcr.outputs.dcrLogIngestionEndpoint
output streamNames array = dcr.outputs.streamNames
// asimDCR.bicep — builds a Direct-ingestion DCR with one stream per cloned table.
@description('Name of the data collection rule to create.')
param dcrName string
@description('Region for the DCR; the caller passes the workspace location.')
param location string = resourceGroup().location
@description('Name of the existing Log Analytics workspace used as the only destination.')
param workspaceName string
// Array of { name: '<Table>_Aux_CL', columns: '<JSON array of {name,type}>' }
// as produced by the parent template; columns is a JSON string, not an array.
param tableInfo array
// Destination name shared between destinations.logAnalytics[].name and dataFlows[].destinations.
var workspaceReference = 'workspace'
// Existing workspace; only its resource id is needed for the DCR destination.
resource workspace 'Microsoft.OperationalInsights/workspaces@2023-09-01' existing = {
  name: workspaceName
}
// Direct-kind DCR: it exposes its own logs-ingestion endpoint (read back below
// from properties.endpoints.logsIngestion) instead of needing a separate data
// collection endpoint resource.
// NOTE(review): nothing in this template grants anyone permission to post to that
// endpoint; the client principal presumably needs a role assignment scoped to this
// DCR. Scope that assignment to the DCR itself rather than the resource group so
// the credential can only write these streams — confirm with the RBAC setup.
resource dcr 'Microsoft.Insights/dataCollectionRules@2023-03-11' = {
  name: dcrName
  location: location
  kind: 'Direct'
  properties: {
    description: 'Log Analytics Ingestion Point for Auxiliary Tables'
    destinations: {
      logAnalytics: [
        {
          name: workspaceReference
          workspaceResourceId: workspace.id
        }
      ]
    }
    // One stream per table, keyed 'Custom-<Table>_Aux_CL', whose columns are the
    // parsed JSON column list from the parent.
    streamDeclarations: toObject(
      tableInfo,
      k=>'Custom-${k.name}',
      v=>{columns: map(
        json(v.columns),
        c => {
          name: c.name
          // Guid is not a valid stream type even though it's a valid table type
          // NOTE(review): replace() is a case-sensitive substring replace, so a type
          // reported as 'Guid' would pass through unchanged; the parent template
          // filters on 'Guid' while this rewrites 'guid' — only one can be taking
          // effect, confirm the actual casing and align the two.
          type: replace(c.type, 'guid', 'string')
        }
      )}
    )
    // Each stream is written unchanged (no transformKql) to the same-named
    // output stream in the single workspace destination.
    dataFlows: [for table in tableInfo: {
      streams: ['Custom-${table.name}']
      destinations: [workspaceReference]
      outputStream: 'Custom-${table.name}'
    }]
  }
}
// immutableId is the rule id a client sends in the ingestion URL; logsIngestion is
// the Direct endpoint created with the rule; streamNames are the declared stream
// keys ('Custom-<Table>_Aux_CL') read back from the deployed resource.
output dcrRuleId string = dcr.properties.immutableId
output dcrLogIngestionEndpoint string = dcr.properties.endpoints.logsIngestion
output streamNames array = objectKeys(dcr.properties.streamDeclarations)