Configure Azure Security Center using Bicep

At a few of my recent clients, I’m working on moving their infrastructure to code using Bicep. Part of that is always the configuration of Azure Security Center. Things to configure are, for example, the services for which you want to enable Azure Defender or the email notifications. This blog will describe how to do just that.

Enable Azure Defender on your subscription

Azure Defender Let’s start with Azure Defender. Enabling the paid plan for a particular feature will give you many insights on how you score in terms of security and will enable advanced threat protection for some of the services. In the portal, that looks like in the shown image. Doing that in Bicep requires the following code:

targetScope = 'subscription'

var enableSecurityCenterFor = [
  'KeyVaults'
  'SqlServers'
  'VirtualMachines'
  'StorageAccounts'
  'ContainerRegistry'
  'KubernetesService'
  'SqlServerVirtualMachines'
  'AppServices'
  'Dns'
  'Arm'
]

resource securityCenterPricing 'Microsoft.Security/pricings@2018-06-01' = [for name in enableSecurityCenterFor: {
  name: name
  properties: {
    pricingTier: 'Standard'
  }
}]

This first sets the deployment scope to the subscription level as this is a subscription resource. It then contains a list of all the services we want to enable Azure Defender for. You might opt not to enable it for all since it might get pretty expensive. The last few lines of code use a loop to deploy the ‘Microsoft.Security/pricings’ resource for each item in the array.

Configure email notifications on your subscription

Email Notifications With Azure Defender enabled, it is time to set up where notifications should go to. A notification could, for example, be about someone logging in to your database from an unknown location. Setting up how notifications are sent through the portal is shown in the image above. To do that using Bicep, add the following snippet to the previous template.

resource securityCenterContacts 'Microsoft.Security/securityContacts@2020-01-01-preview' = {
  name: 'default'
  properties: {
    emails: '[email protected]'
    alertNotifications: {
      state: 'On'
      minimalSeverity: 'High'
    }
    notificationsByRole: {
      state: 'On'
      roles: [
          'Owner'
      ]
    }
  }
}

This will deploy the ‘Microsoft.Security/securityContacts’ resource into the subscription. As you can see, it allows you to specify the same fields as through the UI but then nicely in Bicep.