
@yoelk
Created August 18, 2025 06:45
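Azure Monitor Logs ARM Template - Temporary
Note: $CONNECTOR_NAME, $SERVICE_PRINCIPAL_ID and $WORKSPACE_NAME appear to be placeholders that are substituted before deployment. As written, the template leaves the data collection endpoint's public network access enabled, and it grants the service principal Monitoring Contributor on the DCE and DCR and Log Analytics Contributor on the workspace in addition to Monitoring Metrics Publisher. If the principal only sends logs through the data collection rule, Monitoring Metrics Publisher on the DCR is normally sufficient, so the broader assignments are candidates for removal.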
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {
"connectorName": "$CONNECTOR_NAME",
"servicePrincipalId": "$SERVICE_PRINCIPAL_ID",
"location": "[resourceGroup().location]",
"dceName": "[concat(variables('connectorName'), '-dce')]",
"dcrName": "[concat(variables('connectorName'), '-dcr')]",
"streamName": "[concat('Custom-', variables('connectorName'), '-CommonSecurityLog')]",
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', '$WORKSPACE_NAME')]",
"dceResourceId": "[resourceId('Microsoft.Insights/dataCollectionEndpoints', variables('dceName'))]",
"dcrResourceId": "[resourceId('Microsoft.Insights/dataCollectionRules', variables('dcrName'))]",
"monitoringMetricsPublisherRoleId": "3913510d-42f4-4e42-8a64-420c390055eb",
"monitoringContributorRoleId": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
"logAnalyticsContributorRoleId": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
"dceRoleAssignmentId1": "[guid(variables('dceResourceId'), variables('servicePrincipalId'), variables('monitoringMetricsPublisherRoleId'), 'dce-metrics')]",
"dceRoleAssignmentId2": "[guid(variables('dceResourceId'), variables('servicePrincipalId'), variables('monitoringContributorRoleId'), 'dce-contributor')]",
"dcrRoleAssignmentId1": "[guid(variables('dcrResourceId'), variables('servicePrincipalId'), variables('monitoringMetricsPublisherRoleId'), 'dcr-metrics')]",
"dcrRoleAssignmentId2": "[guid(variables('dcrResourceId'), variables('servicePrincipalId'), variables('monitoringContributorRoleId'), 'dcr-contributor')]",
"workspaceRoleAssignmentId": "[guid(variables('workspaceResourceId'), variables('servicePrincipalId'), variables('logAnalyticsContributorRoleId'), 'workspace-contributor')]"
},
"resources": [
{
"type": "Microsoft.Insights/dataCollectionEndpoints",
"apiVersion": "2022-06-01",
"name": "[variables('dceName')]",
"location": "[variables('location')]",
"properties": {
"networkAcls": {
"publicNetworkAccess": "Enabled"
}
}
},
{
"type": "Microsoft.Insights/dataCollectionRules",
"apiVersion": "2022-06-01",
"name": "[variables('dcrName')]",
"location": "[variables('location')]",
"dependsOn": [
"[resourceId('Microsoft.Insights/dataCollectionEndpoints', variables('dceName'))]"
],
"properties": {
"dataCollectionEndpointId": "[variables('dceResourceId')]",
"streamDeclarations": {
"[variables('streamName')]": {
"columns": [
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "DeviceVendor",
"type": "string"
},
{
"name": "CustomField",
"type": "dynamic"
}
]
}
},
"dataSources": {},
"destinations": {
"logAnalytics": [
{
"name": "loganalytics-dest",
"workspaceResourceId": "[variables('workspaceResourceId')]"
}
]
},
"dataFlows": [
{
"streams": [
"[variables('streamName')]"
],
"destinations": [
"loganalytics-dest"
],
"transformKql": "source | extend DeviceVendor = tostring(DeviceVendor), CustomField = todynamic(CustomField) | project TimeGenerated, DeviceVendor, CustomField",
"outputStream": "Microsoft-CommonSecurityLog"
}
]
}
},
{
"type": "Microsoft.Insights/dataCollectionEndpoints/providers/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[concat(variables('dceName'), '/Microsoft.Authorization/', variables('dceRoleAssignmentId1'))]",
"dependsOn": [
"[resourceId('Microsoft.Insights/dataCollectionEndpoints', variables('dceName'))]"
],
"properties": {
"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('monitoringMetricsPublisherRoleId'))]",
"principalId": "[variables('servicePrincipalId')]"
}
},
{
"type": "Microsoft.Insights/dataCollectionEndpoints/providers/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[concat(variables('dceName'), '/Microsoft.Authorization/', variables('dceRoleAssignmentId2'))]",
"dependsOn": [
"[resourceId('Microsoft.Insights/dataCollectionEndpoints', variables('dceName'))]"
],
"properties": {
"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('monitoringContributorRoleId'))]",
"principalId": "[variables('servicePrincipalId')]"
}
},
{
"type": "Microsoft.Insights/dataCollectionRules/providers/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[concat(variables('dcrName'), '/Microsoft.Authorization/', variables('dcrRoleAssignmentId1'))]",
"dependsOn": [
"[resourceId('Microsoft.Insights/dataCollectionRules', variables('dcrName'))]"
],
"properties": {
"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('monitoringMetricsPublisherRoleId'))]",
"principalId": "[variables('servicePrincipalId')]"
}
},
{
"type": "Microsoft.Insights/dataCollectionRules/providers/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[concat(variables('dcrName'), '/Microsoft.Authorization/', variables('dcrRoleAssignmentId2'))]",
"dependsOn": [
"[resourceId('Microsoft.Insights/dataCollectionRules', variables('dcrName'))]"
],
"properties": {
"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('monitoringContributorRoleId'))]",
"principalId": "[variables('servicePrincipalId')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[concat('$WORKSPACE_NAME', '/Microsoft.Authorization/', variables('workspaceRoleAssignmentId'))]",
"properties": {
"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('logAnalyticsContributorRoleId'))]",
"principalId": "[variables('servicePrincipalId')]"
}
}
]
}