
Alias request: Microsoft.Insights/diagnosticSettings #691

Closed mschwit closed 3 years ago

mschwit commented 3 years ago

Scenario: I want a deployIfNotExists policy that configures a diagnostic setting to stream Azure Activity Log data to an Event Hub. Deploying the setting at subscription scope works, but the existence check does not detect a diagnostic setting that is already in place, so the policy cannot tell whether remediation is still needed. Note that in the definition below `details.type` is `Microsoft.Security/automations` while the `existenceCondition` tests for `Microsoft.Insights/diagnosticSettings`, and `ResourceGroupName` is bound to the `eventHubAuthorizationRuleId` parameter rather than a resource group; an alias for `Microsoft.Insights/diagnosticSettings` would make the existence check expressible directly. Also worth reviewing before this is used in production: the remediation identity is assigned role `b24988ac-6180-42a0-ab88-20f7382dd24c` (Contributor) at subscription scope, which is broader than what writing a diagnostic setting requires.

Definition

{ "policyType": "Custom", "mode": "All", "displayName": "TestExport", "policyRule": { "if": { "field": "type", "equals": "Microsoft.Resources/subscriptions" }, "then": { "effect": "deployIfNotExists", "details": { "type": "Microsoft.Security/automations", "name": "exportToEventHub", "ResourceGroupName": "[parameters('eventHubAuthorizationRuleId')]", "deploymentScope": "subscription", "roleDefinitionIds": [ "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" ], "existenceScope": "subscription", "existenceCondition": { "allOf": [ { "field": "type", "equals": "Microsoft.Insights/diagnosticSettings" }, { "field": "name", "equals": "[parameters('settingName')]" } ] }, "deployment": { "location": "westeurope", "properties": { "mode": "incremental", "template": { "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "settingName": { "type": "string", "metadata": { "description": "The name of the diagnostic setting" } }, "eventHubAuthorizationRuleId": { "type": "string", "metadata": { "description": "Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." 
} }, "eventHubName": { "type": "string", "metadata": { "description": "Name of the Event Hub in the Event Hub namespace to stream events to" } } }, "resources": [ { "apiVersion": "2017-05-01-preview", "type": "Microsoft.Insights/diagnosticSettings", "name": "[parameters('settingName')]", "location": "global", "properties": { "eventHubAuthorizationRuleId": "[parameters('eventHubAuthorizationRuleId')]", "logs": [ { "category": "Administrative", "enabled": true }, { "category": "Security", "enabled": true }, { "category": "Alert", "enabled": true }, { "category": "Policy", "enabled": true } ], "eventHubName": "[parameters('eventHubName')]" } } ] }, "parameters": { "eventHubAuthorizationRuleId": { "value": "[parameters('eventHubAuthorizationRuleId')]" }, "settingName": { "value": "[parameters('settingName')]" }, "eventHubName": { "value": "[parameters('eventHubName')]" } } } } } } }, "metadata": { "category": "SIEM", "createdBy": "5de913cf-5642-4223-ab39-e63d13775808", "createdOn": "2020-12-17T14:41:17.0810146Z", "updatedBy": "5de913cf-5642-4223-ab39-e63d13775808", "updatedOn": "2021-01-12T18:01:51.6456376Z" }, "parameters": { "settingName": { "type": "String", "metadata": { "displayName": "settingName", "description": "The name of the diagnostic setting" } }, "eventHubAuthorizationRuleId": { "type": "String", "metadata": { "displayName": "eventHubAuthorizationRuleId", "description": "Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." } }, "eventHubName": { "type": "String", "metadata": { "displayName": "eventHubName", "description": "Name of the Event Hub in the Event Hub namespace to stream events to" } } }, "id": "/providers/Microsoft.Management/managementGroups/Governance/providers/Microsoft.Authorization/policyDefinitions/f883fa04-72ca-41eb-b756-1db2d5dedc14", "name": "f883fa04-72ca-41eb-b756-1db2d5dedc14", "type": "Microsoft.Authorization/policyDefinitions" }

kenieva commented 3 years ago

Hi Mschwit, please refer to this community repo submission for guidance: https://github.com/Azure/Community-Policy/blob/master/Policies/Monitoring/deploy-diagnostic-setting-for-activity-log-event-hub/azurepolicy.json.