bigj51
commented
3 years ago For anyone wanting to know how to do this:
Prereq:
- AzSK deployed in Multi CA Central Mode
- EventHub
Steps:
-
Add an encrypted automation variable to the CA automation account named "eh_conn":
New-AzAutomationVariable -Encrypted $True -AutomationAccountName <your value> -Name "eh_conn" -ResourceGroupName <your value> -Value "{'EventHubNamespace' : '<your value>', 'EventHubName' : '<your value>', 'EventHubSendKeyName' : '<your value>','EventHubSendKey' : '<your value>'}" -
Edit [org-name]\CA-Runbook\RunbookScanAgent.ps1 (defaults to desktop)
-
Find the comment "# Main ScanAgent code" (currently around line 709, ver 4.14)
-
In the "try" block add this code:
Write-Output("SA: Setting up event hub endpoint...")$eh_conn = Get-AutomationVariable -Name "eh_conn"$eh_conn = $eh_conn | convertfrom-jsonSet-AzSKEventHubSettings -EventHubNamespace $eh_conn.EventHubNamespace -EventHubName $eh_conn.EventHubName-EventHubSendKeyName $eh_conn.EventHubSendKeyName -EventHubSendKey $eh_conn.EventHubSendKey #-Source "CA"Write-Output("SA: DONE Setting up event hub endpoint") -
Push the config to the storage account with
Update-AzSKOrganizationPolicy
ritika-msft
Enable Eventhub output for Central CAs
Description
Currently Eventhub is only supported for ad-hoc and SDL scans. It would be nice to have this feature for central mode CAs as well, to be able to action in real time.
I'm currently running 100 CAs in central mode to scan 900+ subscriptions with over 1 million+ resources. While i can run jobs against the LAW to perform actions, it would be nice to fit this into a real time automation system
Steps to reproduce
N/A
Expected behavior
Central mode CAs write events to an Eventhub
Actual behavior
Not support in CAs