zmoog / public-notes


Send sample events to an integration using the eventhub CLI tool #47

Closed zmoog closed 10 months ago

zmoog commented 10 months ago

I want to send some sample events from the Azure AD Identity Protection to Elasticsearch to test the dashboard.

Instead of setting up Identity Protection on Azure AD, I want to send existing sample events to the event hub using the eventhubs CLI tool.

zmoog commented 10 months ago

I will use the RiskyUsers log category at https://github.com/elastic/integrations/blob/main/packages/azure/data_stream/identity_protection/_dev/test/pipeline/test-rickyusers-raw.log

zmoog commented 10 months ago
┌────────────────┐           ┌────────────────┐            ┌─────────────────────┐
│     adlogs     │           │ azure-eventhub │            │ identityprotection  │
│ <<event hub>>  │──────────▶│   <<input>>    │───────────▶│   <<data stream>>   │
└────────────────┘           └────────────────┘            └─────────────────────┘
         ▲                                                                        
         │                                                                        
         │                                                                        
         │                                                                        
         │                                                                        
         │                                                                        
         │                                                                        
         │                                                                        
┌────────────────┐                                                                
│   eventhubs    │                                                                
│  <<cli tool>>  │                                                                
└────────────────┘                                                                
zmoog commented 10 months ago

I set up an agent policy:

[screenshot: agent policy (CleanShot 2023-08-28 at 16 11 18@2x)]

zmoog commented 10 months ago

On the event hub namespace, I created a Shared Access Policy named eventhubs-cli-tool with the Send and Listen claims:

[screenshot: Shared Access Policy eventhubs-cli-tool with Send and Listen claims (CleanShot 2023-08-28 at 16 15 39@2x)]

zmoog commented 10 months ago

Set up eventhubs and use it to send the test-rickyusers-raw.log sample file to the adlogs event hub:

export EVENTHUB_CONNECTION_STRING="Endpoint=sb://<REDACTED>.servicebus.windows.net/;SharedAccessKeyName=eventhubs-cli-tool;SharedAccessKey=<REDACTED>"
export EVENTHUB_NAMESPACE="<REDACTED>"
export EVENTHUB_NAME="adlogs"

eh eventdata send \
    --lines-from-text-file ~/path/to/test-rickyusers-raw.log 
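
The checks below are an added example, not code from zmoog/eventhubs or from the Elastic integration. They model the pre-flight a sender does before the `eh eventdata send` step above, without touching Azure: parse EVENTHUB_CONNECTION_STRING, confirm it targets the expected namespace through a dedicated Shared Access Policy rather than the namespace root key, reject a sample file that is not one JSON object per line, count the `category` values (the Azure integration routes records on it) and group lines into batches under the Event Hubs message-size limit. The 1 MB limit, the sample records, and names such as `SAMPLE_RAW_LOG` and `check_send_readiness` are this example's own assumptions; the record shape only imitates Azure AD Identity Protection log lines and is not the content of test-rickyusers-raw.log.

```python
"""Pre-flight checks before sending a sample log file to an Event Hub (added example)."""
import json
import os
from typing import Dict, List

# Constructed sample, imitating Azure AD Identity Protection diagnostic log lines.
SAMPLE_RAW_LOG = "\n".join([
    json.dumps({"category": "RiskyUsers", "operationName": "User Risk Detection",
                "properties": {"id": "u1", "riskLevel": "high", "riskState": "atRisk"}}),
    json.dumps({"category": "RiskyUsers", "operationName": "User Risk Detection",
                "properties": {"id": "u2", "riskLevel": "medium", "riskState": "confirmedCompromised"}}),
    "",  # blank lines are skipped, not sent as empty events
    json.dumps({"category": "UserRiskEvents", "operationName": "User Risk Event",
                "properties": {"id": "e1", "riskEventType": "anonymizedIPAddress"}}),
])

# Assumed Standard-tier limit (1 MB per event/batch); Basic tier is lower. Verify for your tier.
MAX_BATCH_BYTES = 1024 * 1024


def parse_connection_string(conn_str: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value'. Values (base64 keys) may themselves contain '='."""
    fields: Dict[str, str] = {}
    for part in conn_str.strip().strip(";").split(";"):
        if part:
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def redact(conn_str: str) -> str:
    """Mask the SharedAccessKey so the string is safe to print or log."""
    fields = parse_connection_string(conn_str)
    if "SharedAccessKey" in fields:
        fields["SharedAccessKey"] = "<REDACTED>"
    return ";".join(f"{k}={v}" for k, v in fields.items())


def check_policy(fields: Dict[str, str], namespace: str) -> List[str]:
    """Problems with where and as whom we would send. The policy's claims (Send/Listen/Manage)
    are not encoded in the connection string, so only the policy name can be checked here."""
    problems = []
    endpoint = fields.get("Endpoint", "")
    if not endpoint.startswith(f"sb://{namespace}.servicebus.windows.net"):
        problems.append(f"Endpoint {endpoint!r} does not belong to namespace {namespace!r}")
    if fields.get("SharedAccessKeyName") == "RootManageSharedAccessKey":
        problems.append("namespace root policy in use; use a dedicated Send/Listen policy")
    if not fields.get("SharedAccessKey"):
        problems.append("SharedAccessKey is missing")
    return problems


def load_records(text: str) -> List[str]:
    """Keep non-empty lines that are JSON objects; fail loudly on anything else."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: not JSON ({exc.msg})") from exc
        if not isinstance(obj, dict):
            raise ValueError(f"line {lineno}: expected a JSON object")
        records.append(line)
    return records


def batch_records(records: List[str], max_bytes: int = MAX_BATCH_BYTES) -> List[List[str]]:
    """Greedy batching: each batch's UTF-8 payload stays within max_bytes."""
    batches: List[List[str]] = []
    current: List[str] = []
    size = 0
    for line in records:
        n = len(line.encode("utf-8"))
        if n > max_bytes:
            raise ValueError(f"record of {n} bytes exceeds the {max_bytes}-byte limit")
        if current and size + n > max_bytes:
            batches.append(current)
            current, size = [], 0
        current.append(line)
        size += n
    if current:
        batches.append(current)
    return batches


def check_send_readiness(conn_str: str, namespace: str, raw_log: str,
                         max_bytes: int = MAX_BATCH_BYTES) -> Dict[str, object]:
    """Summary of what the CLI step would send, and anything that should stop it."""
    fields = parse_connection_string(conn_str)
    records = load_records(raw_log)
    counts: Dict[str, int] = {}
    for line in records:
        cat = json.loads(line).get("category", "<missing>")
        counts[cat] = counts.get(cat, 0) + 1
    return {"problems": check_policy(fields, namespace),
            "policy": fields.get("SharedAccessKeyName"),
            "record_count": len(records), "categories": counts,
            "batches": len(batch_records(records, max_bytes))}


if __name__ == "__main__":
    conn = os.environ.get("EVENTHUB_CONNECTION_STRING", "Endpoint=sb://example.servicebus.windows.net/;"
                          "SharedAccessKeyName=eventhubs-cli-tool;SharedAccessKey=dummy")
    ns = os.environ.get("EVENTHUB_NAMESPACE", "example")
    print(redact(conn))
    print(json.dumps(check_send_readiness(conn, ns, SAMPLE_RAW_LOG), indent=2))
```

Run it with the same EVENTHUB_CONNECTION_STRING and EVENTHUB_NAMESPACE exported above; an empty `problems` list and a `categories` count that shows only the expected log categories is what to see before pointing `eh eventdata send` at a shared hub. Whether the named policy actually carries the Send claim is only visible in the portal, not in the connection string.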

zmoog commented 10 months ago

Here's the docs in Elasticsearch:

[screenshot: documents in Elasticsearch (CleanShot 2023-08-28 at 16 26 56@2x)]