Closed zmoog closed 10 months ago
I want to send some sample events from the Azure AD Identity Protection to Elasticsearch to test the dashboard.
Instead of setting up Identity Protection on Azure AD, I want to send existing sample events to the event hub using the eventhubs CLI tool.
I will use the RiskyUsers log category at https://github.com/elastic/integrations/blob/main/packages/azure/data_stream/identity_protection/_dev/test/pipeline/test-rickyusers-raw.log

```
┌────────────────┐           ┌────────────────┐            ┌─────────────────────┐
│     adlogs     │           │ azure-eventhub │            │ identityprotection  │
│ <<event hub>>  │──────────▶│   <<input>>    │───────────▶│   <<data stream>>   │
└────────────────┘           └────────────────┘            └─────────────────────┘
        ▲
        │
        │
        │
┌────────────────┐
│   eventhubs    │
│  <<cli tool>>  │
└────────────────┘
```

I set up an agent policy:
On the event hub namespace, I created a Shared Access Policy named eventhubs-cli-tool with the Send and Listen claims:
Set up eventhubs and use it to send the test-rickyusers-raw.log sample file to the adlogs event hub:

```shell
export EVENTHUB_CONNECTION_STRING="Endpoint=sb://<REDACTED>.servicebus.windows.net/;SharedAccessKeyName=eventhubs-cli-tool;SharedAccessKey=<REDACTED>"
export EVENTHUB_NAMESPACE="<REDACTED>"
export EVENTHUB_NAME="adlogs"

eh eventdata send \
  --lines-from-text-file ~/path/to/test-rickyusers-raw.log
```

Here's the docs in Elasticsearch:
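The procedure above, as an added example that is not part of the original issue and not code from the eventhubs CLI tool or the elastic/integrations repository: a Python script that reads the raw sample file, validates each line as a JSON document, and sends one event per non-empty line to the hub using the azure-eventhub SDK, in the same way the `eh eventdata send --lines-from-text-file` command does. The connection string and the two-line sample embedded in the script are constructed placeholders (the key is made up, the record fields are not the RiskyUsers schema); the real file path, namespace and key come from the environment variables shown above. The `azure-eventhub` package is an assumption (pip-installable) and is only imported when events are actually sent, so the parsing helpers run offline. A policy carrying only the Send claim is sufficient for the sending function; Listen is not needed to publish.

```python
"""Send each line of a raw Azure log sample file to an Event Hub as one event.

Added example, not code from the eventhubs CLI tool or elastic/integrations.
"""
import json
import os
import sys
from typing import Dict, List

# Constructed connection string in the shape of the page's EVENTHUB_CONNECTION_STRING.
# The key is a made-up base64 string, not a real secret.
EXAMPLE_CONNECTION_STRING = (
    "Endpoint=sb://example-namespace.servicebus.windows.net/;"
    "SharedAccessKeyName=eventhubs-cli-tool;"
    "SharedAccessKey=c2VjcmV0a2V5MTIzNDU2Nzg5MA=="
)

# Constructed stand-in for test-rickyusers-raw.log: one JSON document per line, with a
# blank line on purpose. Field names are placeholders, not the RiskyUsers schema.
SAMPLE_RAW_LOG = """\
{"category": "RiskyUsers", "id": "constructed-1"}

{"category": "RiskyUsers", "id": "constructed-2"}
"""


def parse_connection_string(conn_str: str) -> Dict[str, str]:
    """Split a namespace connection string into its ';'-separated key=value parts.

    Only the first '=' of a segment separates key from value, so the base64
    padding of SharedAccessKey is preserved.
    """
    parts: Dict[str, str] = {}
    for segment in conn_str.strip().strip(";").split(";"):
        key, sep, value = segment.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed connection string segment: {segment!r}")
        parts[key.strip()] = value.strip()
    missing = [f for f in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey") if f not in parts]
    if missing:
        raise ValueError(f"connection string is missing {', '.join(missing)}")
    return parts


def namespace_host(parts: Dict[str, str]) -> str:
    """Return the fully qualified namespace host from Endpoint (sb://host/ -> host)."""
    endpoint = parts["Endpoint"]
    if endpoint.startswith("sb://"):
        endpoint = endpoint[len("sb://"):]
    return endpoint.rstrip("/")


def load_events(text: str) -> List[str]:
    """Return the non-empty lines of a raw sample file, each checked to be JSON.

    Rejecting a malformed line here is cheaper than shipping it: the input would
    deliver it and the ingest pipeline would fail on that one document, which is
    hard to notice from the dashboard side.
    """
    events: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno} is not valid JSON: {exc}") from exc
        events.append(line)
    return events


def send_events(conn_str: str, eventhub_name: str, events: List[str]) -> int:
    """Send events to the hub in size-limited batches and return how many went out."""
    # Assumed dependency: pip install azure-eventhub. Imported lazily on purpose.
    from azure.eventhub import EventData, EventHubProducerClient

    sent = 0
    producer = EventHubProducerClient.from_connection_string(conn_str, eventhub_name=eventhub_name)
    with producer:
        batch, in_batch = producer.create_batch(), 0
        for event in events:
            try:
                batch.add(EventData(event))
            except ValueError:
                # Batch reached the hub's maximum message size: flush it and start a new one.
                producer.send_batch(batch)
                sent += in_batch
                batch, in_batch = producer.create_batch(), 0
                batch.add(EventData(event))
            in_batch += 1
        if in_batch:
            producer.send_batch(batch)
            sent += in_batch
    return sent


def main(argv: List[str]) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} <raw.log>", file=sys.stderr)
        return 2
    conn_str = os.environ["EVENTHUB_CONNECTION_STRING"]
    parts = parse_connection_string(conn_str)
    with open(argv[1], encoding="utf-8") as fh:
        events = load_events(fh.read())
    sent = send_events(conn_str, os.environ["EVENTHUB_NAME"], events)
    print(f"sent {sent} events to {os.environ['EVENTHUB_NAME']} on {namespace_host(parts)} "
          f"using policy {parts['SharedAccessKeyName']}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python send_sample.py ~/path/to/test-rickyusers-raw.log` with the same `EVENTHUB_CONNECTION_STRING` and `EVENTHUB_NAME` exported as above. A connection string missing any of the three fields, or a file containing a non-JSON line, is rejected before anything is sent, which keeps a typo in the sample from turning into a one-document pipeline failure on the Elasticsearch side.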