Enable Eventhub output for Central CAs

[bigj51]

Enable Eventhub output for Central CAs

Description

Currently Eventhub is only supported for ad-hoc and SDL scans. It would be nice to have this feature for central mode CAs as well, to be able to action in real time.

I'm currently running 100 CAs in central mode to scan 900+ subscriptions with over 1 million+ resources. While i can run jobs against the LAW to perform actions, it would be nice to fit this into a real time automation system

Steps to reproduce

N/A

Expected behavior

Central mode CAs write events to an Eventhub

Actual behavior

Not support in CAs

[bigj51]

For anyone wanting to know how to do this:

Prereq:

• AzSK deployed in Multi CA Central Mode
• EventHub

Steps:

1. Add an encrypted automation variable to the CA automation account named "eh_conn":
   New-AzAutomationVariable -Encrypted $True -AutomationAccountName <your value> -Name "eh_conn" -ResourceGroupName <your value> -Value "{'EventHubNamespace' : '<your value>', 'EventHubName' : '<your value>', 'EventHubSendKeyName' : '<your value>','EventHubSendKey' : '<your value>'}"

2. Edit [org-name]\CA-Runbook\RunbookScanAgent.ps1 (defaults to desktop)

3. Find the comment "# Main ScanAgent code" (currently around line 709, ver 4.14)

4. In the "try" block add this code:
   Write-Output("SA: Setting up event hub endpoint...")
$eh_conn = Get-AutomationVariable -Name "eh_conn"
$eh_conn = $eh_conn | convertfrom-json
Set-AzSKEventHubSettings -EventHubNamespace $eh_conn.EventHubNamespace -EventHubName $eh_conn.EventHubName
-EventHubSendKeyName $eh_conn.EventHubSendKeyName -EventHubSendKey $eh_conn.EventHubSendKey #-Source "CA"
Write-Output("SA: DONE Setting up event hub endpoint")

5. Push the config to the storage account with Update-AzSKOrganizationPolicy

[ritika-msft]

Please let us know if you still have any issues here or we are good to close this issue as I can see you have already shared a solution that I believe worked for you.

Thanks,
Ritika