Hello
I have succeeded in getting it working.
You can use either a system-assigned managed identity or a user-assigned managed identity (below you have a user-assigned MI).
Give the MI the rights given to the App in the blog post and you don't need an app registration or a Key Vault.
param($EventGridEvent, $TriggerMetaData)

############### BEGIN USER SPECIFIED VARIABLES ###############
############### Please fill in values for all Variables in this section. ###############
# Client ID of the user-assigned managed identity attached to the Function App
$ClientId = 'xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx'
# Specify the name of the LAW Table that you will be sending data to
$Table = "Zzzzzzzzz_CL"
# Specify the Immutable ID of the DCR
$DcrImmutableId = "dcr-yyyyyyyyyyyyyyyyyyyyyyyy"
# Specify the URI of the DCE
$DceURI = "https://xxxxxxxxxxxxxxxxxxxxx.ingest.monitor.azure.com"
############### END USER SPECIFIED VARIABLES ###############

# Log in to Azure as the Azure Function's user-assigned managed identity (no app registration or Key Vault secret needed)
Connect-AzAccount -Identity -AccountId $ClientId

## Obtain a bearer token used to authenticate against the data collection endpoint
# Method 1: call the Azure Functions managed identity endpoint directly with the resource URI
$resourceURI = "https://monitor.azure.com/"
#$resourceURI = "https://management.azure.com"
$tokenAuthURI = $env:IDENTITY_ENDPOINT + "?resource=$resourceURI&client_id=$ClientId&api-version=2019-08-01"
$tokenResponse = Invoke-RestMethod -Method Get -Headers @{ "X-IDENTITY-HEADER" = $env:IDENTITY_HEADER } -Uri $tokenAuthURI
$bearerToken = $tokenResponse.access_token

# Method 2: let Az.Accounts request the token for the same resource; the token string is in the .Token property
# (newer Az.Accounts releases may return .Token as a SecureString, convert it to plain text before using it in a header)
$bearerToken2 = (Get-AzAccessToken -ResourceUrl "https://monitor.azure.com/").Token

# Build the record as an object and let ConvertTo-Json do the quoting and escaping,
# so a subject or ID containing quotes or backslashes cannot produce malformed JSON
$record = [ordered]@{
    res_id               = "$($EventGridEvent.id)"
    topic                = "$($EventGridEvent.topic)"
    subject              = "$($EventGridEvent.subject)"
    eventtime            = "$($EventGridEvent.eventTime)"
    event_type           = "$($EventGridEvent.eventType)"
    compliancestate      = "$($EventGridEvent.data.complianceState)"
    compliancereasoncode = "$($EventGridEvent.data.complianceReasonCode)"
    policydefinitionid   = "$($EventGridEvent.data.policyDefinitionId)"
    policyassignmentid   = "$($EventGridEvent.data.policyAssignmentId)"
    subscriptionid       = "$($EventGridEvent.data.subscriptionId)"
    timestamp            = "$($EventGridEvent.data.timestamp)"
}
# The Logs Ingestion API expects a JSON array of records; -InputObject keeps the single-element array from being unwrapped
$body = ConvertTo-Json -InputObject @($record) -Depth 5

# Sending the data to Log Analytics via the DCR!
$headers = @{ "Authorization" = "Bearer $bearerToken"; "Content-Type" = "application/json" }
$uri = "$DceURI/dataCollectionRules/$DcrImmutableId/streams/Custom-$Table" + "?api-version=2021-11-01-preview"
$uploadResponse = Invoke-RestMethod -Uri $uri -Method "Post" -Body $body -Headers $headers
#$uploadResponse | Out-String | Write-Host
You have two options to get the access token
Enjoy
Christophe