A script to load policy definition objects into OMS for later use with queries.
The script creates a table called `policyname_CL` in the target OMS workspace, which can be used as the basis for policy analytics. The following query joins the AzureActivity table to the policyname table:
```
let policynames = policyname_CL | summarize by displayName_s, name_g;
AzureActivity
| where Type == "AzureActivity"
| where Category == "Policy"
| extend js = extractjson("$.[0].policyDefinitionEffect", tostring(parse_json(Properties).policies))
| extend nameid = extractjson("$.[0].policyDefinitionName", tostring(parse_json(Properties).policies))
| join kind=inner (policynames) on $left.nameid == $right.name_g
| summarize count() by displayName_s, bin(TimeGenerated, 1d)
| render barchart
```
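The page does not show how the loader writes the table, so the following is an added example (not the project's code) that assumes the standard Log Analytics HTTP Data Collector API: a POST of JSON records with a `Log-Type` of `policyname` creates the custom table `policyname_CL`, a plain string field becomes `displayName_s` and a GUID-formatted string becomes `name_g`, which is exactly the shape the query above joins on. The workspace id, key and policy records below are constructed placeholders; `build_request` only assembles the signed request and sends nothing.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

API_VERSION = "2016-04-01"
RESOURCE = "/api/logs"

# Constructed sample input: the fields of a policy definition object that the
# query above uses. "name" is a GUID-formatted string, so Log Analytics types it
# as name_g; "displayName" is a plain string and becomes displayName_s.
SAMPLE_POLICIES = [
    {"name": "11111111-2222-3333-4444-555555555555",
     "displayName": "Audit VMs that do not use managed disks"},
    {"name": "66666666-7777-8888-9999-000000000000",
     "displayName": "Allowed locations"},
]


def build_signature(workspace_id, workspace_key, rfc1123_date, content_length):
    """Return (Authorization header, string-to-sign) for one POST to /api/logs.
    WORKSPACE_KEY is the base64-encoded shared key; HMAC-SHA256 is taken over
    the canonical request string and base64-encoded into the SharedKey header."""
    string_to_sign = (f"POST\n{content_length}\napplication/json\n"
                      f"x-ms-date:{rfc1123_date}\n{RESOURCE}")
    digest = hmac.new(base64.b64decode(workspace_key),
                      string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}", string_to_sign


def build_request(workspace_id, workspace_key, log_type, records, now=None):
    """Assemble url, headers and body; records land in the custom table <log_type>_CL."""
    now = now or datetime.now(timezone.utc)
    rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records).encode("utf-8")
    auth, _ = build_signature(workspace_id, workspace_key, rfc1123_date, len(body))
    headers = {"Content-Type": "application/json", "Authorization": auth,
               "Log-Type": log_type, "x-ms-date": rfc1123_date}
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version={API_VERSION}"
    return url, headers, body


if __name__ == "__main__":
    # Placeholder workspace id and a constructed (not real) base64 shared key.
    demo_key = base64.b64encode(b"constructed-demo-key-not-a-real-secret").decode()
    url, headers, body = build_request("00000000-0000-0000-0000-000000000000",
                                       demo_key, "policyname", SAMPLE_POLICIES)
    print(url, headers["Authorization"], body.decode(), sep="\n")
```

The string-to-sign must match the request byte for byte (method, body length, content type, date header and resource path), which is why the date is generated once and reused in both the header and the signature.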
The container is configured using the following environment variables:

- SUBSCRIPTION: the subscription where the servers are running. To get the subscription id, execute `az account list -o table`.
- SP_ID: the service principal appId. The service principal is used to query the API for the VM IP addresses. To create a new service principal that only has read-only rights:

```
az ad sp create-for-rbac --role=Reader
```

This command will output the following, where appId is the value passed as the SP_ID environment variable. It is recommended to note the information down, as the password is only shown once:

```
{
  "appId": "XXXXXXX",
  "displayName": "XXXXX",
  "name": "XXXXX",
  "password": "XXXXXXX",
  "tenant": "XXXXXXX"
}
```

For more info on service principal creation see https://docs.microsoft.com/en-us/cli/azure/ad/sp#create-for-rbac

- SP_PASSWORD: the password of the service principal, from the output of the previous step.
- SP_TENANT: the tenant of the service principal, from the output of the previous step.
Build the image with `docker build -t policyloaderoms .` and run it with the variables set (the `-e` flags must come before the image name, otherwise they are passed as arguments to the container):

```
docker run \
  -e SUBSCRIPTION=XXXX \
  -e SP_ID=XXXX \
  -e SP_PASSWORD=XXXX \
  -e SP_TENANT=XXXX \
  -e WORKSPACE_ID=XXXX \
  -e WORKSPACE_KEY=XXXX \
  policyloaderoms
```
The container is pushed to Docker Hub under https://hub.docker.com/r/ivmckinl/policyloaderoms/ and can be run using Azure Container Instances. SP_PASSWORD and WORKSPACE_KEY are secrets; consider passing those two with `--secure-environment-variables` instead, so they are not exposed in the container group's properties.

```
az container create \
  --resource-group devmachine \
  --name policyloaderoms \
  --image ivmckinl/policyloaderoms:latest \
  --restart-policy OnFailure \
  --environment-variables SUBSCRIPTION=XXXX SP_ID=XXX SP_PASSWORD=XXX SP_TENANT=XXX WORKSPACE_ID=XXX WORKSPACE_KEY=XXX
```