...
An analyst wants to detect unauthorized changes in Azure or Entra ID. Using the Azure Event Hub collector to send identity and access logs to Devo, the analyst will find privilege escalation events. As a result, the analyst will remove the malicious accounts, preventing them from disabling or modifying Azure resources.
The Azure Event Hub collector brings the following data into Devo:
Azure Monitor, which includes audit records, metrics, and diagnostic logs from all Azure cloud services.
Entra ID, whose sign-in and audit logs expose authentication and role-assignment threats.
Any other string or byte data, which can be published to the Event Hub with a simple script.
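The use case above (privilege escalation found in Entra ID identity and access logs) can be reproduced offline on the raw Event Hub payload. The following Python is an added example and is not Devo's or Microsoft's code: it assumes the Azure Monitor diagnostic-setting export shape (a JSON envelope with a `records` array, Entra ID audit records carrying `operationName`, `resultType`, `properties.initiatedBy` and `properties.targetResources[].modifiedProperties`), and the set of privileged roles and role-granting operations is an assumption chosen for the example. The sample message, hostnames and timestamps are constructed.

```python
import json

# Assumed for this example: roles whose assignment counts as privilege escalation.
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Security Administrator",
}

# Assumed for this example: Entra ID audit operationName values that grant a role.
ROLE_GRANT_OPERATIONS = {"Add member to role", "Add eligible member to role"}


def role_assignment_record(time, result, actor_upn, target_upn, role):
    """Build one constructed Entra ID AuditLogs record in the Azure Monitor export shape."""
    return {
        "time": time,
        "category": "AuditLogs",
        "operationName": "Add member to role",
        "resultType": result,
        "properties": {
            "category": "RoleManagement",
            "initiatedBy": {"user": {"userPrincipalName": actor_upn}},
            "targetResources": [
                {
                    "type": "User",
                    "userPrincipalName": target_upn,
                    "modifiedProperties": [
                        # The export stores newValue as a JSON-encoded string.
                        {"displayName": "Role.DisplayName", "oldValue": "", "newValue": json.dumps(role)},
                    ],
                }
            ],
        },
    }


# Constructed sample: one Event Hub message as a diagnostic setting delivers it.
# Hostnames and times are fictitious. Only the first record is an escalation.
SAMPLE_EVENT_HUB_MESSAGE = json.dumps({
    "records": [
        role_assignment_record("2024-05-01T10:00:00Z", "Success",
                               "admin@contoso.example", "eve@contoso.example", "Global Administrator"),
        role_assignment_record("2024-05-01T10:01:00Z", "Success",
                               "admin@contoso.example", "bob@contoso.example", "Directory Readers"),
        role_assignment_record("2024-05-01T10:02:00Z", "Failure",
                               "mallory@contoso.example", "mallory@contoso.example", "Global Administrator"),
        {  # a sign-in record, present to show that non-audit categories are ignored
            "time": "2024-05-01T10:03:00Z",
            "category": "SignInLogs",
            "operationName": "Sign-in activity",
            "resultType": "0",
            "properties": {"userPrincipalName": "alice@contoso.example"},
        },
    ]
})


def parse_event_hub_message(raw):
    """Split one Event Hub message into its Azure Monitor records."""
    return json.loads(raw).get("records", [])


def granted_roles(record):
    """Return the set of role display names a RoleManagement audit record grants."""
    roles = set()
    for target in record.get("properties", {}).get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") != "Role.DisplayName":
                continue
            value = prop.get("newValue", "")
            try:
                value = json.loads(value)  # unwrap the JSON-encoded string
            except (TypeError, ValueError):
                pass  # keep the raw value if it was not JSON-encoded
            roles.add(str(value))
    return roles


def actor_of(record):
    """Identify who initiated the change: a user UPN or an application name."""
    initiated_by = record.get("properties", {}).get("initiatedBy", {})
    user = initiated_by.get("user") or {}
    app = initiated_by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def detect_privilege_escalation(raw_message):
    """Return one finding per successful assignment of a privileged Entra ID role."""
    findings = []
    for record in parse_event_hub_message(raw_message):
        if record.get("category") != "AuditLogs":
            continue
        if record.get("operationName") not in ROLE_GRANT_OPERATIONS:
            continue
        if record.get("resultType") != "Success":
            continue  # a failed grant is worth hunting, but it is not an escalation
        roles = granted_roles(record) & PRIVILEGED_ROLES
        if not roles:
            continue
        targets = [t.get("userPrincipalName")
                   for t in record["properties"].get("targetResources", [])
                   if t.get("userPrincipalName")]
        findings.append({"time": record.get("time"), "actor": actor_of(record),
                         "targets": targets, "roles": sorted(roles)})
    return findings


if __name__ == "__main__":
    for f in detect_privilege_escalation(SAMPLE_EVENT_HUB_MESSAGE):
        print(f"{f['time']} {f['actor']} granted {', '.join(f['roles'])} to {', '.join(f['targets'])}")
```

The filter deliberately keys on `resultType == "Success"` and on the role name after unwrapping the JSON-encoded `newValue`; a detection that compares the raw `newValue` against `"Global Administrator"` silently misses every event because of the embedded quotes. Eligible (PIM) assignments are included through `Add eligible member to role`, since they become active privilege on activation.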
Example tables
| Table | Description |
|---|---|
| cloud.azure | Data from Event Hubs, VM metrics, Entra ID, and other sources. |
| cloud.azure.service.type | Pattern for most Azure services: each type of log associated with a service gets its own table named after the service and the log type. |
| cloud.azure.ad.* | Entra ID identity and access management logs. |
| cloud.azure.ad.signin_all | Union table that combines all the Entra ID authentication (sign-in) logs. |
| auth.all | Authentication logs, including Entra ID and Azure SQL authentication. |
| web.all.access | Web activity, including Azure Application Gateway. |
| firewall.all.traffic | Firewall activity, including Azure Firewall. |
| network.dns | DNS activity, including Azure Firewall DNS Proxy. |
Authorize It
To perform the authorization, the Security Administrator role in Entra ID is required.
...