Versions Compared

...

  1. In Azure Portal, search for Entra ID.

  2. Click App registrations in the left menu and click New registration.

  3. Register the application.

  4. Search for the Event Hubs service and click on it.

  5. Click Create.

  6. Select the subscription and resource group corresponding to the resources that must be monitored.

  7. Enter a name.

  8. In the Location field, select the region containing the resources that must be monitored.

  9. To capture Blob or Data Lake, see How Event Hubs Capture is charged to select a tier. Otherwise, select the cheapest tier and one throughput unit. If you need more resources, they can be added later.

  10. Select “Review+Create,” then “Create.”

  11. Return to Event Hubs and open the namespace created in the previous steps.

  12. Select Access control (IAM) in the left menu, click Add, and click Add Access Role Assignment.

  13. Search for the Azure Event Hubs Data Receiver role, select it, and click Next.

  14. Click Select members and search for the previously created App registration.

  15. Select the application by clicking its name.

  16. Once the application is listed as a selected member, click Select.

  17. Click Review + Assign.

  18. In the namespace, create a shared access policy for sending data to the event hub.

  19. Create a second shared access policy for listening to the event hub.

  20. Open the listen policy and copy the primary connection string.

  21. Search for and select the Monitor service.

  22. Click the Diagnostic Settings option in the left area.
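The same setup as steps 1 through 20, done with the Az PowerShell modules instead of the portal. This is an added example and not part of the Devo page; it assumes Az.Accounts, Az.Resources and Az.EventHub 4.x are installed and Connect-AzAccount has been run. The resource group, region, namespace and hub names, and the two policy names diag-send and devo-listen, are placeholders chosen here; the role name and the Send/Listen split come from the steps above.

```powershell
# Added example (not Devo's code): portal steps 1-20 as Az PowerShell.
# Assumes Connect-AzAccount was run and Az.EventHub 4.x parameter names
# (older module versions use -AuthorizationRuleName instead of -Name).
$rg       = "<resource-group-of-monitored-resources>"   # placeholder
$location = "<region-of-monitored-resources>"           # placeholder
$ns       = "<event-hub-namespace-name>"                # placeholder
$hub      = "azure-logs"                                # placeholder hub name

# Steps 1-3: register the application; the service principal is what gets the role.
$app = New-AzADApplication -DisplayName "devo-azure-collector"
$sp  = New-AzADServicePrincipal -ApplicationId $app.AppId

# Steps 4-10: namespace on the cheapest tier with one throughput unit, plus one hub.
$namespace = New-AzEventHubNamespace -ResourceGroupName $rg -Name $ns -Location $location `
    -SkuName Basic -SkuCapacity 1
New-AzEventHub -ResourceGroupName $rg -NamespaceName $ns -Name $hub -PartitionCount 2 | Out-Null

# Steps 11-17: Azure Event Hubs Data Receiver, scoped to this namespace only (least privilege).
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName "Azure Event Hubs Data Receiver" `
    -Scope $namespace.Id | Out-Null

# Steps 18-19: two separate shared access policies so the credential used by diagnostic
# settings can only Send and the credential given to the collector can only Listen.
New-AzEventHubAuthorizationRule -ResourceGroupName $rg -NamespaceName $ns -Name "diag-send"   -Rights Send   | Out-Null
New-AzEventHubAuthorizationRule -ResourceGroupName $rg -NamespaceName $ns -Name "devo-listen" -Rights Listen | Out-Null

# Step 20: the listen policy's primary connection string is what the collector needs.
$listen = Get-AzEventHubKey -ResourceGroupName $rg -NamespaceName $ns -Name "devo-listen"

[pscustomobject]@{
    TenantId         = (Get-AzContext).Tenant.Id
    ClientId         = $app.AppId
    NamespaceId      = $namespace.Id
    ConnectionString = $listen.PrimaryConnectionString   # treat as a secret
}
```

The send policy created here is the one to reference later from diagnostic settings; the listen connection string is a secret and should go into the collector configuration, not into a ticket or chat.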

Info

An Azure account may have thousands of resources that need diagnostic settings configured. If enabling the diagnostic settings manually is impractical, use PowerShell to create a policy that applies them.
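One way to build that policy, as an added example that is not part of the Devo page: a custom Azure Policy definition with a deployIfNotExists effect that creates a diagnostic setting streaming all logs and metrics to the event hub on every resource of a given type, assigned with a managed identity and followed by a remediation task for resources that already exist. It assumes Az.Accounts and Az.Resources with the 6.x output property names (Identity.PrincipalId, PolicyAssignmentId) and a prior Connect-AzAccount; the subscription, resource group, namespace, event hub name and region in angle brackets are placeholders, and the authorization rule must be the send policy from the earlier steps. The two role definition GUIDs are the built-in Monitoring Contributor and Azure Event Hubs Data Owner roles.

```powershell
# Added example, not Devo's code: Azure Policy that deploys diagnostic settings
# (all logs + all metrics -> event hub) to every resource of one type.
# Assumes Az.Accounts / Az.Resources 6.x and a prior Connect-AzAccount.
$Scope        = "/subscriptions/<subscription-id>"                           # placeholder
$EventHubRule = "$Scope/resourceGroups/<rg>/providers/Microsoft.EventHub/namespaces/<namespace>/authorizationRules/<send-policy>"
$EventHubName = "<event-hub-name>"                                            # placeholder
$ResourceType = "Microsoft.KeyVault/vaults"   # assign once per resource type to monitor
$Location     = "<region>"                    # required for the assignment's managed identity

# Rule: a resource of the given type with no diagnostic setting pointing at our
# authorization rule gets one deployed. roleDefinitionIds are Monitoring Contributor
# and Azure Event Hubs Data Owner, which the assignment identity is granted below.
$rule = @'
{ "if": { "field": "type", "equals": "[parameters('resourceType')]" },
  "then": { "effect": "deployIfNotExists", "details": {
    "type": "Microsoft.Insights/diagnosticSettings",
    "roleDefinitionIds": [
      "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
      "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec" ],
    "existenceCondition": {
      "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
      "equals": "[parameters('eventHubAuthorizationRuleId')]" },
    "deployment": { "properties": { "mode": "incremental",
      "template": {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
          "resourceName": { "type": "string" }, "resourceType": { "type": "string" },
          "eventHubAuthorizationRuleId": { "type": "string" }, "eventHubName": { "type": "string" } },
        "resources": [ {
          "type": "[concat(parameters('resourceType'), '/providers/diagnosticSettings')]",
          "apiVersion": "2021-05-01-preview",
          "name": "[concat(parameters('resourceName'), '/Microsoft.Insights/toEventHub')]",
          "properties": {
            "eventHubAuthorizationRuleId": "[parameters('eventHubAuthorizationRuleId')]",
            "eventHubName": "[parameters('eventHubName')]",
            "logs":    [ { "categoryGroup": "allLogs", "enabled": true } ],
            "metrics": [ { "category": "AllMetrics",   "enabled": true } ] } } ] },
      "parameters": {
        "resourceName": { "value": "[field('name')]" },
        "resourceType": { "value": "[field('type')]" },
        "eventHubAuthorizationRuleId": { "value": "[parameters('eventHubAuthorizationRuleId')]" },
        "eventHubName": { "value": "[parameters('eventHubName')]" } } } } } }
}
'@
$params = @'
{ "resourceType":                { "type": "String" },
  "eventHubAuthorizationRuleId": { "type": "String" },
  "eventHubName":                { "type": "String" } }
'@

$def = New-AzPolicyDefinition -Name "deploy-diag-to-eventhub" -Mode Indexed `
    -DisplayName "Deploy diagnostic settings (logs+metrics) to event hub" -Policy $rule -Parameter $params

$assignment = New-AzPolicyAssignment -Name "diag-eventhub-$($ResourceType.Split('/')[-1])" `
    -Scope $Scope -PolicyDefinition $def -Location $Location -IdentityType SystemAssigned `
    -PolicyParameterObject @{ resourceType = $ResourceType; eventHubAuthorizationRuleId = $EventHubRule; eventHubName = $EventHubName }

# deployIfNotExists runs as the assignment's managed identity: grant it exactly the two
# roles the rule declares, at the assignment scope. Give the new identity time to propagate.
Start-Sleep -Seconds 30
foreach ($roleId in "749f88d5-cbae-40b8-bcfc-e573ddc772fa", "f526a384-b230-433a-b45c-95f59c4a2dec") {
    New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId -RoleDefinitionId $roleId -Scope $Scope | Out-Null
}

# Policy evaluates new and updated resources on its own; existing resources need a remediation task.
Start-AzPolicyRemediation -Name "remediate-diag-eventhub" -PolicyAssignmentId $assignment.PolicyAssignmentId
```

Run the assignment once per resource type you want streamed (Key Vault, Storage, Firewall, and so on), checking the diagnostic settings blade of one remediated resource to confirm the setting landed. If your Az.Resources version names the assignment's output properties differently, `$assignment | Format-List` shows the identity principal id and assignment id to use.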

...

Select a resource.

...

Add diagnostic setting.

...

Name the diagnostic setting.

...

Enable metrics and logs. The options will vary.

...

Enable “Stream to an event hub.”

...

Select the namespace, hub, and policy you created.

...

Click Save.

...

Open Entra.

...

Switch to the directory.

...

Add your Entra ID diagnostic settings. Devo recommends enabling all log options.

...

Send Data

  • Enable Monitor to get audit, reliability, and

  • Enable Entra ID to get authentication data.

  • Use an SDK to send data from your custom applications.

  • Use HTTPS.

Run It

In the Cloud Collector App, create an Azure Collector instance using this parameter template, replacing the values enclosed in < >. The region name for each event hub will be logged in the region field of cloud.azure; it does not have to match your Azure region.

...

Devo Exchange provides an Azure alert pack. The Authentication alert pack works with Entra ID data. The Collective Defense alert pack works with Azure Application Gateway and Azure Firewall. The DNS alert pack works with Azure Firewall DNS proxy.

Entra ID

Find privilege escalation, including roles, groups, and administrative units. Unexpected privilege escalation may indicate a user intends to exfiltrate or destroy data.

from cloud.azure.ad.audit 
where startswith(operationName,"Add"), toktains(operationName,"member to")
group by operationName as escalation_type, 
properties_initiatedBy_user_displayName as actor, 
properties_targetResources as target

A password reset or change may occur when an account is compromised.

from cloud.azure.ad.audit 
where eq(operationName,"User started password reset") or 
(weakhas(operationName,"change") and has(operationName,"password")) or 
startswith(operationName,"Reset password")

Get authentication risks detected by Microsoft.

...

See Entra ID collector.

Azure Storage

IP address 1.1.1.1 has been identified as an indicator of compromise. Identify storage actions taken by this IP to determine how many storage resources have been modified. Use the results to assess if the IP should be blocked.

...