Comment: Reverted from v. 30

...

An analyst wants to detect unauthorized changes in Azure or Entra ID. Using the Azure Event Hub collector to send identity and access logs to Devo, the analyst will find privilege escalation events. As a result, the analyst will remove malicious accounts, preventing them from disabling or modifying Azure resources.

...

Table                        Description
cloud.azure                  Data from Event Hubs, VM Metrics, Entra ID, and other sources.
cloud.azure.service.type     For most Azure services, there is a separate table for each type of log associated with that service.
cloud.azure.ad.*             Entra ID identity and access management logs.
cloud.azure.ad.signin_all    This union table combines all the different Entra ID authentication logs.
auth.all                     Authentication logs, including Entra ID and Azure SQL authentication.
web.all.access               Web activity, including Azure Application Gateway.
firewall.all.traffic         Firewall activity, including Azure Firewall.
network.dns                  DNS activity, including Azure Firewall DNS Proxy.

Authorize It

Prerequisites

...

Access to Entra ID.

...

To perform the authorization, the Entra Security Administrator role is required.

Items required before authorizing an Event Hub:

  • Subscription containing your Azure resources.

  • Resource group containing your Azure resources.

  • Name of the region containing Azure resources. Example: East US

  • Entra directory.

If you have more than one set of these items, then authorize an Event Hub for each set.

...

Items created or used during the authorization process:

...

  1. In Azure Portal, search for Entra ID.

...

  1. Click App registrations in the left menu and click New registration.

...

...

  1. Register the application.

...

  1. Search for the Event Hubs service and click on it. 

...

  1. Click Create.

  2. Select the subscription and resource group corresponding to the resources that must be monitored.

  3. Enter a name.

  4. In the Location field, select the region containing the resources that must be monitored.

  5. To capture to Blob Storage or Data Lake, see How Event Hubs Capture is charged to select a tier. Otherwise, select the cheapest tier and one throughput unit. If you need more resources, they can be added later.

...

  1. Select Review + Create, then Create.

  2. Return to Event Hubs and open the namespace created in the previous steps.

  3. Select Access control (IAM) in the left menu, click Add, and click Add Access Role Assignment.

  4. Search for the Azure Event Hubs Data Receiver role, select it, and then click Next.

...

  1. Click Select members and search for the previously created app registration.

  2. Select the application by clicking its name.

  3. Once the application is listed as a selected member, click Select.

...

  1. Click Review + Assign.

  2. In the namespace, create a shared access policy for sending data to the event hub.

  3. Create a second shared access policy for listening to the event hub.

  4. Open the listen policy and copy the primary connection string.

  5. Return to the event hub and check the list of consumer groups. The Devo collector must have a dedicated consumer group. Devo recommends using the $Default consumer group for the collector without allowing other entities to use the event hub. If the consumer group is shared with other entities, data will be lost.

Send Data

  • Enable Monitor to get audit, reliability, metrics, and Microsoft recommendation data.

  • Enable Entra ID to get authentication data.

  • Use an SDK to send JSON data from your custom applications.

  • Use HTTPS to send JSON data.

...

For each event hub, the consumer group should only be used by one collector. If the consumer group is shared with other entities, data will be lost. To check if your collector has been enabled successfully, validate it.

Secure It

Devo Exchange provides different Alerts Packs to help you monitor Azure data:

...

Platform alert pack: Azure detects when an attacker is trying to attack Microsoft Azure environments.

an Azure alert pack. The Authentication alert pack works with Entra ID data.

...

The Collective Defense alert pack works with Azure Application Gateway and Azure Firewall.

...

The DNS alert pack works with Azure Firewall DNS proxy.

Entra ID

See Entra ID collector.

...

Create an inactivity alert to detect interruptions in the transfer of data from the source to the event hub using the following query.

Code Block
from cloud.azure
where toktains(hostchain, "collector-")
select split(hostchain, "-", 1) as collector_id
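The following Python script is an added example, not part of the original page or of Devo's tooling: it reproduces the query's collector_id extraction over a few constructed cloud.azure rows and then applies the inactivity check the alert is meant to perform. It assumes a hostchain field shaped like "collector-<id>-...", approximates toktains as a substring match, and uses a silence threshold chosen only for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample rows imitating cloud.azure events (not real Devo data).
SAMPLE_EVENTS = [
    {"eventdate": "2025-02-24T21:30:00", "hostchain": "collector-azure01-eventhub"},
    {"eventdate": "2025-02-24T21:31:00", "hostchain": "collector-azure02-eventhub"},
    {"eventdate": "2025-02-24T21:59:00", "hostchain": "collector-azure01-eventhub"},
    # No "collector-" token, so the where clause drops it.
    {"eventdate": "2025-02-24T21:40:00", "hostchain": "relay-eu-west"},
]


def collector_id(hostchain):
    """Mirror of `where toktains(hostchain,"collector-")` followed by
    `select split(hostchain,"-",1)`. Assumption: toktains is approximated
    here as a plain substring match; split index 1 is the token after
    the first "-", which is the collector identifier."""
    if "collector-" not in hostchain:
        return None
    parts = hostchain.split("-")
    return parts[1] if len(parts) > 1 and parts[1] else None


def last_seen_by_collector(events):
    """Latest eventdate observed per collector_id, as a dict."""
    seen = {}
    for ev in events:
        cid = collector_id(ev["hostchain"])
        if cid is None:
            continue
        ts = datetime.fromisoformat(ev["eventdate"])
        if cid not in seen or ts > seen[cid]:
            seen[cid] = ts
    return seen


def inactive_collectors(events, now, max_silence):
    """Collectors whose most recent event is older than max_silence.
    This is the condition an inactivity alert on the query fires on."""
    seen = last_seen_by_collector(events)
    return sorted(cid for cid, ts in seen.items() if now - ts > max_silence)


if __name__ == "__main__":
    now = datetime.fromisoformat("2025-02-24T22:10:00")
    # Illustrative threshold: 30 minutes without data counts as an interruption.
    print(inactive_collectors(SAMPLE_EVENTS, now, timedelta(minutes=30)))
```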

...