Purpose

An analyst wants to detect unauthorized changes in Azure or Entra ID. Using the Azure Event Hub collector to send identity and access logs to Devo, the analyst will find privilege escalation events. As a result, the analyst will remove malicious accounts, preventing them from disabling or modifying Azure resources.

The Azure Event Hub collector gets data from:

  • Azure Monitor, which includes auditing, metrics, and logs of all Azure cloud computing services.

  • Entra ID, which includes authentication and role threats.

  • Any other kind of JSON data, which can be sent using a simple script.

Authorize It

  1. In Azure Portal, search for Entra ID.

  2. Click App registrations in the left menu and click the app (or Service Principal) that you are going to use.

  3. Register the application.

  4. Open Storage accounts.

  5. On the Storage accounts page, select Create and name the account.

  6. Click Review + Create, then Create.

  7. After the storage account is created, select it from the list of storage accounts and click Access keys in the left menu.

  8. Copy the connection string.

Role assignment

Alternatively, users can grant the necessary permissions to the registered application to access the Event Hub without using the RootManageSharedAccessKey. Roles can be assigned in a variety of ways (e.g. inherited from the subscription group), but the following steps show how to assign the necessary roles directly to the Storage Account.

Repeat steps 1-2 from the Connection String section to create the Storage Account.

  1. In the Storage Account, click Access control (IAM) in the left menu, click + Add, and click Add Role Assignment.

  2. Search for the Storage Blob Data Contributor or Storage Blob Data Owner (or Storage Blob Data Reader) role, select it, and click Next.

  3. Click + Select members, search for the event hub application, select it, and click Next.

  4. Click Review + Assign.

Connection string

Users can either obtain a connection string or use Role Assignments to allow the collector to access the Event Hub.

...

Example tables

| Table | Description |
| --- | --- |
| cloud.azure | Data from Event Hubs, VM Metrics, Entra ID, and other sources. |
| cloud.azure.service.type | For most Azure services, there is a separate table for each type of log associated with that service. |
| cloud.azure.ad.* | Entra ID identity and access management logs. |
| cloud.azure.ad.signin_all | This union table combines all the different Entra ID authentication logs. |
| auth.all | Authentication logs, including Entra ID and Azure SQL authentication. |
| web.all.access | Web activity, including Azure Application Gateway. |
| firewall.all.traffic | Firewall activity, including Azure Firewall. |
| network.dns | DNS activity, including Azure Firewall DNS Proxy. |

Authorize It

To perform the authorization, the Entra Security Administrator role is required.

Items required before authorizing an Event Hub:

  • Subscription containing your Azure resources.

  • Resource group containing your Azure resources.

  • Name of the region containing Azure resources. Example: East US

  • Entra directory.

If you have more than one set of these items, then authorize an Event Hub for each set.

Items created or used during the authorization process:

  1. In Azure Portal, search for Entra ID.

  2. Click App registrations in the left menu and click New registration.

  3. Register the application.

  4. Search for the Event Hubs service and click on it.

  5. Create an Event Hub resource per region (repeat the steps below for each region): click Add, then click Create.

  6. Fill in the mandatory fields, keeping in mind that the Event Hub must be in the same region as the resources that you are going to monitor. Select the subscription and resource group corresponding to the resources that must be monitored.

  7. Enter a name.

  8. In the Location field, select the region containing the resources that must be monitored.

  9. To capture Blob or Data Lake, see How Event Hubs Capture is charged to select a tier. Otherwise, select the cheapest tier and one throughput unit. If you need more resources, they can be added later.

  10. Select Review + Create, then Create.

  11. The previous steps create an Event Hub namespace. Return to Event Hubs, search for the namespace you created, and click on it.

  12. Click the + Event Hub button and create a new Event Hub: add a name, set the partition count (one is usually enough), and select the maximum retention time.

  13. Once the Event Hub is created in the namespace, click it and select Consumer groups in the left menu. Note that a dedicated consumer group for Devo needs to be created if the existing consumer groups are already in use.

  14. Here you will see the Event Hub consumer groups. The collector (or other applications) uses one of them to read data from the Event Hub. Write down the consumer group name; you will use it later in the configuration file.

  15. In the Event Hub namespace, click Shared access policies, search for the default policy named RootManageSharedAccessKey, and click it.

  16. Copy and write down the primary (or secondary) connection string to be used later in the configuration file.

Role assignment

Alternatively, users can grant the necessary permissions to the registered application to access the Event Hub without using the RootManageSharedAccessKey. Roles can be assigned in a variety of ways (e.g. inherited from the subscription group), but the following steps show how to assign the necessary roles directly to the Event Hub Namespace.

Repeat all steps except the last one from the previous section to create the Event Hub.

  1. In the Event Hub Namespace, click and open the namespace created in the previous steps.

  2. Select Access control (IAM) in the left menu, click + Add, and click Add Role Assignment.

  3. Search for the Azure Event Hubs Data Receiver role, select it, and click Next.

  4. Click Select members and search for the previously created App registration.

  5. Select the application by clicking its name.

  6. Once the application is listed as a selected member, click Select.

  7. Click Review + Assign.

  8. Now, search for the Monitor service and click on it.

  9. Click the Diagnostic settings option in the left area.

  10. A list of the deployed resources will be shown. Search for the resources that you want to monitor, select them, and click Add diagnostic setting.

  11. Type a name for the rule and check the required category details (logs will be sent to the cloud.azure.eh.events table, and metrics will be sent to the cloud.azure.eh.metrics table).

  12. Check Stream to an event hub, and select the corresponding Event hub namespace, Event hub name, and Event hub policy name.

  13. Click Save to finish the process.

  14. In the namespace, create a shared access policy for sending data to the event hub.

  15. Create a second shared access policy for listening to the event hub.

  16. Open the listen policy and copy the primary connection string.

  17. Return to the event hub and check the list of consumer groups. The Devo collector must have a dedicated consumer group. Devo recommends using the $Default consumer group for the collector without allowing other entities to use the event hub. If the consumer group is shared with other entities, data will be lost.

Send Data

  • Enable Monitor to get audit, reliability, metrics, and Microsoft recommendation data.

  • Enable Entra ID to get authentication data.

  • Use an SDK to send JSON data from your custom applications.

  • Use HTTPS to send JSON data.
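The "send JSON data from your custom applications" option above, as an added example that is not Devo's or Microsoft's own code. It assumes the azure-eventhub package is installed and that the connection string comes from a policy with the Send claim (the sending policy created in the Authorize It steps); the sample record is constructed.

```python
"""Send custom JSON records to an Azure Event Hub read by the Devo collector.

Added example, not Devo's or Microsoft's code. Assumes `pip install azure-eventhub`
and a connection string for a policy that holds the Send claim.
"""
import json
from datetime import datetime, timezone
from typing import Any, Dict, Iterable, List


def to_event_bodies(records: Iterable[Dict[str, Any]]) -> List[str]:
    """Serialize each record as one compact JSON object (one event per record).

    Records that are not JSON objects are rejected instead of sent, and a UTC
    "time" field is added when the record has none, so events can be ordered.
    """
    bodies = []
    for rec in records:
        if not isinstance(rec, dict):
            raise TypeError(f"record must be a JSON object, got {type(rec).__name__}")
        body = dict(rec)
        body.setdefault("time", datetime.now(timezone.utc).isoformat())
        bodies.append(json.dumps(body, separators=(",", ":"), sort_keys=True))
    return bodies


def send_json_events(connection_string: str, event_hub_name: str,
                     records: Iterable[Dict[str, Any]]) -> int:
    """Send the records in size-limited batches; returns the number of events sent."""
    # Imported here so to_event_bodies() works even without the SDK installed.
    from azure.eventhub import EventData, EventHubProducerClient

    sent = 0
    with EventHubProducerClient.from_connection_string(
            connection_string, eventhub_name=event_hub_name) as producer:
        batch = producer.create_batch()
        for body in to_event_bodies(records):
            try:
                batch.add(EventData(body))
            except ValueError:  # batch is full: flush it and start a new one
                producer.send_batch(batch)
                sent += len(batch)
                batch = producer.create_batch()
                batch.add(EventData(body))
        if len(batch):
            producer.send_batch(batch)
            sent += len(batch)
    return sent
```

A call such as `send_json_events("<CONNECTION STRING>", "<EVENT HUB>", [{"app": "payments", "msg": "login failed"}])` sends one event; the data then lands in cloud.azure.eh.events through the collector.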

Run It

In the Cloud Collector App, create an Azure Collector instance using the following parameters template, replacing the values enclosed in < >. The region name for each event hub is logged in the region field of cloud.azure; it is not required to be your Azure region.

Code Block
{
  "inputs": {
    "azure_event_hub": {
      "enabled": true,
      "id": "<UNIQUE VALUE>",
      "services": {
        "event_hubs": {
          "queues": {
            "<REGION>": {
              "consumer_group": "$Default",
              "event_hub_connection_string": "<CONNECTION STRING>",
              "event_hub_name": "<EVENT HUB>",
              "namespace": "<NAMESPACE OF EVENT HUB>"
            }
          }
        }
      }
    }
  }
}

For each event hub, the consumer group should only be used by one collector. If the consumer group is shared with other entities, data will be lost. To check if your collector has been enabled successfully, validate it.
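A pre-flight check for the parameters template above, added here as an example and not part of the Devo collector. It flags unreplaced placeholders, queues that share a namespace, event hub and consumer group (the data-loss case the text warns about), a connection string whose Endpoint namespace differs from the namespace field, and use of the RootManageSharedAccessKey policy instead of a dedicated listen policy or role assignment. The sample configurations in the test are constructed.

```python
"""Sanity checks for the Azure collector parameters template.

Added example, not part of the Devo collector. Checks the points this page calls
out: placeholders replaced, one consumer group per event hub per collector, the
connection string's namespace matching the "namespace" field, and whether the
string belongs to RootManageSharedAccessKey rather than a dedicated policy.
"""
import json
import re
from typing import Dict, List

PLACEHOLDER = re.compile(r"<[^<>]+>")
ENDPOINT = re.compile(r"sb://([^.]+)\.servicebus\.windows\.net/?$")


def parse_connection_string(conn: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict (Endpoint values contain '=' after sb://)."""
    parts: Dict[str, str] = {}
    for item in filter(None, conn.split(";")):
        key, _, value = item.partition("=")
        parts[key.strip()] = value.strip()
    return parts


def check_collector_config(config: dict) -> List[str]:
    """Return the problems found; an empty list means the config looks sane."""
    problems: List[str] = []
    for ph in sorted(set(PLACEHOLDER.findall(json.dumps(config)))):
        problems.append(f"unreplaced placeholder {ph}")
    queues = (config.get("inputs", {}).get("azure_event_hub", {})
              .get("services", {}).get("event_hubs", {}).get("queues", {}))
    seen: Dict[tuple, str] = {}
    for region, q in queues.items():
        key = (q.get("namespace"), q.get("event_hub_name"), q.get("consumer_group"))
        if key in seen:  # two readers on the same hub and consumer group lose data
            problems.append(f"queues {seen[key]} and {region} share consumer group "
                            f"{key[2]} on {key[0]}/{key[1]}; data will be lost")
        seen.setdefault(key, region)
        parts = parse_connection_string(q.get("event_hub_connection_string", ""))
        m = ENDPOINT.match(parts.get("Endpoint", ""))
        if m and m.group(1) != q.get("namespace"):
            problems.append(f"{region}: connection string namespace {m.group(1)} "
                            f"does not match namespace field {q.get('namespace')}")
        if parts.get("SharedAccessKeyName") == "RootManageSharedAccessKey":
            problems.append(f"{region}: uses RootManageSharedAccessKey; prefer a "
                            "dedicated listen policy or a role assignment")
    return problems
```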

Secure It

Devo Exchange provides an Azure alert pack. The Authentication alert pack works with Entra ID data. The Collective Defense alert pack works with Azure Application Gateway and Azure Firewall. The DNS alert pack works with Azure Firewall DNS proxy.

Entra ID

See Entra ID collector.

Azure Storage

IP address 1.1.1.1 has been identified as an indicator of compromise. Identify storage actions taken by this IP to determine how many storage resources have been modified. Use the results to assess if the IP should be blocked.

Code Block
from cloud.azure.storage.administrative
where eq(callerIpAddress,1.1.1.1)
group by operationName 
select length(collectdistinct(resourceId)) as resources

Azure App Service

Malicious principals have been stopping applications. Before reenabling the applications, identify the principals and revoke their access so they cannot stop the applications again.

Code Block
from cloud.azure.appservice.administrative
where eq(operationName,"MICROSOFT.WEB/SITES/STOP/ACTION")
group by identity__authorization__evidence__principalId as principal, resultType
select length(collectdistinct(resourceId)) as applications_stopped

Monitor It

Create an inactivity alert to detect interruptions in the transfer of data from the source to the event hub using the query

Code Block
from cloud.azure
where toktains(hostchain,"collector-")
select split(hostchain,"-",1) as collector_id

Set the inactivity alert to keep track of the collector_id.

Specific values of the product field can also be monitored for inactivity.