
An analyst wants to detect unauthorized changes in Azure or Entra ID. Using the Azure Event Hub collector to send identity and access logs to Devo, the analyst can find privilege escalation events and, as a result, remove malicious accounts before they disable or modify Azure resources.

The Azure Event Hub collector brings data into Devo from:

  • Azure Monitor, which includes auditing, metrics, and logs of all Azure cloud computing services.

  • Entra ID, which includes authentication and role threats.

  • Any other kind of string or byte JSON data, which can be sent using a simple script.

Example tables

Table                        Description
cloud.azure                  Data from Event Hubs, VM Metrics, Entra ID, and other sources.
cloud.azure.service.type     For most Azure services, there is a separate table for each type of log associated with that service.
cloud.azure.ad.*             Entra ID identity and access management logs.
cloud.azure.ad.signin_all    This union table combines all the different Entra ID authentication logs.
auth.all                     Authentication logs, including Entra ID and Azure SQL authentication.
web.all.access               Web activity, including Azure Application Gateway.
firewall.all.traffic         Firewall activity, including Azure Firewall.
network.dns                  DNS activity, including Azure Firewall DNS Proxy.

Authorize It

...

Prerequisites

...


...

  • Subscription containing your Azure resources.

  • Resource group containing your Azure resources.

  • Name of the region containing Azure resources. Example: East US

  • Entra directory.

If you have more than one set of these items, then authorize an Event Hub for each set.

During authorizing

Items created or used during the authorization process:

...

  1. In Azure Portal, search for Entra ID.


...

  1. Click App registrations in the left menu, then click New registration.

...

  1. Register the application.

  2. Search for the Event Hubs service and click it.

...

  1. Click Create.

...

  1. Select the subscription and resource group corresponding to the resources that must be monitored.

  2. Enter a name.

  3. In the Location field, select the region containing the resources that must be monitored.

  4. To capture Blob or Data Lake, see How Event Hubs Capture is charged to select a tier. Otherwise, select the cheapest tier and one throughput unit. If you need more resources, they can be added later.

...

  1. Select Review + Create, then Create.

...

  1. Return to Event Hubs and open the namespace created in the previous steps.

...

  1. Select Access control (IAM) in the left menu, click Add, and click Add Access Role Assignment.

...

  1. Search for the Azure Event Hubs Data Receiver role, select it, and then click Next.

...

  1. Click Select members and search for the previously created App registration.

  2. Select the Application by clicking its name.

  3. Once the application is listed as a selected member, click Select.

...

  1. Click Review + Assign.

  2. In the namespace, create a shared access policy for sending data to the event hub.

...

  1. Create a second shared access policy for listening to the event hub.

...

  1. Open the listen policy and copy the primary connection string.

...

    ...

    Search for and select the Monitor service.

    ...

    Click the Diagnostic Settings option in the left area.

    Info

    An Azure account may have thousands of resources which need diagnostic settings configured. If manually enabling the diagnostic settings is inconvenient, use PowerShell to create a policy.

    ...

    Select a resource.

    ...

    Add diagnostic setting.

    ...

    Name the diagnostic setting.

    ...

    Enable metrics and logs. The options will vary.

    ...

    Enable “Stream to an event hub.”

    ...

    Select the namespace, hub, and policy you created.

    ...

    Click Save.

    ...

    Open Entra.

    ...

    Switch to the directory.

    ...

    Add your Entra ID diagnostic settings. Devo recommends enabling all log options.

    ...

    1. Return to the event hub and check the list of consumer groups. The Devo collector must have a dedicated consumer group. Devo recommends using the $Default consumer group for the collector without allowing other entities to use the event hub.

    Note

    If the consumer group is shared with other entities, data will be lost.

    ...

    Send Data

    • Enable Monitor to get audit, reliability, metrics, and Microsoft recommendation data.

    • Enable Entra ID to get authentication data.

    • Use an SDK to send JSON data from your custom applications.

    • Use HTTPS to send JSON data.
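The "simple script" mentioned in the data-sources list and the SDK option above amount to the same thing: serialize your records as JSON and publish them to the event hub with the Send shared access policy created under Authorize It. The following Python module is an added example, not code from the original page or from Devo. It assumes the azure-eventhub SDK (`pip install azure-eventhub`), a Send-policy connection string and hub name that you supply in place of the placeholders, constructed sample records, and a conservative 256 KB per-event limit (the Basic-tier cap; adjust for your tier).

```python
import json
from datetime import datetime, timezone

# Conservative per-event size limit (assumption: the Basic-tier Event Hubs cap is
# 256 KB; higher tiers allow larger events, so adjust for your namespace).
DEFAULT_MAX_EVENT_BYTES = 256 * 1024


def to_event_bodies(records, max_bytes=DEFAULT_MAX_EVENT_BYTES):
    """Serialize each dict to one compact UTF-8 JSON body.

    A UTC ISO 8601 'time' field is added when the record lacks one, so every
    event carries its own timestamp. A body larger than max_bytes raises,
    because Event Hubs rejects oversized events instead of truncating them.
    """
    bodies = []
    for record in records:
        if "time" not in record:
            record = dict(record)  # do not mutate the caller's dict
            record["time"] = (
                datetime.now(timezone.utc).isoformat(timespec="seconds").replace("+00:00", "Z")
            )
        body = json.dumps(record, separators=(",", ":")).encode("utf-8")
        if len(body) > max_bytes:
            raise ValueError(f"event of {len(body)} bytes exceeds the {max_bytes}-byte limit")
        bodies.append(body)
    return bodies


def send_json_records(connection_string, event_hub_name, records):
    """Publish records with the Send shared-access-policy connection string via the
    azure-eventhub SDK. The import is deferred so the rest of this module (and the
    serialization above) runs without the SDK installed."""
    from azure.eventhub import EventData, EventHubProducerClient

    bodies = to_event_bodies(records)
    producer = EventHubProducerClient.from_connection_string(
        connection_string, eventhub_name=event_hub_name
    )
    with producer:
        batch = producer.create_batch()
        for body in bodies:
            try:
                batch.add(EventData(body))
            except ValueError:
                # The SDK raises ValueError when the batch is full: flush and start a new one.
                producer.send_batch(batch)
                batch = producer.create_batch()
                batch.add(EventData(body))
        if len(batch) > 0:
            producer.send_batch(batch)
    return len(bodies)


if __name__ == "__main__":
    # Constructed sample application events; the placeholders stand in for the
    # Send policy connection string and the hub name from the Authorize It steps.
    sample = [
        {"app": "billing-api", "event": "login_failed", "user": "svc-report", "src_ip": "203.0.113.7"},
        {"app": "billing-api", "event": "config_changed", "user": "admin", "time": "2025-01-01T00:00:00Z"},
    ]
    for b in to_event_bodies(sample):
        print(b.decode())
    # send_json_records("<CONNECTION STRING>", "<EVENT HUB>", sample)  # uncomment to publish
```

Use the Send policy here and keep the Listen policy for the Devo collector only; a sender that holds the Listen connection string could consume events meant for the collector, which is the same data-loss condition the consumer-group note below describes.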

    Run It

    In the Cloud Collector App, create an Azure Collector instance using this parameter template, replacing the values enclosed in < >. The region name for each event hub will be logged in the region field of cloud.azure. It does not have to be your Azure region.

    Code Block
    {
      "inputs": {
        "azure_event_hub": {
          "credentials": {},
          "enabled": true,
          "id": "<UNIQUE VALUE>",
          "services": {
            "event_hubs": {
              "queues": {
                "<REGION>": {
                  "consumer_group": "$Default",
                  "event_hub_connection_string": "<CONNECTION STRING>",
                  "event_hub_name": "<EVENT HUB>",
                  "namespace": "<NAMESPACE OF EVENT HUB>"
                }
              }
            }
          }
        }
      }
    }
    

    For each event hub, the consumer group should only be used by one collector. If the consumer group is shared with other entities, data will be lost. To check if your collector has been enabled successfully, validate it.
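A filled-in template is easy to get subtly wrong: a placeholder left in place, a `namespace` that does not match the host in the connection string's `Endpoint`, or an `EntityPath` (a policy scoped to one hub) that names a different hub than `event_hub_name`. The following Python checker is an added example, not part of the original page or of Devo's collector; it builds a parameters dict in the shape of the template above and validates it. The `build_params` helper, the `contoso-logs` namespace, the `devo-listen` policy name and the SharedAccessKey value are all constructed (the key is a dummy, not a credential).

```python
import json
import re
from urllib.parse import urlparse

PLACEHOLDER = re.compile(r"<[^<>]+>")  # matches the "<VALUE>" markers of the template


def build_params(collector_id, region, connection_string, event_hub_name, namespace,
                 consumer_group="$Default"):
    """Return a collector parameters dict in the shape of the template above (hypothetical helper)."""
    return {
        "inputs": {
            "azure_event_hub": {
                "credentials": {},
                "enabled": True,
                "id": collector_id,
                "services": {
                    "event_hubs": {
                        "queues": {
                            region: {
                                "consumer_group": consumer_group,
                                "event_hub_connection_string": connection_string,
                                "event_hub_name": event_hub_name,
                                "namespace": namespace,
                            }
                        }
                    }
                },
            }
        }
    }


def parse_connection_string(conn):
    """Split an Event Hubs connection string ('Key=Value;Key=Value;...') into a dict.
    Only the first '=' of each segment separates key from value, so base64 keys
    ending in '=' survive intact."""
    parts = {}
    for segment in conn.split(";"):
        if not segment:
            continue
        key, sep, value = segment.partition("=")
        if not sep:
            raise ValueError(f"malformed connection string segment: {segment!r}")
        parts[key] = value
    return parts


def validate_collector_params(params):
    """Return a list of problems found in the parameters; an empty list means consistent."""
    problems = []
    # 1. No "<PLACEHOLDER>" text may survive anywhere in the document.
    for ph in PLACEHOLDER.findall(json.dumps(params)):
        problems.append(f"placeholder not replaced: {ph}")
    try:
        block = params["inputs"]["azure_event_hub"]
        queues = block["services"]["event_hubs"]["queues"]
    except KeyError as exc:
        return problems + [f"missing required key: {exc}"]
    if not block.get("enabled", False):
        problems.append("collector input is not enabled")
    for region, q in queues.items():
        try:
            cs = parse_connection_string(q.get("event_hub_connection_string", ""))
        except ValueError as exc:
            problems.append(f"{region}: {exc}")
            continue
        for required in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey"):
            if required not in cs:
                problems.append(f"{region}: connection string lacks {required}")
        # 2. The Endpoint host is "<namespace>.servicebus.windows.net"; it must agree with "namespace".
        host = urlparse(cs.get("Endpoint", "")).hostname or ""
        if host.split(".")[0] != q.get("namespace"):
            problems.append(f"{region}: namespace {q.get('namespace')!r} does not match Endpoint host {host!r}")
        # 3. A policy scoped to one hub carries EntityPath; it must be the hub we subscribe to.
        if "EntityPath" in cs and cs["EntityPath"] != q.get("event_hub_name"):
            problems.append(f"{region}: EntityPath {cs['EntityPath']!r} != event_hub_name {q.get('event_hub_name')!r}")
        if not q.get("consumer_group"):
            problems.append(f"{region}: consumer_group is empty")
    return problems


# Constructed, fully filled-in example. The SharedAccessKey is a dummy value, not a
# real credential; in a real template the Listen policy's key is a secret to protect.
SAMPLE_PARAMS = build_params(
    "azure-eventhub-eastus-01", "eastus",
    "Endpoint=sb://contoso-logs.servicebus.windows.net/;SharedAccessKeyName=devo-listen;"
    "SharedAccessKey=ZmFrZS1rZXktZm9yLWV4YW1wbGUtb25seQ==;EntityPath=azure-monitor-hub",
    "azure-monitor-hub", "contoso-logs",
)

if __name__ == "__main__":
    print(validate_collector_params(SAMPLE_PARAMS) or "parameters look consistent")
```

Run the checker on the JSON you are about to paste into the Cloud Collector App; an unreplaced placeholder or a namespace mismatch is reported before the instance is created rather than showing up as a collector that never validates.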

    Secure It

    Devo Exchange provides different Alerts Packs to help you monitor Azure data:

    Entra ID

    See Entra ID collector.

    Azure Storage

    IP address 1.1.1.1 has been identified as an indicator of compromise. Identify storage actions taken by this IP to determine how many storage resources have been modified. Use the results to assess if the IP should be blocked.

    Code Block
    from cloud.azure.storage.administrative
    where eq(callerIpAddress,1.1.1.1)
    group by operationName 
    select length(collectdistinct(resourceId)) as resources

    Azure App Service

    Malicious principals have been stopping applications. Before reenabling the applications, identify the principals and revoke their access so they cannot stop the applications again.

    Code Block
    from cloud.azure.appservice.administrative
    where eq(operationName,"MICROSOFT.WEB/SITES/STOP/ACTION")
    group by identity__authorization__evidence__principalId as principal, resultType
    select length(collectdistinct(resourceId)) as applications_stopped
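The two queries above run inside Devo, but it helps to see exactly what they count and which field names the collector produces from the nested JSON that Azure Monitor writes to the event hub. The Python below is an added example, not code from the original page or from Devo: it re-implements both aggregations (distinct storage resources touched per operation by one caller IP, and distinct App Service sites stopped per principal and result) over a constructed record batch. The `{"records": [...]}` envelope and the `identity.authorization.evidence.principalId` path follow Azure Monitor's activity-log shape; the flattening to `identity__authorization__evidence__principalId` mirrors the column name used in the query. Subscription, resource and principal IDs and all IP addresses are made up.

```python
import json
from collections import defaultdict

SUB = "/SUBSCRIPTIONS/SUB-0001/RESOURCEGROUPS/RG-PROD/PROVIDERS"

LISTKEYS = "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION"
SA_WRITE = "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE"
STOP = "MICROSOFT.WEB/SITES/STOP/ACTION"
START = "MICROSOFT.WEB/SITES/START/ACTION"


def _rec(provider, name, op, ip, principal, result):
    # One constructed Azure Monitor activity-log record (shape only; IDs and IPs are made up).
    return {
        "time": "2025-01-01T00:00:00Z",
        "resourceId": f"{SUB}/{provider}/{name}",
        "operationName": op,
        "category": "Administrative",
        "resultType": result,
        "callerIpAddress": ip,
        "identity": {"authorization": {"evidence": {"principalId": principal}}},
    }


# Constructed batch in the envelope Azure Monitor writes to an event hub: {"records": [...]}.
SAMPLE_BATCH = json.dumps({"records": [
    _rec("MICROSOFT.STORAGE/STORAGEACCOUNTS", "SA1", LISTKEYS, "1.1.1.1", "p-aaaa", "Success"),
    _rec("MICROSOFT.STORAGE/STORAGEACCOUNTS", "SA2", LISTKEYS, "1.1.1.1", "p-aaaa", "Success"),
    _rec("MICROSOFT.STORAGE/STORAGEACCOUNTS", "SA1", SA_WRITE, "1.1.1.1", "p-aaaa", "Success"),
    _rec("MICROSOFT.STORAGE/STORAGEACCOUNTS", "SA1", LISTKEYS, "1.1.1.1", "p-aaaa", "Success"),  # repeat
    _rec("MICROSOFT.STORAGE/STORAGEACCOUNTS", "SA3", LISTKEYS, "203.0.113.9", "p-bbbb", "Success"),
    _rec("MICROSOFT.WEB/SITES", "APP1", STOP, "198.51.100.4", "p-cccc", "Success"),
    _rec("MICROSOFT.WEB/SITES", "APP2", STOP, "198.51.100.4", "p-cccc", "Success"),
    _rec("MICROSOFT.WEB/SITES", "APP1", STOP, "198.51.100.5", "p-dddd", "Failure"),
    _rec("MICROSOFT.WEB/SITES", "APP1", START, "198.51.100.4", "p-cccc", "Success"),
]})


def flatten(obj, prefix=""):
    """Flatten nested JSON into column names joined with '__' (the naming the query relies on)."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}__{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name))
        else:
            out[name] = value
    return out


def load_records(batch_json):
    """Parse one event-hub message and return its records as flat dicts."""
    return [flatten(r) for r in json.loads(batch_json)["records"]]


def storage_resources_by_ip(records, ip):
    """Mirror of the Azure Storage query: distinct resourceId count per operationName
    for storage records whose callerIpAddress equals ip."""
    seen = defaultdict(set)
    for r in records:
        if "/PROVIDERS/MICROSOFT.STORAGE/" not in r.get("resourceId", "").upper():
            continue  # the cloud.azure.storage.* tables only hold storage-provider records
        if r.get("callerIpAddress") != ip:
            continue
        seen[r["operationName"]].add(r["resourceId"])
    return {op: len(ids) for op, ids in seen.items()}


def stopped_apps_by_principal(records):
    """Mirror of the App Service query: distinct sites stopped per (principal, resultType)."""
    seen = defaultdict(set)
    for r in records:
        if r.get("operationName") != STOP:
            continue
        key = (r.get("identity__authorization__evidence__principalId"), r.get("resultType"))
        seen[key].add(r["resourceId"])
    return {key: len(ids) for key, ids in seen.items()}


if __name__ == "__main__":
    recs = load_records(SAMPLE_BATCH)
    print(storage_resources_by_ip(recs, "1.1.1.1"))
    print(stopped_apps_by_principal(recs))
```

The repeated SA1 LISTKEYS record shows why the queries use `collectdistinct(resourceId)` rather than a plain count: the question is how many resources a caller reached, not how many log lines it produced. A principal with a non-zero count under `Failure` as well as `Success` is worth the same revocation review, since the failures show the attempt even where authorization denied it.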

    Monitor It

    Create an inactivity alert to detect interruptions in the transfer of data from the source to the event hub, using this query.

    Code Block
    from TABLE cloud.azure
    where toktains(hostchain,"collector-") 
    select split(hostchain,"-",1) as collector_id

    Set the inactivity alert to keep track of the collector_id.

    Selected values of the product field can also be monitored for inactivity.