Versions Compared

Version Old Version 25 New Version 29
Changes made by

Laszlo Frazer

Laszlo Frazer

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The Azure Event Hub collector brings gets data to Devofrom:

  • Azure Monitor, which includes auditing, metrics, and logs of all Azure cloud computing services.

  • Entra ID, which includes authentication and role threats.

  • Any other kind of string data, which can be sent using a simple script.

...

  1. In Azure Portal, search for Entra ID.

    image-20250206-182248.png

  2. Click App registrations in the left menu and click new registration

    image-20250206-182408.png

  3. Register the application

  4. Search for the Event Hubs service and click on it. 

    image-20250206-195245.png

  5. Click Create.

    image-20250206-195421.png

  6. Select the subscription and resource group corresponding to the resources that must be monitored.

  7. Enter a name.

  8. In the Location field, select the region containing the resources that must be monitored.

  9. To capture Blob or Data Lake, see How Event Hubs Capture is charged to select a tier. Otherwise, select the cheapest tier and one throughput unit. If you need more resources, they can be added later.

    image-20250206-200043.png

  10. Select “Review+Create,” then “Create.”

  11. Return to Event Hubs and open the namespace created in the previous steps.

    image-20250206-200452.png

  12. Select Access control (IAM) in the left menu, click Add, and click Add Access Role Assignment.

    image-20250206-211925.png

  13. Search for the Azure Event Hubs Data Receiver role and select it and then click Next.

    image-20250206-212040.png

  14. Click Select members and search for the previously created App registration.

  15. Select the Application by clicking its name.

  16. Once the application is already listed as a selected member, click Select.

    image-20250206-214343.png

  17. Click Review + Assign.

  18. In the namespace, Create a shared access policy for sending data to the event hub.

    image-20250211-222119.png

  19. Create a second shared access policy for listening to the event hub.

    image-20250211-222210.png

  20. Open the listen policy and copy the primary connection string.

    image-20250211-222044.png

  21. Search for and select the Monitor service.

    image-20250206-214520.pngImage Removed

  22. Click the Diagnostic Settings option in the left area.

Info

An Azure account may have thousands of resources which need diagnostic settings configured. If manually enabling the diagnostic settings is inconvenient, use PowerShell to create a policy.

...

Select a resource.

...

Add diagnostic setting.

...

Name the diagnostic setting.

...

Enable metrics and logs. The options will vary.

...

Enable “Stream to an event hub.”

...

Select the namespace, hub, and policy you created.

...

Click Save.

...

Open Entra.

...

Switch to the directory.

...

Add your Entra ID diagnostic settings. Devo recommends enabling all log options.

...

  1. Return to the event hub and check the list of consumer groups. The Devo collector must have a dedicated consumer group. Devo recommends using the $Default consumer group for the collector without allowing other entities to use the event hub. If the consumer group is shared with other entities, data will be lost.

    image-20250224-213601.pngImage Added

Send Data

  • Enable Monitor to get audit, reliability, metrics, and Microsoft recommendation data.

  • Enable Entra ID to get authentication data.

  • Use an SDK to send data from your custom applications.

  • Use HTTPs.

Run It

In the Cloud Collector App, create an Azure Collector instance using this parameters template, replacing the values enclosed in < >. The region name for each event hub will be logged in the region field of cloud.azure. It is not required to be your Azure region.

Code Block
{
  "inputs": {
    "azure_event_hub": {
      "enabled": true,
      "id": "<UNIQUE VALUE>",
      "services": {
        "event_hubs": {
          "queues": {
            "<REGION>": {
              "consumer_group": "$Default",
              "event_hub_connection_string": "<CONNECTION STRING>",
              "event_hub_name": "<EVENT HUB>",
              "namespace": "<NAMESPACE OF EVENT HUB>"
            }
          }
        }
      }
    }
  }
}

For each event hub, the consumer group should only be used by one collector. If the consumer group is shared with other entities, data will be lost. To check if your collector has been enabled successfully, validate it.

...

Devo Exchange provides an Azure alert pack. The Authentication alert pack works with Entra ID data. The Collective Defense alert pack works with Azure Application Gateway and Azure Firewall. The DNS alert pack works with Azure Firewall DNS proxy.

Entra ID

Find privilege escalation, including roles, groups, and administrative units. Unexpected privilege escalation may indicate a user intends to exfiltrate or destroy data.

Code Block
from cloud.azure.ad.audit 
where startswith(operationName,"Add"), toktains(operationName,"member to")
group by operationName as escalation_type, 
properties_initiatedBy_user_displayName as actor, 
properties_targetResources as target

A password reset or change may occur when an account is compromised.

Code Block
from cloud.azure.ad.audit 
where eq(operationName,"User started password reset") or 
(weakhas(operationName,"change") and has(operationName,"password")) or 
startswith(operationName,"Reset password")

Get authentication risks detected by Microsoft.

...

See Entra ID collector.

Azure Storage

IP address 1.1.1.1 has been identified as an indicator of compromise. Identify storage actions taken by this IP to determine how many storage resources have been modified. Use the results to assess if the IP should be blocked.

...

Create an inactivity alert to detect interruptions of transfer of data from the source to the SQS queue event hub using the query

Code Block
from cloud.azure
where toktains(hostchain,"collector-") 
select split(hostchain,"-",1) as collector_id

...