
Purpose

An analyst wants to detect <adjective> behavior in <data source>. Using the <name> Azure collector to send <type> to Devo, the analyst will find <outcome>. As a result, the analyst will <verb> the <entity>, preventing them from <tactic>.

Example tables

Table

Description

Authorize It

To perform the authorization, the Entra Security Administrator role is required.

Items required before authorizing an Event Hub:

  • Subscription containing your Azure resources.

  • Resource group containing your Azure resources.

  • Name of the region containing Azure resources. Example: East US

  • Entra directory.

If you have more than one set of these items, authorize an Event Hub for each set.

Items created or used during the authorization process:

  1. In Azure Portal, search for Entra ID.

    image-20250206-182248.png
  2. Click App registrations in the left menu, then click New registration.

    image-20250206-182408.png
  3. Register the application

  4. Search for the Event Hubs service and click on it.

    image-20250206-195245.png
  5. Click Create.

    image-20250206-195421.png
  6. Select the subscription and resource group corresponding to the resources that must be monitored.

  7. Enter a name.

  8. In the Location field, select the region containing the resources that must be monitored.

  9. To capture Blob or Data Lake, see How Event Hubs Capture is charged to select a tier. Otherwise, select the cheapest tier and one throughput unit. If you need more resources, they can be added later.

    image-20250206-200043.png

  10. Select “Review+Create,” then “Create.”

  11. Return to Event Hubs and open the namespace created in the previous steps.

    image-20250206-200452.png
  12. Select Access control (IAM) in the left menu, click Add, and click Add Access Role Assignment.

    image-20250206-211925.png
  13. Search for the Azure Event Hubs Data Receiver role, select it, and click Next.

    image-20250206-212040.png
  14. Click Select members and search for the previously created App registration.

  15. Select the Application by clicking its name.

  16. Once the application is listed as a selected member, click Select.

    image-20250206-214343.png
  17. Click Review + Assign.

  18. In the namespace, create a shared access policy for sending data to the event hub.

    image-20250211-222119.png

  19. Create a second shared access policy for listening to the event hub.

    image-20250211-222210.png

  20. Open the listen policy and copy the primary connection string.

    image-20250211-222044.png
  21. Search for and select the Monitor service.

    image-20250206-214520.png
  22. Click the Diagnostic Settings option in the left area.

  23. Select a resource.

    image-20250206-215233.png
  24. Add a diagnostic setting.

    image-20250206-215402.png
  25. Name the diagnostic setting.

  26. Enable metrics and logs. The options will vary.

  27. Enable “Stream to an event hub.”

  28. Select the namespace, hub, and policy you created.

    image-20250206-223615.png
  29. Click Save.

  30. Open Entra.

  31. Switch to the directory.

    image-20250211-222523.png
  32. Add your Entra ID diagnostic settings. Devo recommends enabling all log options.

Run It

In the Cloud Collector App, create an Azure Collector instance using the following parameters template, replacing the values enclosed in < >. The region name for each event hub is logged in the region field of cloud.azure; it does not have to be your Azure region.

{
  "inputs": {
    "azure_event_hub": {
      "credentials": {},
      "enabled": true,
      "id": "<UNIQUE VALUE>",
      "services": {
        "event_hubs": {
          "queues": {
            "<REGION>": {
              "consumer_group": "$Default",
              "event_hub_connection_string": "<CONNECTION STRING>",
              "event_hub_name": "<EVENT HUB>",
              "namespace": "<NAMESPACE OF EVENT HUB>"
            }
          }
        }
      }
    }
  }
}

To check if your collector has been enabled successfully, validate it.
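Before creating the collector instance, it is worth checking the filled-in template offline: every `< >` placeholder must be replaced, the connection string must be the one copied from the listen policy rather than the namespace's default manage-level policy, and the namespace and event hub named in the string must agree with the `namespace` and `event_hub_name` fields. The following check is an added example, not Devo's or Microsoft's code; it assumes the JSON shape shown above and the standard Event Hubs connection-string layout (`Endpoint=sb://<namespace>.servicebus.windows.net/;SharedAccessKeyName=...;SharedAccessKey=...;EntityPath=...`). All namespace, policy and key values in the samples are constructed.

```python
"""Sanity-check a Devo Azure collector parameters template before deploying it.

Added example (not Devo's or Microsoft's code). Assumes the JSON shape from the
page and the standard Event Hubs connection-string format. Sample values below
are constructed.
"""
import json
import re

PLACEHOLDER = re.compile(r"<[^<>]+>")

# Namespace-level policy Azure creates by default with Manage/Send/Listen rights.
# The collector only needs Listen, so a template that uses it is over-privileged.
ROOT_POLICY = "RootManageSharedAccessKey"

REQUIRED_QUEUE_FIELDS = ("consumer_group", "event_hub_connection_string",
                         "event_hub_name", "namespace")


def parse_connection_string(conn):
    """Split 'Key=Value;Key=Value' into a dict. Values may contain '=' (base64 keys),
    so each segment is split only on its first '='."""
    parts = {}
    for item in conn.strip().rstrip(";").split(";"):
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed connection string segment: {item!r}")
        key, value = item.split("=", 1)
        parts[key.strip()] = value.strip()
    return parts


def validate_template(template):
    """Return a list of problems found in the template; an empty list means it looks OK."""
    problems = []
    # Any <...> left anywhere in the document means a placeholder was not replaced.
    for ph in sorted(set(PLACEHOLDER.findall(json.dumps(template)))):
        problems.append(f"placeholder not replaced: {ph}")
    try:
        queues = template["inputs"]["azure_event_hub"]["services"]["event_hubs"]["queues"]
    except (KeyError, TypeError):
        return problems + ["missing inputs.azure_event_hub.services.event_hubs.queues"]
    if not queues:
        problems.append("no event hub queues configured")
    for region, q in queues.items():
        for field in REQUIRED_QUEUE_FIELDS:
            if not q.get(field):
                problems.append(f"{region}: missing {field}")
        conn = q.get("event_hub_connection_string", "")
        if not conn or PLACEHOLDER.search(conn):
            continue  # already reported above
        try:
            parts = parse_connection_string(conn)
        except ValueError as exc:
            problems.append(f"{region}: {exc}")
            continue
        for key in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey"):
            if key not in parts:
                problems.append(f"{region}: connection string lacks {key}")
        endpoint = parts.get("Endpoint", "")
        m = re.match(r"sb://([^./]+)\.servicebus\.windows\.net/?$", endpoint)
        if not m:
            problems.append(f"{region}: unexpected Endpoint {endpoint!r}")
        elif q.get("namespace") and m.group(1) != q["namespace"]:
            problems.append(f"{region}: Endpoint namespace {m.group(1)!r} "
                            f"does not match namespace field {q['namespace']!r}")
        if parts.get("SharedAccessKeyName") == ROOT_POLICY:
            problems.append(f"{region}: uses {ROOT_POLICY}; use the dedicated listen policy")
        entity = parts.get("EntityPath")
        if entity and q.get("event_hub_name") and entity != q["event_hub_name"]:
            problems.append(f"{region}: EntityPath {entity!r} does not match "
                            f"event_hub_name {q['event_hub_name']!r}")
    return problems


def _template(region, conn, hub, namespace, collector_id="azure-eh-01"):
    """Build a template in the page's shape (helper for the constructed samples)."""
    return {"inputs": {"azure_event_hub": {
        "credentials": {}, "enabled": True, "id": collector_id,
        "services": {"event_hubs": {"queues": {region: {
            "consumer_group": "$Default", "event_hub_connection_string": conn,
            "event_hub_name": hub, "namespace": namespace}}}}}}}


# Constructed sample: listen policy, namespace and hub consistent with the string.
SAMPLE_GOOD = _template(
    "eastus",
    "Endpoint=sb://devo-ns.servicebus.windows.net/;SharedAccessKeyName=devo-listen;"
    "SharedAccessKey=c29tZS1zYW1wbGUta2V5LXZhbHVl=;EntityPath=insights-activity-logs",
    "insights-activity-logs", "devo-ns")

# Constructed sample: placeholders left in, root policy, namespace and hub mismatch.
SAMPLE_BAD = _template(
    "<REGION>",
    "Endpoint=sb://other-ns.servicebus.windows.net/;SharedAccessKeyName="
    "RootManageSharedAccessKey;SharedAccessKey=YWJj=;EntityPath=insights-logs",
    "insights-activity-logs", "devo-ns", collector_id="<UNIQUE VALUE>")

if __name__ == "__main__":
    for name, t in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, validate_template(t) or "OK")
```

Run it against the JSON you are about to paste into the Cloud Collector App; any line it prints for the real template is something to fix before the collector is created.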

Secure It

Monitor It

Create an inactivity alert to detect interruptions in the transfer of data from the source to the SQS queue, using this query:

from TABLE
where toktains(hostchain,"collector-")
select split(hostchain,"-",1) as collector_id

Set the inactivity alert to keep track of the collector_id.
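To see what the alert is tracking, the same logic can be emulated offline: extract `collector_id` the way `split(hostchain,"-",1)` does, keep the latest event time per collector, and report any collector whose last event is older than the inactivity window. This is an added example, not Devo's code or query engine; the hostchain values, timestamps and the 15-minute window are constructed, and `collector-<id>-...` is an assumed hostchain layout consistent with the query above (substring matching stands in for `toktains`).

```python
"""Offline emulation of the collector inactivity alert over constructed events.

Added example, not Devo's code. Assumes hostchains of the form
'collector-<id>-...' (constructed), matching split(hostchain,"-",1) in the query.
"""
from datetime import datetime, timedelta, timezone


def collector_id(hostchain):
    """Mirror of `where toktains(hostchain,"collector-") select split(hostchain,"-",1)`.
    Returns None for hostchains the query would filter out."""
    if "collector-" not in hostchain:
        return None
    parts = hostchain.split("-")
    return parts[1] if len(parts) > 1 and parts[1] else None


def last_seen(events):
    """Map each collector_id to the timestamp of its most recent event."""
    seen = {}
    for ts, hostchain in events:
        cid = collector_id(hostchain)
        if cid is None:
            continue
        if cid not in seen or ts > seen[cid]:
            seen[cid] = ts
    return seen


def inactive_collectors(events, now, window):
    """Collector ids with no event inside the inactivity window (what the alert fires on)."""
    return sorted(cid for cid, ts in last_seen(events).items() if now - ts > window)


def _t(hh, mm):
    return datetime(2025, 2, 11, hh, mm, tzinfo=timezone.utc)


# Constructed sample events: (eventdate, hostchain). 'relay-...' is not a collector.
SAMPLE_EVENTS = [
    (_t(11, 10), "collector-a1f3-azure-eh-eastus"),
    (_t(11, 15), "collector-b2c4-azure-eh-westeurope"),
    (_t(11, 20), "collector-b2c4-azure-eh-westeurope"),
    (_t(11, 30), "relay-europe-1"),
    (_t(11, 50), "collector-c3d5-azure-eh-eastus"),
    (_t(11, 58), "collector-a1f3-azure-eh-eastus"),
]
NOW = _t(12, 0)
WINDOW = timedelta(minutes=15)

if __name__ == "__main__":
    # b2c4 last reported at 11:20, 40 minutes before NOW, so it is the only one flagged.
    print(inactive_collectors(SAMPLE_EVENTS, NOW, WINDOW))
```

Pick the window from the cadence of the real source: Entra ID diagnostic logs can legitimately be quiet for several minutes, so a window shorter than that produces false alerts rather than a useful signal.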
