Skip to end of metadata
Go to start of metadata

You are viewing an old version of this content. View the current version.

Compare with Current View Version History

« Previous Version 24 Next »

Purpose

An analyst wants to detect unauthorized changes in Azure or Entra ID.  Using the Azure Event Hub collector to send identity and access logs to Devo, the analyst will find privilege escalation events.  As a result, the analyst will remove malicious accounts, preventing them from disabling or modifying Azure resources.

The Azure Event Hub collector brings data to Devo:

  • Azure Monitor, which includes auditing, metrics, and logs of all Azure cloud computing services.

  • Entra ID, which includes authentication and role threats.

  • Any other kind of string or byte data, which can be sent using a simple script.

Example tables

Table

Description

cloud.azure

Data from Event Hubs, VM Metrics, Entra ID, and other sources.

cloud.azure.service.type

For most Azure services, there is a separate table for each type of log associated with that service.

cloud.azure.ad.*

Entra ID identity and access management logs.

cloud.azure.ad.signin_all

This union table combines all the different Entra ID authentication logs.

auth.all

Authentication logs, including Entra ID and Azure SQL authentication.

web.all.access

Web activity, including Azure Application Gateway.

firewall.all.traffic

Firewall activity, including Azure Firewall

network.dns

DNS activity, including Azure Firewall DNS Proxy.

Authorize It

To perform the authorization, the Entra Security Administrator role is required.

Items required before authorizing an Event Hub:

  • Subscription containing your Azure resources.

  • Resource group containing your Azure resources.

  • Name of the region containing Azure resources. Example: East US

  • Entra directory.

If you have more than one set of these items, then authorize an Event Hub for each set.

Items created or used during the authorization process:

  1. In Azure Portal, search for Entra ID.

    image-20250206-182248.png

  2. Click App registrations in the left menu and click new registration

    image-20250206-182408.png

  3. Register the application

  4. Search for the Event Hubs service and click on it. 

    image-20250206-195245.png

  5. Click Create.

    image-20250206-195421.png

  6. Select the subscription and resource group corresponding to the resources that must be monitored.

  7. Enter a name.

  8. In the Location field, select the region containing the resources that must be monitored.

  9. To capture Blob or Data Lake, see How Event Hubs Capture is charged to select a tier. Otherwise, select the cheapest tier and one throughput unit. If you need more resources, they can be added later.

    image-20250206-200043.png

  10. Select “Review+Create,” then “Create.”

  11. Return to Event Hubs and open the namespace created in the previous steps.

    image-20250206-200452.png

  12. Select Access control (IAM) in the left menu, click Add, and click Add Access Role Assignment.

    image-20250206-211925.png

  13. Search for the Azure Event Hubs Data Receiver role and select it and then click Next.

    image-20250206-212040.png

  14. Click Select members and search for the previously created App registration.

  15. Select the Application by clicking its name.

  16. Once the application is already listed as a selected member, click Select.

    image-20250206-214343.png

  17. Click Review + Assign.

  18. In the namespace, Create a shared access policy for sending data to the event hub.

    image-20250211-222119.png

  19. Create a second shared access policy for listening to the event hub.

    image-20250211-222210.png

  20. Open the listen policy and copy the primary connection string.

    image-20250211-222044.png

  21. Search for and select the Monitor service.

    image-20250206-214520.png

  22. Click the Diagnostic Settings option in the left area.

An Azure account may have thousands of resources which need diagnostic settings configured. If manually enabling the diagnostic settings is inconvenient, use PowerShell to create a policy.

  1. Select a resource.

    image-20250206-215233.png

  2. Add diagnostic setting.

    image-20250206-215402.png

  3. Name the diagnostic setting.

  4. Enable metrics and logs. The options will vary.

  5. Enable “Stream to an event hub.”

  6. Select the namespace, hub, and policy you created.

    image-20250206-223615.png

  7. Click Save.

  8. Open Entra.

  9. Switch to the directory.

    image-20250211-222523.png

  10. Add your Entra ID diagnostic settings. Devo recommends enabling all log options.

  11. If it is necessary to monitor resources that have not been created yet, create a policy in PowerShell.

Run It

In the Cloud Collector App, create an Azure Collector instance using this parameters template, replacing the values enclosed in < >. The region name for each event hub will be logged in the region field of cloud.azure. It is not required to be your Azure region.

{
  "inputs": {
    "azure_event_hub": {
      "enabled": true,
      "id": "<UNIQUE VALUE>",
      "services": {
        "event_hubs": {
          "queues": {
            "<REGION>": {
              "consumer_group": "$Default",
              "event_hub_connection_string": "<CONNECTION STRING>",
              "event_hub_name": "<EVENT HUB>",
              "namespace": "<NAMESPACE OF EVENT HUB>"
            }
          }
        }
      }
    }
  }
}

To check if your collector has been enabled successfully, validate it.

Secure It

Devo Exchange provides an Azure alert pack. The Authentication alert pack works with Entra ID data. The Collective Defense alert pack works with Azure Application Gateway and Azure Firewall. The DNS alert pack works with Azure Firewall DNS proxy.

Entra ID

Find privilege escalation, including roles, groups, and administrative units. Unexpected privilege escalation may indicate a user intends to exfiltrate or destroy data.

from cloud.azure.ad.audit 
where startswith(operationName,"Add"), toktains(operationName,"member to")
group by operationName as escalation_type, 
properties_initiatedBy_user_displayName as actor, 
properties_targetResources as target

A password reset or change may occur when an account is compromised.

from cloud.azure.ad.audit 
where eq(operationName,"User started password reset") or 
(weakhas(operationName,"change") and has(operationName,"password")) or 
startswith(operationName,"Reset password")

Get authentication risks detected by Microsoft.

from cloud.azure.ad.signin_all 
where not eq(risk_state,"none"), isnotnull(risk_state) 
group by user, risk_state, risk_detail

Azure Storage

IP address 1.1.1.1 has been identified as an indicator of compromise. Identify storage actions taken by this IP to determine how many storage resources have been modified. Use the results to assess if the IP should be blocked.

from cloud.azure.storage.administrative
where eq(callerIpAddress,1.1.1.1)
group by operationName 
select length(collectdistinct(resourceId)) as resources

Azure App Service

Malicious principals have been stopping applications. Before reenabling the applications, identify the principals and revoke their access so they cannot stop the applications again.

from cloud.azure.appservice.administrative
where eq(operationName,"MICROSOFT.WEB/SITES/STOP/ACTION")
group by identity__authorization__evidence__principalId as principal, resultType
select length(collectdistinct(resourceId)) as applications_stopped

Monitor It

Create an inactivity alert to detect interruptions of transfer of data from the source to the SQS queue using the query

from cloud.azure
where toktains(hostchain,"collector-") 
select split(hostchain,"-",1) as collector_id

Set the inactivity alert to keep track of the collector_id.

Select values of the product field can also be monitored for inactivity.

  • No labels