Purpose
An analyst wants to detect unauthorized changes in Azure or Entra ID. Using the Azure Event Hub collector to send identity and access logs to Devo, the analyst will find privilege escalation events. As a result, the analyst will remove malicious accounts, preventing them from disabling or modifying Azure resources.
The Azure Event Hub collector gets data from:
Azure Monitor, which includes auditing, metrics, and logs of all Azure cloud computing services.
Entra ID, which includes authentication and role threats.
Any other kind of string data, which can be sent using a simple script.
Example tables
Table | Description |
|---|---|
Data from Event Hubs, VM Metrics, Entra ID, and other sources. | |
cloud.azure.service.type | For most Azure services, there is a separate table for each type of log associated with that service. |
cloud.azure.ad.* | Entra ID identity and access management logs. |
cloud.azure.ad.signin_all | This union table combines all the different Entra ID authentication logs. |
Authentication logs, including Entra ID and Azure SQL authentication. | |
Web activity, including Azure Application Gateway. | |
Firewall activity, including Azure Firewall | |
DNS activity, including Azure Firewall DNS Proxy. |
Authorize It
To perform the authorization, the Entra Security Administrator role is required.
Items required before authorizing an Event Hub:
Subscription containing your Azure resources.
Resource group containing your Azure resources.
Name of the region containing Azure resources. Example: East US
Entra directory.
If you have more than one set of these items, then authorize an Event Hub for each set.
Items created or used during the authorization process:
Event hub namespace
Event hub policy
In Azure Portal, search for Entra ID.
Click App registrations in the left menu and click new registration
Register the application
Search for the Event Hubs service and click on it.
Click Create.
Select the subscription and resource group corresponding to the resources that must be monitored.
Enter a name.
In the Location field, select the region containing the resources that must be monitored.
To capture Blob or Data Lake, see How Event Hubs Capture is charged to select a tier. Otherwise, select the cheapest tier and one throughput unit. If you need more resources, they can be added later.
Select “Review+Create,” then “Create.”
Return to Event Hubs and open the namespace created in the previous steps.
Select Access control (IAM) in the left menu, click Add, and click Add Access Role Assignment.
Search for the Azure Event Hubs Data Receiver role and select it and then click Next.
Click Select members and search for the previously created App registration.
Select the Application by clicking its name.
Once the application is already listed as a selected member, click Select.
Click Review + Assign.
In the namespace, Create a shared access policy for sending data to the event hub.
Create a second shared access policy for listening to the event hub.
Open the listen policy and copy the primary connection string.
Send Data
Enable Monitor to get audit, reliability, metrics, and Microsoft recommendation data.
Enable Entra ID to get authentication data.
Use an SDK to send data from your custom applications.
Use HTTPs.
Run It
In the Cloud Collector App, create an Azure Collector instance using this parameters template, replacing the values enclosed in < >. The region name for each event hub will be logged in the region field of cloud.azure. It is not required to be your Azure region.
{
"inputs": {
"azure_event_hub": {
"enabled": true,
"id": "<UNIQUE VALUE>",
"services": {
"event_hubs": {
"queues": {
"<REGION>": {
"consumer_group": "$Default",
"event_hub_connection_string": "<CONNECTION STRING>",
"event_hub_name": "<EVENT HUB>",
"namespace": "<NAMESPACE OF EVENT HUB>"
}
}
}
}
}
}
}
To check if your collector has been enabled successfully, validate it.
Secure It
Devo Exchange provides an Azure alert pack. The Authentication alert pack works with Entra ID data. The Collective Defense alert pack works with Azure Application Gateway and Azure Firewall. The DNS alert pack works with Azure Firewall DNS proxy.
Entra ID
See Entra ID collector.
Azure Storage
IP address 1.1.1.1 has been identified as an indicator of compromise. Identify storage actions taken by this IP to determine how many storage resources have been modified. Use the results to assess if the IP should be blocked.
from cloud.azure.storage.administrative where eq(callerIpAddress,1.1.1.1) group by operationName select length(collectdistinct(resourceId)) as resources
Azure App Service
Malicious principals have been stopping applications. Before reenabling the applications, identify the principals and revoke their access so they cannot stop the applications again.
from cloud.azure.appservice.administrative where eq(operationName,"MICROSOFT.WEB/SITES/STOP/ACTION") group by identity__authorization__evidence__principalId as principal, resultType select length(collectdistinct(resourceId)) as applications_stopped
Monitor It
Create an inactivity alert to detect interruptions of transfer of data from the source to the event hub using the query
from cloud.azure where toktains(hostchain,"collector-") select split(hostchain,"-",1) as collector_id
Set the inactivity alert to keep track of the collector_id.
Select values of the product field can also be monitored for inactivity.