Azure Event Hub collector
- Laszlo Frazer
Purpose
An analyst wants to detect unauthorized changes in Azure or Entra ID. Using the Azure Event Hub collector to send identity and access logs to Devo, the analyst will find privilege escalation events. As a result, the analyst will remove malicious accounts, preventing them from disabling or modifying Azure resources.
The Azure Event Hub collector gets data from:
Azure Monitor, which includes auditing, metrics, and logs of all Azure cloud computing services.
Entra ID, which includes authentication and role threats.
Any other kind of JSON data, which can be sent using a simple script.
Example tables
Table | Description |
|---|---|
Data from Event Hubs, VM Metrics, Entra ID, and other sources. | |
cloud.azure.service.type | For most Azure services, there is a separate table for each type of log associated with that service. |
Entra ID identity and access management logs. | |
cloud.azure.ad.signin_all | This union table combines all the different Entra ID authentication logs. |
cloud.azure.ah.alert_info | Alerts for threats impacting Microsoft services with intelligence from Advanced Hunting. |
Authentication logs, including Entra ID and Azure SQL authentication. | |
Web activity, including Azure Application Gateway. | |
Firewall activity, including Azure Firewall. | |
DNS activity, including Azure Firewall DNS Proxy. |
Authorize It
It will take several hours to configure Azure.
To perform the authorization, the Entra Security Administrator role is required.
Items required before authorizing an Event Hub:
Subscription containing your Azure resources.
Resource group containing your Azure resources.
Name of the region containing Azure resources. Example: East US
Entra directory.
If you have more than one set of these items, then authorize an Event Hub for each set.
Items created or used during the authorization process:
Event hub namespace
Event hub policy
In Azure Portal, search for the Event Hubs service and click on it.
Click Create to add a namespace.
Select the subscription and resource group corresponding to the resources that must be monitored.
Enter a name.
In the Location field, select the region containing the resources that must be monitored.
To capture Blob or Data Lake, see How Event Hubs Capture is charged to select a tier. Otherwise, select the cheapest tier and one throughput unit. If you need more resources, they can be added later.
Select “Review+Create,” then “Create.”
Return to Event Hubs and open the namespace created in the previous steps.
In the namespace, create a shared access policy for sending data to the event hub.
Create a second shared access policy for listening to the event hub.
Open the listen policy and copy the primary connection string.
Go to Overview and add an event hub.
Name the event hub.
Select 32 partitions.
Set the retention time to the maximum.
Review + Create and then Create.
Return to the event hub and check the list of consumer groups. The Devo collector must have a dedicated consumer group. Devo recommends using the
$Defaultconsumer group for the collector without allowing other entities to use the event hub. If the consumer group is shared with other entities, data will be lost.
Send Data
Enable Monitor to get audit, reliability, metrics, and Microsoft recommendation data.
Enable Entra ID to get authentication data.
Query your Defender endpoint data with Advanced Hunting and send the results.
Use an SDK to send JSON data from your custom applications.
Use HTTPs to send JSON data.
Run It
In the Cloud Collector App, create an Azure Collector instance. Remove the default collector parameters and insert this parameters template, replacing the values enclosed in < >. The <REGION> for each event hub will be logged in the region field of cloud.azure. It is not required to be your Azure region. Only alphanumeric regions are supported. The id must be five digits.
{
"inputs": {
"azure_event_hub": {
"enabled": true,
"id": "<5 UNIQUE DIGITS>",
"services": {
"event_hubs": {
"queues": {
"<REGION>": {
"consumer_group": "$Default",
"event_hub_connection_string": "<CONNECTION STRING>",
"event_hub_name": "<EVENT HUB>",
"namespace": "<NAMESPACE OF EVENT HUB>"
}
}
}
}
}
}
}
For each event hub, the consumer group should only be used by one collector. If the consumer group is shared with other entities, data will be lost. To check if your collector has been enabled successfully, validate it.
Secure It
Devo Exchange provides an Azure alert pack. The Authentication alert pack works with Entra ID data. The Collective Defense alert pack works with Azure Application Gateway and Azure Firewall. The DNS alert pack works with Azure Firewall DNS proxy.
Entra ID
See Entra ID collector.
Azure Storage
IP address 1.1.1.1 has been identified as an indicator of compromise. Identify storage actions taken by this IP to determine how many storage resources have been modified. Use the results to assess if the IP should be blocked.
from cloud.azure.storage.administrative
where eq(callerIpAddress,1.1.1.1)
group by operationName
select length(collectdistinct(resourceId)) as resourcesAzure App Service
Malicious principals have been stopping applications. Before reenabling the applications, identify the principals and revoke their access so they cannot stop the applications again.
from cloud.azure.appservice.administrative
where eq(operationName,"MICROSOFT.WEB/SITES/STOP/ACTION")
group by identity__authorization__evidence__principalId as principal, resultType
select length(collectdistinct(resourceId)) as applications_stoppedMonitor It
Create an inactivity alert to detect interruptions of transfer of data from the source to the event hub using the query
from cloud.azure
where toktains(hostchain,"collector-")
select split(hostchain,"-",1) as collector_idSet the inactivity alert to keep track of the collector_id.
Select values of the product field can also be monitored for inactivity.