
Microsoft Azure Event Hub

Azure Integration With Blumira’s Cloud SIEM

Microsoft Azure Event Hubs is a real-time data streaming and event ingestion service that integrates across the Microsoft Azure platform.

Blumira integrates with Microsoft Azure Event Hub to stream Azure cloud security event logs and alerts to the Blumira service for threat detection, alerting and actionable response.

Configuring Azure Event Hubs for Azure AD & Azure Monitor

Required Blumira Module: Microsoft Azure Event Hub

Configuring an Event Hub Namespace

  1. Go to https://portal.azure.com/ and log in.
  2. Add Event Hubs to favorites (if not already): All Services -> Search for Event Hubs, click Star.
  3. Click on “Event Hubs” (in left-most menu), then on the “+ Add” button.
  4. Create a Resource Group if you do not already have an appropriate group, or, select an existing Resource Group.
  5. Choose an event hub namespace name. (It can only contain letters, numbers, and hyphens).
  6. Select the Location and Pricing tier you want to use. This will largely depend on your organization and its size and cost tolerance.
  7. If desired, add Availability Zone features and Tags, click Review + Create.

Click on the Event Hub you just created once Azure is done with the creation process.

  1. Click “Shared access policies” (in second-left-most menu).
  2. Click “+ Add” to add a new policy.
  3. Choose a name, such as “ReadOnlyAccessKey”.
  4. Check only the Listen check box.
  5. Click Create button.
  6. Click on the policy you just created. Make a note of the “Connection string–primary key” field for later use. This connection string is a credential: anyone holding it can read every log that lands in the namespace, so store it in a secrets manager rather than in a ticket or chat message. It is the only key the Blumira sensor needs; do not hand the sensor the RootManageSharedAccessKey connection string.
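The connection string noted in the last step is what the sensor turns into a Shared Access Signature (SAS) token every time it connects. The following added example (not Blumira's or Microsoft's code) parses a constructed connection string in the same shape as the portal field, refuses the namespace root key so that only the Listen policy created above is accepted, and mints and verifies an Event Hubs SAS token. The namespace, policy name, key and hub name are made up for the example.

```python
"""Parse an Event Hubs connection string, enforce a Listen-only policy, mint a SAS token."""
import base64
import hashlib
import hmac
import time
import urllib.parse

# Constructed sample in the shape of the portal's "Connection string-primary key"
# field for a namespace-level policy. The key below is not a real secret.
SAMPLE_CONNECTION_STRING = (
    "Endpoint=sb://example-ns.servicebus.windows.net/;"
    "SharedAccessKeyName=ReadOnlyAccessKey;"
    "SharedAccessKey=bm90LWEtcmVhbC1rZXktanVzdC1hLXNhbXBsZQ=="
)


def parse_connection_string(conn):
    """Split 'k=v;k=v' into a dict and require the three fields a consumer needs."""
    parts = {}
    for field in conn.strip().split(";"):
        if field:
            key, _, value = field.partition("=")
            parts[key] = value
    required = ("Endpoint", "SharedAccessKeyName", "SharedAccessKey")
    missing = [k for k in required if k not in parts]
    if missing:
        raise ValueError("connection string is missing %s" % missing)
    return parts


def check_least_privilege(parts):
    """A log consumer only needs Listen; the namespace root key also grants Manage and Send."""
    name = parts["SharedAccessKeyName"]
    if name == "RootManageSharedAccessKey":
        return False, "RootManageSharedAccessKey grants Manage, Send and Listen; use a Listen-only policy"
    return True, "policy %r accepted" % name


def _resource_uri(parts, hub):
    # sb://ns.servicebus.windows.net/ -> https://ns.servicebus.windows.net/<hub>
    host = parts["Endpoint"].split("://", 1)[1].strip("/")
    return "https://%s/%s" % (host, hub)


def make_sas_token(parts, hub, ttl_seconds=3600, now=None):
    """Event Hubs SAS: sig = base64(HMAC-SHA256(key, urlencode(sr) + '\\n' + se))."""
    expiry = (int(time.time()) if now is None else now) + ttl_seconds
    sr = urllib.parse.quote_plus(_resource_uri(parts, hub))
    string_to_sign = ("%s\n%d" % (sr, expiry)).encode("utf-8")
    digest = hmac.new(parts["SharedAccessKey"].encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    sig = urllib.parse.quote_plus(base64.b64encode(digest).decode("ascii"))
    return "SharedAccessSignature sr=%s&sig=%s&se=%d&skn=%s" % (sr, sig, expiry, parts["SharedAccessKeyName"])


def verify_sas_token(token, key, now):
    """Recompute the signature as the service does. Anyone holding the key can do this,
    which is why the connection string itself must be treated as a secret."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    fields = dict(urllib.parse.parse_qsl(token[len(prefix):]))
    try:
        expiry = int(fields["se"])
        sr = urllib.parse.quote_plus(fields["sr"])
        presented = base64.b64decode(fields["sig"])
    except (KeyError, ValueError):
        return False
    if expiry <= now:
        return False  # expired tokens are rejected even when the signature is valid
    expected = hmac.new(key.encode("utf-8"), ("%s\n%d" % (sr, expiry)).encode("utf-8"), hashlib.sha256).digest()
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    cfg = parse_connection_string(SAMPLE_CONNECTION_STRING)
    ok, why = check_least_privilege(cfg)
    print(why)
    token = make_sas_token(cfg, "blumira-log-stream", ttl_seconds=600)
    print(token)
    print("verifies:", verify_sas_token(token, cfg["SharedAccessKey"], int(time.time())))
```

If a connection string for RootManageSharedAccessKey is pasted in, `check_least_privilege` fails closed; that is the check worth wiring into whatever provisioning script or vault policy hands the string to the sensor.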

Configuring an Event Hub

Note that this step is not required for all types of logs. Some log sources automatically create their own event hub within the namespace you created above. Blumira recommends creating an Event Hub for the sake of clarity.

  1. In the Azure portal, click on “Event Hubs” (in left-most menu).
  2. Click on the event hub namespace you want to use for Blumira logs.
  3. Click “Event Hubs” (in the second-left-most menu).
  4. Click “+ Event Hub” to add a new event hub.
  5. Choose an event hub name like blumira-log-stream. (It can only contain letters, numbers, periods, hyphens, and underscores.)
  6. Leave all other settings at their defaults and click Create.

Configure Azure to Send Logs to an Event Hub

Azure Monitor

Note: Azure Monitor creates its own event hub called “insights-operational-logs”. You must still create an event hub namespace, but can skip creating an event hub.

  1. Go to https://portal.azure.com/ and log in.
  2. Click All Services, then on Subscriptions.
  3. Click on the Azure subscription you want to monitor.
  4. Click on “Resource providers”.
  5. Search for Microsoft.Insights, click on that, then click Register (button at the top).
    1. It may already be registered, if so, move onto the next step.
  6. Back in the Azure subscription that you selected in step 3, click on Monitor, then Activity Log.
  7. Click on Diagnostics Settings

  • Ensure that the correct Subscription is selected at the top of the page.
  • Click Add Diagnostic Setting
    1. Select all Log types under Category details
    2. Select Stream to an event hub
    3. Select the Subscription and namespace that the event hub is in if not prefilled
    4. Select the Event hub name, e.g., blumira-log-stream, that you made previously
    5. Select the RootManageSharedAccessKey policy (this is the policy Azure Monitor uses to write into the hub; the Blumira sensor still connects with the Listen-only policy you created earlier)
    6. Click Save at the top

  • You are now forwarding all Azure Monitor activity logs out of your Azure environment to the event hub.

Azure AD

Note: Azure AD can optionally create its own event hub called “insights-logs-audit”.  If you prefer to use a different event hub, you must create it first using the procedure above.

  1. Go to https://aad.portal.azure.com and log in.
  2. Click on Azure Active Directory
  3. Click on Audit Logs (in monitoring section of left menu)
  4. Scroll down the left menu and click on Add Diagnostics Setting
  5. Enter a name for this setting, such as “Blumira events”
  6. Check “Stream to an event hub”.
  7. Click Event hub Configure.
  8. Select your event hub namespace
  9. Select your event hub that you previously identified (or use default “insights-logs-audit”)
  10. Use policy RootManageSharedAccessKey.
  11. Click OK to save event hub configuration.
  12. Check “AuditLogs” and “SignInLogs”, depending on what kinds of logs you want Blumira to receive.  Blumira strongly recommends selecting both types of logs whenever possible.
  13. Click Save (at top)
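Both diagnostic settings above write batches of records into the hub as a JSON envelope of the form `{"records": [...]}`, and each record carries a `category` (for example `SignInLogs` and `AuditLogs` from Azure AD, `Administrative` from the Activity Log). The following added example (not Blumira's code) consumes a few constructed message bodies in that shape, tolerates a malformed message, counts records per category, and flags a source IP that fails sign-ins for several distinct accounts, which is the kind of detection the streamed logs enable. The field values, IPs and user names are invented for the example.

```python
"""Consume Azure diagnostic-setting envelopes from an event hub and run a simple detection."""
import json
from collections import Counter, defaultdict

# Constructed sample message bodies in the {"records": [...]} envelope shape.
# Every value is made up; resultType "0" is a successful sign-in, anything else a failure.
SAMPLE_MESSAGES = [
    json.dumps({"records": [
        {"time": "2024-03-01T10:00:01Z", "category": "SignInLogs", "resultType": "50126",
         "properties": {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.7"}},
        {"time": "2024-03-01T10:00:03Z", "category": "SignInLogs", "resultType": "50126",
         "properties": {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.7"}},
        {"time": "2024-03-01T10:00:05Z", "category": "SignInLogs", "resultType": "50126",
         "properties": {"userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.7"}},
        {"time": "2024-03-01T10:00:09Z", "category": "SignInLogs", "resultType": "0",
         "properties": {"userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.4"}},
        {"time": "2024-03-01T10:01:00Z", "category": "AuditLogs",
         "operationName": "Add member to role", "resultType": "Success"},
    ]}),
    json.dumps({"records": [
        {"time": "2024-03-01T10:02:00Z", "category": "Administrative",
         "operationName": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE", "resultType": "Success"},
    ]}),
    "not json at all",          # a truncated or poisoned message must not stop the consumer
    json.dumps({"unexpected": 1}),  # valid JSON but not the envelope we expect
]


def iter_records(messages):
    """Yield individual records from message bodies, skipping anything malformed."""
    for body in messages:
        try:
            envelope = json.loads(body)
        except (json.JSONDecodeError, TypeError):
            continue
        records = envelope.get("records") if isinstance(envelope, dict) else None
        if not isinstance(records, list):
            continue
        for rec in records:
            if isinstance(rec, dict):
                yield rec


def summarize(messages, spray_threshold=3):
    """Count records per category and flag IPs that failed sign-ins for many distinct users."""
    by_category = Counter()
    failed_users_by_ip = defaultdict(set)
    for rec in iter_records(messages):
        category = rec.get("category", "unknown")
        by_category[category] += 1
        if category == "SignInLogs" and rec.get("resultType") != "0":
            props = rec.get("properties") or {}
            failed_users_by_ip[props.get("ipAddress", "?")].add(props.get("userPrincipalName", "?"))
    spray_sources = sorted(ip for ip, users in failed_users_by_ip.items() if len(users) >= spray_threshold)
    return {"by_category": dict(by_category), "spray_sources": spray_sources}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_MESSAGES), indent=2))
```

The threshold is deliberately a parameter: one failed login per account from one address across three accounts is the shape of a password spray, and tuning it against your own baseline is part of turning the stream into alerts rather than noise.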

Configuring Blumira to Fetch Logs From the Event Hub

  1. Log in to app.blumira.com
  2. Go to Infrastructure / Sensors
  3. Click on the sensor that will poll the event hub for logs.
  4. Scroll down to the Modules section and click Add Module.
  5. Choose Microsoft Azure Event Hub Module
  6. Enter in the parameters you noted down while configuring the Event Hub.
  7. Click Install.