fbpx
Back Arrow Back to All Integrations

Azure AD Event Hubs

Azure AD Event Hubs

Azure Integration With Blumira’s Cloud SIEM

Click here for the most updated version of this documentation.

 

Microsoft Event Hub is a real-time logging and data ingestion service with integration across the Microsoft Azure platform.

 

Blumira integrates with Microsoft Azure Event Hub to stream Azure cloud security event logs and alerts to the Blumira service for threat detection, alerting and actionable response.

 

Sign Up For Your Free Account Today

Get your free account with Blumira and secure your Microsoft 365 environment in minutes. No credit card required.

 

Free Trial

Integrating with Microsoft Azure Event Hubs

Overview

Microsoft Event Hubs is a real-time logging and data ingestion service with integration across the Microsoft Azure platform.

Blumira integrates with Microsoft Azure Event Hubs to stream Azure cloud security event logs and alerts to the Blumira service for threat detection, alerting and actionable response. Azure Event Hub can also be used with Blumira to collect Microsoft Defender data.

Before you begin

Before making changes in Blumira, you will need to complete the following:

  • Configuring Azure
    • Set up an Event Hub Namespace
    • Set up an Event Hub
    • Gather these Event Hub credentials:
      • Connection string-primary key
      • Event Hub Name
  • Sending logs to an Event Hub
    • Start sending logs from Azure Monitor to an event hub
    • Start sending logs from Azure AD to an event hub

Configuring Azure

We provide two methods below to set up and gather credentials for your Azure Event Hub. Choose one of the following methods:

Running a script to create and obtain Event Hub credentials

You can use a script to set up an Event Hub and obtain the Event Hub credentials string and namespace. The pre-requisites and limitations of using the script include:

  • This script must be run from a Bash shell with Azure CLI installed locally or through Azure Cloud Shell using Bash, which is our recommended method.
  • This script only works with one Azure subscription at a time. If you have multiple subscriptions you will need to run it within each subscription.
  • This script only works with your Azure subscription and does not integrate with Azure AD, Defender for Endpoint (Intune), or Defender. Those products are not included in your Azure subscription.

Preparing a Cloud Shell

  1. In Azure, launch Cloud Shell from the top navigation of the portal.
    Screen Shot 2022-07-26 at 2.10.01 PM.png
  2. If this is the first time you are using Cloud Shell, you will be prompted to select Bash or Powershell.
  3. Click Create storage.
  4. (Optional) If you need a specialized or custom storage account, click Show advanced settings to customize the Cloud Shell configuration.
    Screen Shot 2022-07-26 at 2.58.11 PM.png
  5. Wait for the Cloud Shell to show “Succeeded” and verify that you are in the Bash environment (that Bash is selected in the environment dropdown in the left-hand side of the shell window) before proceeding with the steps below.
    Screen Shot 2022-07-26 at 2.15.15 PM.png

Running the script

  1. In the Cloud Shell window run this command:
    git clone https://github.com/Blumira/AzBluMon.git
    Screen Shot 2022-07-29 at 9.22.18 AM.png
  2. After the successful clone, run the following separate commands:
    cd ./AzBluMon
    chmod +x ./AzBluMon.azcli
    ./AzBluMon.azcli
  3. After the prompt What is your subscription ID?, paste your subscription ID into the command line.
    Note: The prompt also includes a link to help you find your subscription ID. If you have multiple subscriptions you will need to run this script separately for each subscription. Do not enter more than one subscription ID.
    Screen Shot 2022-07-26 at 2.28.46 PM.png
  4. Press the Enter key.
  5. After the prompt Where are the majority of your resources located?, type your region code. This is used to create the Event Hub namespace.
    Note: Determine your Azure region code by referring to the Name column of the table provided in Current Azure Region Names – Reference. For this integration, consider the region as the place where most of your resources are located.
  6. Press the Enter key.
  7. After the prompt What would you like to name your Event Hub Namespace?, type the name you want for your namespace.
    Note: You must provide a unique name for your namespace. No spaces are allowed.
  8. Press the Enter key.
  9. Copy the primary connection string and the Event Hub Name for use in the final steps of the integration: Providing your Event Hub credentials to Blumira.
  10. Skip to Sending logs from Azure AD.

Manually configuring in Azure and obtaining credentials

Manually configuring an Event Hub Namespace

  1. Go to https://portal.azure.com/ and log in.
  2. Click Event Hubs.
  3. Click Add.
  4. On the Basics screen, under Project Details, complete the following fields:
    • Select a Resource Group (or click Create New to add a new resource group option).
    • Type an event hub namespace name (example: Blumiralogs).
    • Select the Location and Pricing tier you want to use.
  5. (optional) Add Availability Zone Features and Tags.
  6. Click Review + Create.

Screen_Shot_2022-03-17_at_12.56.03_PM.png

After Azure is done with the creation process, perform these steps:

  1. Click on the event hub you just created.
  2. Click Shared access policies.
  3. Click + Add to add a new policy.
  4. Type a name, such as ReadOnlyAccessKey.
  5. Select the Listen check box.
  6. Click Create.
  7. In the Shared access policies list, click on the policy you just created.
  8. In the policy’s detail window, copy and save the Connection string-primary key for use in later steps.

Configuring an Event Hub

Note: this step is not required for all types of logs. Some log sources automatically create their own event hub within the namespace you created above. Blumira recommends creating an Event Hub to provide clarity in your configurations, including when integrating Blumira with Microsoft Defender.

  1. In the Azure portal, click Event Hubs.
  2. Click on the event hub namespace you want to use for Blumira logs.
  3. Click Event Hubs
  4. Click + Event Hub to add a new event hub.
  5. Type an event hub name (example: blumira-log-stream).
  6. Select Create.

Screen_Shot_2022-03-17_at_1.29.27_PM.png

Sending Logs to an Event Hub

Sending logs from Azure Monitor

Note: If you used a scriptAzure Monitor creates its own event hub called “insights-operational-logs”. You must still create an event hub namespace, but can skip creating an event hub.

  1. Go to https://portal.azure.com/ and log in.
  2. Navigate to All Services > Subscriptions.
  3. Select the Azure subscription you want to monitor.
  4. Click Resource providers.
  5. Search for and select Microsoft.Insights.
  6. Click Register. (If already registered, move on to next the step.)
  7. Back in the Azure subscription that you selected in step 3, click on Monitor, then Activity Log.
  8. Click on Diagnostics Settings.
  9. Click Add Diagnostic Setting and complete these steps:
    • In Category details, select all Log types.
    • Select Stream to an event hub.
    • Select or verify (if pre-filled) the event hub’s Subscription and namespace.
    • Select the Event Hub Name (i.e., blumira-log-stream).
    • Select the RootManageSharedAccessKey policy.
    • Click Save. 

Sending logs from Azure AD

Note: Azure AD can optionally create its own event hub called “insights-logs-audit”.  If you prefer to use a different event hub, you must create it first using the procedure above.

  1. Go to https://aad.portal.azure.com and log in.
  2. Click on Azure Active Directory
  3. Click on Audit Logs (in monitoring section of left menu)
  4. Scroll down the left menu and click on Add Diagnostics Setting
  5. Enter a name for this setting, such as “Blumira events
  6. Check “Stream to an event hub“.
  7. Click Event hub Configure.
  8. Select your event hub namespace.
  9. Select your event hub that you previously identified (or use default “insights-logs-audit”).
  10. Use policy RootManageSharedAccessKey.
  11. Click OK to save event hub configuration.
  12. Select the check box for all log categories that you see (AuditLogs, SignInLogs, etc). Categories will appear based on your MS licensing level.
  13. Click Save (at top)

Providing your Event Hub credentials to Blumira

To add a module on an existing sensor and provide credentials:

  1. In Blumira, click Settings.
  2. Click Sensors.
  3. Click the sensor on which you want to add a module.
  4. On the detail page for the sensor, scroll down and click Add Module.
  5. In the Add New Module window, select the newest version of this integration’s module. Note: For the best stability and performance, Blumira will update the module version when old versions are deprecated.
  6. Enter the credentials that you gathered in the “Before you begin” section above.
  7. (Optional) Type a name for this log deployment in the Log Source Name box. This name is what will appear in the “device_address” column in the results of your event data queries. If you might have additional modules collect logs for different integrations in the future, this will help you distinguish them. Note: The name can only contain alphanumeric characters, periods, and hyphens; no spaces or underscores are allowed.
  8. Click Install.

 

Firewall port requirements

If you filter your outbound traffic, you need to allow the following ports for Event Hubs communication and authentication:

  • TCP/443
  • TCP/5671
  • TCP/5672