Microsoft Azure Event Hubs is a real-time logging and data ingestion service with integration across the Microsoft Azure platform.
Blumira integrates with Microsoft Azure Event Hubs to stream Azure cloud security event logs and alerts to the Blumira service for threat detection, alerting, and actionable response.
The Azure Event Hubs integration can also be used to collect logs from Microsoft Intune and Microsoft 365 Defender.
Before you begin
This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.
To connect Azure Event Hubs and send logs to Blumira from your supported data sources, complete the following steps:
Use our automation script or the manual configuration option below to create a namespace and event hub, then gather these credentials for the Blumira sensor module (Step 2):
Configure the Blumira sensor module using the credentials you copied in Step 1.
Start sending logs to Blumira by connecting log sources to your event hub.
Configuring Azure to obtain credentials
We provide two methods below as options to set up and gather credentials for your Azure Event Hub. Choose one of the following methods:
- (Recommended) Running a script to create and obtain Event Hub credentials
- Manually configuring Azure and obtaining credentials
Running a script to create and obtain Event Hub credentials
You can use Blumira's AzBluMon script to automatically set up an event hub and obtain the necessary credentials for the Blumira sensor module. The prerequisites and limitations of using the script include:
- This script must be run from a Bash shell with Azure CLI installed locally or through Azure Cloud Shell using Bash, which is our recommended method.
- This script only works with one Azure subscription at a time. If you have multiple subscriptions you will need to run it within each subscription.
- This script only works with your Azure subscription and does not integrate with Azure AD, Intune, or Defender. Those products are not included in your Azure subscription.
- All the resources you wish to monitor such as Storage Accounts, Network Security Groups, Virtual Networks, etc. need to be in the same region as your Event Hub Namespace. If you are using multiple regions for the resources you wish to monitor you must configure those manually and create a new Event Hub Namespace for those regions.
Note: You can run this script multiple times. When run again, the script will update resource diagnostic settings, if applicable. This will update logging configurations for Azure resources that were not enabled or present during the initial run. It still provides the connection string and event hub name in case you need to make any changes to the module in-app. Usually, updating the module in-app is not required unless your module was deleted between runs.
To prepare a Cloud Shell and run the script:
- In Azure, launch Cloud Shell from the top navigation of the portal.
- If this is the first time you are using Cloud Shell, you will be prompted to select Bash or PowerShell.
- Click Create storage.
- (Optional) If you need a specialized or custom storage account, click Show advanced settings to customize the Cloud Shell configuration.
- Wait for the Cloud Shell to show “Succeeded” and verify that you are in the Bash environment (i.e., that Bash is selected in the environment dropdown in the left-hand side of the shell window) before proceeding with the steps below.
- In the Cloud Shell window run this command:
git clone https://github.com/Blumira/AzBluMon.git
- After the successful clone, run the following separate commands:
chmod +x ./AzBluMon.azcli
- After the prompt What is your subscription ID?, paste your subscription ID into the command line.
Note: The prompt also includes a link to help you find your subscription ID. If you have multiple subscriptions you will need to run this script separately for each subscription. Do not enter more than one subscription ID.
- Press the Enter key.
- After the prompt Where are the majority of your resources located?, type your region code. This is used to create the Event Hub namespace.
Note: Determine your Azure region code by referring to the Name column of the table provided in Current Azure Region Names - Reference. For this integration, consider the region as the place where most of your resources are located.
- Press the Enter key.
- After the prompt What would you like to name your Event Hub Namespace?, type the name you want for your namespace.
Note: You must provide a unique name for your namespace. No spaces are allowed.
- Press the Enter key.
- Copy the primary connection string and the Event Hub Name for use in Providing your Event Hub credentials to Blumira.
- Skip to Sending logs from Azure AD.
Manually configuring Azure and obtaining credentials
Manually configuring an Event Hub Namespace
To manually configure a namespace in Event Hubs:
- Go to https://portal.azure.com/ and log in.
- Click Event Hubs.
- Click Add.
- On the Basics screen, under Project Details, complete the following fields:
- Select a Resource Group (or click Create New to add a new resource group option).
- Type an event hub namespace name (example: Blumiralogs).
- Select the Location and Pricing tier you want to use.
- (Optional) Add Availability Zone Features and Tags.
- Click Review + Create.
Configuring an Event Hub
Note: This step is not required for all types of logs. Some log sources automatically create their own event hub within the namespace you created above. Blumira recommends creating an event hub to provide clarity in your configurations, including when integrating Blumira with Microsoft Defender.
- In the Azure portal, click Event Hubs.
- Click on the event hub namespace you want to use for Blumira logs.
- Click Event Hubs.
- Click + Event Hub to add a new event hub.
- Type an event hub name (example: blumira-log-stream).
- Select Create.
After Azure is done with the creation process, complete these steps:
- Click on the event hub you just created.
- Click Shared access policies.
- Click + Add to add a new policy.
- Type a name, such as ReadOnlyAccessKey.
- Select the Listen check box.
- Click Create.
- In the Shared access policies list, click on the policy you just created.
- In the policy's detail window, copy and save the Connection string-primary key for use in later steps.
Providing your Event Hub credentials to Blumira
The Event Hubs integration requires the Azure Event Hubs sensor module in Blumira, configured with these Event Hub credentials, which you gathered above:
- Connection string-primary key
- Event Hub Name
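As an added example (not Blumira's or Microsoft's code), the following Python check can be run on the copied Connection string-primary key before it is entered in the module. It verifies the string has the fields Azure emits, that the key decodes, that the EntityPath matches the Event Hub Name you will enter alongside it, and that the key comes from a hub-scoped Listen-only policy (such as ReadOnlyAccessKey above) rather than the namespace-wide RootManageSharedAccessKey. The sample string and the hub name blumira-log-stream are constructed here, and the endpoint check assumes the Azure public cloud suffix.

```python
"""Sanity-check an Azure Event Hubs connection string before pasting it into
the Blumira sensor module.  Added example; the connection-string format
(Endpoint=sb://...;SharedAccessKeyName=...;SharedAccessKey=...;EntityPath=...)
is the one shown under "Connection string-primary key" in the portal.
All sample values below are constructed."""
import base64
import binascii
from urllib.parse import urlparse

# Constructed sample: a string copied from a Listen-only policy on the
# event hub "blumira-log-stream" in the namespace "blumiralogs".
SAMPLE_OK = (
    "Endpoint=sb://blumiralogs.servicebus.windows.net/;"
    "SharedAccessKeyName=ReadOnlyAccessKey;"
    "SharedAccessKey=" + base64.b64encode(b"x" * 32).decode() + ";"
    "EntityPath=blumira-log-stream"
)

# Assumption: public-cloud namespaces; sovereign clouds use other suffixes.
PUBLIC_SUFFIX = ".servicebus.windows.net"


def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict.  Base64 keys can end in '=',
    so each segment is split on the first '=' only."""
    fields = {}
    for part in conn.strip().strip(";").split(";"):
        if "=" not in part:
            raise ValueError(f"malformed segment: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def check_connection_string(conn: str, expected_hub: str) -> list:
    """Return a list of findings; an empty list means the string is usable
    for the sensor module together with expected_hub as the Event Hub Name."""
    try:
        f = parse_connection_string(conn)
    except ValueError as exc:
        return [str(exc)]

    findings = [f"missing {name}" for name in
                ("Endpoint", "SharedAccessKeyName", "SharedAccessKey")
                if name not in f]
    if findings:
        return findings

    ep = urlparse(f["Endpoint"])
    if ep.scheme != "sb" or not ep.hostname:
        findings.append(f"unexpected Endpoint {f['Endpoint']!r}")
    elif not ep.hostname.endswith(PUBLIC_SUFFIX):
        findings.append(f"Endpoint {ep.hostname!r} is not a public-cloud namespace")

    # Azure SAS keys are 32 random bytes, presented as Base64.
    try:
        raw = base64.b64decode(f["SharedAccessKey"], validate=True)
        if len(raw) < 32:
            findings.append("SharedAccessKey is shorter than expected")
    except (binascii.Error, ValueError):
        findings.append("SharedAccessKey is not valid Base64")

    # Least privilege: the sensor only needs Listen on one hub, not the
    # namespace-wide manage key used by Azure's diagnostic settings.
    if f["SharedAccessKeyName"] == "RootManageSharedAccessKey":
        findings.append("key is RootManageSharedAccessKey; use a hub-scoped "
                        "Listen-only policy for the sensor")

    # A hub-scoped policy's string carries EntityPath; a namespace-level
    # string does not, and the module would be pointed at the wrong object.
    if "EntityPath" not in f:
        findings.append("no EntityPath: this is a namespace-level string, "
                        "not the event hub's")
    elif f["EntityPath"] != expected_hub:
        findings.append(f"EntityPath {f['EntityPath']!r} does not match "
                        f"Event Hub Name {expected_hub!r}")
    return findings


if __name__ == "__main__":
    problems = check_connection_string(SAMPLE_OK, "blumira-log-stream")
    print("OK" if not problems else "\n".join(problems))
```

Run it with the real string in place of SAMPLE_OK; any finding other than an empty list is worth resolving before clicking Install, since a namespace-level or manage-scope key works but grants the sensor far more than it needs.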
To add a module on an existing sensor and provide credentials:
- In Blumira, click Settings.
- Click Sensors.
- Click the sensor on which you want to add a module.
- On the detail page for the sensor, scroll down and click Add Module.
- In the Add New Module window, select the relevant module.
- Enter the credentials that you gathered in previous steps.
- (Optional) Type a name for this log deployment in the Log Source Name box.
Note: Use alphanumeric characters, periods, and hyphens. Spaces and underscores are not allowed. This name will appear in the "device_address" column in the results of your event data queries. If you add more modules to collect logs for other integrations, this name will help you to identify them.
- Click Install.
Requirement: If you filter your outbound traffic, you need to allow the following ports for Event Hubs communication and authentication:
Sending logs through an Event Hub to Blumira
After configuring the Event Hubs module in Blumira, you must configure your log source applications so that they send logs through the event hub to your Blumira sensor module. Complete the procedures below for the applications that your organization uses:
Sending logs from Azure Monitor
There are two types of Azure platform logs collected with this integration: Activity logs and Resource logs. These logs give you insight into the actions taken within your subscription, such as the creation, modification, and deletion of resources, as well as the use of Azure CLI and Azure PowerShell. Resource logs can take a few different forms and are not supported on all Azure resources; for example, some Compute resources and Managed Disks do not have the ability to provide audit logs and security logs.
Note: If you used the script to automate the setup, Azure Monitor creates its own event hub called “insights-operational-logs”. You must still create an event hub namespace but can skip creating an event hub.
- Go to https://portal.azure.com/ and log in.
- Navigate to All Services > Subscriptions.
- Select the Azure subscription you want to monitor.
- Click Resource providers.
- Search for and select Microsoft.Insights.
- Click Register. (If already registered, move on to the next step.)
- Navigate back to the Azure subscription that you selected in Step 3.
- Click Monitor.
- Click Activity Log.
- Click Export Activity Logs.
- Click Add Diagnostic Setting and complete these steps:
- Under Category details, click the check boxes next to all log types.
- Under Destination details:
- Click the Stream to an event hub check box.
- Select or verify the event hub's Subscription and namespace.
- Select the Event hub name (e.g., blumira-log-stream).
- In the Event hub policy name box, select RootManageSharedAccessKey.
- Click Save.
Sending logs from Azure AD
Azure AD logs are critical to organizations that use Defender products or have active resources within Azure such as a subscription. These logs are also recommended if the organization uses Conditional Access and other Azure AD resources. Sign-in logs, Azure AD alerts, and more are available from this integration.
Because Azure AD exists outside of your Azure subscription, you must configure Azure AD separately to point to your Event Hub and Event Hub Namespace, which you created manually or via the automated script in previous steps.
Note: Azure AD can optionally create its own event hub called “insights-logs-audit”. If you prefer to use a different event hub, you must create it first using the procedure above.
- Go to https://aad.portal.azure.com and log in.
- Click Azure Active Directory.
- Click Audit Logs (in the Monitoring section of the left menu).
- Scroll down the left menu and click Add Diagnostics Setting.
- Enter a name for this setting, such as “Blumira events”.
- Select Stream to an event hub.
- Click Event hub Configure.
- Select your event hub namespace.
- Select the event hub that you previously identified (or use default “insights-logs-audit”).
- Use policy RootManageSharedAccessKey.
- Click OK to save the event hub configuration.
- Select the check box for all of the available log categories (AuditLogs, SignInLogs, etc.).
Note: Categories appear based on your Microsoft licensing level.
Note: Azure AD must be configured manually to point to your Event Hub and Event Hub Namespace that was created manually or via the automated script. This is due to Azure AD existing outside of your Azure subscription.
- Click Save (at the top).