1. Blumira Support
  2. Deploying Blumira
  3. Blumira Cloud Connectors

Quick Links

Integrating with Microsoft Azure Event Hubs

Overview

Microsoft Azure Event Hubs is a real-time logging and data ingestion service integrated across the Microsoft Azure platform. Blumira integrates with Microsoft Azure Event Hubs to stream Azure cloud security event logs and alerts to the Blumira service for threat detection, alerting, and actionable response. An active Azure subscription is required for the Event Hubs integration.

The Azure Event Hubs Cloud Connector can also be used to integrate Blumira with Microsoft Entra, Intune, 365 Defender, and Azure Monitor.

Before you begin

To configure Azure Event Hubs and send logs to Blumira from your supported data sources, complete the following steps:

Step Details Procedure
1

Create a namespace and event hub, then gather these credentials for the Blumira Cloud Connector:

  • Connection string-primary key
  • Event hub name

Configuring Azure to obtain credentials
2

Configure Blumira using the credentials you gathered.

Providing your Event Hubs credentials to Blumira
3

(Optional) Start sending logs from other products through your event hub.
Note: These extra integrations are not automated by the AzShim script and must be configured after adding the Cloud Connector.

 Sending logs through an event hub to Blumira

Configuring Azure to obtain credentials

We provide two methods for setting up and gathering credentials for your Azure Event Hub:

Important: The script and the manual option to create an event hub do not set up logging for additional products like Entra ID, Intune, or Defender. You must configure those product integrations separately after you have completed the Event Hubs integration in Blumira, regardless of which option you choose.

Running a script to create and obtain Event Hub credentials

You can use Blumira's AzShim script to automatically set up an event hub and obtain the necessary credentials for the Blumira Cloud Connector. The script automatically provisions a namespace, event hub, and Azure platform logs for logging to Blumira.

With the script, a new event hub will be created for each region, and each output from the script can be used as credentials for separate Cloud Connectors as needed. You can use the manual option instead, but it may require more effort.

Note: This script only works for NA-based regions; all other region support is subject to potential errors.

To prepare a Cloud Shell and run the AzShim script, do the following:

  1. In Azure, launch Cloud Shell from the top navigation of the portal.
    Screen Shot 2022-07-26 at 2.10.01 PM.png
    Note: This script must be run from a Bash shell with Azure CLI installed locally or through Azure Cloud Shell using Bash, which is our recommended method.
  2. If this is the first time you are using Cloud Shell, you will be prompted to select Bash or PowerShell.
  3. Click Create storage.
  4. (Optional) If you need a specialized or custom storage account, click Show advanced settings to customize the Cloud Shell configuration.
    Screen Shot 2022-07-26 at 2.58.11 PM.png
  5. Wait for the Cloud Shell to show “Succeeded” and verify that you are in the Bash environment (i.e., that Bash is selected in the environment dropdown in the left-hand side of the shell window) before proceeding with the steps below.
    Screen Shot 2022-07-26 at 2.15.15 PM.png
  6. In the Cloud Shell window, run this command: 
    git clone https://github.com/Blumira/AzShim.git
  7. After the successful clone, run the following separate commands:
    cd ./AzShim
    chmod +x ./AzShim.azcli
    ./AzShim.azcli -c
  8. Press the Enter key.
  9. Follow the prompts to select the subscription and region in which you want to deploy the event hub.
  10. Copy the primary connection string and the Event Hub Name for use in the Cloud Connector.
  11. Skip to the section Providing your Event Hub credentials to Blumira.

Manually configuring an Azure Event Hub

Configuring an Event Hubs namespace

Before configuring an event hub, you must create a namespace. To manually configure a namespace in Azure, do the following:

  1. Go to https://portal.azure.com/ and log in.
  2. Navigate to All Services > Event Hubs.
  3. On the Event Hubs page, click Create.
  4. On the Create Namespace page, under Project Details, complete the following fields:
    1. Select the subscription in which you want to create the namespace.
    2. Select an existing Resource group, or click Create new to add a resource group.
    3. In the Namespace name field, type a name for the event hub namespace (e.g., Blumiralogs).
    4. Select the Location and Pricing tier you want to use.
  5. (Optional) Add Availability Zone Features and Tags.
  6. Click Review + Create.

    Screenshot 2025-02-21 at 2.48.05 PM.png

Configuring an Event Hub

Note: This step is not required for all types of logs. Some log sources automatically create their own event hub within the namespace you created above. Blumira recommends creating an event hub to provide clarity in your configurations, including when integrating Blumira with Microsoft Defender. 

  1. In the Azure portal, click Event Hubs.
  2. Click on the event hub namespace you want to use for Blumira logs.
  3. Click Event Hubs
  4. Click + Event Hub to add a new event hub.
  5. Type an event hub name (example: blumira-log-stream).
  6. Select Create.

Screen_Shot_2022-03-17_at_1.29.27_PM.png

After Azure is done with the creation process, complete these steps to create a policy and key:

  1. Click on the event hub you just created.
  2. Click Shared access policies.
  3. Click + Add to add a new policy.
  4. Type a name, such as ReadOnlyAccessKey.
  5. Select the Listen check box.
  6. Click Create.
  7. In the Shared access policies list, click on the policy you just created.
  8. In the policy's detail window, copy and save the Connection string-primary key to use in Providing your Event Hub credentials to Blumira.

    Screenshot 2023-03-10 at 2.33.05 PM.png

Providing your Event Hub credentials to Blumira

The Cloud Connector integration requires these Azure Event Hub credentials, which you gathered above:

  • Connection string-primary key
  • Event hub name

To configure the Blumira Cloud Connector and begin logging, do the following:

  1. In Blumira, navigate to Settings > Cloud Connectors.
  2. Click + Add Cloud Connector.
  3. In the Available Cloud Connectors window, select the connector you want to add.
  4. In Cloud Connector Name, type a name that will help you identify the integration.
  5. In the remaining fields, enter the credentials you gathered in the previous steps.
  6. Click Connect.

Sending logs through an event hub to Blumira

After configuring the Event Hubs Cloud Connector in Blumira, you can configure additional log sources to stream logs through the event hub to your Blumira Cloud Connector. Complete the procedures below for the applications that your organization uses:

Sending logs from Microsoft Entra ID

Microsoft Entra ID (formerly Active Directory) logs are critical to organizations that use Defender products or have active resources within Azure, such as a subscription. These logs are also recommended if the organization uses Conditional Access and other Entra resources. Sign-in logs, Entra alerts, and more are available from this integration.

Because Entra exists outside your Azure subscription, you must configure Entra separately to point to your Event Hub and Event Hub Namespace, which you created in previous steps.

Note: Entra can optionally create its own event hub called “insights-logs-audit.”  If you prefer to use a different event hub, you must create it first using the procedure above.

To configure Entra to stream logs through your Blumira event hub, do the following:

  1. Log in to https://entra.microsoft.com/#home.

  2. Navigate to Monitoring & health > Diagnostic settings.

  3. Click + Add diagnostic setting.

  4. In the "Diagnostic setting name" box, type a name, such as “Blumira events.“

  5. Click the check box next to Stream to an event hub.

  6. Click Event hub Configure.

  7. Select your Blumira event hub namespace.

  8. Select your Blumira event hub.

  9. Use policy RootManageSharedAccessKey.

  10. Click OK to save the event hub configuration.

  11. Under Logs, select the check box for all listed categories (AuditLogs, SignInLogs, etc).
    Note: Categories appearing in the list are based on your Microsoft licensing level.

  12. Click Save at the top.

    Screen Shot 2022-09-23 at 1.24.53 PM.png

Sending logs from Azure Monitor

There are two types of Azure platform logs collected with the Azure Monitor integration: Activity logs and Resource logs. These logs give you insight into the actions taken within your Subscription such as the creation, modification, and deletion of resources, as well as the use of Azure CLI and Azure Powershell. Resource logs can take a few different forms and are not supported on all Azure resources; for example, some Compute resources and Managed Disks do not have the ability to provide audit logs and security logs. 

Note: If you used the script to automate the setup, Azure Monitor creates its own event hub called “insights-operational-logs”. You must still create an event hub namespace but can skip creating an event hub.

  1. Go to https://portal.azure.com/ and log in.
  2. Navigate to All Services > Subscriptions.
  3. Select the Azure subscription you want to monitor.
  4. Click Resource providers.
  5. Search for and select Microsoft.Insights.
  6. Click Register. (If already registered, move on to the next step.)
  7. Navigate back to the Azure subscription that you selected in Step 3.
  8. Click Activity Log.
  9. Click Export Activity Logs.

    Screenshot 2023-01-12 at 9.12.06 AM.png
  10. Click Add Diagnostic Setting and complete these steps:
    • Under Category details, click the check boxes next to all log types.
    • Under Destination details:
      • Click the Stream to an event hub check box.
      • Select or verify the event hub's Subscription and namespace.
      • Select the Event hub name (i.e., blumira-log-stream).
      • In the Event hub policy name box, select RootManageSharedAccessKey.
    • Click Save.

Related Articles