Realm.Security Documentation

Appearance

Azure Blob Storage

Realm Security integrates seamlessly with Azure Blob Storage, enabling intelligent routing and analysis of security event logs. Follow these concise steps to configure sending logs from your Azure Storage Accounts to Realm Security Data Fabric.

Prerequisites

  • Ensure you have administrative access to your Azure console.

Overview

  1. Azure Console: Create Microsoft Entra app registration
  2. Azure Console: Create Event Hub
  3. Azure Console: Create Storage Account and Container
  4. Azure Console: Configure Event Hub Notifications
  5. Realm Console: Setup Microsoft Sentinel output feed

1. Azure: Create Microsoft Entra app registration

  1. Log in to the Azure console
  2. Navigate to App Registrations > New registration
  3. Give the App a name and click "Register" Register
  4. Navigate to the newly created App Registration.
  5. Store the client and tenant ids. These will be later used for configuring the Azure Blob Storage input feed in the Realm console.
  6. Navigate to Manage -> Certificate and secrets. Select the Client secrets tab and select "New client secret" Client Secert
  7. Give the secret an optional description and select an expiration.
  8. Store the client secret value, as it will be used later for configuring the Azure Blob Storage input feed in the Realm console.

2. Azure: Create Event Hub

  1. Navigate to the Event Hubs page in the Azure portal.
  2. Select + Create and fill out the Basics tab:
    • Subscription/Resource Group: Select your existing group.
    • Namespace name: Give the namespace a globally unique name.
    • Region: Select the same region as your logs.
    • Pricing tier: Select any tier except basic as this tier does not support Event Grid notifications.
    • Remember to store the fully qualified namespace name (eg. your-namespace-name.servicebus.windows.net) and event hub name as these will be used for configuring the input feed in the Realm console. Create Namespace
  3. Select Review + create, then select Create.
  4. Once deployment is complete, select Go to resource.
  5. On the Namespace page, select + Event Hub from the top menu: Create Event Hub
    • Name: Give your specific Event Hub instance a name
    • Partition Count: 2 partitions is typically sufficient for most workloads. If you're concerned you may need more, refer to azure event hub partitions documentation
    • Retention: We recommend setting the retention to at least 8 hours, in case a downstream service like a SIEM has an outage.
    • Note: If you configure the event hub to use a custom consumer group (not $Default), hold on to that value as it will be used for configuring the input feed in the Realm console. Create Event Hub Form
  6. Select Review + create, then select Create.
  7. Select Access Control (IAM) from the left-hand sidebar.
  8. Click + Add and select Add role assignment. Add role assignment
  9. On the Role tab, search for and select Azure Event Hubs Data Receiver. Note: This role allows the application to read events from the hub and is required for the Realm ingestion process.
  10. On the Members tab:
  • Set Assign access to to User, group, or service principal.
  • Click + Select members.
  • In the search box, enter the Name or Client ID of the App Registration you created in Step 1.
  • Select your application from the list and click Select.
  1. Click Review + assign, then click it again to confirm the assignment

3. Azure: Create Storage Account and Container

  1. Navigate to Storage accounts and select + Create.
  2. Under the Basics tab:
    • Storage account name: Enter a unique name for your storage account.
    • Region: Match your Event Hub region.
    • Performance: Select the performance, we recommend Standard.
    • Redundancy: Select the level of redundancy you require.
  3. Select Review + create, then select Create.
    • Remember to store the storage account endpoint found by navigate to JSON View and under primaryEndpoints select the blob endpoint. Do not include the https:// prefix if it is included. JSON ViewStorage Account Endpoint
  4. Once created, navigate to the storage account and select Data storage > Containers from the left-hand menu.
  5. Select + Container, name it (e.g., security-logs), and set the public access level to Private.
    • Remember to store the name you gave the container, as it will be used to configure the input feed in the Realm console.
  6. Select Create.
  7. Select Access Control (IAM) from the left-hand sidebar.
  8. Click + Add and select Add role assignment.
  9. On the Role tab, search for and select Storage Blob Data Contributor.
  10. On the Members tab:
  • Set Assign access to to User, group, or service principal.
  • Click + Select members.
  • Search for the Name or Client ID of the App Registration created in Step 1.
  1. Select your application and click Select.
  2. Click Review + assign, then click it again to confirm.

4. Azure Console: Configure Event Hub Notifications

  1. Navigate to your Storage Account page.
  2. On the left sidebar, select Events.
  3. Select + Event Subscription at the top.
  4. Fill out the Basic tab:
    • Name: Give the subscription a name.
    • Event Schema: Select Event Grid Schema.
    • System Topic Name: Provide a name
    • Filter to Event Types: Uncheck all and select only Blob Created.
  5. Under Endpoint Details:
    • Endpoint Type: Select Event Hubs.
    • Click Select an endpoint and choose your Subscription, Namespace, and the Event Hub created in Step 2.
  6. Click Confirm Selection.
  7. Select the Filters tab to provide a Subject Begins With filter (e.g., /blobServices/default/containers/security-logs/) if you only want to send logs from specific container.
  8. Select Create. Azure will now automatically send a notification to the Event Hub every time a new log file is uploaded to the container.

5. Realm Console: Configure Azure Blob Storage Input Feed

  1. Select the source you would like to connect with the Azure Blob Storage Input Feed and select the "+" button above the input feeds for the source.
  2. Assign a name and description to the input feed, then for method select Azure Blob Storage.
  3. Fill out the form:
    • Storage account: the url of the storage account you stored in step 3.
    • Container name: the name of your storage container that you stored in step 3.
    • Event Hub Namespace URL: the fully qualified namespace (eg. your-namespace-name.servicebus.windows.net) of your event hub namespace from step 2.
    • Event Hub Name: the name of the event hub you created in step 2.
    • Tenant ID: tenant id of your app registration from step 1.
    • Client ID: client of your app registration from step 1.
    • Client Secret: client secret of your app registration from step 1.
  4. Click + Add.