Realm.Security Documentation

Appearance

Azure Event Hub

Realm Security integrates seamlessly with Azure Blob Storage, enabling intelligent routing and analysis of security event logs. Follow these concise steps to configure sending logs from your Azure Storage Accounts to Realm Security Data Fabric.

Prerequisites

  • Ensure you have administrative access to your Azure console.

Overview

  1. Azure Console: Create Microsoft Entra app registration
  2. Azure Console: Create Event Hub
  3. Azure Console: Create Storage Account and Container
  4. Azure Console: Configure Event Hub Notifications
  5. Realm Console: Setup Microsoft Sentinel output feed

1. Azure: Create Microsoft Entra app registration

  1. Log in to the Azure console
  2. Navigate to App Registrations > New registration
  3. Give the App a name and click "Register" Register
  4. Navigate to the newly created App Registration.
  5. Store the client and tenant ids. These will be later used for configuring the Azure Blob Storage input feed in the Realm console.
  6. Navigate to Manage -> Certificate and secrets. Select the Client secrets tab and select "New client secret" Client Secert
  7. Give the secret an optional description and select an expiration.
  8. Store the client secret value, as it will be used later for configuring the Azure Blob Storage input feed in the Realm console.

2. Azure: Create Event Hub

  1. Navigate to the Event Hubs page in the Azure portal.
  2. Select + Create and fill out the Basics tab:
    • Subscription/Resource Group: Select your existing group.
    • Namespace name: Give the namespace a globally unique name.
    • Region: Select the same region as your logs.
    • Pricing tier: Select any tier except basic as this tier does not support Event Grid notifications.
    • Remember to store the fully qualified namespace name (eg. your-namespace-name.servicebus.windows.net) and event hub name as these will be used for configuring the input feed in the Realm console. Create Namespace
  3. Select Review + create, then select Create.
  4. Once deployment is complete, select Go to resource.
  5. On the Namespace page, select + Event Hub from the top menu: Create Event Hub
    • Name: Give your specific Event Hub instance a name
    • Partition Count: 2 partitions is typically sufficient for most workloads. If you're concerned you may need more, refer to azure event hub partitions documentation
    • Retention: We recommend setting the retention to at least 8 hours, in case a downstream service like a SIEM has an outage.
    • Note: If you configure the event hub to use a custom consumer group (not $Default), hold on to that value as it will be used for configuring the input feed in the Realm console. Create Event Hub Form
  6. Select Review + create, then select Create.
  7. Select Access Control (IAM) from the left-hand sidebar.
  8. Click + Add and select Add role assignment. Add role assignment
  9. On the Role tab, search for and select Azure Event Hubs Data Receiver. Note: This role allows the application to read events from the hub and is required for the Realm ingestion process.
  10. On the Members tab:
  • Set Assign access to to User, group, or service principal.
  • Click + Select members.
  • In the search box, enter the Name or Client ID of the App Registration you created in Step 1.
  • Select your application from the list and click Select.
  1. Click Review + assign, then click it again to confirm the assignment

3. Azure: Sending Events to Event Hub

A. Configure Azure Activity Logs

  1. In the Azure portal, search for and select Monitor.
  2. From the left-hand menu, select Activity log, then select Export Activity Logs.
  3. Select + Add diagnostic setting.
    • Setting name: Provide a name.
    • Categories: Select the log categories you wish to monitor.
  4. Destination details:
    • Check the Stream to an event hub box.
    • Subscription: Select your subscription.
    • Event hub namespace: Select the namespace created in Step 2.
    • Event hub name: Select your specific Event Hub instance.
    • Event hub policy name: Select RootManageSharedAccessKey (or a custom policy with Send permissions).
    • Select Save.

B. Configure Microsoft Entra ID Logs (Azure AD)

  1. Navigate to Microsoft Entra ID (formerly Azure Active Directory).
  2. In the left-hand sidebar, scroll down to the Monitoring section and select Diagnostic settings.
  3. Select + Add diagnostic setting.
    • Setting name: Provide a name (e.g., realm-entra-logs-to-eventhub).
    • Logs: Select the specific logs you want to capture.
  4. Destination details:
    • Check the Stream to an event hub box.
    • Select your Subscription, Event hub namespace, and Event hub name as you did in the previous section.
    • Select Save.