Azure Event Hub Log Streaming for Microsoft Entra ID (Azure AD)



The Oort identity security platform integrates with Azure AD tenants via the Graph API to collect user account information, device information, and sign-on and application activity.

The Microsoft Graph API is rate limited, meaning that platforms such as Oort can only pull a certain amount of data in a given interval before the API stops responding.

selIn some larger environments, Graph API does not provide enough bandwidth for the initial capture of historical user activity data (prior 30 days) or even the on-going user event data.

The solution to this limitation is to convert the sign-on activity data to an Azure Event Hub streaming model. Then the Oort platform can subscribe to that Hub and capture the events in that way. This also provides the benefit of enabling hourly notifications for event or behavioral based identity threats.

Azure Event Hub Overview

Per Microsoft documentation -

β€œAzure Event Hubs is a Big Data streaming platform and event ingestion service that can receive and process millions of events per second. Event Hubs can process and store events, data, or telemetry produced by distributed software and devices. Data sent to an event hub can be transformed and stored using any real-time analytics provider or batching/storage adapters.”

From the Microsoft Event Hubs overview page, the diagram below depicts the high-level architecture and data flow.

In this diagram, the Event Producer (green) on the left side would be the Azure AD tenant and the Event Receiver on the right side would be your unique Oort cloud tenant.

Azure Event Hub - High-level Setup Process

Estimated time to configure in Azure: under 30 min

To configure an Azure Event Hub and integrate it with Azure AD involves the following high-level steps.

Step 1 - Create an Event Hub in Azure

Open and follow these Microsoft instructions - Event Hub setup - to complete initial the initial setup of the Event Hub namespace and event hub object.

High-level steps and notes:

  1. Create a Resource Group in Azure. A Resource Group is associated with a subscription in Azure. You may already have a Resource Group associated with Azure AD or identity security that you want to use for this purpose.

Step 2 - Connect Azure AD logs to the Event Hub

Connect Azure AD logs to the Event Hub using the Microsoft instructions in this link.

High-level steps and important notes:

  1. Configure Azure AD event logs to export to your new Event Hub

  2. Save and confirm that events after visible in the Event Hub after ~15 min

Step 3 - Create a shared access key policy

Note that Shared Access Policies can be created at the Event Hub namespace level or the Event Hub object itself. In this example, we'll create a policy at the namespace level.

Step 4 - Oort Tenant Configuration for Azure Event Hub

The next step is to connect the Event Hub to the Oort tenant.

Note - this article assumes that the Azure AD data integration is already in place for your tenant. If it is not, complete that configuration first.

  1. Toggle the slider button to Use EventHub for Logs Streaming to ON.

  2. Enter the required information -

    1. EventHub Name - NOTE: this field is NOT just a display name. This name needs to match the name of the Event Hub object created under your Event Hub Namespace in Azure. In the screenshot below, you would enter dev-event-hub if that was the specific object you had created and configured.

  1. Consumer Group (if not using $Default group)

  2. Endpoint FQDN - this is typically of the form <namespace>

  3. Shared Access Policy Name

  4. Shared Access Primary Key Value

Click Save to save the configuration.

Last updated