Azure Monitor Activity Log Ingestion
Nate O'Brien
Merged in a post:
Azure Monitor Activity Log Ingestion
Ben McDougall
We have managed to add Azure Monitor activity to the Event Hub feed to SIEM. This pulls all admin and security events from Azure. Looks like it's working, but it would be good to have a guide on this and know if these events are being monitored by the SOC team.
Nate O'Brien
Hi Ben - are you aware of this page in our KB?
https://support.huntress.io/hc/en-us/articles/44270591946387-API-Azure-Event-Hub-Adding-Sources
Based on a very quick search, it seems to suggest that sending the Azure Monitor activity to the Event Hub should follow the same flow. If not, could you let me know so we can do a bit more investigation?
With Azure Event Hub being relatively new, we're still developing identification of individual sources, parsing those sources, and determining what detections will be valuable for those sources. Regardless of the direct detections, all log source content is used as context by the SOC during investigations.
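As an added illustration of what "identifying and parsing a source" involves for this feed (example code, not Huntress's parser and not something either poster provided): the script below parses one constructed Event Hub message in the shape Azure Monitor uses when it streams the activity log, tallies records by category, and pulls out the Administrative and Security records Ben refers to. Field names (`records`, `category`, `operationName`, `resultType`, `callerIpAddress`, `identity.claims.name`) follow the Azure Monitor activity log schema; the sample values, the `SOC_CATEGORIES` selection and the caller lookup order are assumptions made for this example.

```python
"""Parse an Azure Monitor activity-log batch as streamed to an Event Hub.

Added example: the message body is a JSON object with a "records" array.
All sample values are constructed; field names follow the Azure Monitor
activity log schema, but this is not Huntress's production parser.
"""
import json
from collections import Counter
from typing import Any, Optional

# Constructed subscription path used in the sample resource IDs.
SUB = "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000"

# Constructed sample: one Event Hub message holding four activity-log records.
SAMPLE_BATCH = json.dumps({"records": [
    {"time": "2024-05-01T12:00:00Z", "category": "Administrative",
     "operationName": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
     "resultType": "Success", "callerIpAddress": "203.0.113.10",
     "resourceId": SUB + "/PROVIDERS/MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/RA1",
     "identity": {"claims": {"name": "admin@example.com"}}},
    {"time": "2024-05-01T12:01:00Z", "category": "Security",
     "operationName": "MICROSOFT.SECURITY/LOCATIONS/ALERTS/ACTIVATE/ACTION",
     "resultType": "Success",
     "resourceId": SUB + "/PROVIDERS/MICROSOFT.SECURITY/LOCATIONS/CENTRALUS/ALERTS/A1"},
    {"time": "2024-05-01T12:02:00Z", "category": "Administrative",
     "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE",
     "resultType": "Failure", "callerIpAddress": "198.51.100.7",
     "resourceId": SUB + "/RESOURCEGROUPS/RG1/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/VM1",
     "identity": {"claims": {"name": "ops@example.com"}}},
    {"time": "2024-05-01T12:03:00Z", "category": "ServiceHealth",
     "operationName": "MICROSOFT.SERVICEHEALTH/INCIDENT/ACTION",
     "resultType": "Active", "resourceId": SUB},
]})

# Assumption for this example: the categories a SOC would want routed first.
SOC_CATEGORIES = ("Administrative", "Security")


def parse_batch(body: str) -> list[dict[str, Any]]:
    """Decode one Event Hub message body and return its activity-log records."""
    data = json.loads(body)
    records = data.get("records") if isinstance(data, dict) else None
    if not isinstance(records, list):
        raise ValueError("Event Hub message has no 'records' array")
    return records


def caller_of(record: dict[str, Any]) -> Optional[str]:
    """Return the principal that performed the operation, if the record carries one.

    Lookup order is an assumption: top-level "caller" first, then the
    "name" claim under identity.claims. Returns None when neither is present.
    """
    if record.get("caller"):
        return record["caller"]
    identity = record.get("identity") or {}
    claims = identity.get("claims") or {}
    return claims.get("name")


def normalize(record: dict[str, Any]) -> dict[str, Any]:
    """Flatten one record into the handful of fields an analyst pivots on."""
    return {
        "time": record.get("time"),
        "category": record.get("category"),
        "operation": record.get("operationName"),
        "result": record.get("resultType"),
        "caller": caller_of(record),
        "caller_ip": record.get("callerIpAddress"),
        "resource_id": record.get("resourceId"),
    }


def summarize(records: list[dict[str, Any]]) -> Counter:
    """Count records per activity-log category (Administrative, Security, ...)."""
    return Counter(r.get("category", "Unknown") for r in records)


def soc_relevant(records: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return normalized events whose category is in SOC_CATEGORIES, in batch order."""
    return [normalize(r) for r in records if r.get("category") in SOC_CATEGORIES]


if __name__ == "__main__":
    recs = parse_batch(SAMPLE_BATCH)
    print(dict(summarize(recs)))
    for ev in soc_relevant(recs):
        print(ev["time"], ev["category"], ev["operation"], ev["result"], ev["caller"])
```

Running it against a real feed means replacing `SAMPLE_BATCH` with the body of each message consumed from the Event Hub; the rest of the logic is unchanged. Records without an identity block (the Security alert above) normalize with `caller` set to `None` rather than being dropped, so a missing field never silently discards an event.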