---
title: Events Streaming
tags: theme
description: Use `{%hackmd theme-dark %}` syntax to include this theme.
---

# Architecture Support: Event Streaming

This page supports the architecture offered for streaming a variety of logs from numerous sources, so that events can be tracked and what is happening can be controlled more tightly.
![](https://i.imgur.com/cpAg7AI.png)

**The potential event destinations related to the architecture are listed below.**

## **Platform**

- Azure: AAD and Azure Services
- Azure Information Protection
- Advanced Threat Protection
- Office 365

## **Resources**

- Vnet
- Storage
- Containers
- Databases
- VirtualMachines

## **Application**

- **Custom Syslogs**: A number of SaaS services and applications can send their logs using Syslog.

**Note:** The System Logging Protocol (Syslog) lets network devices communicate with a logging server using a standard message format. It was created specifically to make monitoring network devices simple. Devices can use a Syslog agent to send notification messages in a variety of distinct circumstances.

---

# Core Events Services

## 1- Security Event Hub

Azure Event Hubs is a big data streaming platform that also serves as an event ingestion service. It is capable of receiving and processing millions of events per second. Event hubs are simply provisioned through the portal, which provides you with the endpoints; you can then begin sending messages to those endpoints via HTTPS or AMQP. The collected (ingested) data is stored in the event hub, from which readers can consume it later. The data is retained automatically for a period of time.

This service will assist in collecting a wide variety of logs related to our architecture, such as:

- Active Directory Logs
- Azure Activity Logs
- SysLogs: Custom Application, Linux and Windows VMs

### ⚠️ Events Destination: **QRadar**

IBM® QRadar is a security software platform that assists a security analyst in their daily activities. It prioritizes the events occurring in a network that should be attended to; in this way, QRadar focuses on the security analyst. When billions of events pass by in a day, it tells the analyst which ones are important to look at.
In our case, we can use this powerful IBM tool to **stream all of the above logs.**

[Get Started with QRadar](https://www.ibm.com/docs/en/qsip/7.4?topic=started-getting-in-qradar)

---

## 2- Security Log Analytics Workspace

A Log Analytics workspace functions as a logical storage unit in which you can easily store, retain, and query data collected from the various resources monitored in Azure, providing valuable insights into those resources. You can also use a Log Analytics workspace to gather logs from the sources listed below.

- Azure Information Protection Logs
- Azure Active Directory logs
- Azure Activity Logs
- Virtual Networks
- SysLogs: Custom Application, Linux and Windows VMs

You can also **apply** a Log Analytics workspace to these services.

- VM Metrics: Linux & Windows (CPU, Storage)
- Database Metrics
- Storage Metrics
- Containers

### ⚠️ Events Destination: **Sentinel**

The logs collected from the various sources listed above will be streamed as **queries** and **alerts** into Sentinel, in addition to the sources below.

- [Advanced Threat Protection (Defender)](https://www.microsoft.com/en-ph/dpa-trustcenter/privacy/advancedthreatprotection)
- [Microsoft Cloud App Security Activity Log](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/microsoft-cloud-app-security-mcas-activity-log-in-azure-sentinel/ba-p/1849806)

### Core **Sentinel** Components

#### Data Connectors

Data connectors are responsible for managing the libraries and configurations required for hosts to connect to various data sources. A data connector includes the type, URI, authentication method, and all libraries required to access the data source.
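The Syslog sources listed above (custom applications, Linux and Windows VMs) arrive at the workspace or the event hub as raw text lines, and the first job of any connector is to decode them. The parser below is an added example, not code from this page or from Microsoft: it splits the PRI header into facility and severity as RFC 5424 defines it (PRI = facility × 8 + severity), accepts both the RFC 5424 layout with structured data and the older BSD (RFC 3164) layout, and keeps malformed lines as errors instead of silently dropping them. The sample lines are constructed for the example.

```python
"""Added example: decode Syslog lines the way a collector in front of an
event hub or Log Analytics workspace has to. Not code from the page; the
sample lines at the bottom are constructed for this example."""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 5424 section 6.2.1: PRI = facility * 8 + severity
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"
              ] + [f"local{i}" for i in range(8)]

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$"
)
# RFC 3164 (BSD): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^:\[\s]+)(?:\[(?P<procid>\d+)\])?: ?(?P<msg>.*)$"
)
SD_ELEMENT = re.compile(r"\[(?P<id>[^\s\]]+)(?P<params>[^\]]*)\]")
SD_PARAM = re.compile(r'(\S+?)="((?:[^"\\]|\\.)*)"')


@dataclass
class SyslogEvent:
    facility: str
    severity: str
    timestamp: str
    host: str
    app: str
    procid: Optional[str]
    msgid: Optional[str]
    structured_data: dict
    message: str


def parse_syslog(line: str) -> SyslogEvent:
    """Parse one line; raises ValueError for anything that is not Syslog."""
    m = RFC5424.match(line) or RFC3164.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # highest legal value is local7 (23) * 8 + debug (7)
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    g = m.groupdict()
    sd = {}
    if g.get("sd") and g["sd"] != "-":
        for el in SD_ELEMENT.finditer(g["sd"]):
            sd[el.group("id")] = dict(SD_PARAM.findall(el.group("params")))

    def nil(v):  # RFC 5424 uses "-" as the NILVALUE
        return None if v in (None, "-") else v

    return SyslogEvent(
        facility=FACILITIES[facility], severity=SEVERITIES[severity],
        timestamp=g["ts"], host=g["host"], app=g["app"],
        procid=nil(g.get("procid")), msgid=nil(g.get("msgid")),
        structured_data=sd, message=(g.get("msg") or "").strip(),
    )


def parse_batch(lines):
    """Parse a collector batch; malformed lines are reported, not dropped."""
    events, errors = [], []
    for line in lines:
        try:
            events.append(parse_syslog(line))
        except ValueError as exc:
            errors.append(str(exc))
    return events, errors


# Constructed sample lines (hosts and addresses are documentation values).
SAMPLE_LINES = [
    '<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
    '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] '
    'An application event log entry',
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<38>Feb  5 09:01:02 web01 sshd[2211]: Failed password for invalid user admin "
    "from 203.0.113.7 port 52211 ssh2",
    "<13>1 2024-01-15T08:00:00Z app01 inventory - - -",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    events, errors = parse_batch(SAMPLE_LINES)
    for ev in events:
        print(f"{ev.facility}.{ev.severity:8} {ev.host:24} {ev.app}: {ev.message}")
    print("errors:", errors)
```

The two layouts are tried in order because an RFC 3164 line has no version digit after the PRI, so the stricter RFC 5424 pattern fails fast on it. Counting the `errors` list per batch is a cheap health signal for the connector: a sudden rise usually means a source changed its format rather than an attack.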
> [Enable a Data Connector](https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources#enable-a-data-connector)

#### Analytics (Rules)

Analytics rules scan your environment for certain events or groups of events, notify you when particular event thresholds or criteria are met, create incidents for your SOC to analyze and triage, and respond to threats with automated monitoring and remediation procedures.

> You can select from a variety of attack categories in the Tactics and techniques field to categorize the rule. These are based on the tactics and techniques of the MITRE ATT&CK framework.

#### Playbooks (for automation)

Takes you to create a custom Logic App. Alternatively, you can rely on the [Sentinel repo](https://github.com/Azure/Azure-Sentinel) to find a template that builds the Logic App for you.

#### Workbooks

Workbooks have a wide range of applications, from simple data presentation to complex graphing and resource investigation maps.

#### Hunting (look for something)

> Query and get insights using KQL

Run the desired KQL and get results to improve your insights into the data.

#### Notebooks

> Query and get insights using ML

Built on top of Jupyter Notebooks, a pattern for looking for things such as security information. Write machine learning in various programming languages such as Python.

---

### Graph API Use-Case

![](https://i.imgur.com/VR2Mf2I.png)

All logs streamed from all sources will be gathered in a single location: **QRadar**

Now, why are we using **GraphQL**?

GraphQL is a query language and server-side runtime for application programming interfaces (APIs) whose top priority is giving clients only the data they ask for and nothing more. The goal of GraphQL is to make APIs fast, adaptable, and developer-friendly.

All of the **streamed Sentinel** data to QRadar will be queried using GraphQL.
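The Analytics (Rules) section above describes a rule as a threshold over groups of events that opens an incident tagged with MITRE ATT&CK tactics. The block below is an added example of that core loop, not the page's or Microsoft's code: it runs over constructed sign-in records shaped like a few `SigninLogs` columns (`TimeGenerated`, `UserPrincipalName`, `ResultType`, `IPAddress`), slides a time window per account, and opens one incident per account once the failed-sign-in threshold is met, carrying the tactic and technique the rule is mapped to. The rule name, the severity logic and the sample accounts and addresses are assumptions made for the example.

```python
"""Added example (not the page's or Microsoft's code): the core of a scheduled
analytics rule, evaluated over constructed sign-in records. ResultType "0" is a
successful sign-in; any other value is a failure, as in SigninLogs."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Rule:
    name: str
    threshold: int            # failures needed inside the window
    window: timedelta         # sliding window length
    tactics: tuple = ("CredentialAccess",)   # MITRE ATT&CK tactic mapping
    techniques: tuple = ("T1110",)           # Brute Force


@dataclass
class Incident:
    rule: str
    entity: str               # the account the incident is about
    first_seen: datetime
    last_seen: datetime
    count: int
    source_ips: list
    tactics: tuple
    techniques: tuple
    severity: str


def evaluate(rule: Rule, events) -> list:
    """Slide a window per account; fire once per account when the threshold is met."""
    events = sorted(events, key=lambda e: e["TimeGenerated"])
    windows = defaultdict(deque)
    incidents, fired = [], set()
    for ev in events:
        if ev["ResultType"] == "0":          # success, not a failed attempt
            continue
        user = ev["UserPrincipalName"]
        q = windows[user]
        q.append(ev)
        while ev["TimeGenerated"] - q[0]["TimeGenerated"] > rule.window:
            q.popleft()                      # drop failures older than the window
        if len(q) >= rule.threshold and user not in fired:
            fired.add(user)
            ips = sorted({x["IPAddress"] for x in q})
            incidents.append(Incident(
                rule=rule.name, entity=user,
                first_seen=q[0]["TimeGenerated"], last_seen=ev["TimeGenerated"],
                count=len(q), source_ips=ips,
                tactics=rule.tactics, techniques=rule.techniques,
                # assumption for the example: several source addresses raise severity
                severity="High" if len(ips) > 1 else "Medium",
            ))
    return incidents


DEFAULT_RULE = Rule(name="Repeated failed sign-ins", threshold=5,
                    window=timedelta(minutes=5))

# Constructed sample data; 50126 is the AAD "invalid username or password" code.
_BASE = datetime(2024, 1, 15, 8, 0, 0)


def _ev(seconds, user, result, ip):
    return {"TimeGenerated": _BASE + timedelta(seconds=seconds),
            "UserPrincipalName": user, "ResultType": result, "IPAddress": ip}


SAMPLE_SIGNINS = [
    _ev(0, "alice@example.com", "50126", "198.51.100.10"),
    _ev(30, "alice@example.com", "50126", "198.51.100.10"),
    _ev(60, "alice@example.com", "50126", "198.51.100.10"),
    _ev(90, "alice@example.com", "50126", "198.51.100.10"),
    _ev(120, "alice@example.com", "50126", "203.0.113.5"),
    _ev(150, "alice@example.com", "50126", "203.0.113.5"),
    _ev(0, "bob@example.com", "50126", "192.0.2.44"),       # three failures spread
    _ev(720, "bob@example.com", "50126", "192.0.2.44"),     # over 25 minutes: below
    _ev(1500, "bob@example.com", "50126", "192.0.2.44"),    # the 5-minute threshold
    _ev(180, "carol@example.com", "0", "198.51.100.22"),    # success, ignored
]

if __name__ == "__main__":
    for inc in evaluate(DEFAULT_RULE, SAMPLE_SIGNINS):
        print(f"[{inc.severity}] {inc.rule}: {inc.entity} failed {inc.count}x "
              f"from {inc.source_ips} ({inc.tactics[0]}/{inc.techniques[0]})")
```

A real scheduled rule runs this evaluation every few minutes over a lookback period, so the `fired` set has to persist between runs (Sentinel does this with incident grouping); here it only prevents one account from opening several incidents inside a single pass.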
> [Azure Sentinel Side-by-Side with QRadar](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-side-by-side-with-qradar/ba-p/1488333)

---

## 3- O365 Platform Events

It has never been more crucial for organizations to have visibility into how their accounts and data are being accessed and used in O365. The Office 365 Security & Compliance Center contains the Office 365 audit logs. These are gathered from the various Office 365 services and combined into a single, searchable log, unlike other logs that are restricted to a specific service (and they capture page and file views).

### ⚠️ Events Destination: **O365 Management API**

The Office 365 Management API extracts data from Azure Active Directory and Office/Microsoft 365 activity logs about various user, admin, system, and policy actions and events. These exist in any Microsoft/Office 365 tenancy and are most frequently referred to as M365 Audit Logs. The data will be streamed as O365 security events with the Management API as the destination.

[Get Started with O365 Management API](https://docs.microsoft.com/en-us/office/office-365-management-api/get-started-with-office-365-management-apis)
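The Management Activity API is a pull feed: a subscription is started per content type, the API then lists content blobs that became available in a time window, and each blob is fetched for its audit records. The client below is an added example, not the page's or Microsoft's code. The endpoint paths, the `NextPageUri` paging header and the record fields (`CreationTime`, `Id`, `Operation`, `Workload`, `UserId`, `ResultStatus`, `ClientIP`, `RecordType`) follow the public API reference as I know it and should be checked against the linked Get Started page; the tenant id, blob ids and audit records are constructed, and the HTTP transport is injected so the flow runs offline against a fake tenant (in production, pass a function that performs the authenticated request with a bearer token).

```python
"""Added example (not the page's or Microsoft's code): the pull loop for the
Office 365 Management Activity API with paging and blob de-duplication.
Everything below the client class is a constructed fake tenant."""
from datetime import datetime
from urllib.parse import urlencode

BASE_URL = "https://manage.office.com/api/v1.0"          # real API host
TENANT_ID = "00000000-0000-0000-0000-000000000000"        # placeholder tenant
CONTENT_TYPE = "Audit.AzureActiveDirectory"


def _fmt(dt: datetime) -> str:
    return dt.strftime("%Y-%m-%dT%H:%M")   # minute precision, as the feed expects


class ActivityFeedClient:
    def __init__(self, tenant_id, http):
        self.root = f"{BASE_URL}/{tenant_id}/activity/feed"
        self.http = http   # callable(method, url) -> (status, headers, json_body)

    def start_subscription(self, content_type):
        url = f"{self.root}/subscriptions/start?" + urlencode({"contentType": content_type})
        status, _, body = self.http("POST", url)
        if status not in (200, 201):
            raise RuntimeError(f"subscription start failed: HTTP {status}")
        return body

    def list_content(self, content_type, start, end):
        """Walk every page of available content blobs for the window."""
        url = f"{self.root}/subscriptions/content?" + urlencode(
            {"contentType": content_type, "startTime": _fmt(start), "endTime": _fmt(end)})
        blobs = []
        while url:
            status, headers, body = self.http("GET", url)
            if status != 200:
                raise RuntimeError(f"content listing failed: HTTP {status}")
            blobs.extend(body)
            url = headers.get("NextPageUri")   # absent on the last page
        return blobs

    def fetch_records(self, content_type, start, end, seen_ids):
        """Fetch each blob once: listings overlap between polls, so track contentId."""
        records = []
        for blob in self.list_content(content_type, start, end):
            if blob["contentId"] in seen_ids:
                continue
            status, _, body = self.http("GET", blob["contentUri"])
            if status != 200:
                raise RuntimeError(f"blob fetch failed: HTTP {status}")
            seen_ids.add(blob["contentId"])
            records.extend(normalize(r) for r in body)
        return records


def normalize(rec):
    """Project an audit record onto the fields a SIEM rule usually keys on."""
    return {"time": rec["CreationTime"], "id": rec["Id"], "workload": rec["Workload"],
            "operation": rec["Operation"], "user": rec.get("UserId"),
            "result": rec.get("ResultStatus"), "client_ip": rec.get("ClientIP"),
            "record_type": rec["RecordType"]}


# ---- constructed fake tenant: one listing split over two pages, two blobs ----
WINDOW_START, WINDOW_END = datetime(2024, 1, 15, 8, 0), datetime(2024, 1, 15, 9, 0)
_ROOT = f"{BASE_URL}/{TENANT_ID}/activity/feed"
_LIST = f"{_ROOT}/subscriptions/content?" + urlencode(
    {"contentType": CONTENT_TYPE, "startTime": _fmt(WINDOW_START), "endTime": _fmt(WINDOW_END)})
_PAGE2 = f"{_ROOT}/subscriptions/content?page=2"
_BLOB = [f"{_ROOT}/audit/constructed-blob-{i}" for i in (1, 2)]


def _rec(rid, op, user, result, ip, rtype):
    return {"CreationTime": "2024-01-15T08:12:03", "Id": rid, "Operation": op,
            "OrganizationId": TENANT_ID, "RecordType": rtype, "ResultStatus": result,
            "UserKey": user, "UserType": 0, "Workload": "AzureActiveDirectory",
            "UserId": user, "ClientIP": ip}


FAKE_RESPONSES = {
    ("POST", f"{_ROOT}/subscriptions/start?" + urlencode({"contentType": CONTENT_TYPE})):
        (200, {}, {"contentType": CONTENT_TYPE, "status": "enabled", "webhook": None}),
    ("GET", _LIST): (200, {"NextPageUri": _PAGE2},
                     [{"contentType": CONTENT_TYPE, "contentId": "blob-1", "contentUri": _BLOB[0]}]),
    ("GET", _PAGE2): (200, {},
                      [{"contentType": CONTENT_TYPE, "contentId": "blob-2", "contentUri": _BLOB[1]}]),
    ("GET", _BLOB[0]): (200, {}, [
        _rec("r-1", "UserLoggedIn", "alice@example.com", "Success", "198.51.100.10", 15),
        _rec("r-2", "UserLoginFailed", "bob@example.com", "Failed", "203.0.113.5", 15)]),
    ("GET", _BLOB[1]): (200, {}, [
        _rec("r-3", "Add member to role.", "admin@example.com", "Success", "192.0.2.9", 8)]),
}


def fake_http(method, url):
    return FAKE_RESPONSES.get((method, url), (404, {}, None))


if __name__ == "__main__":
    client = ActivityFeedClient(TENANT_ID, fake_http)
    print(client.start_subscription(CONTENT_TYPE))
    seen = set()
    for r in client.fetch_records(CONTENT_TYPE, WINDOW_START, WINDOW_END, seen):
        print(r["time"], r["workload"], r["operation"], r["user"], r["result"])
```

Persist `seen_ids` between polls (with the blob's `contentExpiration`, if you keep it, as the natural eviction time) so a restart of the collector does not replay records into QRadar or Sentinel.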