    July 22, 2024

    Detect and Respond to Azure Threats With Blumira: Easy Cloud SIEM Setup

    Azure is Microsoft's cloud computing platform, used by 56% of organizations worldwide, and one of the three main global cloud providers alongside Amazon Web Services and Google Cloud Platform.

    Now you can quickly and easily set up your Azure Event Hub Cloud Connector to start sending logs to Blumira's platform for detection and response. Previously, we offered this integration via a sensor; it is now available via Cloud Connector.

    Blumira automatically deploys detection rules, monitoring your Azure logs for anomalies around the clock and notifying you in near real time, within a minute of initial detection. These rules are developed and managed by our incident detection engineering team to lift the burden from your small IT team and reduce the time spent managing security to less than 15 minutes a day.

    Learn more about some of our key detection rules, each sent to your team as a context-rich finding with a workflow that guides you through how to respond:

    • Azure Identity Protection Risky Sign-in – This rule relies on Azure sign-in logs from Azure AD and alerts you when Azure deems a sign-in risky.
    • Azure: Failed SSH Brute Force Attack Security Alert – Blumira alerts you when Azure AD has detected a failed SSH brute-force attack against your Azure environment, providing additional information on the machine targeted in the attack. Blumira gives you recommendations on how to find and block the source IPs on your firewall.
    • Azure AD Conditional Access Policy Added/Modified/Deleted – Blumira detects when your Conditional Access (CA) policies have been created, modified, or deleted. This can alert you to potentially malicious behavior, or to new policies you can review to decide whether they are legitimate or malicious in nature.
    • Disabling of Multi-Factor Authentication on Azure AD User – This rule alerts you whenever a user's multi-factor authentication (MFA) has been disabled, so you can detect and respond quickly if an attacker disables MFA for one or more users to bypass authentication.
    • Successful Single Factor PowerShell Authentication – Blumira helps you find potentially malicious PowerShell access to your Azure environment. Azure PowerShell allows you to create subscriptions, edit virtual machines, access data within storage accounts, and much more. Visibility into this tool is invaluable for protecting your cloud environment.
    • Azure AD Anomalous Agent Sign-in Activity – Blumira helps you detect odd or unusual sign-ins, capturing the IP address and device information to speed up detection and investigation. This rule relies on Azure AD's classification of what is anomalous based on prior sign-in activity.

    Source: Updated version of the list from A Guide To Microsoft Azure Security Logging by Justin Kikani

    See below an example of one of Blumira's Azure findings: an unauthorized access attempt flagged by Blumira's platform as a potential threat:

    The finding provides an analysis of the threat detected, along with context about what kind of attack it might be, and a workflow that guides a responder through how to respond. If your team needs more support or has a question, they can click 'Add note' to message the Blumira support team directly; a 24/7 Security Operations team is on standby to assist you.


    How to Integrate with Microsoft Azure Event Hubs

    Easily integrate your Microsoft Azure Event Hubs with Blumira via Cloud Connectors to stream Azure cloud security event logs and alerts to Blumira's SIEM and XDR platform.

    The Azure Event Hubs integration can also be used to collect logs from Microsoft Intune and Microsoft 365 Defender.

    1. Configure Azure to obtain credentials
    2. Provide your Event Hubs credentials to Blumira
    3. Connect log sources to your event hub to start sending logs to Blumira (Azure Monitor, Microsoft Entra ID (Azure AD), Intune, Microsoft 365 Defender)

    See the complete step-by-step support article with screenshots here: Integrating With Microsoft Azure Event Hubs

    Azure Detection Rules

    See all automatically enabled detection rules after you've set up your Azure integration by navigating to Settings > Detection Rules. Here you can toggle rules on or off as needed, and see the analysis summaries, categories, priority and more.


    When viewing a finding's detail (Reporting > Findings > click on an individual finding), scroll down to Detection Filters. There you can further customize when you receive an alert, reducing the noise of unnecessary notifications so you can focus on what needs a response right away. You can easily exclude specific users or IPs from findings based on known safe activity at your organization.
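    As an added illustration (not Blumira's code or its actual rule logic), the Python below applies four of the detection rules listed earlier to a constructed Azure Monitor batch in the {"records": [...]} shape that Azure diagnostic settings write to an Event Hub, and suppresses known-safe users and IPs the way the detection filters above do. The Entra ID log property names are assumptions based on the SignInLogs/AuditLogs diagnostic schema, and the match conditions are simplified stand-ins, not Blumira's rules.

```python
import json
# Constructed Azure Monitor export as it arrives in one Event Hub message
# ({"records": [...]}). Property names are assumed from the Entra ID
# diagnostic-log schema; every value here is made up for the example.
SAMPLE_BATCH = json.dumps({"records": [
    {"category": "SignInLogs", "properties": {"userPrincipalName": "ops@example.com",
     "ipAddress": "203.0.113.7", "appDisplayName": "Microsoft Azure PowerShell",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}},
    {"category": "SignInLogs", "properties": {"userPrincipalName": "svc-backup@example.com",
     "ipAddress": "10.0.0.5", "appDisplayName": "Microsoft Azure PowerShell",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}},
    {"category": "SignInLogs", "properties": {"userPrincipalName": "ceo@example.com",
     "ipAddress": "198.51.100.9", "appDisplayName": "Office 365",
     "authenticationRequirement": "multiFactorAuthentication",
     "riskLevelDuringSignIn": "high", "status": {"errorCode": 0}}},
    {"category": "AuditLogs", "properties": {"activityDisplayName": "Disable Strong Authentication",
     "targetResources": [{"userPrincipalName": "cfo@example.com"}]}},
    {"category": "AuditLogs", "properties": {"activityDisplayName": "Update conditional access policy",
     "targetResources": [{"displayName": "Require MFA for admins"}]}},
]})
# Known-safe users and source IPs excluded from findings (the detection filters).
SAFE_USERS, SAFE_IPS = {"svc-backup@example.com"}, {"10.0.0.5"}

def rules_for(rec):
    """Return the names of the page's rules (simplified here) matching one record."""
    p, hits = rec.get("properties", {}), []
    if rec.get("category") == "SignInLogs":
        if p.get("riskLevelDuringSignIn") in ("medium", "high"):
            hits.append("Azure Identity Protection Risky Sign-in")
        if (p.get("status", {}).get("errorCode") == 0 and "PowerShell" in p.get("appDisplayName", "")
                and p.get("authenticationRequirement") == "singleFactorAuthentication"):
            hits.append("Successful Single Factor PowerShell Authentication")
    elif rec.get("category") == "AuditLogs":
        act = p.get("activityDisplayName", "")
        if act == "Disable Strong Authentication":
            hits.append("Disabling of Multi-Factor Authentication on Azure AD User")
        if act.lower().endswith("conditional access policy"):
            hits.append("Azure AD Conditional Access Policy Added/Modified/Deleted")
    return hits

def findings(batch_json):
    """Parse one Event Hub message body into (rule, subject) pairs, applying exclusions."""
    out = []
    for rec in json.loads(batch_json)["records"]:
        p = rec.get("properties", {})
        if p.get("userPrincipalName") in SAFE_USERS or p.get("ipAddress") in SAFE_IPS:
            continue  # known-safe activity never becomes a finding
        target = (p.get("targetResources") or [{}])[0]
        subject = p.get("userPrincipalName") or target.get("userPrincipalName") or target.get("displayName")
        out.extend((rule, subject) for rule in rules_for(rec))
    return out
```

    The excluded service-account record would otherwise match the PowerShell rule, which is the trade-off a detection filter makes: it should be scoped to one user or IP, not to a rule as a whole.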

    See more information about all of our integrations. Get started by:

    Signing up for a Free SIEM account – Get three free cloud integrations, detection rules, response playbooks and more for free, forever.

    “We had been talking about QRadar; we had a demo of QRadar. Then we set up the free version of Blumira, and within the first 14 hours, had a detection that we probably would never have caught otherwise.” – Keith Knisely, Assistant VP/IT Specialist, SouthTrust Bank

    Then activate your 30-day free XDR trial to try out additional features like Blumira Agent to gain visibility into endpoints and the ability to automatically respond to threats.

    Thu Pham

    Thu has over 15 years of experience in the information security and technology industries. Prior to joining Blumira, she held both content and product marketing roles at Duo Security, leading go-to-market (GTM) and messaging for the portfolio solution Cisco Zero Trust. She holds a bachelor of science degree in...
