Quick Start Security for Azure EventHubs
Coralogix Extension For Azure EventHubs Includes:
Alerts - 5
Stay on top of Azure EventHubs key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
Unusual Spike in Incoming Traffic to Azure Event Hubs
This alert triggers when there is a sudden and significant increase in incoming traffic to Azure Event Hubs beyond the normal baseline.
Impact: An unusual spike in incoming traffic may indicate a distributed denial-of-service (DDoS) attack, data injection attempts, or other malicious activity.
Mitigation: Monitor incoming traffic patterns regularly. Implement rate limiting, throttling, or Azure DDoS Protection to mitigate the impact of DDoS attacks. Use Azure Firewall or network security groups (NSGs) to restrict access to Event Hubs from unauthorized sources.
MITRE Tactic: TA0040 MITRE Technique: T1078
Stream Encryption Stopped
This alert detects that encryption has been stopped for a stream within Azure Event Hubs.
Impact: Stopping encryption for an Azure Event Hubs stream can result in data exposure, unauthorized access, and weakened data security controls.
Mitigation: Validate that the action was approved; investigate further if it was not.
MITRE Tactic: TA0040 MITRE Technique: T1485
Excessive Stream Deletion Detected
This alert triggers when a single user attempts more than 10 stream deletions within a 5-minute interval.
Impact: Excessive stream deletions could indicate unauthorized activity, misconfiguration, or other security risks within the Azure Event Hubs environment.
Mitigation: Investigate the reason for the high volume of stream deletions, ensure proper access controls and permissions are in place, and promptly address any unauthorized activity or misconfiguration.
MITRE Tactic: TA0040 MITRE Technique: T1485
Record Access Detected From a New User
This alert triggers when a record is retrieved by a user that has not been observed within the last month.
Impact: A previously unseen user has retrieved records from an Azure Event Hubs stream. While this can be a normal part of stream usage, it could also be malicious if the user is attempting to gain unauthorized access to sensitive data, or if it is part of a reconnaissance phase before more advanced attacks.
Mitigation: Review the user's access privileges, confirm whether the retrieval was intentional or unauthorized, and enforce least-privilege access where needed.
MITRE Tactic: TA0003 MITRE Technique: T1081
Excessive Stream Creation Detected
This alert triggers when a single user attempts more than 10 stream creations within a 5-minute interval.
Impact: Excessive stream creations may indicate misconfiguration, operational issues, or potential security risks within the Azure Event Hubs environment.
Mitigation: Validate that the action was approved; investigate further if it was not.
MITRE Tactic: TA0007 MITRE Technique: T1082
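The two threshold alerts above (excessive stream deletion and excessive stream creation) share one rule shape: more than 10 operations by a single caller inside a 5-minute sliding window. The Python below is an added example implementing that shape over constructed Azure Activity Log style records; it is not Coralogix's rule definition, and the field names (operationName, caller, eventTimestamp) and the ARM operation names for deleting and creating an event hub are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                 # alert fires on MORE than 10 operations ...
WINDOW = timedelta(minutes=5)  # ... by one caller inside a 5-minute interval

# Assumed ARM operation names for deleting/creating an event hub ("stream" above).
WATCHED_OPS = {
    "Microsoft.EventHub/namespaces/eventhubs/delete": "Excessive Stream Deletion Detected",
    "Microsoft.EventHub/namespaces/eventhubs/write": "Excessive Stream Creation Detected",
}

def detect_excessive_ops(events):
    """Sliding-window count per (caller, operation); one finding per pair the
    first time its count inside WINDOW exceeds THRESHOLD."""
    recent = defaultdict(deque)  # (caller, op) -> timestamps still inside the window
    fired, findings = set(), []
    for ev in sorted(events, key=lambda e: e["eventTimestamp"]):
        op = ev["operationName"]
        if op not in WATCHED_OPS:
            continue                       # not a create/delete, ignore
        key = (ev["caller"], op)
        ts = datetime.fromisoformat(ev["eventTimestamp"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > WINDOW:          # evict timestamps older than 5 minutes
            q.popleft()
        if len(q) > THRESHOLD and key not in fired:
            fired.add(key)                 # suppress repeat findings for the same burst
            findings.append({"alert": WATCHED_OPS[op], "caller": ev["caller"],
                             "count": len(q), "window_end": ev["eventTimestamp"]})
    return findings

def sample_events():
    """Constructed Activity Log records for the demo (not real data)."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    delete = "Microsoft.EventHub/namespaces/eventhubs/delete"
    write = "Microsoft.EventHub/namespaces/eventhubs/write"
    def ev(caller, op, secs):
        return {"caller": caller, "operationName": op,
                "eventTimestamp": (base + timedelta(seconds=secs)).isoformat()}
    evs = [ev("alice@example.com", delete, 15 * i) for i in range(11)]  # 11 deletes in 2.5 min
    evs += [ev("bob@example.com", delete, 60 * i) for i in range(4)]    # 4 deletes: under threshold
    evs += [ev("carol@example.com", write, 120 * i) for i in range(11)] # 11 creates over 20 min
    return evs

if __name__ == "__main__":
    for finding in detect_excessive_ops(sample_events()):
        print(finding)
```

Only the first caller's burst fires: the 11 creations by the third caller never fall inside a single 5-minute window, so the sliding window, not the raw count, decides.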
Integration
Learn more about Coralogix's out-of-the-box integration with Azure EventHubs in our documentation.