Azure Event Hub Namespace Key
Service Name: Azure Event Hubs
Service Description: Azure Event Hubs is a big data streaming platform and event ingestion service capable of receiving and processing millions of events per second. Event Hubs can process and store events, data, or telemetry produced by distributed software and devices.
Service Address: https://azure.microsoft.com/en-us/services/event-hubs/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the namespace level using Virtual Network Service Endpoints and IP filtering rules.
Secret Access Scope: Grants access to send and/or receive events from Azure Event Hubs namespaces. The scope depends on the policy associated with the key (e.g., Send, Listen, Manage).
Secret Revokement URL: https://portal.azure.com/ (Navigate to Event Hubs namespace > Shared access policies > Select the policy > Regenerate keys)
Secret Example: Endpoint=sb://myeventhub.servicebus.windows.net/;SharedAccessKeyName=RootM anageSharedAccessKey;SharedAccessKey=AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AB CDEFGH=
Suspicious Activity Investigation Instructions:
- Review Azure Activity logs for unusual operations on the Event Hubs namespace
- Check Event Hubs metrics for unexpected spikes in ingress/egress events
-
Monitor for unauthorized IP addresses accessing the namespace if IP filtering is enabled
-
Review Azure Monitor logs for authentication failures or unusual access
patterns
- Check for unexpected applications or services consuming events from your
Event Hubs
Mitigation Instructions:
- Immediately regenerate the shared access key from the Azure Portal
- Navigate to your Event Hubs namespace in the Azure Portal
- Select "Shared access policies" from the left menu
- Select the affected policy
- Click "Regenerate keys" for either the primary or secondary key that was compromised
- Update all legitimate applications with the new connection string
- Implement network security using Virtual Network Service Endpoints to restrict access
- Consider implementing Azure Private Link for enhanced security
- Review and limit the permissions assigned to the shared access policy (Send, Listen, or Manage)
- Enable diagnostic logs for better monitoring and auditing