Azure Event Hub
Authorization Rule Key
Service Name: Azure Event Hubs
Service Description: Azure Event Hubs is a big data streaming platform and event ingestion service capable of receiving and processing millions of events per second. It can process and store events, data, or telemetry produced by distributed software and devices.
Service Address: https://azure.microsoft.com/en-us/services/event-hubs/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the namespace level using Virtual Network Service Endpoints and IP firewall rules.
Secret Access Scope: Grants access to send and/or receive events from Azure Event Hubs based on the assigned rights (Send, Listen, or Manage).
Secret Revokement URL: https://portal.azure.com/ (Navigate to Event Hubs namespace > Event Hub > Shared access policies)
Secret Example: Endpoint=sb://myeventhub.servicebus.windows.net/;SharedAccessKeyName=RootM anageSharedAccessKey;SharedAccessKey=AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AB CDEFGH=
Suspicious Activity Investigation Instructions:
- Review Azure Activity logs for unusual operations on the Event Hub namespace
- Check Event Hub metrics for unexpected spikes in ingress/egress events
- Monitor for unauthorized IP addresses accessing the Event Hub if IP filtering is enabled
-
Examine Azure Monitor logs for failed authentication attempts
-
Review the Event Hub's diagnostic logs for unusual patterns of access
Mitigation Instructions:
- Navigate to the Azure Portal and locate the affected Event Hub namespace
- Select the specific Event Hub and go to "Shared access policies"
- Delete the compromised authorization rule or regenerate its keys
- To regenerate keys: select the policy, click "Regenerate Primary Key" or "Regenerate Secondary Key"
- Update all legitimate applications with the new connection string
- Consider implementing more restrictive access policies using Azure RBAC instead of SAS keys
- Enable Virtual Network Service Endpoints to restrict access to specific virtual networks
- Configure IP firewall rules to limit access to trusted IP addresses
- Implement Azure Private Link for enhanced security if needed