Configure Microsoft Entra ID with Azure Event Hubs for Arctic Wolf monitoring

You can configure Microsoft Entra ID® with Azure Event Hubs to send the necessary logs to Arctic Wolf® for security monitoring.

Note: This is an early access (EA) integration. It is not publicly available. If you are interested in joining the EA program, reach out to your Concierge Security® Team (CST).

This integration is recommended to reduce latency if your organization generates high volumes of Microsoft Entra ID security logs.

Note:

To avoid data loss, Arctic Wolf integrations using Azure Event Hubs must have exclusive use of the default and replay consumer groups created as part of the integration.

If any other application uses the same consumer groups to consume data from the same event hub as Arctic Wolf integrations, the Arctic Wolf integrations can't collect data. For more information on Azure Event Hubs consumer groups, see Azure Event Hubs documentation.

These resources are required:

  • An Azure subscription with appropriate permissions to:

    • Create and configure Azure Event Hubs resources

    • Register applications in Microsoft Entra ID

  • Azure Standard tier license or higher

    Note:

    The Basic tier does not support the Kafka protocol for Event Hubs. For more information, see Azure Event Hubs quotas and limits.

These actions are required:

  • Notify your Concierge Security® Team (CST) that you have completed the configuration.
  • Set a reminder to renew the client secret before it expires to maintain continuous monitoring.
  • Review the Event Hubs metrics in the Azure portal to verify that events are being ingested successfully.

Create an Azure Event Hubs namespace

  1. Sign in to Microsoft Azure portal with administrator permissions.
  2. In the search field, search for and click Event Hubs.
  3. Click + Create.
  4. On the Create Namespace page, on the Basics tab, configure these settings:
    • Subscription — Select your Azure subscription.
    • Resource group — Select an existing resource group or create a new one.

      To create a new resource group, see Create a resource group.

    • Namespace name — Enter a unique and descriptive name for your Event Hubs namespace. This will form part of your host name, for example namespace_name.servicebus.windows.net.
    • Region — Select your Azure region.
    • Pricing tier — Select Standard or higher.
  5. Click Review + create, and then click Create.
    Deployment is in progress.
  6. After deployment is complete, click Go to resource.
  7. Copy the Host name field value in the format namespace_name.servicebus.windows.net, and then save it in a safe, encrypted location.

    You will provide this value to Arctic Wolf later.

Create an event hub for Microsoft Entra ID

  1. Sign in to the Microsoft Azure portal with administrator permissions.
  2. In the search field, search for and click Event Hubs.
  3. Click the Event Hubs namespace that you created in Create an Azure Event Hubs namespace.
  4. Click the Overview tab.
  5. Click + Event Hub.
  6. On the Create Event Hub page, on the Basics tab, configure these settings:
    • Name — Enter a unique and descriptive name for the Event Hub. For example, entra-id-events. This name must start and end with a letter or number and can only contain letters, numbers, periods, hyphens, and underscores.
    • Partition count — Enter 32 or the required number of partitions.

      For more information, see Features and terminology in Azure Event Hubs.

    • Retention time (hrs) — Enter 168.
  7. Click Review + create, and then click Create.
  8. Copy the event hub name to a safe, encrypted location to provide to Arctic Wolf later.

Create a replay consumer group

In the rare event of a system outage that prevents the successful ingestion of logs, Arctic Wolf can implement a replay function that ingests logs from a specific time window. In order to prevent conflicts with the ongoing ingestion of new logs, you must create a second consumer group that can be used for the replay functionality.

  1. Sign in to the Microsoft Azure portal with administrator permissions.
  2. In the search field, search for and click Event Hubs.
  3. Click the Event Hubs namespace that you created in Create an Azure Event Hubs namespace.
  4. Click the Overview tab.
  5. Click the event hub that you created in Create an Azure Event Hubs namespace.
  6. In the navigation menu, click Entities, and then click Consumer groups.
  7. Click + Consumer group.
  8. In the Create consumer group window, enter a unique and descriptive name for the replay group. For example, entra-id-replay. The name must start and end with a letter or number and can only contain letters, numbers, periods, hyphens, and underscores.
  9. Click Create.
  10. Copy the consumer group name to a safe, encrypted location to provide to Arctic Wolf later.

Register the application

  1. Sign in to the Microsoft Azure portal with administrator permissions.
  2. In the search field, search for and click Microsoft Entra ID.
  3. In the navigation menu, click Manage > App registrations.
  4. Click + New registration.
  5. Configure these settings:
    • Name — Enter a name for the application.
    • Supported account types — From the list, select Accounts in this organizational directory only.
    • For all other fields, keep the default values.
  6. Click Register.
    The page for the newly registered application opens.
  7. Copy the Application (client) ID and Directory (tenant) ID values, and then save them in a safe, encrypted location.
    You will provide them to Arctic Wolf later.
  8. In the navigation menu, in the Manage section, click Certificates & secrets.
  9. In the Client secrets section, click + New client secret, and then configure these settings:
    • Description — Enter a description for the client secret.
    • Expires — Select an expiration date for the client secret.
  10. Click Add.
  11. On the Client secrets tab, verify that your new client secret appears.
  12. Copy the Value value to a safe, encrypted location.
    You will provide it to Arctic Wolf later.
    Note:
    • The Value value is only available immediately after creation. Do not exit the Certificates & Secrets page until the value is saved in a safe, encrypted location.
    • The Value value is the Client Secret Value that you must provide to Arctic Wolf later. It is not necessary to copy the Secret ID field.
    • You must provide the updated client secret credentials to Arctic Wolf before the credentials expire.

Assign Event Hubs permissions to the application

  1. Sign in to the Microsoft Azure portal with administrator permissions.
  2. In the search field, search for and click Event Hubs.
  3. Click the Event Hubs namespace that you created in Create an Azure Event Hubs namespace.
  4. Click the Overview tab.
  5. Click the event hub that you created in Create an event hub for Microsoft Entra ID.
  6. In the navigation menu, click Access control (IAM).
  7. Click + Add, and then click Add role assignment.
  8. On the Role tab, select Azure Event Hubs Data Receiver.
  9. Click Next.
  10. On the Members tab, configure these settings:
    • Assign access to — Select User, group, or service principal.
    • Members — Click + Select members, search for and select the application that you created in Register the application, and then click Select.
  11. Click Review + assign, and then review the settings.
  12. Click Review + assign.

Configure streaming in Microsoft Entra ID

  1. Sign in to the Microsoft Azure portal with administrator permissions.
  2. In the search field, search for and click Microsoft Entra ID.
  3. In the navigation menu, click Monitoring > Diagnostic Settings.
  4. Click + Add diagnostic setting.
  5. In the Diagnostic setting name field, enter a descriptive name. For example, Arctic Wolf Entra ID Stream.
  6. In the Logs section, select these Category options:
    • AuditLogs
    • SignInLogs
    • NonInteractiveUserSignInLogs
    • ServicePrincipalSignInLogs
    • ManagedIdentitySignInLogs
    • RiskyUsers
    • UserRiskEvents
    • RiskyServicePrincipals
    • ServicePrincipalRiskEvents
    • MicrosoftGraphActivityLogs
    • NetworkAccessAlerts
    • NetworkAccessConnectionEvents
    • AzureADGraphActivityLogs
    • NetworkAccessGenerativeAIInsights
    • GraphNotificationsActivityLogs
    • RiskyAgents
    • AgentRiskEvents
  7. In the Destination Details section, configure these settings:
    1. Select the Stream to an event hub checkbox.
    2. In the Subscription list, select the subscription that you selected in Create an Azure Event Hubs namespace.
    3. In the Event Hub namespace list, select the namespace name from Create an Azure Event Hubs namespace, without the .servicebus.windows.net suffix.
    4. In the Event Hub name list, select the event hub that you created in Create an event hub for Microsoft Entra ID.
    5. In the Event Hub policy name list, select RootManageSharedAccessKey.

Provide Microsoft Entra ID credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click Microsoft Entra ID (Event Hubs).
  5. Configure these settings:
  6. Click Test and submit credentials.