The agent must be run on a server / component that allows HTTPS connections and node.js.

The agent will pull a selected Azure Event Hub for events coming from Azure AD (logins and audits), and it will also pull administrative and security events coming from Azure Monitor.


In Azure AD, go to "Diagnostic Settings", select "Add diagnostic setting" and select your Event Hub. Choose which events you want to be sent. 



In Azure Monitor, go to "Activity log", select "Diagnostic settings" and choose which events you want to be sent.



 

Prerequisites

  • The agent uses ports 80 / 443 (HTTP / HTTPS)
  • Install Node.js (https://nodejs.org/en/download/package-manager/)
  • Install package for Event Hubs from Microsoft from command prompt
    • "npm install @azure/event-hubs"
    • "npm install @azure/storage-blob"
    • "npm install @azure/eventhubs-checkpointstore-blob"
  • Install package for Unirest HTTP libraries
    • "npm install unirest"


Install Agent

  1. Download the agent from our agent download page
  2. If you have not already created an AIMS environment, please see this article before proceeding

Configure the Agent


  1. AIMS connection config
    1. Go to the directory where you have the agent files and open the config file "aims_config.json"
    2. Find your AIMS connection and environment information. This can be found by logging into AIMS, select the "gear" icon top right and select "Agents". Copy the GUID from "Environment API address"
    3.  In the "aims_config.json" find the section "aimsConnection/environmentId". Replace the example GUID with the GUID found in your API address
    4. To aquire your auth token, use basic auth and do a GET to https://api.aimsinnovation.com/api/system by using a HTTP client or similar. Copy the token from the "Autorization: Basic" section to "aimsConnection/authToken" in "aims_config.json"
  2. Azure connection config
    1. You will need a storage account, a blob container in that storage account and an Event Hub
    2. Get the connection string to the Event Hub, and copy it into "aims_config.json" under "Azure/connectionString"
    3. Copy the Event Hub name to "aims_config.json" under "Azure/eventHubName"
    4. Copy the consumer group (default is "$Default") to "aims_config.json" under "Azure/consumerGroup"
    5. Get the connection string to the storage account, and copy it into "aims_config.json" under "Azure/storageConnectionString"
    6. Get the container name and copy to "aims_config.json" under "Azure/containerName"
  3. Register the agent in AIMS
    1. Once the "aims_config.json" is complete, run "node register_agent.js" to connect the agent to AIMS.
    2. The registration returns a system ID (xsystem) that you will insert to the "aims_config.json" under "aimsConnection/xSystem". This is needed to run the agent.


Final Setup and Start Agent


Based on your selected way of running the agent (Linux, Windows etc and VM / cloud) there are different ways of starting and running the agent. Below are a couple of examples:


  • Run the script from cli by typing "node eventhub.js". This will run the agent until it is stopped manually or by a server restart / shutdown
  • Windows - If your want to run it from a Windows Server, we recommend that you run the agent as a service. For more information see this example on GitHub
  • Linux - use systemd explained on Stack Overflow