AlienVault® USM Anywhere™

Azure Event Hubs in USM Anywhere

Microsoft Azure Event Hubs is a data and event processing service for Microsoft Azure. You can configure your Azure Sensor to receive and process information from Event Hubs in your USM Anywhere environment.

Azure Event Hubs Setup and Configuration

To begin setup and configuration, you first need to create an event hub in the Azure portal online. Follow the process in the Microsoft Azure documentation to create your resource group, namespace, and event hub.

After you complete the initial setup, create a new policy to allow your event hub to communicate with USM Anywhere.

To configure Azure Event Hubs for USM Anywhere

  1. In the Azure portal, click Shared Access Policies in the sidebar.
  2. Create a policy, and click the Listen Permission checkbox.
  3. Copy the connection string listed in the policy.
    This will be used later to connect the event hub in USM Anywhere.
  4. Click Save.

After you've completed the event hub setup, follow the steps in the Set up auditing for your database section of the Microsoft Event Hubs documentation to configure SQL event auditing.

Azure Event Hubs Connection in USM Anywhere

To enable Azure Event Hubs in USM Anywhere

  1. Go to the Sensors page and open the Azure Sensor.
  2. Click the Configurations tab.
  3. Complete the three fields:
    • Event Hub Name
    • Event Hub Connection String
    • Event Hub Consumer Group
  4. (Optional.) Select the Process generic events? checkbox to collect generic events that do not match the types of events Azure Event Hubs supports.
    If this checkbox is not selected, events not matching these event types will be discarded by the app.
  5. Azure Event Hubs supports Azure SQL Database logs, Azure Active Directory (AD) audit logs, Azure AD sign-in logs, and Azure AD monitoring logs.
  6. Click Save.
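
A pre-flight check for the Event Hub Connection String value before it is saved in the sensor, as an added example that is not part of the AlienVault documentation. It assumes the standard Event Hubs connection string layout (Endpoint, SharedAccessKeyName, SharedAccessKey, EntityPath); the function names, policy name `usm-listen`, hub name `audit-hub`, and sample strings are constructed for illustration.

```python
from urllib.parse import urlparse

# Azure creates this policy on every namespace; it carries Manage, Send and Listen.
DEFAULT_NAMESPACE_POLICY = "RootManageSharedAccessKey"

# Constructed sample values (names and key are placeholders, not real credentials).
HUB_LEVEL = ("Endpoint=sb://example-ns.servicebus.windows.net/;"
             "SharedAccessKeyName=usm-listen;"
             "SharedAccessKey=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=;"
             "EntityPath=audit-hub")
NAMESPACE_ROOT = ("Endpoint=sb://example-ns.servicebus.windows.net/;"
                  "SharedAccessKeyName=RootManageSharedAccessKey;"
                  "SharedAccessKey=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")

def parse_connection_string(conn):
    """Split 'Key=Value;...' pairs on the first '=' only (key values may end in '=' padding)."""
    fields = {}
    for part in filter(None, conn.strip().split(";")):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed segment without '='")  # never echo the segment
        fields[key.strip().lower()] = value.strip()
    return fields

def review_connection_string(conn, expected_hub):
    """Return findings for the string; an empty list means nothing was flagged.
    The granted rights are not encoded in the string, so confirm Listen-only
    on the policy itself in the Azure portal."""
    f = parse_connection_string(conn)
    findings = ["missing " + k for k in
                ("endpoint", "sharedaccesskeyname", "sharedaccesskey") if not f.get(k)]
    if f.get("endpoint"):
        url = urlparse(f["endpoint"])
        if url.scheme != "sb" or not url.hostname:
            findings.append("Endpoint is not an sb:// namespace URI")
    if f.get("sharedaccesskeyname") == DEFAULT_NAMESPACE_POLICY:
        findings.append("default namespace policy: grants Manage and Send, not only Listen")
    hub = f.get("entitypath")
    if not hub:
        findings.append("no EntityPath: string is from a namespace-level policy")
    elif hub != expected_hub:
        findings.append("EntityPath %r does not match Event Hub Name %r" % (hub, expected_hub))
    return findings

if __name__ == "__main__":
    for name, conn in (("hub-level", HUB_LEVEL), ("namespace root", NAMESPACE_ROOT)):
        print(name, review_connection_string(conn, "audit-hub") or "no findings")
```

The second argument is the value entered in the Event Hub Name field, so a mismatch with EntityPath is caught before the sensor reports an Error status.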

Viewing Azure Event Hubs Data in USM Anywhere

The Event Hub tab provides a glimpse into the health of your sensor's connection to Azure Event Hubs. This page contains the name of your Event Hub, its connectivity status, and the number of events that are being processed by Azure Event Hubs.

The connectivity statuses you may see are:

  • Connecting: Azure Event Hubs is currently connecting to the sensor.
  • Processing: Event Hubs is successfully connected.
  • Shutting Down: Event Hubs has begun the shutdown process to allow a different event hub to connect to the sensor.
  • Shutdown: The sensor is not currently connected to an event hub.
  • Error: The connection has experienced an error.

To view your Azure Event Hubs data

  1. Go to the sensor page and open your Event Hubs sensor.
  2. Click on the Event Hub tab.