 Role Availability
|
 Read-Only
|
Investigator |
Analyst
|
 Manager
|
Microsoft Azure Event Hubs is a data and event processing service for Microsoft Azure. The integration between USM Anywhere and Azure Event Hubs enables the Azure Sensor to receive and process information from an event hub so that you can manage it in your USM Anywhere environment.
Warning: To process and display the custom events received from the Azure Event Hubs as generic events, USM Anywhere needs these custom events in a specific format. The correct format is an array as a value of a "records" key in JSON format. For example { "records": [ {<event-content>} ] }.
Important: Be sure to review the Azure requirements page for any environmental requirements specific to Azure Event Hubs before implementing the streaming of your logs to Azure Event Hubs.
The Azure Sensor can process different types of logs sent through Azure Event Hubs, including but not limited to the following:
- Azure Active Directory (AD) logs, including audit logs and sign-in logs
- Azure Application Gateway logs
- Azure Monitor logs
- Azure SQL Database logs
- Microsoft Defender Advanced Threat Protection (ATP) logs
- Microsoft Intune logs
Important: The Azure Sensor will need to be connected to ports 5671 and 5672 in order to integrate with Azure Event Hubs.
Stream Logs to Azure Event Hubs
Before configuring the Azure Event Hubs integration in USM Anywhere, you must stream the logs you want to be analyzed to Azure Event Hubs. Make sure to stream your logs to the same event hub, because each Azure Sensor can only collect from a single event hub.
To stream logs to Azure Event Hubs
- Log in to the Azure portal.
- Create an event hub. See Microsoft Azure Quickstart: Create an event hub using Azure portal for instructions.
- Go to the event hub you just created and click Shared Access Policies in the sidebar.
- Create or edit a policy, and then select Manage, Send, and Listen. Streaming to Event Hubs requires these permissions.
-
Copy the connection string listed in the policy under Connection String–Primary Key.
Note: You will need to enter this string when configuring the Event Hubs connection in USM Anywhere.
-
Configure streaming for the logs you want to collect. For example:
Note: Make sure to enable Stream to an event hub and select the Event Hub you just created as the destination.
- Azure AD logs: See Stream Azure Active Directory Logs to an Azure Event Hub for instructions from Microsoft.
- Azure Application Gateway logs: See Enable Logging for Application Gateway for instructions from Microsoft.
- Azure Monitor logs: See Create Diagnostic Settings to Send Logs for instructions from Microsoft.
- Azure SQL Database logs: See Set up auditing for your database for instructions from Microsoft. Make sure to select Event Hub as the destination.
- Microsoft Defender ATP logs: See Configure Microsoft Defender ATP to stream Advanced Hunting events to your Azure Event Hubs for instructions from Microsoft.
- Microsoft Intune logs: See Send log data to storage, event hubs, or log analytics in Intune for instructions from Microsoft.
Set Up Azure Event Hubs Connection in USM Anywhere
After completing the initial setup of your Azure Event Hubs, return to your USM Anywhere Sensors page to enable the Azure Event Hubs connection in USM Anywhere.
To enable Azure Event Hubs in USM Anywhere
- Go to Data Sources > Sensors, and then open the Azure Sensor.
-
Click the Configuration tab.
-
Complete the three fields:
- Event Hub Name: The name of the event hub created during initial setup.
- Event Hub Connection String: A string containing unique configuration data about your Azure Event Hubs implementation. This is the connection string that was copied under Connection String–Primary Key in the Stream Logs to Azure Event Hubs procedure.
- Event Hub Consumer Group: The name of your Event Hubs consumer group. You can locate this name by opening your Event Hubs overview in the Azure portal and scrolling to the bottom of the page.
- Event Hub Name: The name of the event hub created during initial setup.
- (Optional.) Select Process Generic Events to collect events for which USM Anywhere currently does not have a parser. These events will display as "GENERIC event" under
- Click Save.
- Click the Event Hub tab to check the connection status and the number of events processed by each data source.
Viewing Azure Event Hubs Connectivity in USM Anywhere
The Event Hub tab on the Azure Sensor page provides a glimpse into the health of your sensor's connection to Azure Event Hubs. This page contains the name of your event hub, its connectivity status, and the number of events being processed by USM Anywhere.
To view your Azure Event Hubs connection
- Go to the Sensors page, and then open your Azure Sensor.
- Click the Event Hub tab.
These are the connectivity statuses you may see:
- Connecting: Azure Event Hubs is currently connecting to the sensor.
- Processing: Azure Event Hubs is successfully connected.
- Shutting Down: Azure Event Hubs has begun the shutdown process to allow a different event hub to connect to the sensor.
- Shutdown: The sensor is not currently connected to an event hub.
- Error: The connection has experienced an error.
Feedback