Microsoft Azure Event Hubs Integration Guide
The following instructions are for configuring an integration of Azure Event Hubs to facilitate ingestion into Secureworks® Taegis™ XDR.
Important
Secureworks® Taegis™ XDR supports the Standard, Premium, and Dedicated Event Hubs tiers. The Basic tier is NOT supported.
Note
The following prerequisites must be in place before beginning the event hub integration process:
- An active Azure subscription with at least one event hub; see Quickstart: Create an event hub using Azure portal.
- One or more data sources configured to send data to the event hub to be integrated.
  - For example, Azure Monitor can be configured to stream data to an event hub; see Stream Azure monitoring data to an event hub or external partner.
Gather Required Information
The following information is required to integrate an event hub with XDR:
- Integration name — The integration name can be any value of your choice; it is used to uniquely identify the integration within XDR.
- Event hub namespace hostname — The event hub namespace hostname is the fully qualified domain name used to connect to the event hub. From the Azure Portal, it can be viewed by navigating to Event Hubs -> Select the event hub namespace to be integrated -> View the Host name value on the Overview page.
View Event Hub Namespace Hostname
- Event hub name — From the event hub namespace, select Entities -> Event Hubs. A list of event hub names displays. Select the event hub name to be integrated.
- Connection string — From within the event hub, navigate to Settings -> Shared access policies. Select the Add button to create a new shared access policy for XDR. The policy name can be any value of your choosing, but the policy must grant the Listen claim, which is the only claim a consumer needs. Once the policy is created, select it from the list and copy the Primary Connection String value.
Add SAS Policy
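Before entering the values in XDR, it is worth confirming that the three pieces of information you gathered agree with each other: the connection string's Endpoint should resolve to the namespace hostname, its EntityPath (when present) should be the event hub name, and its SharedAccessKeyName should be the dedicated Listen-only policy rather than the namespace's default RootManageSharedAccessKey. The following Python script is an added example, not code from Secureworks or Microsoft; it assumes the standard `Key=Value;` layout of an Azure Event Hubs connection string, and the namespace, hub, policy and key values in it are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed sample (hostname, policy name, hub name and key are placeholders,
# not real credentials). This is the layout of the Primary Connection String
# copied from a shared access policy created on an individual event hub.
SAMPLE_CONNECTION_STRING = (
    "Endpoint=sb://contoso-logs.servicebus.windows.net/;"
    "SharedAccessKeyName=taegis-listen;"
    "SharedAccessKey=EXAMPLEKEY0000000000000000000000000000000000=;"
    "EntityPath=firewall-logs"
)

# Default namespace-level policy that Azure creates with Manage, Send and Listen.
ROOT_POLICY = "RootManageSharedAccessKey"


def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict.

    Only the first '=' in each segment separates key from value, because the
    base64 SharedAccessKey itself usually ends in '='.
    """
    parts = {}
    for segment in conn.strip().rstrip(";").split(";"):
        if not segment:
            continue
        key, sep, value = segment.partition("=")
        if not sep:
            raise ValueError(f"malformed segment: {segment!r}")
        parts[key.strip()] = value.strip()
    return parts


def namespace_hostname(parts: dict) -> str:
    """Derive the event hub namespace hostname XDR asks for from the Endpoint URL."""
    host = urlparse(parts.get("Endpoint", "")).hostname
    if not host:
        raise ValueError("Endpoint missing or not a valid sb:// URL")
    return host


def check_connection_string(conn: str, expected_hostname: str, expected_hub: str) -> list:
    """Return a list of findings; an empty list means the string is consistent and narrowly scoped."""
    findings = []
    parts = parse_connection_string(conn)
    for required in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey"):
        if required not in parts:
            findings.append(f"missing {required}")
    if findings:
        return findings

    host = namespace_hostname(parts)
    if host.lower() != expected_hostname.lower():
        findings.append(f"endpoint host {host} does not match expected {expected_hostname}")

    hub = parts.get("EntityPath")
    if hub is None:
        # A namespace-level policy grants Listen on every hub in the namespace.
        findings.append("no EntityPath: policy is namespace-scoped rather than scoped to one event hub")
    elif hub != expected_hub:
        findings.append(f"EntityPath {hub} does not match expected hub {expected_hub}")

    if parts["SharedAccessKeyName"] == ROOT_POLICY:
        findings.append(f"policy is {ROOT_POLICY} (Manage rights); use a dedicated Listen-only policy")
    return findings


if __name__ == "__main__":
    problems = check_connection_string(
        SAMPLE_CONNECTION_STRING, "contoso-logs.servicebus.windows.net", "firewall-logs"
    )
    print("OK" if not problems else "\n".join(problems))
```

Paste the real Primary Connection String in place of the sample and pass the hostname and event hub name you noted from the portal; any finding printed is a value to re-check before adding the integration. The script cannot see the claims attached to the policy, so a hub-scoped policy with a non-default name is treated as acceptable; confirm in the portal that only Listen is selected.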
Performance Considerations
By default, XDR uses one consumer per event hub/integration, which is expected to deliver approximately one megabyte per second of throughput. The event hub owner is responsible for maintaining the server-side configuration needed to sustain the throughput required by the data sources being ingested.
When the server is limiting throughput, a ServerBusyException is displayed in the API Query Log when viewing the integration details from the Cloud APIs page. Use this log to determine whether performance settings need adjusting. If additional partitions are needed or have been configured, contact support to increase the number of parallel consumers.
Review the Azure documentation on event hub performance settings (throughput and partition configuration) when sizing the event hub for your data sources.
Enter the Required Information in XDR
In XDR, follow these steps:
- Navigate to Integrations -> Cloud APIs, and select Add API Integration.
- Select Office 365/Azure.
- In the Azure Event Hubs card, select Authorize.
- Fill in the required fields as described in Gather Required Information.
Add Azure Event Hubs Integration
Data Types Supported by Event Hubs Integrations
XDR will ingest any text-based data from an Azure event hub and normalize that data to the Generic schema. In addition to being ingested and normalized to the Generic schema, the following data sources support more in-depth normalization and detections:
Azure Firewall
Antivirus | Auth | CloudAudit | DHCP | DNS | Encrypt | HTTP | Management | Netflow | NIDS | Thirdparty
---|---|---|---|---|---|---|---|---|---|---
MS Azure Firewall | D | D | D |
Azure WAF on Azure Application Gateway
Antivirus | Auth | CloudAudit | DHCP | DNS | Encrypt | HTTP | Management | Netflow | NIDS | Thirdparty
---|---|---|---|---|---|---|---|---|---|---
MS Azure WAF on Application Gateway | D |
Azure WAF on Azure Front Door
Antivirus | Auth | CloudAudit | DHCP | DNS | Encrypt | HTTP | Management | Netflow | NIDS | Thirdparty
---|---|---|---|---|---|---|---|---|---|---
MS Azure WAF on Front Door | D |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Other Data Sources
Depending on the data format of the source, a custom parser may be needed to enable normalization of other data sources beyond the Generic schema.