Microsoft Azure Event Hubs Integration Guide

The following instructions are for configuring an integration of Azure Event Hubs to facilitate ingestion into Secureworks® Taegis™ XDR.

Important

Secureworks® Taegis™ XDR supports the Standard, Premium, and Dedicated Event Hubs tiers. The Basic tier is NOT supported.

Note

The following prerequisites must be met before beginning the event hub integration process:

Gather Required Information

The following information is required to integrate an event hub with XDR:

  1. Integration name — The integration name can be any value of your choice; it uniquely identifies the integration within XDR.
  2. Event hub namespace hostname — The event hub namespace hostname is the fully qualified domain name used to connect to the event hub. In the Azure Portal, navigate to Event Hubs -> select the event hub namespace to be integrated -> read the Host name value on the Overview page.

View Event Hub Namespace Hostname

  3. Event hub name — From the event hub namespace, select Entities -> Event Hubs. A list of event hub names displays. Select the event hub name to be integrated.
  4. Connection string — From within the event hub, navigate to Settings -> Shared access policies. Select the Add button to create a new shared access policy for XDR. The policy name can be any value of your choosing, but the policy must be granted Listen access. Once the policy is created, select it from the list and copy the Primary Connection String value.

Add SAS Policy
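Before pasting the connection string into XDR, it is worth confirming that it actually points at the namespace hostname and event hub gathered in the steps above, that it was copied from the event hub (so it carries an EntityPath) and that it belongs to a dedicated Listen-only policy rather than the namespace's default RootManageSharedAccessKey rule, which holds Manage rights. The following Python script is an added example; it is not part of this guide or of Taegis XDR, and the hostname, hub name, policy name and key in it are constructed placeholders. It parses the Key=Value;... layout of an Event Hubs connection string, checks it against the values you gathered, and redacts the key before the string is written anywhere.

```python
import re
from urllib.parse import urlparse

# Constructed sample values standing in for what you gathered in the portal.
# None of these refer to a real Azure resource.
NAMESPACE_HOSTNAME = "example-ns.servicebus.windows.net"
EVENT_HUB_NAME = "xdr-logs"
CONNECTION_STRING = (
    "Endpoint=sb://example-ns.servicebus.windows.net/;"
    "SharedAccessKeyName=taegis-listen;"
    "SharedAccessKey=REPLACE_WITH_PRIMARY_KEY_VALUE;"
    "EntityPath=xdr-logs"
)

# Fields present in an event-hub-level connection string. A namespace-level
# string lacks EntityPath, which is one way to spot that the wrong policy was copied.
REQUIRED_KEYS = ("Endpoint", "SharedAccessKeyName", "SharedAccessKey", "EntityPath")

# Default namespace-level policy created by Azure with Manage/Send/Listen rights.
ROOT_MANAGE_POLICY = "RootManageSharedAccessKey"


def parse_connection_string(conn):
    """Split 'Key=Value;Key=Value;...' into a dict.

    Values may themselves contain '=' (base64 keys are padded with it), so only
    the first '=' of each segment separates key from value.
    """
    parts = {}
    for segment in conn.strip().strip(";").split(";"):
        if not segment:
            continue
        key, sep, value = segment.partition("=")
        if not sep:
            raise ValueError(f"malformed segment without '=': {segment!r}")
        parts[key.strip()] = value.strip()
    return parts


def validate(conn, expected_hostname, expected_hub):
    """Return a list of problems; an empty list means the string is consistent
    with the namespace hostname and event hub name gathered in the portal.

    Note: the string does not carry the policy's claims, so Listen-only rights
    still have to be confirmed in the Shared access policies blade.
    """
    parts = parse_connection_string(conn)
    problems = [f"missing field: {key}" for key in REQUIRED_KEYS if key not in parts]

    if "Endpoint" in parts:
        endpoint = urlparse(parts["Endpoint"])
        if endpoint.scheme != "sb":
            problems.append(f"unexpected endpoint scheme: {endpoint.scheme!r}")
        if (endpoint.hostname or "").lower() != expected_hostname.lower():
            problems.append(
                f"endpoint host {endpoint.hostname!r} does not match namespace "
                f"hostname {expected_hostname!r}"
            )

    if "EntityPath" in parts and parts["EntityPath"] != expected_hub:
        problems.append(
            f"EntityPath {parts['EntityPath']!r} does not match event hub {expected_hub!r}"
        )

    if parts.get("SharedAccessKeyName") == ROOT_MANAGE_POLICY:
        problems.append(
            "connection string uses the namespace root Manage policy; "
            "create a dedicated Listen-only policy on the event hub instead"
        )
    return problems


def redact(conn):
    """Mask the shared access key so the string can be safely logged or shared."""
    return re.sub(r"(SharedAccessKey=)[^;]+", r"\1<redacted>", conn)


if __name__ == "__main__":
    issues = validate(CONNECTION_STRING, NAMESPACE_HOSTNAME, EVENT_HUB_NAME)
    print(redact(CONNECTION_STRING))
    print("OK" if not issues else "\n".join(f"- {p}" for p in issues))
```

Running the script against the constructed string prints the redacted connection string followed by OK; pointing it at a string copied from the namespace rather than the event hub reports the missing EntityPath and, if the root policy was used, the Manage-rights warning.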

Performance Considerations

XDR uses one consumer per event hub integration by default, which is expected to deliver approximately one megabyte per second of throughput. The event hub owner is responsible for maintaining the server-side configuration needed to sustain the throughput required by the data sources being ingested.

When the server is throttling throughput, a ServerBusyException appears in the API Query Log, which is shown in the integration details on the Cloud APIs page. Use this log to determine whether performance settings need to be adjusted. If additional partitions are needed or have been configured, contact support to increase the number of parallel consumers.

Consider reviewing the following documentation on performance settings of event hubs:

Enter the Required Information in XDR

In XDR, follow these steps:

  1. Navigate to Integrations -> Cloud APIs, and select Add API Integration.
  2. Select Office 365/Azure.
  3. In the Azure Event Hubs card, select Authorize.
  4. Fill in the required fields as described in Gather Required Information.

Add Azure Event Hubs Integration

Data Types Supported by Event Hubs Integrations

XDR ingests any text-based data from an Azure event hub and normalizes it to the Generic schema. In addition to this Generic normalization, the following data sources support more in-depth normalization and detections:

Azure Firewall

Data source                         | Antivirus | Auth | CloudAudit | DHCP | DNS | Email | Encrypt | HTTP | Management | Netflow | NIDS | Thirdparty
MS Azure Firewall                   |           |      |            |      |  D  |       |         |  D   |            |    D    |      |

Azure WAF on Azure Application Gateway

Data source                         | Antivirus | Auth | CloudAudit | DHCP | DNS | Email | Encrypt | HTTP | Management | Netflow | NIDS | Thirdparty
MS Azure WAF on Application Gateway |           |      |            |      |     |       |         |  D   |            |         |      |

Azure WAF on Azure Front Door

Data source                         | Antivirus | Auth | CloudAudit | DHCP | DNS | Email | Encrypt | HTTP | Management | Netflow | NIDS | Thirdparty
MS Azure WAF on Front Door          |           |      |            |      |     |       |         |  D   |            |         |      |

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Other Data Sources

Depending on the format of the source data, a custom parser may be needed to normalize other data sources beyond the Generic schema.
