Microsoft Azure Event Hubs Integration Guide
cloud integrations microsoft azure event hubs
The following instructions are for configuring an integration of Azure Event Hubs to facilitate ingestion into Secureworks® Taegis™ XDR.
Connectivity Requirements ⫘
Important
Event Hub(s) integrated with Secureworks® Taegis™ XDR must be accessible from the Internet (all IPv4 addresses).
Configuration Prerequisites ⫘
Important
Secureworks® Taegis™ XDR supports the Standard, Premium, and Dedicated Event Hubs tiers. The Basic tier is NOT supported.
Note
The following prerequisites are required before beginning the event hub integration process:
- An active Azure subscription with at least one event hub; see Quickstart: Create an event hub using Azure portal.
- One or more data sources configured to send data to the event hub to be integrated.
- For example, Azure Monitor can be configured to stream data to an event hub; see Stream Azure monitoring data to an event hub or external partner.
Gather Required Information ⫘
The following information is required to integrate an event hub with XDR:
- Integration name — The integration name can be any value of your choice, and is made to uniquely identify the integration within XDR.
- Event hub namespace hostname — The event hub namespace hostname is a fully qualified domain name used to connect to the event hub. From the Azure Portal, it can be viewed by navigating to Event Hubs -> Select the event hub namespace to be integrated -> View the Host name value on the Overview.
View Event Hub Namespace Hostname
- Event hub name — From the event hub namespace, select Entities -> Event Hubs. A list of event hub names displays. Select the event hub name to be integrated.
- Connection string — From within the event hub, navigate to Settings -> Shared access policies. Select the Add button to create a new shared access policy for XDR. The policy name can be any value of your choosing, but should contain Listen access. Once the key is created, click on the key from the corresponding list and copy the Primary Connection String value. For example,
Endpoint=sb://<NamespaceName>.servicebus.windows.net/;SharedAccessKeyName=<KeyName>;SharedAccessKey=<KeyValue>;EntityPath=<EventHubName>
Add SAS Policy
Performance Considerations and Scoping ⫘
The XDR consumer will scale dynamically to use all available partitions, up to a maximum of 200 partitions. It is the responsibility of the Event Hubs owner to maintain the necessary server-side configurations to enable the required throughput performance for the data sources to be ingested.
In some cases where the server is limiting throughput, a ServerBusyException will display in the API Query Log when viewing the integration details from the Cloud APIs page. Customers can utilize this log to determine if performance setting adjustments are required. In cases where additional partitions are needed/configured, please contact support to increase the number of parallel consumers.
Consider reviewing the following documentation on performance settings of event hubs:
Note
Proactively scoping the size of an event hub is outside the scope of this document. Due to data sourcing from a variety of possible sources, determining size of any data source before being sent to an event hub would not be possible for documentation purposes. For Azure Monitor produced logs, utilizing a Azure Log Analytics to determine usage may be possible, but could incur additional costs. Please refer to Microsoft's cost and data analytics tools to assist with scoping exercises.
Enter the Required Information in XDR ⫘
In XDR, follow these steps:
- Navigate to Integrations -> Cloud APIs, and select Add API Integration.
- Select Office 365/Azure.
- In the Azure Event Hubs card, select Authorize.
- Fill in the required fields as described in Gather Required Information.
Add Azure Event Hubs Integration