Ingest Logs from Microsoft Azure Event Hub

Ingest logs from Microsoft Azure Event Hub, with an option to ingest audit logs for use in Cortex XDR authentication stories.

Ingesting logs from Azure Event Hub requires a Cortex XDR Pro per TB license.

To receive logs from Azure Event Hub, you must configure the Collection Integrations settings in Cortex XDR based on your Microsoft Azure Event Hub configuration. After you set up data collection, Cortex XDR begins receiving new logs and data from the source.

When Cortex XDR begins receiving logs, the app creates a new dataset (MSFT_Azure_raw) that you can use to initiate XQL Search queries. For example queries, refer to the in-app XQL Library. You can also configure Cortex XDR to normalize Azure Event Hub audit logs with other Cortex XDR authentication stories across all cloud providers using the same format, which you can query with XQL Search using the cloud_audit_logs or xdr_data datasets. For logs that you do not configure Cortex XDR to normalize, you can change the default dataset. Cortex XDR can also raise alerts (IOC, BIOC, and Correlation Rule only) from Azure Event Hub logs when relevant.

Cortex XDR can also ingest Azure sign-in logs when you configure an Azure Event Hub data collector to collect audit logs. This also depends on setting the applicable Diagnostic settings in Azure Active Directory with the selected sign-in log categories. These logs are added in Cortex XDR to the MSFT_Azure_raw dataset. In addition, Cortex XDR can normalize and enrich these Active Directory sign-in logs with other Cortex XDR authentication stories across all cloud providers using the same format. You can query these logs in XQL Search using the cloud_audit_logs and xdr_data datasets.
Be sure you do the following tasks before you begin configuring data collection from Azure Event Hub.

Configure the Azure Event Hub collection in Cortex XDR.
  1. In the Microsoft Azure Console, open the Event Hubs page, and select the Azure Event Hub that you created for collection in Cortex XDR.
  2. Record the following parameters from your configured event hub, which you will need when configuring data collection in Cortex XDR.
    • Your event hub’s consumer group.
      1. Select Entities > Event Hubs, and select your event hub.
      2. Select Entities > Consumer groups, and select your event hub.
      3. In the Consumer group table, copy the applicable value listed in the Name column for your Cortex XDR data collection configuration.
    • Your event hub’s connection string for the designated policy.
      1. Select Settings > Shared access policies.
      2. In the Shared access policies table, select the applicable policy.
      3. Copy the Connection string-primary key.
    • Storage account for the connection string.
      1. Open the Storage accounts page, and select the storage account that contains the connection string for the event hub you have configured for data collection by Cortex XDR.
      2. Select Security + networking > Access keys, and click Show keys.
      3. Copy the applicable Connection string.
  3. (Optional) Configure your Microsoft Azure Event Hub to collect Azure sign-in logs.
    1. In the Microsoft Azure Console, search for Azure Active Directory, and select Services > Azure Active Directory.
    2. Select Monitoring > Diagnostic settings, and then +Add diagnostic setting.
    3. Set the following parameters.
      • Diagnostic setting name—Specify a name for your Diagnostic setting.
      • Logs Categories—Select from the list of applicable sign-in Logs Categories the ones that you want to configure your designated resource to collect. You can select any of the following categories to configure sign-in logs collection.
        • SignInLogs
        • NonInteractiveUserSignInLogs
        • ServicePrincipalSignInLogs
        • ManagedIdentitySignInLogs
        • ADFSSignInLogs
      • Destination details—Select Stream to event hub, where additional parameters that you need to configure are displayed. Ensure that you set the following parameters using the same settings as the Azure Event Hub that you created for collection in Cortex XDR.
        • Subscription—Select the applicable Subscription for the Azure Event Hub.
        • Event hub namespace—Select the applicable event hub namespace for the Azure Event Hub.
        • (Optional) Event hub name—Specify the name of your Azure Event Hub.
        • Event hub policy—Select the applicable Event hub policy for your Azure Event Hub.
    4. Save your settings.
  4. Configure the Azure Event Hub collection in Cortex XDR.
    1. Select Settings > Configurations > Data Collection > Collection Integrations.
    2. In the Azure Event Hub configuration, click the here link to begin a new configuration.
    3. Set these parameters.
      • Name—Specify a descriptive name for your log collection configuration.
      • Storage Account Connection String—Specify your event hub’s storage account for the connection string.
      • Consumer Group—Specify your event hub’s consumer group.
      • Log Format—Select the log format for the logs collected from the Azure Event Hub as either JSON or raw.
        When you Normalize and enrich audit logs, the log format is configured automatically, so this option is removed and no longer available to configure.
      • Vendor and Product—Specify the Vendor and Product for the type of logs you are ingesting. The Vendor and Product are used to define the name of your XQL dataset (<vendor>_<product>_raw). If you do not define a Vendor or Product, Cortex XDR uses the default values of MSFT and Azure, with the resulting dataset name MSFT_Azure_raw. To uniquely identify the log source, consider changing the values.
        When you Normalize and enrich audit logs, the Vendor and Product fields are configured automatically, so these fields are removed as available options.
      • Normalize and enrich audit logs—(Optional) You can Normalize and enrich audit logs by selecting the checkbox. If selected, Cortex XDR normalizes and enriches Azure Event Hub audit logs, including any Azure sign-in logs configured for collection, with other Cortex XDR authentication stories across all cloud providers using the same format, which you can query with XQL Search using the cloud_audit_logs and xdr_data datasets.
    4. Click Test to validate access, and then click Enable.
       Once events start to come in, a green check mark appears underneath the Azure Event Hub configuration with the amount of data received.
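The following is an added pre-flight check for the procedure above; it is example code, not Cortex XDR or Microsoft code. It validates the two connection strings recorded in step 2 (Azure connection strings are ';'-separated key=value pairs; the event hub string from a hub-level shared access policy carries an EntityPath, which this check treats as required) without printing key material, and it inspects a constructed Event Hub message in the Azure Monitor export format (a JSON object with a records array whose items carry a category field) to report which of the sign-in log categories selected in step 3 are actually arriving. All sample values are constructed; the function names are this example's own.

```python
"""Pre-flight checks for an Azure Event Hub -> Cortex XDR collection setup.

Added example, not Cortex XDR or Microsoft code. Checks the values recorded
in step 2 and confirms which sign-in log categories (step 3) are flowing.
"""
import json

# Sign-in log categories listed in the Azure AD diagnostic setting (step 3).
SIGNIN_CATEGORIES = {
    "SignInLogs",
    "NonInteractiveUserSignInLogs",
    "ServicePrincipalSignInLogs",
    "ManagedIdentitySignInLogs",
    "ADFSSignInLogs",
}

# Keys a connection string of each kind must carry (this example's own rules).
EVENT_HUB_KEYS = {"Endpoint", "SharedAccessKeyName", "SharedAccessKey"}
STORAGE_KEYS = {"AccountName", "AccountKey"}
SECRET_KEYS = {"SharedAccessKey", "AccountKey"}


def parse_connection_string(conn: str) -> dict:
    """Split 'K=V;K=V' into a dict. Only the first '=' separates key from
    value, because base64 key material may itself end with '='."""
    parts = {}
    for seg in conn.strip().strip(";").split(";"):
        if not seg:
            continue
        key, sep, value = seg.partition("=")
        if not sep:
            raise ValueError(f"segment without '=': {seg!r}")
        parts[key.strip()] = value.strip()
    return parts


def redact(parts: dict) -> dict:
    """Copy safe to log: secret values replaced by their length."""
    return {k: (f"<redacted:{len(v)} chars>" if k in SECRET_KEYS else v)
            for k, v in parts.items()}


def check_event_hub_connection_string(conn: str) -> list:
    """Problems (empty list = OK) for a shared access policy connection
    string. EntityPath names the hub; it is required here (assumption) so a
    namespace-level string that leaves the hub unspecified is caught."""
    parts = parse_connection_string(conn)
    problems = [f"missing {k}" for k in sorted(EVENT_HUB_KEYS - parts.keys())]
    if not parts.get("Endpoint", "").startswith("sb://"):
        problems.append("Endpoint must start with sb://")
    if "EntityPath" not in parts:
        problems.append("missing EntityPath (event hub name)")
    return problems


def check_storage_connection_string(conn: str) -> list:
    """Problems (empty list = OK) for a storage account connection string."""
    parts = parse_connection_string(conn)
    problems = [f"missing {k}" for k in sorted(STORAGE_KEYS - parts.keys())]
    if parts.get("DefaultEndpointsProtocol", "https") != "https":
        problems.append("DefaultEndpointsProtocol should be https")
    return problems


def signin_categories_in(message: str) -> dict:
    """Count records per category in one Event Hub message body. Azure Monitor
    exports diagnostic logs as {"records": [...]} with a 'category' per item."""
    body = json.loads(message)
    counts = {}
    for rec in body.get("records", []):
        cat = rec.get("category", "<none>")
        counts[cat] = counts.get(cat, 0) + 1
    return counts


def missing_categories(counts: dict, selected: set) -> set:
    """Categories selected in the diagnostic setting that produced no records."""
    return selected - set(counts)


# Constructed sample values (not real credentials, hosts or tenants).
SAMPLE_EH = ("Endpoint=sb://example-ns.servicebus.windows.net/;"
             "SharedAccessKeyName=xdr-listen;SharedAccessKey=AAAA0000==;"
             "EntityPath=xdr-hub")
SAMPLE_STORAGE = ("DefaultEndpointsProtocol=https;AccountName=examplestore;"
                  "AccountKey=BBBB1111==;EndpointSuffix=core.windows.net")
SAMPLE_MESSAGE = json.dumps({"records": [
    {"time": "2024-01-01T00:00:00Z", "category": "SignInLogs", "resultType": "0"},
    {"time": "2024-01-01T00:00:01Z", "category": "SignInLogs", "resultType": "50126"},
    {"time": "2024-01-01T00:00:02Z", "category": "ServicePrincipalSignInLogs",
     "resultType": "0"},
]})

if __name__ == "__main__":
    print("event hub:", check_event_hub_connection_string(SAMPLE_EH) or "OK",
          redact(parse_connection_string(SAMPLE_EH)))
    print("storage:", check_storage_connection_string(SAMPLE_STORAGE) or "OK")
    seen = signin_categories_in(SAMPLE_MESSAGE)
    print("categories seen:", seen)
    print("selected but absent:",
          missing_categories(seen, {"SignInLogs", "NonInteractiveUserSignInLogs"}))
```

Run it with the two strings you copied in step 2 pasted in place of the sample values before entering them in Cortex XDR; a non-empty problem list means a wrong policy or an incomplete paste. Feeding a message body received from the hub into signin_categories_in shows whether every category selected in the diagnostic setting is actually reaching the hub, which is the usual reason a selected sign-in type never appears in the cloud_audit_logs dataset.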
