Ingest Logs from Microsoft Azure Event Hub
Ingest logs from Microsoft Azure Event Hub with an option to ingest audit logs to use in Cortex XDR authentication stories.
Ingesting Logs from Azure Event Hub requires a Cortex XDR Pro per TB license.
To receive logs from Azure Event Hub, you must configure the Collection Integrations settings in Cortex XDR based on your Microsoft Azure Event Hub configuration. After you set up data collection, Cortex XDR begins receiving new logs and data from the source.
When Cortex XDR begins receiving logs, the app creates a new dataset (MSFT_Azure_raw) that you can use to initiate XQL Search queries. For example queries, refer to the in-app XQL Library. You can also configure Cortex XDR to normalize Azure Event Hub audit logs with other Cortex XDR authentication stories across all cloud providers using the same format, which you can query with XQL Search using the xdr_data dataset. For logs that you do not configure Cortex XDR to normalize, you can change the default dataset. Cortex XDR can also raise Cortex XDR alerts (IOC, BIOC, and Correlation Rule only) when relevant from Azure Event Hub logs.
Cortex XDR can also ingest Azure sign-in logs when you configure an Azure Event Hub data collector to collect audit logs. This also depends on setting the applicable Diagnostic settings in Azure Active Directory with the selected sign-in log categories. These logs are added in Cortex XDR to the MSFT_Azure_raw dataset. In addition, Cortex XDR can normalize and enrich these authentication logs. Cortex XDR can normalize these Active Directory sign-in logs with other Cortex XDR authentication stories across all cloud providers using the same format. You can query these logs in XQL Search using the
Be sure you do the following tasks before you begin configuring data collection from Azure Event Hub.
- Ensure the format for the logs you want collected from the Azure Event Hub is either JSON or raw.
Configure the Azure Event Hub collection in Cortex XDR.
- In the Microsoft Azure Console, open the Event Hubs page, and select the Azure Event Hub that you created for collection in Cortex XDR.
- Record the following parameters from your configured event hub, which you will need when configuring data collection in Cortex XDR.
  - Your event hub's consumer group.
    - Select Entities > Event Hubs, and select your event hub.
    - Select Entities > Consumer groups, and select your event hub.
    - In the Consumer group table, copy the applicable value listed in the Name column for your Cortex XDR data collection configuration.
  - Your event hub's connection string for the designated policy.
    - Select Settings > Shared access policies.
    - In the Shared access policies table, select the applicable policy.
    - Copy the Connection string-primary key.
  - Storage account for the connection string.
    - Open the Storage accounts page, and select the storage account that contains the connection string for the event hub you have configured for data collection by Cortex XDR.
    - Select Security + networking > Access keys, and click Show keys.
    - Copy the applicable Connection string.
- (Optional) Configure your Microsoft Azure Event Hub to collect Azure sign-in logs.
  - In the Microsoft Azure Console, search for Azure Active Directory, and select Services > Azure Active Directory.
  - Select Monitoring > Diagnostic settings, and then +Add diagnostic setting.
  - Set the following parameters.
    - Diagnostic setting name—Specify a name for your Diagnostic setting.
    - Logs Categories—From the list of applicable sign-in Logs Categories, select the ones that you want your designated resource to collect. You can select any of the following categories to configure sign-in logs collection.
    - Destination details—Select Stream to event hub, which displays additional parameters that you need to configure. Ensure that you set the following parameters using the same settings as the Azure Event Hub that you created for collection in XDR.
      - Subscription—Select the applicable Subscription for the Azure Event Hub.
      - Event hub namespace—Select the applicable Event hub namespace for the Azure Event Hub.
      - (Optional) Event hub name—Specify the name of your Azure Event Hub.
      - Event hub policy—Select the applicable Event hub policy for your Azure Event Hub.
  - Save your settings.
- Configure the Azure Event Hub collection in Cortex XDR.
  - Select Settings > Configurations > Data Collection > Collection Integrations.
  - In the Azure Event Hub configuration, click the here link to begin a new configuration.
  - Set these parameters.
    - Name—Specify a descriptive name for your log collection configuration.
    - Log Format—Select the log format for the logs collected from the Azure Event Hub as either JSON or raw. When you select Normalize and enrich audit logs, the log format is configured automatically; as a result, this option is removed and is no longer available to configure.
    - Vendor and Product—Specify the Vendor and Product for the type of logs you are ingesting. The Vendor and Product are used to define the name of your XQL dataset (<vendor>_<product>_raw). If you do not define a Vendor or Product, Cortex XDR uses the default values of MSFT and Azure, with the resulting dataset name MSFT_Azure_raw. To uniquely identify the log source, consider changing the values. When you select Normalize and enrich audit logs, the Vendor and Product fields are configured automatically; therefore, these fields are removed as available options.
    - Normalize and enrich audit logs—(Optional) You can Normalize and enrich audit logs by selecting the checkbox. If selected, Cortex XDR normalizes and enriches Azure Event Hub audit logs, including any Azure sign-in logs configured for collection, with other Cortex XDR authentication stories across all cloud providers using the same format, which you can query with XQL Search using the cloud_audit_logs and xdr_data datasets.
  - Click Test to validate access, and then click Enable. Once events start to come in, a green check mark appears underneath the Azure Event Hub configuration with the amount of data received.
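As an added pre-flight check that is not part of this page or of Cortex XDR itself: the Python below validates the two connection strings the Azure steps above ask you to record (event hub and storage account), derives the dataset name that the Vendor and Product fields produce, and redacts the keys so the strings can be logged or pasted into a ticket safely. The connection-string layouts are the standard Azure `Key=Value;` format; the sample strings are constructed placeholders, not live credentials.

```python
import re
# Fields the collector needs from each connection string (standard Azure layouts).
EVENT_HUB_KEYS = {"Endpoint", "SharedAccessKeyName", "SharedAccessKey"}
STORAGE_KEYS = {"AccountName", "AccountKey"}

# Constructed sample values in the real "Key=Value;" layouts; not live credentials.
SAMPLE_HUB = ("Endpoint=sb://example-ns.servicebus.windows.net/;SharedAccessKeyName="
              "xdr-listen;SharedAccessKey=cGxhY2Vob2xkZXI=;EntityPath=xdr-hub")
SAMPLE_STORAGE = ("DefaultEndpointsProtocol=https;AccountName=examplestorage;"
                  "AccountKey=cGxhY2Vob2xkZXI=;EndpointSuffix=core.windows.net")


def parse_connection_string(conn: str, required: set) -> dict:
    """Split an Azure 'Key=Value;Key=Value' string and insist on the required keys."""
    parts = {}
    for field in filter(None, conn.strip().strip(";").split(";")):
        key, sep, value = field.partition("=")  # base64 values may end in '='
        if not sep:
            raise ValueError(f"malformed field: {field!r}")
        parts[key.strip()] = value.strip()
    missing = required - set(parts)
    if missing:
        raise ValueError(f"connection string is missing {sorted(missing)}")
    return parts


def check_event_hub_string(conn: str) -> dict:
    """Validate the event hub string and return the namespace, policy and hub it names."""
    parts = parse_connection_string(conn, EVENT_HUB_KEYS)
    if not parts["Endpoint"].startswith("sb://"):
        raise ValueError("Endpoint must be an sb:// Service Bus address")
    host = re.sub(r"^sb://|/$", "", parts["Endpoint"])
    # EntityPath is only present when the shared access policy is scoped to one hub.
    return {"namespace": host.split(".")[0], "policy": parts["SharedAccessKeyName"],
            "event_hub": parts.get("EntityPath")}


def check_storage_string(conn: str) -> str:
    """Validate the storage account string and return the account name."""
    return parse_connection_string(conn, STORAGE_KEYS)["AccountName"]


def dataset_name(vendor: str = "", product: str = "") -> str:
    """Dataset the collector writes to: <vendor>_<product>_raw, default MSFT_Azure_raw."""
    return f"{vendor or 'MSFT'}_{product or 'Azure'}_raw"


def redact(conn: str) -> str:
    """Mask the secret key fields before a connection string is logged or shared."""
    return re.sub(r"\b(SharedAccessKey|AccountKey)=[^;]*", r"\1=***", conn)
```

A policy-scoped string without EntityPath is still accepted; in that case the hub name comes from the Event hub name you configure separately.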