
Azure Event Hub Transport Method Overview

Summary

Azure Event Hubs is Microsoft's fully managed, real-time data streaming service, able to ingest and process millions of events per second. Azure Monitor diagnostic settings can stream platform and resource logs to an event hub, which makes event hubs a collection point for a wide variety of security telemetry from Microsoft Azure. Many third-party products can also stream their data to an event hub.

XDR can ingest data from an event hub regardless of which product wrote it there.

Reading from an event hub widens what XDR can collect: telemetry from Azure sources that have no dedicated XDR integration yet, and telemetry from third-party services that stream to event hubs. The same transport therefore covers both Microsoft Azure data and non-Microsoft data.

As a result, XDR has a broader view of the environment to analyze and respond against, with all of that data normalized and correlated in one place rather than spread across separate collectors.

Reference Architecture

Azure Event Hub Reference Architecture

Example Scenario

Microsoft has just released a new data source that XDR does not yet support as an optimized integration. Azure Monitor can already stream that source's diagnostic logs, and the customer already uses Azure Monitor to send logs to a Log Analytics workspace. Adding an event hub as a further destination in the Azure Monitor diagnostic settings (a single diagnostic setting can send to the workspace and the event hub at the same time) therefore makes the new data source available to XDR, because XDR can ingest from an event hub.

Take the following actions to fully integrate with this data source:

  1. Follow the setup instructions to enable ingestion of the data source.
  2. Set up Custom Parsers to normalize the ingested records into XDR's schema.
  3. Set up Custom Alert Rules to alert on security findings in the normalized data.
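The three steps above, walked through end to end as an added example. This is illustration code, not code from the XDR product, from Microsoft, or from the page's setup documentation. What it assumes: the diagnostic-setting request body uses the real property names of the Azure Monitor `Microsoft.Insights/diagnosticSettings` REST resource, and the message envelope (`{"records": [...]}` with the resource-log common schema fields such as `time`, `resourceId`, `category`, `operationName`, `resultType`, `callerIpAddress`, `properties`) is what Azure Monitor actually writes to an event hub; everything else (the `Microsoft.Example` resource type, the normalized field names, the `UserLogin` operation, the failed-login rule and its threshold, and the sample records) is constructed for the example and stands in for whatever the real custom parser and alert rule would use.

```python
"""Azure Monitor -> Event Hub -> XDR, the three integration steps in code.

Added example; not the XDR product's code. Resource IDs, the normalized
schema and the alert rule are hypothetical; the Azure property names and
the {"records": [...]} envelope are the real Azure Monitor ones.
"""
import json
from collections import defaultdict


# --- Step 1: enable ingestion by adding the event hub destination -----------
def build_diagnostic_settings(event_hub_auth_rule_id, event_hub_name,
                              categories, workspace_id=None):
    """Request body for PUT {resourceUri}/providers/Microsoft.Insights/diagnosticSettings/{name}.

    Passing workspace_id keeps the existing Log Analytics destination, so the
    one setting fans out to both sinks instead of replacing the workspace.
    """
    props = {
        "eventHubAuthorizationRuleId": event_hub_auth_rule_id,
        "eventHubName": event_hub_name,
        "logs": [{"category": c, "enabled": True} for c in categories],
    }
    if workspace_id:
        props["workspaceId"] = workspace_id
    return {"properties": props}


# --- Step 2: custom parser -------------------------------------------------
def parse_event_hub_message(body):
    """Unpack one Event Hub message as Azure Monitor writes it.

    Azure Monitor batches records as {"records": [...]}. Third-party producers
    may send a bare record or a bare list, so those are accepted too; an
    unparseable body is reported as an error rather than silently dropped.
    Returns (records, errors).
    """
    try:
        data = json.loads(body)
    except (TypeError, ValueError) as exc:
        return [], [f"unparseable message: {exc}"]
    if isinstance(data, dict) and "records" in data:
        data = data["records"]
    if isinstance(data, dict):
        data = [data]
    if not isinstance(data, list):
        return [], ["unexpected payload shape"]
    return [r for r in data if isinstance(r, dict)], []


def normalize(record):
    """Map one resource-log record to a flat schema (field names are this example's own)."""
    resource_id = str(record.get("resourceId", "")).lower()  # Azure upper-cases these
    parts = resource_id.strip("/").split("/")

    def segment(key):  # value following a path key such as "subscriptions"
        i = parts.index(key) + 1 if key in parts else len(parts)
        return parts[i] if i < len(parts) else None

    props = record.get("properties") or {}
    return {
        "timestamp": record.get("time"),
        "subscription_id": segment("subscriptions"),
        "resource_group": segment("resourcegroups"),
        "resource_id": resource_id,
        "category": record.get("category"),
        "operation": record.get("operationName"),
        "result": str(record.get("resultType", "")).lower(),
        "src_ip": record.get("callerIpAddress"),
        "user": props.get("user") if isinstance(props, dict) else None,
    }


# --- Step 3: custom alert rule ---------------------------------------------
def failed_login_rule(events, threshold=3):
    """Alert when one source IP produces `threshold` or more failed UserLogin events."""
    failures = defaultdict(list)
    for e in events:
        if e["operation"] == "UserLogin" and e["result"] == "failure" and e["src_ip"]:
            failures[e["src_ip"]].append(e)
    return [
        {"rule": "repeated-failed-login", "src_ip": ip, "count": len(hits),
         "users": sorted({h["user"] for h in hits if h["user"]})}
        for ip, hits in failures.items() if len(hits) >= threshold
    ]


def process_message(body, threshold=3):
    """Parser and rule applied to one message; returns (events, alerts, errors)."""
    records, errors = parse_event_hub_message(body)
    events = [normalize(r) for r in records]
    return events, failed_login_rule(events, threshold), errors


# Constructed sample message (not captured from a real tenant).
_RESOURCE = ("/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-DEMO"
             "/PROVIDERS/MICROSOFT.EXAMPLE/SERVICES/SVC1")  # placeholder provider


def _rec(time, op, result, ip, user):
    return {"time": time, "resourceId": _RESOURCE, "category": "AuditEvent",
            "operationName": op, "resultType": result, "callerIpAddress": ip,
            "properties": {"user": user}}


SAMPLE_MESSAGE = json.dumps({"records": [
    _rec("2024-05-01T12:00:01Z", "UserLogin", "Failure", "203.0.113.7", "alice@example.com"),
    _rec("2024-05-01T12:00:02Z", "UserLogin", "Failure", "203.0.113.7", "alice@example.com"),
    _rec("2024-05-01T12:00:03Z", "UserLogin", "Failure", "203.0.113.7", "bob@example.com"),
    _rec("2024-05-01T12:00:04Z", "UserLogin", "Success", "198.51.100.9", "carol@example.com"),
    _rec("2024-05-01T12:00:05Z", "UserLogin", "Failure", "198.51.100.9", "carol@example.com"),
]})

if __name__ == "__main__":
    events, alerts, errors = process_message(SAMPLE_MESSAGE)
    print(f"{len(events)} events, {len(errors)} errors")
    for a in alerts:
        print(a)
```

The parser lower-cases `resourceId` before splitting it because Azure Monitor emits it in upper case, and it tolerates envelopes other than `{"records": [...]}` because a third-party producer writing to the same hub is not bound to Azure Monitor's batching. The rule operates on the normalized fields only, so the same rule applies to any source the parser can map, which is the point of normalizing before alerting.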

Setup

Azure Event Hubs can be configured by following the setup documentation. Give XDR its own consumer group on the hub and a shared access policy with only the Listen right, so the collector reads the stream without being able to write to or reconfigure the hub.