
Microsoft Azure Event Hubs Integration Guide

The following instructions are for configuring an integration of Azure Event Hubs to facilitate ingestion into Secureworks® Taegis™ XDR.

Connectivity Requirements

Important

Event Hub(s) integrated with Secureworks® Taegis™ XDR must be accessible from the Internet (all IPv4 addresses).

Configuration Prerequisites

Important

Secureworks® Taegis™ XDR supports the Standard, Premium, and Dedicated Event Hubs tiers. The Basic tier is NOT supported.

Note

Secureworks® Taegis™ XDR supports integration of Azure Event Hubs from the Azure commercial cloud, Azure Government, Department of Defense (DoD) in Azure Government, US Government (GCC), and US Government High (GCC-High).

Note

The following prerequisites are required before beginning the event hub integration process:

Gather Required Information

The following information is required to integrate an event hub with XDR:

  1. Integration name — The integration name can be any value of your choice, and is used to uniquely identify the integration within XDR.
  2. Event hub namespace hostname — The event hub namespace hostname is a fully qualified domain name used to connect to the event hub. From the Azure Portal, it can be viewed by navigating to Event Hubs -> Select the event hub namespace to be integrated -> View the Host name value on the Overview.


  3. Event hub name — From the event hub namespace, select Entities -> Event Hubs. A list of event hub names displays. Select the event hub name to be integrated.

  4. Connection string — From within the event hub, navigate to Settings -> Shared access policies. Select the Add button to create a new shared access policy for XDR. The policy name can be any value of your choosing, but the policy should contain Listen access. Once the key is created, click on the key from the corresponding list and copy the Primary Connection String value. For example: Endpoint=sb://<NamespaceName>.servicebus.windows.net/;SharedAccessKeyName=<KeyName>;SharedAccessKey=<KeyValue>;EntityPath=<EventHubName>

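A pre-flight check for step 4, added here as an example (not Secureworks or Microsoft code): it parses a connection string in the format shown above, extracts the values the XDR form asks for, and flags a string that was not copied from an event hub level policy or that uses the default RootManageSharedAccessKey policy, which carries Manage rights. The sample string, its names, and the function names are constructed; the rights of a custom policy are not encoded in the string, so Listen access still has to be confirmed under Shared access policies.

```python
from urllib.parse import urlparse

# Constructed sample in the format shown in step 4; the key is not a real secret.
SAMPLE = ("Endpoint=sb://contoso-ns.servicebus.windows.net/;"
          "SharedAccessKeyName=xdr-listen;"
          "SharedAccessKey=Q09OU1RSVUNURUQtS0VZ=;"
          "EntityPath=security-logs")
REQUIRED = ("Endpoint", "SharedAccessKeyName", "SharedAccessKey")

def parse_connection_string(conn):
    """Split 'Name=Value;...' pairs on the first '=' only,
    because base64 key values end in '=' padding."""
    fields = {}
    for part in conn.strip().split(";"):
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep or not value:
            raise ValueError(f"malformed segment: {name!r}")
        fields[name.strip()] = value.strip()
    return fields

def preflight(conn):
    """Return (form_values, findings); an empty findings list means no issue seen."""
    f = parse_connection_string(conn)
    findings = [f"missing {k}" for k in REQUIRED if k not in f]
    endpoint = urlparse(f.get("Endpoint", ""))
    if endpoint.scheme != "sb" or not endpoint.hostname:
        findings.append("Endpoint is not an sb:// URL")
    if "EntityPath" not in f:
        findings.append("no EntityPath: not copied from an event hub level policy")
    if f.get("SharedAccessKeyName") == "RootManageSharedAccessKey":
        findings.append("default policy carries Manage rights; create a Listen policy")
    form = {"namespace_hostname": endpoint.hostname,
            "event_hub_name": f.get("EntityPath"),
            "policy_name": f.get("SharedAccessKeyName")}
    return form, findings

def redact(conn):
    """Copy of the string with the key removed, safe for tickets and logs."""
    f = parse_connection_string(conn)
    f["SharedAccessKey"] = "<redacted>"
    return ";".join(f"{k}={v}" for k, v in f.items())

if __name__ == "__main__":
    form, findings = preflight(SAMPLE)
    print(form, findings or "no findings", redact(SAMPLE), sep="\n")
```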

Performance Considerations and Scoping

The XDR consumer will scale dynamically to use all available partitions, up to a maximum of 200 partitions. It is the responsibility of the Event Hubs owner to maintain the necessary server-side configurations to enable the required throughput performance for the data sources to be ingested.

In some cases where the server is limiting throughput, a ServerBusyException will display in the API Query Log when viewing the integration details from the Cloud APIs page. Customers can utilize this log to determine if performance setting adjustments are required. In cases where additional partitions are needed/configured, please contact support to increase the number of parallel consumers.

Consider reviewing the following documentation on performance settings of event hubs:

Note

Proactively scoping the size of an event hub is outside the scope of this document. Because data can originate from a variety of possible sources, determining the size of any data source before it is sent to an event hub is not possible for documentation purposes. For Azure Monitor produced logs, utilizing Azure Log Analytics to determine usage may be possible, but could incur additional costs. Please refer to Microsoft's cost and data analytics tools to assist with scoping exercises.

Enter the Required Information in XDR

In XDR, follow these steps:

  1. From the Taegis Menu, select Integrations → Cloud APIs.
  2. Select Add an Integration from the top of the page.


  3. Select the Custom tab and choose Set Up from the Azure Event Hubs card.

  4. Fill in the required fields as described in Gather Required Information.
