Integration with SIEM tool

Calogero Quattrocchi 71 Reputation points
2022-05-13T07:52:50.9+00:00

Hi,
I am looking for detailed information about the integration of Event Hubs with third-party SIEM tools (like LogRhythm).
What I cannot find is which information is required from the 3rd-party tool to collect the data from Event Hubs.
For example:

  • Which information do I need to provide from Azure Event Hub to the SIEM responsible? The Event Hub namespace URL only, or other stuff?
  • Which IP ports should be opened if we have a FW between the SIEM & Event Hub?
  • Which permissions must be set up to authorize the SIEM tool to collect data from Event Hub? And how to set them up?
  • etc...

Another related question: do I need many different consumer groups for one SIEM solution?
What could be the reason to have different consumer groups?
We would like to reduce costs (Basic Tier), but we do not want to be too limited in functionality.

Many Thanks
Regards

Azure Event Hubs

4 answers

  1. Bruno Lucas 4,411 Reputation points MVP
    2022-05-15T05:08:49.097+00:00

    Hi CalogeroQuattrocchi-6377,
    Looks like there is some info here. I don't have a subscription to logrhythm.com, but this should point you in the right direction:

    https://docs.logrhythm.com/docs/OCbeats/azure-event-hubs-beat/event-hub-beat-using-connection-strings/configure-azure-event-hubs-using-connection-strings


    As the instructions say, you need the connection string to the instance, not the namespace. You will find that under "Shared access policies". If you don't have one, you will need to create one.


    This covers how to enter the info from above and configure the event hub beat:
    https://docs.logrhythm.com/docs/OCbeats/azure-event-hubs-beat/event-hub-beat-using-connection-strings/initialize-the-event-hubs-beat-using-connection-strings
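    The point above (instance-level connection string from a shared access policy on the event hub itself) is easy to get wrong when the string is copied from the namespace blade instead. The script below is an added example, not code from this thread, from LogRhythm's documentation or from Azure: it parses a connection string the way an onboarding checklist would, rejects a namespace-level string (no EntityPath) or one built on the default RootManageSharedAccessKey policy, and returns the pieces the SIEM team needs (namespace FQDN, event hub name, policy name) with the key reduced to a four-character hint. The namespace `contoso-siem-ns`, the policy name `siem-listen`, the event hub name and the key are constructed sample values. The two port numbers are the ones Event Hubs clients use in general (AMQP over TLS on 5671, AMQP over WebSockets on 443) and answer the firewall question in the original post. One caveat the string cannot resolve: it does not encode the policy's rights, so that the policy is Listen-only (not Send or Manage) still has to be confirmed on the event hub's "Shared access policies" page.

```python
"""Added example (not from the thread): check an Event Hubs connection string
before handing it to a SIEM team, and produce a redacted handover summary."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Ports Event Hubs clients connect to, both over TLS: AMQP on 5671 and
# AMQP over WebSockets on 443. These are what a firewall request needs.
EVENT_HUBS_PORTS = (5671, 443)

# Namespace-wide policy Azure creates by default; it carries Manage rights
# on every event hub in the namespace, far more than a log collector needs.
NAMESPACE_ROOT_POLICY = "RootManageSharedAccessKey"


@dataclass(frozen=True)
class EventHubHandover:
    """What the SIEM side needs, with the secret reduced to a hint."""
    fqdn: str          # namespace host, e.g. <ns>.servicebus.windows.net
    event_hub: str     # the event hub instance (EntityPath in the string)
    policy_name: str   # shared access policy the collector authenticates as
    key_hint: str      # last four characters of the key, for matching only
    ports: tuple       # TCP ports to allow outbound from the collector


def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict. Only the first '=' of each
    segment separates key from value, so base64 '=' padding in the key
    survives intact."""
    parts = {}
    for segment in conn.strip().split(";"):
        if not segment:
            continue  # tolerate a trailing ';'
        key, sep, value = segment.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed segment: {segment!r}")
        parts[key.strip()] = value.strip()
    return parts


def validate_for_siem(conn: str) -> EventHubHandover:
    """Reject strings that are not scoped to one event hub instance or that
    use the namespace root policy, then return a redacted summary."""
    p = parse_connection_string(conn)
    for required in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey"):
        if not p.get(required):
            raise ValueError(f"connection string is missing {required}")
    if not p.get("EntityPath"):
        raise ValueError(
            "no EntityPath: this is a namespace-level string; copy it from "
            "the event hub instance's own shared access policy instead")
    if p["SharedAccessKeyName"].lower() == NAMESPACE_ROOT_POLICY.lower():
        raise ValueError(
            f"{NAMESPACE_ROOT_POLICY} has Manage rights on the whole "
            "namespace; create a Listen-only policy on the event hub")
    endpoint = urlparse(p["Endpoint"])
    if endpoint.scheme != "sb" or not endpoint.hostname:
        raise ValueError(f"unexpected Endpoint: {p['Endpoint']!r}")
    return EventHubHandover(
        fqdn=endpoint.hostname,
        event_hub=p["EntityPath"],
        policy_name=p["SharedAccessKeyName"],
        key_hint="..." + p["SharedAccessKey"][-4:],
        ports=EVENT_HUBS_PORTS,
    )


# Constructed sample values: not a real namespace and not real credentials.
SAMPLE_INSTANCE_SCOPED = (
    "Endpoint=sb://contoso-siem-ns.servicebus.windows.net/;"
    "SharedAccessKeyName=siem-listen;"
    "SharedAccessKey=c2FtcGxlLWtleS1ub3QtcmVhbC1zYW1wbGUta2V5LW5vdC1yZWFs=;"
    "EntityPath=insights-logs-auditlogs"
)
SAMPLE_NAMESPACE_SCOPED = (
    "Endpoint=sb://contoso-siem-ns.servicebus.windows.net/;"
    "SharedAccessKeyName=RootManageSharedAccessKey;"
    "SharedAccessKey=c2FtcGxlLWtleS1ub3QtcmVhbC1zYW1wbGUta2V5LW5vdC1yZWFs="
)

if __name__ == "__main__":
    print(validate_for_siem(SAMPLE_INSTANCE_SCOPED))
    try:
        validate_for_siem(SAMPLE_NAMESPACE_SCOPED)
    except ValueError as err:
        print("rejected:", err)
```

    The summary object is what goes in the ticket to the SIEM team; the full connection string itself travels through the secret store, never the ticket.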


  2. Calogero Quattrocchi 71 Reputation points
    2022-05-18T12:28:51.03+00:00

    Hi, another related question: do I need many different consumer groups for one SIEM solution?
    What could be the reason to have different consumer groups?
    We would like to reduce costs (Basic Tier), but we do not want to be too limited in functionality.

    Many Thanks
    Regards


  3. Calogero Quattrocchi 71 Reputation points
    2022-05-18T12:41:52.81+00:00

    Hi (again),
    For another customer, we will need to integrate the Rapid7 SIEM solution with Azure Monitor.
    However, following the link https://learn.microsoft.com/en-us/azure/azure-monitor//partners?WT.mc_id=Portal-Microsoft_Azure_Monitoring, Rapid7 is not an official partner.
    Is it planned to integrate Rapid7?
    What could be an alternative?
    Thanks
    Regards,


  4. Calogero Quattrocchi 71 Reputation points
    2022-05-23T07:27:07.27+00:00

    Thanks for your feedback. But what could be the reason to have different consumer groups?
    Thanks
