CalogeroQuattrocchi-6377 asked CalogeroQuattrocchi-6377 answered

Integration with SIEM tool

Hi,
I am looking for detailed information about the integration of Event Hubs with third party SIEM tools (like LogRhythm).
What I cannot find is which information are required from the 3rd party tool to collect the data from Event Hubs.
For example:
- Which information do I need to provide from Azure Event Hub to the SIEM responsible? The Event hub namespace URL only or other stuff?
- Which IP ports should be opened if we have a FW between SIEM & Event Hub?
- Which permissions must be setup to authorize SIEM tool to collect data from Event Hub? And how to setup?
- etc...

Another related question is do I need many different consumer groups for one SIEM solution?
What could be the reason to have different consumer groups?
We would like to reduce costs (Basic Tier) but we do not want to be too limited in functionality.

Many Thanks
Regards

azure-event-hubs

BrunoLucas-9843 answered BrunoLucas-9843 commented

Hi CalogeroQuattrocchi-6377,
Looks like there is some info here. I don't have a subscription to logrhythm.com, but this should point you in the right direction:

https://docs.logrhythm.com/docs/OCbeats/azure-event-hubs-beat/event-hub-beat-using-connection-strings/configure-azure-event-hubs-using-connection-strings

[screenshot: 201970-image.png]

As the instructions say, you need the connection string for the instance, not the namespace. You will find that under "Shared access policies". If you don't have one, you will need to create one.

[screenshot: 202061-image.png]

This covers how to enter the info from above and configure the event hub beat:
https://docs.logrhythm.com/docs/OCbeats/azure-event-hubs-beat/event-hub-beat-using-connection-strings/initialize-the-event-hubs-beat-using-connection-strings




Hi @CalogeroQuattrocchi-6377 ,

Just checking in to see if the above answer helped. If this answers your query, do click Accept Answer and upvote for the same. And, if you have any further query, do let us know.


Many thanks for those very useful links.


Hi @CalogeroQuattrocchi-6377, I see you unverified the answer. Was there any problem?

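As an added example (not code from this thread, from Microsoft or from LogRhythm), the script below shows what the connection string taken from the event hub's "Shared access policies" blade actually contains, what the SIEM collector must be allowed to reach through a firewall, and how the key inside the string is turned into the SAS token the client presents. The last point is why the policy handed to the SIEM team should carry only the Listen claim: whoever holds the key can sign tokens for that policy. The namespace, policy name, key and hub name are constructed placeholders; the ports (AMQP over TLS on 5671, AMQP over WebSockets on 443) and the token layout are Microsoft's documented ones.

```python
"""Added example: what a SIEM needs from an Event Hub connection string.
Namespace, policy, key and hub name below are constructed placeholders."""
import base64
import hashlib
import hmac
import time
from urllib.parse import quote_plus, unquote_plus

# Constructed sample, in the format the portal shows under "Shared access
# policies" -> "Connection string-primary key". The key is a made-up value.
SAMPLE_CONN_STR = (
    "Endpoint=sb://contoso-siem.servicebus.windows.net/;"
    "SharedAccessKeyName=logrhythm-listen;"
    "SharedAccessKey=c2FtcGxlLWtleS1ub3QtcmVhbC1zYW1wbGUta2V5LW5vdC1yZWFsPT0=;"
    "EntityPath=security-logs"
)

AMQP_TLS_PORT = 5671        # default Event Hubs transport (AMQP over TLS)
AMQP_WEBSOCKET_PORT = 443   # AMQP over WebSockets, when only HTTPS egress is allowed


def parse_connection_string(conn_str):
    """Split 'Key=Value;...' into a dict and check the mandatory fields."""
    parts = {}
    for segment in conn_str.strip().split(";"):
        if not segment:
            continue
        key, sep, value = segment.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed segment: {segment!r}")
        parts[key] = value
    for required in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey"):
        if not parts.get(required):
            raise ValueError(f"connection string lacks {required}")
    return parts


def is_entity_scoped(parts):
    """True when EntityPath is present, i.e. the string points at one event hub
    (what the LogRhythm beat asks for) rather than the whole namespace."""
    return bool(parts.get("EntityPath"))


def firewall_target(parts):
    """(FQDN, ports) the SIEM collector must reach outbound."""
    endpoint = parts["Endpoint"]
    if not endpoint.startswith("sb://"):
        raise ValueError("Endpoint must be an sb:// URI")
    fqdn = endpoint[len("sb://"):].split("/", 1)[0]
    return fqdn, [AMQP_TLS_PORT, AMQP_WEBSOCKET_PORT]


def resource_uri(parts):
    """Resource the SAS token is scoped to: the hub itself when EntityPath is set."""
    fqdn, _ = firewall_target(parts)
    uri = f"https://{fqdn}"
    if is_entity_scoped(parts):
        uri += "/" + parts["EntityPath"]
    return uri


def make_sas_token(parts, ttl_seconds=3600, now=None):
    """Mint the SAS token a client derives from the shared access key, in the
    documented form: SharedAccessSignature sr=<uri>&sig=<hmac>&se=<expiry>&skn=<policy>.
    The SIEM does this itself; it is shown to make clear that the key is a
    token-signing secret, so the policy should carry only the Listen claim."""
    expiry = str(int((time.time() if now is None else now) + ttl_seconds))
    sr = quote_plus(resource_uri(parts))
    string_to_sign = f"{sr}\n{expiry}".encode("utf-8")
    key = parts["SharedAccessKey"].encode("utf-8")  # key string's bytes, not base64-decoded
    sig = base64.b64encode(hmac.new(key, string_to_sign, hashlib.sha256).digest()).decode()
    return (f"SharedAccessSignature sr={sr}&sig={quote_plus(sig)}"
            f"&se={expiry}&skn={parts['SharedAccessKeyName']}")


def verify_sas_token(token, key_name, key, now=None):
    """Recompute the signature as the service would; False on a wrong key,
    wrong policy name, expired token or malformed input."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    try:
        fields = dict(kv.split("=", 1) for kv in token[len(prefix):].split("&"))
        if fields["skn"] != key_name:
            return False
        if (time.time() if now is None else now) >= int(fields["se"]):
            return False
        expected = base64.b64encode(hmac.new(
            key.encode("utf-8"), f"{fields['sr']}\n{fields['se']}".encode("utf-8"),
            hashlib.sha256).digest()).decode()
        return hmac.compare_digest(unquote_plus(fields["sig"]), expected)
    except (KeyError, ValueError):
        return False


if __name__ == "__main__":
    parts = parse_connection_string(SAMPLE_CONN_STR)
    fqdn, ports = firewall_target(parts)
    print(f"hand to the SIEM team: policy {parts['SharedAccessKeyName']} (Listen only), "
          f"hub {parts.get('EntityPath')}, namespace {fqdn}")
    print(f"firewall: allow {fqdn} outbound on ports {ports}")
    print("token:", make_sas_token(parts, now=1_700_000_000))
```

In practice the SIEM only ever sees the connection string; the point of `verify_sas_token` is to show that a token signed with the Listen policy's key is accepted only for that policy name and resource, so a dedicated Listen-only policy per SIEM can be rotated or revoked without touching the namespace's RootManageSharedAccessKey.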
CalogeroQuattrocchi-6377 answered BrunoLucas-9843 commented

Hi, Another related question is do I need many different consumer groups for one SIEM solution?
What could be the reason to have different consumer groups?
We would like to reduce costs (Basic Tier) but we do not want to be too limited in functionality.

Many Thanks
Regards


Hi @CalogeroQuattrocchi-6377, sorry, I missed the Basic tier part. To create an extra consumer group you need to upgrade to the next tier:
https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-quotas. But Basic has 1, which means the name of that consumer group is '$Default'.
[screenshot: 203684-image.png]




CalogeroQuattrocchi-6377 answered BrunoLucas-9843 commented

Hi (again),
For another customer, we will need to integrate the Rapid7 SIEM solution with Azure Monitor.
However, following the link https://docs.microsoft.com/en-us/azure/azure-monitor//partners?WT.mc_id=Portal-Microsoft_Azure_Monitoring, Rapid7 is not an official partner.
Is it planned to integrate Rapid7?
What could be an alternative?
Thanks
Regards,


Hi @CalogeroQuattrocchi-6377 ,
I think for this type of question we would need the help of one of the Microsoft staff; they usually monitor questions here. If you don't get an answer, I suggest you post this Rapid7 question again as a new thread or contact Rapid7 directly.

Regards,
Bruno

CalogeroQuattrocchi-6377 answered

Thanks for your feedback. But what could be the reason to have different consumer groups?
Thanks
