USM Anywhere Azure Log Collection

Azure Event Hubs enables the Azure Sensor to receive and process information from an event hub so that you can manage it in your USM Anywhere environment.

Warning: To process and display custom events received from Azure Event Hubs as generic events, USM Anywhere requires those events in a specific format: a JSON object whose "records" key holds an array of event objects. For example: { "records": [ {<event-content>} ] }.
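The envelope described in the warning above, as an added example that is not part of the original documentation: wrap_records() builds the "records" envelope around custom events before they are published to the event hub, and extract_records() applies the same check to a received message body so you can tell in advance whether USM Anywhere would accept it as a generic event. The sample sign-in record is constructed for illustration only.

```python
from __future__ import annotations

import json
from typing import Any

# Constructed sample: the shape of one Azure AD sign-in record (illustrative only).
SAMPLE_SIGNIN_EVENT: dict[str, Any] = {
    "category": "SignInLogs",
    "operationName": "Sign-in activity",
    "resultType": "0",
    "identity": "alice@example.com",
}


def wrap_records(events: list[dict[str, Any]]) -> str:
    """Wrap custom events in the envelope USM Anywhere expects:
    a JSON object whose "records" key holds an array of event objects."""
    if not events:
        raise ValueError("no events to wrap")
    return json.dumps({"records": events})


def extract_records(body: str) -> list[dict[str, Any]]:
    """Parse one Event Hubs message body and return its event records.

    Raises ValueError for bodies USM Anywhere would not treat as generic
    events: non-JSON, a top-level array, a bare event object without a
    "records" key, or a "records" value that is not an array of objects.
    """
    try:
        payload = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"message body is not JSON: {exc}") from exc
    if not isinstance(payload, dict):
        raise ValueError("top-level value must be an object with a 'records' key")
    records = payload.get("records")
    if not isinstance(records, list):
        raise ValueError("'records' key is missing or is not an array")
    if not all(isinstance(record, dict) for record in records):
        raise ValueError("every element of 'records' must be a JSON object")
    return records


def is_usm_compatible(body: str) -> bool:
    """True if extract_records() accepts the body, False otherwise."""
    try:
        extract_records(body)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    message = wrap_records([SAMPLE_SIGNIN_EVENT])
    print(message)
    print("envelope accepted:", is_usm_compatible(message))
    print("bare event accepted:", is_usm_compatible(json.dumps(SAMPLE_SIGNIN_EVENT)))
```

Azure diagnostic settings already emit the "records" envelope, so extract_records() accepts those messages unchanged; only hand-built custom events need wrap_records().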

Important: Be sure to review the Azure requirements page for any environmental requirements specific to Azure Event Hubs before implementing the streaming of your logs to Azure Event Hubs.

The Azure Sensor can process different types of logs sent through Azure Event Hubs, including but not limited to the following:
  1. Azure Active Directory (AD) logs, including audit logs and sign-in logs
  2. Azure Application Gateway logs
  3. Azure Monitor logs
  4. Azure SQL Database logs
  5. Microsoft Defender Advanced Threat Protection (ATP) logs
  6. Microsoft Intune logs

Important: The Azure Sensor must be able to reach ports 5671 and 5672 on Azure Event Hubs in order to integrate with it.

Stream Logs to Azure Event Hubs

Before configuring the Azure Event Hubs integration in USM Anywhere, you must stream the logs you want to be analyzed to Azure Event Hubs. Make sure to stream your logs to the same event hub, because each Azure Sensor can only collect from a single event hub.

To stream logs to Azure Event Hubs

  1. Log in to the Azure portal.
  2. Create an event hub. See Microsoft Azure Quickstart: Create an event hub using Azure portal for instructions.
  3. Go to the event hub you just created and click Shared Access Policies in the sidebar.
  4. Create or edit a policy, and then select Manage, Send, and Listen. Streaming to Event Hubs requires these permissions.
  5. Copy the connection string listed in the policy under Connection String–Primary Key.

    Note: You will need to enter this string when configuring the Event Hubs connection in USM Anywhere.

  6. Configure streaming for the logs you want to collect.

    Note: Make sure to enable Stream to an event hub and select the event hub you just created as the destination.

Set Up Azure Event Hubs Connection in USM Anywhere

After completing the initial setup of your Azure Event Hubs, return to your USM Anywhere Sensors page to enable the Azure Event Hubs connection in USM Anywhere.

To enable Azure Event Hubs in USM Anywhere

  1. Go to Data Sources > Sensors, and then open the Azure Sensor.
  2. Click the Configuration tab.
  3. Complete the three fields:

    • Event Hub Name: The name of the event hub created during initial setup.
    • Event Hub Connection String: A string containing unique configuration data about your Azure Event Hubs implementation. This is the connection string that was copied under Connection String–Primary Key in the Stream Logs to Azure Event Hubs procedure.
    • Event Hub Consumer Group: The name of your Event Hubs consumer group. You can locate this name by opening your Event Hubs overview in the Azure portal and scrolling to the bottom of the page.

  4. (Optional) Select Process Generic Events to collect events for which USM Anywhere currently does not have a parser. These events will display as "GENERIC event" under Activity > Events.
  5. Click Save.
  6. Click the Event Hub tab to check the connection status and the number of events processed by each data source.

Viewing Azure Event Hubs Connectivity in USM Anywhere

The Event Hub tab on the Azure Sensor page provides a glimpse into the health of your sensor's connection to Azure Event Hubs. This page contains the name of your event hub, its connectivity status, and the number of events being processed by USM Anywhere.

To view your Azure Event Hubs connection

  1. Go to the Sensors page, and then open your Azure Sensor.
  2. Click the Event Hub tab.

These are the connectivity statuses you may see:

  • Connecting: The sensor is currently establishing its connection to Azure Event Hubs.
  • Processing: The sensor is successfully connected to Azure Event Hubs and is processing events.
  • Shutting Down: The sensor has begun the shutdown process so that a different event hub can connect to it.
  • Shutdown: The sensor is not currently connected to an event hub.
  • Error: The connection has experienced an error.
