Skip to main content

API - Azure Event Hub

Nate OBrien
  • Updated
Vendor Azure Event Hub
Collection Method API
Query Syntax: event.provider Azure
Source Types Generic
Generic JSON
Azure Resource
Azure Entra
Azure Resource
Azure Event Hub
Billable Sources Calculation 1 Source Per Generic, Entra, or Application Source, or Resource.
Additional Information Can be configured at both the account and organization level.

Azure Event Hub does not generate data on its own; you must add sources to Azure Event Hub for Huntress SIEM to collect any logs from it.

A Storage Account is required in Azure for Huntress SIEM to store data from Azure Event Hub. 

You must create a new Event Hub for Huntress SIEM, it cannot use an existing Event Hub!

To create the integration between Huntress and Azure Event Hub, follow these steps:

  1. From the Source Management -> Categories page, enter the Azure Event Hub page.
  2. Create a new Azure Event Hub source.

  3. Select the organization to ingest the Azure Event Hub logs into, provide the source with a name, and a description.

  4. Select Save

  5. Note the Azure Blob Collector Endpoint URL and Authorization Header, these will be filled in automatically in the next step so you do not need to save them.

  6. Note the Resource Prefix Guidance under the Azure Resources Setup section. If the exact storage account name is already in use in a tenant anywhere in Azure (global namespace), an error will be generated. So, it is recommended that you use a "more unique" Resource Prefix to avoid this issue.

  7. Select "Deploy to Azure".

  8. Select the Azure Subscription you would like to work with from the dropdown.
  9. We recommend creating a new resource group specific to the Huntress integration. Defaults are adequate for the integration.

  10. Provide a Resource Prefix based on the guidance in the previous Huntress page. For example "huntress".

  11. Select "Review + Create".
  12. Select "Create".

  13. Note in the next page the title "... Deployment is in progress". It may take a few moments for this to complete, at which point the title will update to reflect that.

  14. In the left hand navigation bar, select "Outputs".

  15. From each of the fields listed, copy the value one field at a time into the original Huntress tab.

    1. storageAccountHost will be copied to "Host URL"
    2. storageAccountName will be copied to "Account Name"

    3. storageAccessKey will be copied to "Access Key"

  16. Select "Update" in the Huntress page.

 

At this time, you have completed the integration between Huntress and Azure Event Hub. It can take up to 30 minutes for initial synchronizations to complete. To begin sending data, follow this guide.

 

Troubleshooting

If you're unable to see data come over from Microsoft into Huntress SIEM, you see no errors in your integration, and you've added at least 1 source to your Azure Event Hub (AEH will not send any data until sources are added to AEH), you may need to refresh the capture frequency. This advice comes from Microsoft and is easy to implement with these steps:

  • Go to the Capture settings for the event hub inside your Azure portal
    • Home > Event Hubs >  {your Huntress Event Hub} 
    • Go to the bottom Event Hubs section and find "logs-hub" (or whatever you named the event hub)
    • On the left menu Features > Capture
  • Toggle the capture settings on and off
    • Click "Enable capture" (to turn it off) and save it with "Apply"
    • Turn "Enable capture" back on and save it with "Apply"
  • Toggle the time window
    • Turn "Time window (minutes)" to 1 and save it with "Apply"
    • Turn "Time window (minutes)" to 5 and save it with "Apply"

 

 

 

Related articles