Microsoft Azure Event Hubs protocol configuration options

The Microsoft Azure Event Hubs protocol is an outbound and active protocol for IBM® Security QRadar® that collects events from Microsoft Azure Event Hubs.

Important: By default, each Event Collector can collect events from up to 1000 partitions before it runs out of file handles. If you want to collect from more partitions, you can contact IBM Support for advanced tuning information and assistance. For more information, see IBM Support.

The following parameters require specific values to collect events from Microsoft Azure Event Hubs appliances:

Table 1. Microsoft Azure Event Hubs log source parameters
Parameter	Value
Authentication Method	This drop-down field is used to select the authentication method for Azure Event Hub. It supports the following two options: SAS (Shared Access Signature): Connection string-based authentication. (Default Selection) Entra ID: Authentication is provided by Tenant ID, Client ID, and Client Secret. Notes: To create a Microsoft Entra application, see Set up the required Azure resources to export security alerts to IBM QRadar and Splunk - Microsoft Defender for Cloud. To allow Microsoft Entra ID to read from the event hub, see Set up the required Azure resources to export security alerts to IBM QRadar and Splunk - Microsoft Defender for Cloud.
Use Event Hub Connection String	Authenticate with an Azure Event Hub by using a connection string. Notes: The ability to toggle this switch to off is deprecated. Select Authentication Method > SAS (Shared Access Signature) to make this parameter available.
Event Hub Connection String	Authorization string that provides access to an Event Hub. For example, `Endpoint=sb://<Namespace Name>.servicebus.windows.net/;SharedAccess KeyNam Key Name>;SharedAccessKey=<SAS Key>; EntityPath=<Event Hub Name>` Note: Select Authentication Method > SAS (Shared Access Signature) to make this parameter available.
Tenant ID	Used for Azure AD authentication. Note: Select Authentication Method > Entra ID to make this parameter available.
Client ID	The Client ID is a public identifier that is used by Oauth2 for authentication. Note: Select Authentication Method > Entra ID to make this parameter available.
Client Secret	The Client Secret is used to ensure that the user is authorized to obtain an access token. The Client Secret is a password that is only available to the user when it is created. Afterward, it can be obtained only from memory or a written copy. Note: Select Authentication Method > Entra ID to make this parameter available.
Namespace	The name of the top-level directory that contains the Event Hub entities. Note: Select Authentication Method > Entra ID to make this parameter available.
Event Hub Name	The identifier for the Event Hub that you want to access. The Event Hub Name must match one of the Event Hub entities within the namespace. Note: Select Authentication Method > Entra ID to make this parameter available.
Consumer Group	Specifies the view that is used during the connection. Each Consumer Group maintains its own session tracking. Any connection that shares consumer groups and connection information shares session tracking information.
Storage Authentication Method	This drop-down field is used to select the authentication method for Azure Storage. It supports the following two options: Shared Access Signature (SAS) Connection string based authentication. This is default selection. Entra ID Authentication is provided by Tenant ID, Client ID and Client Secret.
Use Event Hub Entra ID Credentials	Use the same Entra ID credentials for the Storage Accounts that were configured for the Azure Event Hub. Set this option to false to provide separate Entra ID credentials for the Storage Account connection.
Tenant ID	A Tenant ID in Azure Entra ID is a unique identifier for Microsoft Entra tenant of an organization, which acts as a container for all its Azure resources, users, and subscriptions. Select Storage Authentication Method>Entra ID and set Use Event Hub Entra ID Credentials to false, to make this parameter available.
Client ID	The Client ID is a public identifier that is used by Oauth2 for authentication. Select Storage Authentication Method>Entra ID and set Use Event Hub Entra ID Credentials to false, to make this parameter available.
Client Secret	The Client Secret is used to ensure that the user is authorized to obtain an access token. The Client Secret is a password that is only available to the user when it is created. Afterwards, it can only be obtained from memory or a written copy. Select Storage Authentication Method>Entra ID and set Use Event Hub Entra ID Credentials to false, to make this parameter available.
Storage Account Name	The name of the storage account that stores Event Hub checkpoint and ownership metadata. Select Storage Authentication Method>Entra ID to make this parameter available
Use Storage Account Connection String	Authenticates with an Azure Storage Account by using a connection string. Note: The ability to toggle this switch to off is deprecated.
Storage Account Connection String	Authorization string that provides access to a Storage Account. Access Key example: `DefaultEndpointsProtocol=https;AccountName=<Storage Account Name>;AccountKey=<Storage Account Key>;EndpointSuffix=core.windows.net` Shared Access Signature example: `BlobEndpoint=<Blob Endpoint>;QueueEndpoint=<Queue Endpoint>;FileEndpoint=<File Endpoint>;TableEndpoint=<Table Endpoint>;SharedAccessSignature=<Access Signature>`
Format Azure Linux Events To Syslog	Formats Azure Linux® logs to a single-line syslog format that resembles standard syslog logging from Linux systems.
Convert VNet Flow Logs to IPFIX	Microsoft Azure VNet Flow Logs. Select this option to send flow logs to the Network Activity tab in QRadar.
Flow HostName	Enable Convert VNet Flow Logs to IPFIX to configure this parameter. The flow processor hostname where the Microsoft Azure VNet Flow Logs are sent.
Flow Port	Enable Convert VNet Flow Logs to IPFIX to configure this parameter. The flow processor port where the Microsoft Azure VNet Flow Logs are sent.
Use as a Gateway Log Source	Select this option for the collected events to flow through the QRadar Traffic Analysis engine and for QRadar to automatically detect one or more log sources. When you select this option, the Log Source Identifier Pattern can optionally be used to define a custom Log Source Identifier for events that are being processed.
Log Source Identifier Pattern	When the Use As A Gateway Log Source option is selected, use this option to define a custom log source identifier for events that are processed. If the Log Source Identifier Pattern is not configured, QRadar receives events as unknown generic log sources. The Log Source Identifier Pattern field accepts key-value pairs, such as key=value, to define the custom Log Source Identifier for events that are being processed and for log sources to be automatically discovered when applicable. Key is the Identifier Format String, which is the resulting source or origin value. Value is the associated regex pattern that is used to evaluate the current payload. The value (regex pattern) also supports capture groups, which can be used to further customize the key (Identifier Format String). Multiple key-value pairs can be defined by typing each pattern on a new line. When multiple patterns are used, they are evaluated in order until a match is found. When a match is found, a custom Log Source Identifier is displayed. The following examples show the multiple key-value pair functionality: Patterns `VPC=\sREJECT\sFAILURE` `$1=\s(REJECT)\sOK` `VPC-$1-$2=\s(ACCEPT)\s(OK)` Events `{LogStreamName: LogStreamTest,Timestamp: 0,Message: ACCEPT OK,IngestionTime: 0,EventId: 0}` Resulting custom log source identifier VPC-ACCEPT-OK
Use Predictive Parsing	If you enable this parameter, an algorithm extracts log source identifier patterns from events without running the regex for every event, which increases the parsing speed. Enable predictive parsing only for log source types that you expect to receive high event rates and require faster parsing.
Use Proxy	When you configure a proxy, all traffic for the log source travels through the proxy to access the Azure Event Hub. After you enable this parameter, configure the Proxy IP or Hostname, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not need authentication, you can leave the Proxy Username and Proxy Password fields blank. Note: Digest Authentication for Proxy is not supported in the Java™ SDK for Azure Event Hubs. For more information, see Azure Event Hubs - Client SDKs (https://docs.microsoft.com/en-us/azure/event-hubs/sdks).
Proxy IP or Hostname	The IP address or hostname of the proxy server. This parameter appears when Use Proxy is enabled.
Proxy Port	The port number used to communicate with the proxy. The default value is 8080. This parameter appears when Use Proxy is enabled.
Proxy Username	The username for accessing the proxy server. This parameter appears when Use Proxy is enabled.
Proxy Password	The password for accessing the proxy server. This parameter appears when Use Proxy is enabled.
EPS Throttle	The maximum number of events per second that QRadar ingests. If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle. The default is 5000.

The following table describes the Microsoft Azure Event Hubs log source parameters that are deprecated:

Table 2. Deprecated Microsoft Azure Event Hubs log source parameters
Parameter	Value
Deprecated - Namespace Name	This option displays if Use Event Hub Connection String option is set to off. The name of the top-level directory that contains the Event Hub entities in the Microsoft Azure Event Hubs user interface.
Deprecated - Event Hub Name	This option displays if Use Event Hub Connection String option is set to off. The identifier for the Event Hub that you want to access. The Event Hub Name must match one of the Event Hub entities within the namespace.
Deprecated - SAS Key Name	This option displays if Use Event Hub Connection String option is set to off. The Shared Access Signature (SAS) name identifies the event publisher.
Deprecated - SAS Key	This option displays if Use Event Hub Connection String option is set to off. The Shared Access Signature (SAS) key authenticates the event publisher.
Deprecated - Storage Account Name	This option displays if Use Storage Account Connection String option is set to off. The name of the storage account that stores Event Hub data. The Storage Account Name is part of the authentication process that is required to access data in the Azure Storage Account.
Deprecated - Storage Account Key	This option displays if Use Storage Account Connection String option is set to off. An authorization key that is used for storage account authentication. The Storage Account Key is part of the authentication process that is required to access data in the Azure Storage Account.