Cloud database service protection Azure setup
Use database activity monitoring to provide cloud database service protection for Azure Event Hubs.
You can use database activity monitoring to provide cloud database service protection for Azure Event Hubs with Guardium®. Before you can define a Guardium cloud database service account for Azure, you need to set up your Azure account or gather information about your existing account.
- Cloud database service protection for Azure Event Hubs works with Microsoft Azure SQL Database, Azure SQL Managed Instance, and Microsoft Azure Cosmos DB.
- To use cloud database service protection with Azure, you need to be able to create consumer groups, which requires the Azure Standard Pricing Tier. You cannot use the $Default consumer group.
- 12.1 and later: For 12.1 and later versions of Guardium, you can configure a single Azure event hub for different Azure cloud databases of the same type.
- Make sure that the TCP 443, 5671, and 5672 ports are open.
- Use SQL Server Management Studio (SSMS) to set up and enable a Server Audit Specification that sends SQL Security Audit Events to the event hub.
- From your managed database, set up and enable the Database Audit Specification.
- On the Azure Managed Instance page, browse to , and then select SQL Security Audit Event.
Gathering Microsoft™ Azure information
To use database activity monitoring, you need the following information about each Microsoft Azure event hub that you want to monitor. These parameters are created when you configure an Azure event hub. For detailed information about configuring Azure, see the Microsoft Azure documentation. Find or create the following Azure parameters:
- Namespace
The Event Hubs namespace.
- Event Hub Name
Created from within the Event Hubs namespace.
- Shared access policy name and key
Located within the Event Hubs namespace. To create a shared access policy and generate a shared access key, select . Enter your policy name and select the Manage option.
- Consumer Group Name
Located within the Event Hubs Instance page for the selected event hub. From Entities, select or create a consumer group.
Notes: If you use the same consumer group for multiple collectors, traffic is split between the collectors. If you create a consumer group for each collector, each collector gets its own copy of the traffic. You cannot use the $Default consumer group.
- Storage Connection String
Create a storage account (from the ) and then, from Storage accounts, select Shared access signature to generate a shared access signature and connection string. The Storage account contains checkpoints for consumer progress in the Event Hubs partition. For example:
BlobEndpoint=https://mystoragename.blob.core.windows.net/;QueueEndpoint=https://mystoragename.queue.core.windows.net/;FileEndpoint=https://mystoragename.file.core.windows.net/;TableEndpoint=https://mystoragename.table.core.windows.net/;SharedAccessSignature=sv=2019-12-12&ss=bfqt&srt=sco&sp=rwdlacupx&se=2025-09-16T00:54:06Z&st=2020-09-15T16:54:06Z&spr=https&sig=q%2FTuyiJqkNgfgdfgdfgdfgzaNj3V7Y0cr2EbLqol6Hg%3D
Note: On the Shared access signature window, change the expiry end date to meet your requirements.
- Cluster resource ID
Find the cluster (or database) resource string as follows:
- For Azure SQL, go to .
- For any Cosmos data source, the resource ID is the part of the URL that starts with /subscriptions and ends with the data source name. You can copy the resource ID from the URL. For example, if the URL for Microsoft Azure is:
https://portal.azure.com/#@company.onmicrosoft.com/resource/subscriptions/8333367e-1234-467d-b3fc-5b78c5721df0/resourceGroups/rg1/providers/Microsoft.DocumentDb/databaseAccounts/ibmcosmostable1/overview
Then the Cosmos resource ID is:
/subscriptions/8333367e-1234-467d-b3fc-5b78c5721df0/resourceGroups/rg1/providers/Microsoft.DocumentDb/databaseAccounts/ibmcosmostable1
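Two of the values gathered above are easy to get wrong: the Cosmos resource ID copied out of a portal URL, and the storage connection string, whose shared access signature silently expires. This added Python example (not Guardium code or IBM documentation) extracts the resource ID with the rule given above and parses the connection string to report the SAS expiry and a few hygiene findings; the specific conditions it flags are this example's own choices, not Guardium requirements.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl

# ARM resource ID shape: /subscriptions/{sub}/resourceGroups/{rg}/providers/{ns}/{type}/{name}
_RESOURCE_ID_RE = re.compile(r"/subscriptions/[^/]+/resourceGroups/[^/]+/providers/[^/]+/[^/]+/[^/]+")


def cosmos_resource_id(portal_url: str) -> str:
    """Return the part of a portal URL from /subscriptions to the data source name,
    dropping trailing portal blades such as /overview."""
    match = _RESOURCE_ID_RE.search(portal_url)
    if not match:
        raise ValueError("no /subscriptions/... resource ID found in URL")
    return match.group(0)


def parse_storage_connection_string(conn: str) -> dict:
    """Split Key=Value;Key=Value pairs. The SAS value itself contains '=' and '&',
    so only the first '=' of each pair separates key from value."""
    fields = {}
    for part in filter(None, conn.split(";")):
        key, _, value = part.partition("=")
        fields[key] = value
    # Decode the SAS query string (sv, ss, srt, sp, se, st, spr, sig) into its own dict
    fields["sas"] = dict(parse_qsl(fields.get("SharedAccessSignature", ""), keep_blank_values=True))
    return fields


def sas_days_remaining(sas: dict, now: datetime) -> float:
    """Days until the SAS expiry ('se'); negative means the token has already expired."""
    expiry = datetime.strptime(sas["se"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (expiry - now) / timedelta(days=1)


def check_storage_connection_string(conn: str, now: datetime, min_days: int = 30) -> list:
    """Findings to resolve before saving the string in Guardium; which conditions to flag is this example's choice."""
    fields = parse_storage_connection_string(conn)
    sas = fields["sas"]
    findings = []
    if "BlobEndpoint" not in fields:
        findings.append("missing BlobEndpoint (consumer checkpoints are stored in blobs)")
    if "b" not in sas.get("ss", ""):
        findings.append("SAS does not include the blob service (ss lacks 'b')")
    if sas.get("spr") != "https":
        findings.append("SAS allows non-HTTPS protocols (spr)")
    if "se" not in sas:
        return findings + ["SAS has no expiry (se); regenerate it with one"]
    remaining = sas_days_remaining(sas, now)
    if remaining < 0:
        findings.append(f"SAS expired {-remaining:.0f} days ago; regenerate it")
    elif remaining < min_days:
        findings.append(f"SAS expires in {remaining:.0f} days; plan rotation")
    return findings
```

Run the check against a connection string before pasting it into the cloud database service account, and again on a schedule so a rotation is planned before the expiry stops checkpointing.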
12.1 and later: For 12.1 and later versions of Guardium, you don't need to create the Azure parameter Cluster resource ID.
After you create your account and have the necessary information, you can define the cloud database service accounts that you need.
Tips and tricks
- Before you start, create standard naming conventions to prevent later confusion. Consider including the name of the Event Hub and the name of the database that you are monitoring for each related element. For example, if the database name is use1-db5, use the following naming conventions:
  - Namespace: use1-ehn1
  - Shared Access: use1-ehn1-sa1
  - Event Hub: use1-db5-ehn1-eh3
  - Consumer Group: use1-db5-ehn1-eh3-cg
- From the Guardium collector, make sure that outbound ports 443 and 5671 are available for the connections between the collector and Azure Event Hub.
- When you create a namespace, consider selecting Enable Auto-Inflate.
- Cosmos databases do not use usernames. Therefore, usernames are never returned from Cosmos.
- To help debug database activity monitoring issues, use the Support CLI commands support store datastreams_diag and support must_gather datastreams_issues. In general, use Support CLI commands only under the guidance of IBM Technical Support. For more information, see Support CLI Commands.
- Safeguarding your storage connection string is always important because it contains sensitive data about your storage account. Regenerate your storage connection string regularly to help ensure the highest level of security for your storage. For more information about configuring storage connection strings, see the Azure Blob Storage documentation.