
Prerequisites to Configure the Azure Event Hub Cloud Collector

Before you configure the Azure Event Hub Cloud Collector, you must complete the following prerequisites.

  • For Shared Access Signature Authentication, complete the following prerequisites.

    • Obtain the consumer group name to be entered while configuring the Cloud Collector.

    • Obtain the connection string to be entered while configuring the Cloud Collector.

    • (Optional) Configure your Event Hub setup to allow sufficient egress. See the tip in this section.

  • For Role Based Access Control Authentication, complete the following prerequisites.

Obtain the Consumer Group Name and Connection String

Before configuring the Azure Event Hub Cloud Collector, use the following steps to obtain the Consumer Group Name and Connection String for your EventHub endpoint.

  1. To obtain the name of the consumer group of the Event Hub, perform the following steps.

    1. On the Azure portal, navigate to the Event Hubs namespace in which the Event Hub with the data you want to retrieve resides.

    2. Select the EventHub where your data to be retrieved resides.


      Note

      If connection errors occur after the Cloud Collector configuration, enable local authentication for a given Event Hubs namespace.

    3. Navigate to Consumer groups to note the name of the consumer group.

      If only Exabeam is going to read data from the Event Hub, use the default consumer group. Otherwise, create a dedicated consumer group for Exabeam.


      Note

      Ensure that you create and use a unique consumer group. If you use the same consumer group for two cloud collector instances, it may result in event loss and ingestion issues.

  2. Create a SAS policy with listen-only permissions for Exabeam:

    1. In Event Hub, navigate to Shared access policies.

    2. Click + Add to add a new Policy on the Add SAS Policy page and enable the Listen permission.

    3. Provide a descriptive name that identifies the token as listen-only, then click Create.

    4. After you see the confirmation message (for example, Creating SAS Policy successful), open the policy you just created and note the following.

      • SAS policy name

      • Primary key value

        Note

        The Connection string primary key acts as a connection string for the Azure Event Hub Cloud Collector.


      Proceed to configure the Azure Event Hub Cloud Collector.

    Tip

    To configure your Event Hub setup to allow sufficient egress, refer to the following tips.

    • Examine the incoming number of bytes per second, by navigating to the Event Hub page on the Azure portal.

    • Set up the Event Hub with sufficient throughput capacity. The egress and ingress capacity of Event Hubs is measured in throughput units (TU). Ensure that your Event Hub provides 1 Throughput Unit (TU) per 2 MB/sec egress and 1 MB/sec ingress capacity.

    • Ensure that your Event Hub has 32 partitions and at least 1 TU per partition.

      If you notice that your workload requirement exceeds the maximum value recommended for Event Hub Premium, which is 32 partitions and 40 TU, you need to migrate to a Dedicated Event Hub Cluster.

    • Consider using the Auto-inflate throughput feature. You can enable Auto-inflate on the Event Hub namespace to automatically increase the number of TUs based on the load. For more information about throughput units, limits, and associated billing, see Event Hubs FAQs and Azure Event Hubs quotas and limits.
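A pre-flight check for the connection string noted in the SAS policy steps above, written as an added example that is not part of the original guide or the vendor's tooling. It assumes the standard Event Hubs connection-string layout (Endpoint, SharedAccessKeyName, SharedAccessKey, EntityPath); the function names and sample values are constructed for illustration, and the rights on a policy cannot be read from the string itself, so the checks are heuristics.

```python
# Added example: review an Event Hubs SAS connection string before handing it to a collector.
from urllib.parse import urlparse

REQUIRED = ("Endpoint", "SharedAccessKeyName", "SharedAccessKey")
# Default namespace-level policy created by Azure; it carries Manage, Send and Listen.
DEFAULT_ROOT_POLICY = "RootManageSharedAccessKey"

def parse_connection_string(conn_str):
    """Split 'Key=Value;...' pairs; values (base64 keys) may themselves contain '='."""
    fields = {}
    for part in conn_str.strip().split(";"):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep or not value:
            raise ValueError(f"malformed segment: {key!r}")
        fields[key.strip()] = value.strip()
    return fields

def review_connection_string(conn_str):
    """Return a list of findings; an empty list means nothing was flagged."""
    fields = parse_connection_string(conn_str)
    findings = [f"missing {k}" for k in REQUIRED if k not in fields]
    endpoint = urlparse(fields.get("Endpoint", ""))
    if endpoint.scheme != "sb" or not endpoint.hostname:
        findings.append("Endpoint is not an sb:// namespace URI")
    if "EntityPath" not in fields:
        findings.append("no EntityPath: policy is namespace-wide, not scoped to one Event Hub")
    if fields.get("SharedAccessKeyName") == DEFAULT_ROOT_POLICY:
        findings.append("uses RootManageSharedAccessKey, which is not listen-only")
    return findings

def redact(conn_str):
    """Copy of the string that is safe to log: the key value is masked."""
    fields = parse_connection_string(conn_str)
    if "SharedAccessKey" in fields:
        fields["SharedAccessKey"] = "***"
    return ";".join(f"{k}={v}" for k, v in fields.items())

# Constructed sample values (not real credentials or real resource names).
GOOD = ("Endpoint=sb://contoso-logs.servicebus.windows.net/;"
        "SharedAccessKeyName=exabeam-listen-only;"
        "SharedAccessKey=Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA==;EntityPath=security-events")
BAD = ("Endpoint=sb://contoso-logs.servicebus.windows.net/;"
       "SharedAccessKeyName=RootManageSharedAccessKey;"
       "SharedAccessKey=Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA==")
```

Run `review_connection_string()` on the value before saving it, and use `redact()` for anything written to tickets or logs.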

Create and Register a Microsoft Entra ID Application

  1. Log into your Azure account by accessing the Azure portal.

  2. From the available Azure Services, select Microsoft Entra ID (formerly called Azure Active Directory).

  3. From the left navigation pane, select App Registrations, then click New Registration.

  4. On the Register an application page, enter the following information:

    • Name – Specify a name for the new application. For example, Exabeam MS Entra ID App.

    • Supported account types – Select the account type Accounts in this organizational directory only.

    • Redirect URI – (Optional) Select the Web platform and specify a URI.

  5. Click Register. When registration is complete, the Overview tab of the new application is displayed.

  6. Copy and make a note of the values for both the Application (client) ID and the Directory (tenant) ID. You will need these values when configuring the cloud collector.

Generate Secrets

  1. In your new Microsoft Entra ID application, click Certificates & secrets in the left navigation pane.

  2. On the Client Secrets tab, click New client secret and use the following steps.

    1. Enter a Description and an Expire term for the secret.

    2. Click Add. The new client secret is displayed on the Client secrets tab.

    3. Copy and make a note of the Value and Secret ID. You will need this client secret value when you configure the cloud collector. You will not be able to recover this value later if you don't make a note of it.


Provide Access to EventHub

Use the following steps to obtain Namespace, EventHub name, and Consumer group.

  1. On the Azure portal, navigate to the Event Hubs namespace and click Access control (IAM).

  2. Add a role assignment and assign a role such as Azure Event Hubs Data Sender or Azure Event Hubs Data Owner by navigating to Add > Add role assignment. For more information, see Assign Azure roles using the Azure portal in the Microsoft documentation.

  3. In the Members tab, in Assign access to, select User, group, or service principal.

  4. Click Select Members and search for your Event Hub app by typing the name of the app and select the app name.

  5. Define conditions and scope in the next steps and click Review + assign.

  6. On the Azure portal, navigate to the Event Hubs namespace and note the values for Namespace, Event Hub name, and Consumer Group Name.