
Cloud Collectors Administration Guide


Prerequisites to Configure the Azure Storage Analytics Cloud Collector

Before you configure the Azure Storage Analytics Cloud Collector you must complete the following prerequisites:

  • Create an Event Hub and obtain the consumer group name to be entered while configuring the Cloud Collector.

  • Obtain the connection string to be entered while configuring the Cloud Collector.

  • (Optional) Size your Event Hub setup for sufficient egress. See the tip in this section.

  • Configure the Azure Storage Account so that its blob, queue, table, and file logs stream to the Event Hub, which lets the cloud collector pull them.

Obtain the Consumer Group Name and Connection String

Before configuring the Azure Storage Analytics Cloud Collector, create an Event Hub if you do not already have one. Use the following steps to obtain the consumer group name and connection string for your Event Hub endpoint.

  1. To obtain the name of the consumer group of the Event Hub, perform the following steps.

    1. On the Azure portal, navigate to the Event Hubs namespace in which the Event Hub with the data you want to retrieve resides.

    2. Select the Event Hub where your data to be retrieved resides.


      Note

      If connection errors occur after you configure the Cloud Collector, check that local authentication is enabled on the Event Hubs namespace. The collector authenticates with a SAS connection string, which the namespace rejects when it is configured to allow only Microsoft Entra ID authentication.
    3. Navigate to Consumer groups to note the name of the consumer group.

      If only Exabeam is going to read data from the Event Hub, use the default consumer group. Otherwise, create a dedicated consumer group for Exabeam.


      Note

      Create and use a unique consumer group for each cloud collector instance. Two instances that read through the same consumer group compete for the same partitions and checkpoints, which can result in event loss and ingestion issues.

  2. Create a SAS policy with listen-only permissions for Exabeam:

    1. In Event Hub, navigate to Shared access policies.

    2. Click + Add. On the Add SAS Policy page, enter a descriptive name that identifies the policy as listen-only, select only the Listen permission, and click Create. Do not grant Send or Manage; the collector only reads from the Event Hub.

    3. After you see the confirmation message (for example, Creating SAS Policy successful), open the policy you just created and note the following.

      • SAS policy name

      • Connection string-primary key value

        Note

        The Connection string-primary key value is what you enter as the connection string when configuring this Cloud Collector. Treat it as a secret: anyone who holds it can read every event in the Event Hub.

      Proceed to configure the Azure Storage Analytics Cloud Collector.

    Tip

    To size your Event Hub setup for sufficient egress, refer to the following tips.

    • Examine the incoming bytes per second by navigating to the Event Hub page on the Azure portal and reviewing its metrics.

    • Set up the Event Hub with enough throughput capacity. The ingress and egress capacity of Event Hubs is measured in throughput units (TU): one TU provides 1 MB/sec of ingress and 2 MB/sec of egress. Provision enough TUs that both the observed ingress and the collector's egress fit within that allowance.

    • Ensure that your Event Hub has 32 partitions and at least 1 TU per partition.

      If your workload exceeds the limits of the Standard tier, which are 32 partitions per Event Hub and 40 TUs per namespace, you need to move to a higher tier, for example a Dedicated Event Hubs cluster.

    • Consider using the Auto-inflate feature. You can enable Auto-inflate on the Event Hub namespace to increase the number of TUs automatically, up to the maximum you set, based on load. For more information about throughput units, limits, and associated billing, see Event Hubs FAQs and Azure Event Hubs quotas and limits in the Microsoft documentation.
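The Event Hub side of steps 1 and 2, together with the sizing tip, as an added example that is not part of this guide and not Exabeam's or Microsoft's code: an Azure CLI script that creates a Standard namespace with Auto-inflate, a 32-partition Event Hub, a dedicated consumer group, and a listen-only SAS policy scoped to that hub, and then reads back the connection string the collector needs. The resource group, namespace, hub, consumer group, and policy names, and the sample ingress and egress rates, are hypothetical placeholders. The script assumes an existing az login session with rights on the subscription; by default it only prints the az commands and executes them only when APPLY=1 is set.

```shell
#!/usr/bin/env sh
# Added example, not Exabeam's or Microsoft's code. All resource names are
# hypothetical placeholders; override them through the environment.
# By default the az commands are only printed; set APPLY=1 to execute them.
set -eu

RG="${RG:-exabeam-logs-rg}"                  # resource group (hypothetical)
LOCATION="${LOCATION:-eastus}"
NS="${NS:-exabeam-storage-logs-ns}"          # Event Hubs namespace (hypothetical)
HUB="${HUB:-storage-analytics}"              # hub dedicated to storage account logs
CONSUMER_GROUP="${CONSUMER_GROUP:-exabeam}"  # one consumer group per collector instance
POLICY="${POLICY:-exabeam-listen}"           # listen-only SAS policy for the collector

# Sizing rule from the tip: 1 TU gives 1 MB/s ingress and 2 MB/s egress.
# Prints the TUs needed for whole-MB/s ingress ($1) and egress ($2) rates,
# rounding egress up and never going below 1 TU.
tu_for_throughput() {
  ingress_tu=$1
  egress_tu=$(( ($2 + 1) / 2 ))
  needed=$ingress_tu
  if [ "$egress_tu" -gt "$needed" ]; then needed=$egress_tu; fi
  if [ "$needed" -lt 1 ]; then needed=1; fi
  echo "$needed"
}

# Dry-run wrapper: print the command unless APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Constructed sample rates: 4 MB/s observed ingress, 8 MB/s expected egress.
TU=$(tu_for_throughput "${INGRESS_MB:-4}" "${EGRESS_MB:-8}")

# Namespace: Standard tier, start at the computed TUs, let Auto-inflate grow to the 40 TU cap.
run az eventhubs namespace create --resource-group "$RG" --name "$NS" --location "$LOCATION" \
  --sku Standard --capacity "$TU" --enable-auto-inflate true --maximum-throughput-units 40

# Keep local (SAS) authentication enabled; the collector's connection string depends on it.
run az eventhubs namespace update --resource-group "$RG" --name "$NS" --disable-local-auth false

# 32 partitions, as the sizing tip recommends.
run az eventhubs eventhub create --resource-group "$RG" --namespace-name "$NS" --name "$HUB" \
  --partition-count 32

# Dedicated consumer group so this collector never shares checkpoints with another reader.
run az eventhubs eventhub consumer-group create --resource-group "$RG" --namespace-name "$NS" \
  --eventhub-name "$HUB" --name "$CONSUMER_GROUP"

# Listen-only policy scoped to the hub, not the namespace: least privilege for the collector.
run az eventhubs eventhub authorization-rule create --resource-group "$RG" --namespace-name "$NS" \
  --eventhub-name "$HUB" --name "$POLICY" --rights Listen

# The "Connection string-primary key" value to paste into the collector configuration.
run az eventhubs eventhub authorization-rule keys list --resource-group "$RG" --namespace-name "$NS" \
  --eventhub-name "$HUB" --name "$POLICY" --query primaryConnectionString -o tsv
```

The policy is created on the Event Hub rather than on the namespace so that the key the collector holds cannot read any other hub in the namespace, and the consumer group is dedicated so that a second collector instance can be given its own without touching this one.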

Configure Azure Storage Account to Forward Events to your Event Hub

Azure Storage Analytics provides metrics for a storage account and logs for blobs, queues, and tables. Use this data to trace requests, analyze usage trends, and diagnose issues with your storage account. For more information, see Storage Analytics in the Microsoft documentation. For the cloud collector to pull storage analytics logs, you need an Azure storage account (the container for your blobs, files, queues, and tables) with diagnostic settings that stream its logs to your Event Hub.

If you do not have a storage account, create one by following the steps below. For detailed instructions, see Create a storage account in the Microsoft Azure documentation.

Note

Create an Event Hub dedicated to storage account logs and point the diagnostic settings of all your storage accounts at it. The cloud collector reads every event in the Event Hub it is configured with, so if that Event Hub also receives data from other sources, the collector ingests that unrelated data as well.

  1. On the Azure portal, navigate to Azure Services > Storage accounts.

  2. On the Storage accounts page, click Create.

  3. Enter the required information in the Project details and Instance details section. For more information, see Create a storage account in Microsoft Azure documentation.

  4. Click Next: Advanced. If you want to verify the details, click Review.

  5. Retain the default options for the sections: Advanced, Networking, Data protection, Encryption, and Tags. For more information on each field in these sections, see Create a storage account in Microsoft Azure documentation.

  6. Click Create.


    The storage account is created.

  7. Navigate to Storage accounts to view the new storage account that you created, then click the name of the storage account that you created.

  8. On your storage account page, navigate to Monitoring > Diagnostic settings.

  9. Configure diagnostic settings for each service: blob, queue, table, and file. Click the service, then click Add diagnostic setting. For more information, see Diagnostic settings in Azure Monitor in the Microsoft Azure documentation.

  10. In the Diagnostic setting section, specify a name for the diagnostic setting, then under Logs select the allLogs category group. For the storage services this covers the StorageRead, StorageWrite, and StorageDelete categories.

    The blob service is used as the example here; the other services are configured the same way. Under Metrics you can additionally select the metrics you want the collector to pull, based on your requirement.
  11. Select Stream to an event hub, then select the subscription, the Event Hub namespace, the Event Hub name, and the Event Hub policy name, and click Save.

    The policy selected here is a namespace-level shared access policy that Azure Monitor uses to write into the Event Hub, so it must include the Send permission (the default RootManageSharedAccessKey policy qualifies). It is separate from the listen-only policy you created for Exabeam, which the collector uses to read.

    Similarly, configure the diagnostic settings for the queue, table, and file services based on your requirement.

    After the diagnostic settings are saved, the blob, queue, table, and file logs are streamed to your Event Hub, and the cloud collector can collect logs for the storage account.
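Steps 8 to 11 for all four services at once, as an added example that is not part of this guide and not Exabeam's or Microsoft's code: an Azure CLI script that creates one diagnostic setting per storage service (blob, queue, table, file), enables the StorageRead, StorageWrite, and StorageDelete categories that allLogs expands to for storage plus the Transaction metric, and streams them to the Event Hub through a namespace policy that has Send rights. The subscription ID, resource group, storage account, namespace, hub, and policy names are hypothetical placeholders; the script assumes an existing az login session and only prints the az commands unless APPLY=1 is set.

```shell
#!/usr/bin/env sh
# Added example, not Exabeam's or Microsoft's code. All identifiers below are
# hypothetical placeholders; override them through the environment.
# By default the az commands are only printed; set APPLY=1 to execute them.
set -eu

SUB="${SUB:-00000000-0000-0000-0000-000000000000}"       # subscription ID (placeholder)
RG="${RG:-exabeam-logs-rg}"                              # resource group (hypothetical)
STORAGE="${STORAGE:-stexabeamlogs001}"                   # storage account (hypothetical)
NS="${NS:-exabeam-storage-logs-ns}"                      # Event Hubs namespace (hypothetical)
HUB="${HUB:-storage-analytics}"                          # hub dedicated to storage account logs
SEND_POLICY="${SEND_POLICY:-RootManageSharedAccessKey}"  # namespace policy with Send rights

# Dry-run wrapper: print the command unless APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Only these four services of a storage account carry diagnostic settings.
is_storage_service() {
  case "$1" in blob|queue|table|file) return 0 ;; *) return 1 ;; esac
}

# ARM resource ID of one service of the storage account, e.g. .../blobServices/default
service_resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/%sServices/default\n' \
    "$SUB" "$RG" "$STORAGE" "$1"
}

# ARM resource ID of the namespace SAS policy Azure Monitor sends with.
# This must be a Send-capable namespace policy, never the collector's listen-only hub policy.
eventhub_rule_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.EventHub/namespaces/%s/authorizationRules/%s\n' \
    "$SUB" "$RG" "$NS" "$SEND_POLICY"
}

# The three log categories that the allLogs group expands to for storage services,
# plus the Transaction metric that the portal example selects.
LOGS='[{"category":"StorageRead","enabled":true},{"category":"StorageWrite","enabled":true},{"category":"StorageDelete","enabled":true}]'
METRICS='[{"category":"Transaction","enabled":true}]'

for svc in blob queue table file; do
  is_storage_service "$svc" || { echo "unknown service: $svc" >&2; exit 1; }
  run az monitor diagnostic-settings create --name "exabeam-$svc" \
    --resource "$(service_resource_id "$svc")" \
    --event-hub "$HUB" --event-hub-rule "$(eventhub_rule_id)" \
    --logs "$LOGS" --metrics "$METRICS"
done
```

Because the hub is dedicated to storage logs, every storage account you onboard can reuse the same HUB and SEND_POLICY values; only STORAGE (and, if needed, RG) changes per account, so the collector keeps reading a single hub that contains nothing but storage events.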