# Event Hub Source

## Overview

Panther supports configuring an [Azure Event Hub](https://learn.microsoft.com/en-us/azure/event-hubs/) as a Data Transport to pull log data directly from your Event Hub namespace, allowing you to write detections and perform investigations on this processed data.

Data sent to Panther can be in various formats, including JSON or plain text.

## How to set up an Azure Event Hub log source in Panther

### Prerequisites

* You have an [Event Hubs namespace](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-features#namespace) and, within it, an Event Hub.
* Verify that the necessary Azure resource provider is registered for your subscription:
  1. Log in to the Azure Portal and navigate to **Subscriptions**.
  2. Select the subscription where your Event Hub resources are located.
  3. Under the subscription settings, select **Resource providers**.
  4. In the **Filter by name** field, search for `Microsoft.EventHub`.
  5. Ensure that the **Status** column for `Microsoft.EventHub` shows **Registered**. If the status is instead **NotRegistered**, register it by following the Azure [Register resource provider](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) documentation.

### Step 1: Configure Azure Event Hub in Panther

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. In the upper-right corner, click **Create New**.
3. Click the **Azure Event Hub** tile.
4. On the **Basic Info** page, fill in the following:
   * **Name**: Enter a descriptive name for your log source.
   * **Log Types**: Select one or more log types to associate with this log source.
5. Click **Setup**.
6. On the **Log Format** page, select the [stream type](https://docs.panther.com/custom-log-types/reference#stream-type) of the incoming logs:
   * **Auto**
   * **Lines**
   * **JSON**
   * **JSON Array**

{% hint style="warning" %}
If you plan to ingest Azure logs (such as Activity or Resource logs) with this Event Hub:

1. Select **JSON Array**.
2. Set the **Is the JSON Array enclosed in a field?** toggle to **Yes**.
3. In the **Enclosing Field Name** field, enter `records`.

<img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-3bf186144213e2a8ce2b6ca18e901a08d8ffa26f%2Fimage.png?alt=media" alt="" data-size="original">
{% endhint %}

7. Click **Continue**.
   * The **Configuration** page will load.
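To see why the hint above matters, here is an added Python example (not Panther's code) that mimics the **JSON Array** stream type on a constructed Azure log batch: with the enclosing field set to `records` each entry in the array becomes one event, while the same body with no enclosing field does not parse as an array at all. The sample bodies and field values are constructed for this example.

```python
import json
from typing import List, Optional

# Constructed sample of an Event Hub message body as Azure Diagnostic Settings
# emit it: a JSON object whose "records" field holds the array of log entries.
# Field values are illustrative, not captured from a real tenant.
AZURE_BATCH = json.dumps({
    "records": [
        {"time": "2024-01-01T00:00:00Z", "category": "Administrative",
         "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE"},
        {"time": "2024-01-01T00:00:05Z", "category": "Security",
         "operationName": "MICROSOFT.SECURITY/LOCATIONS/ALERTS/ACTIVATE/ACTION"},
    ]
})

# The same kind of data sent by a custom producer as a bare JSON array.
BARE_ARRAY = json.dumps([{"time": "2024-01-01T00:00:00Z"},
                         {"time": "2024-01-01T00:00:05Z"}])


def split_json_array(body: str, enclosing_field: Optional[str] = None) -> List[dict]:
    """Mimic the 'JSON Array' stream type: one event per array element.

    enclosing_field=None      -> the body itself must be a JSON array.
    enclosing_field="records" -> the body is an object and the array sits under
                                 that key (the Azure Activity/Resource log shape).
    """
    parsed = json.loads(body)
    if enclosing_field is not None:
        if not isinstance(parsed, dict) or enclosing_field not in parsed:
            raise ValueError(f"expected an object with a {enclosing_field!r} field")
        parsed = parsed[enclosing_field]
    if not isinstance(parsed, list):
        raise ValueError("expected a JSON array of events")
    return [event for event in parsed if isinstance(event, dict)]


def probe(body: str, enclosing_field: Optional[str] = None) -> Optional[int]:
    """Number of events the setting would yield, or None if the setting does not
    fit the body (the misconfiguration the hint above warns about)."""
    try:
        return len(split_json_array(body, enclosing_field))
    except ValueError:
        return None
```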

### Step 2: Add a shared access policy to your Event Hub

To allow Panther to access your Event Hub, create a [shared access policy](https://learn.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies) with only the **Listen** permission:

1. In a separate browser tab, log in to the Azure Portal, then navigate to **Event Hubs**.
2. Select the Event Hub namespace in which your logs are hosted.
3. On the **Overview** page, in the **Event Hubs** section, select the name of the Event Hub you want to onboard.

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-19be01756f9aae44c94f3ce69980e9125f297edf%2Fimage.png?alt=media" alt="Under an &#x22;eventhubnamespacenickk&#x22; title is a dashboard. An arrow is drawn to a section header reading &#x22;Event Hubs (3).&#x22;" width="563"><figcaption></figcaption></figure>
4. Under **Settings**, click **Shared access policies**.
5. Click **+ Add** to create a new policy.
6. In the **Add SAS Policy** slide-out panel:
   1. In the **Policy name** field, provide a descriptive name (e.g., `PantherListener`).
   2. Click the **Listen** checkbox.
   3. Click **Create**.
7. Click the name of the policy you just created.
8. Copy the **Primary connection string** value and store it in a secure location, as you’ll need it in the next step.
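As an added check (example code, not Panther's), the following Python parses the copied connection string and flags two common mistakes before it is pasted into Panther: a namespace-level string (no `EntityPath`) instead of the Event Hub policy created above, and the namespace's built-in `RootManageSharedAccessKey` policy, which carries Manage rights rather than just Listen. The sample string, its hub name and its key are constructed.

```python
from typing import Dict, List

# Constructed sample of an Event Hub-level connection string in the shape the
# Azure Portal shows under the policy created in Step 2. The key is fake.
SAMPLE_CONNECTION_STRING = (
    "Endpoint=sb://example-namespace.servicebus.windows.net/;"
    "SharedAccessKeyName=PantherListener;"
    "SharedAccessKey=ZmFrZS1rZXktZm9yLWV4YW1wbGUtb25seQ==;"
    "EntityPath=audit-logs"
)
REQUIRED = ("Endpoint", "SharedAccessKeyName", "SharedAccessKey")
# Azure's built-in namespace policy: Manage rights on every hub in the
# namespace, far more than the Listen-only policy Panther needs.
ROOT_POLICY = "RootManageSharedAccessKey"


def parse_connection_string(conn: str) -> Dict[str, str]:
    """Split 'k=v;k=v' into a dict, cutting each pair at the FIRST '=' only,
    because the base64 SharedAccessKey may itself end in '=' padding."""
    parts: Dict[str, str] = {}
    for pair in filter(None, conn.strip().split(";")):
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed segment: {pair!r}")
        parts[key.strip()] = value.strip()
    return parts


def check_connection_string(conn: str) -> List[str]:
    """Findings for the string you are about to paste into Panther; an empty
    list means it has the expected parts and a least-privilege policy."""
    findings: List[str] = []
    parts = parse_connection_string(conn)
    for key in REQUIRED:
        if not parts.get(key):
            findings.append(f"missing {key}")
    if "EntityPath" not in parts:
        findings.append("no EntityPath: namespace-level string, not the Event Hub policy from Step 2")
    if parts.get("SharedAccessKeyName") == ROOT_POLICY:
        findings.append(f"{ROOT_POLICY} grants Manage on the whole namespace; use a Listen-only policy")
    return findings


def redact(conn: str) -> str:
    """Form safe to paste in a ticket or log: the secret key is replaced."""
    parts = parse_connection_string(conn)
    if "SharedAccessKey" in parts:
        parts["SharedAccessKey"] = "***"
    return ";".join(f"{k}={v}" for k, v in parts.items())
```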

### Step 3: Finish Azure Event Hub source setup in Panther

1. Return to your Event Hub source setup in the Panther Console.
2. On the **Configuration** page, provide the following configuration values:
   * **Connection String**: Enter the **Primary connection string** value you copied in the previous step.
   * (Optional) **Consumer Group**: If you have configured a [consumer group](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-features#consumer-groups) in your Event Hub, you can specify it here. Otherwise, the default consumer group, `$Default`, will be used.

     <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-a8c16d987f50863194191da3decf49ccb546fb55%2Fimage.png?alt=media" alt="Under a &#x22;Configuration&#x22; title is the header &#x22;Create a Connection string in your Azure Portal.&#x22; There are two form fields: Connection String and Consumer Group (Optional)."><figcaption></figcaption></figure>
3. Click **Setup**. You will be directed to a success screen:

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-e55cedf82c6a6adc66ec5c14ebdcb164c3b1dcca%2FScreenshot%202023-08-03%20at%204.33.30%20PM.png?alt=media" alt="The success screen reads, &#x22;Everything looks good! Panther will now automatically pull &#x26; process logs from your account&#x22;" width="281"><figcaption></figcaption></figure>

* You can optionally enable one or more [Detection Packs](https://docs.panther.com/detections/panther-managed/packs).
* If you have not done so already, click **Attach or Infer Schemas** to attach one or more schemas to the source.
* The **Trigger an alert when no events are processed** setting defaults to **YES**. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

  <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-c48119abd559990173004bde99ff4907fdd2ded2%2FScreenshot%202023-08-03%20at%204.26.54%20PM.png?alt=media" alt="The &#x22;Trigger an alert when no events are processed&#x22; toggle is set to YES. The &#x22;How long should Panther wait before it sends you an alert that no events have been processed&#x22; setting is set to 1 Day" width="320"><figcaption></figcaption></figure>

## Viewing ingested logs

After your log source is configured, you can search ingested data using [Search](https://docs.panther.com/search/search-tool) or [Data Explorer](https://docs.panther.com/search/data-explorer).
