Event Hub Source (Beta)

Onboarding Azure Event Hub as a Data Transport log source in the Panther Console

Overview

The Azure Event Hub integration is in open beta starting with Panther version 1.114, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Panther supports configuring an Azure Event Hub as a Data Transport to pull log data directly from your Event Hub namespace, allowing you to write detections and perform investigations on this processed data.

Data sent to Panther can be in various formats, including JSON or plain text.

How to set up an Azure Event Hub log source in Panther

Prerequisite

Before configuring Azure Event Hub in Panther, verify that the necessary Azure resource provider is registered for your subscription.

  1. Log in to the Azure Portal and navigate to Subscriptions.

  2. Select the subscription where your Event Hub resources are located.

  3. Under the subscription settings, select Resource providers.

  4. In the Filter by name field, search for Microsoft.EventHub.

  5. Ensure that the Status column for Microsoft.EventHub shows Registered. If the status is instead NotRegistered, register it by following the Azure Register resource provider documentation.

Step 1: Configure Azure Event Hub in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. In the upper-right corner, click Create New.

  3. Click the Custom Log Formats tile.

  4. In the Azure Event Hub tile on the slide-out panel, click Start.

  5. On the Basic Info page, fill in the following:

    • Name: Enter a descriptive name for your log source.

    • Log Types: Select one or more log types to associate with this log source.

  6. Click Setup.

  7. On the Log Format page, select the stream type of the incoming logs:

    • Auto

    • Lines

    • JSON

    • JSON Array

    If you plan to ingest Azure logs (such as Activity or Resource logs) with this Event Hub:

    1. Select JSON Array.

    2. Set the Is the JSON Array enclosed in a field? toggle to Yes.

    3. In the Enclosing Field Name field, enter records.

    The Azure Event Hub integration is in open beta starting with Panther version 1.112, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

  8. Click Continue.

    • The Configuration page will load.
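
The stream types above decide how Panther splits a raw Event Hub message body into events. The following added example (not Panther's own code) implements each choice, including the "JSON Array enclosed in a field" case, and shows why Azure Activity and Resource logs need "JSON Array" with the enclosing field "records": the `sniff` function is an assumed heuristic standing in for "Auto", and all message bodies are constructed samples, not captured Azure data.

```python
"""Decode an Event Hub message body according to the Panther stream types.

Added example, not Panther's own code. Sample bodies are constructed.
"""
from __future__ import annotations

import json
from typing import Any, Iterator


def decode_lines(body: str) -> Iterator[dict[str, Any]]:
    """"Lines": every non-empty line is one event; non-JSON lines are kept as text."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            obj = None
        yield obj if isinstance(obj, dict) else {"message": line}


def decode_json(body: str) -> Iterator[dict[str, Any]]:
    """"JSON": the whole body is one JSON object, i.e. one event."""
    obj = json.loads(body)
    if not isinstance(obj, dict):
        raise ValueError("JSON stream type expects a single JSON object")
    yield obj


def decode_json_array(body: str, enclosing_field: str | None = None) -> Iterator[dict[str, Any]]:
    """"JSON Array": the body is an array of events, or, with enclosing_field set,
    an object whose field holds that array. Azure logs arrive as {"records": [...]}."""
    obj = json.loads(body)
    if enclosing_field is not None:
        if not isinstance(obj, dict) or enclosing_field not in obj:
            raise ValueError(f"expected an object with a {enclosing_field!r} field")
        obj = obj[enclosing_field]
    if not isinstance(obj, list):
        raise ValueError("JSON Array stream type expects a JSON array")
    for event in obj:
        if not isinstance(event, dict):
            raise ValueError("every array element must be a JSON object")
        yield event


def sniff(body: str) -> str:
    """Assumed "Auto" heuristic (not Panther's actual logic). It cannot tell an
    enclosed array from a plain object, which is why Azure logs need an explicit choice."""
    if body.lstrip().startswith("["):
        return "JSON Array"
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return "Lines"
    return "JSON" if isinstance(parsed, dict) else "Lines"


def decode(body: str, stream_type: str = "Auto", enclosing_field: str | None = None) -> list[dict[str, Any]]:
    """Apply the chosen stream type and return the list of events."""
    if stream_type == "Auto":
        stream_type = sniff(body)
    if stream_type == "Lines":
        return list(decode_lines(body))
    if stream_type == "JSON":
        return list(decode_json(body))
    if stream_type == "JSON Array":
        return list(decode_json_array(body, enclosing_field))
    raise ValueError(f"unknown stream type {stream_type!r}")


# Constructed sample of an Azure Activity log batch as delivered to an Event Hub:
# one top-level object whose "records" array holds the individual events.
AZURE_ACTIVITY_BATCH = json.dumps({
    "records": [
        {"time": "2024-05-01T10:00:00Z", "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
         "category": "Administrative", "resultType": "Start"},
        {"time": "2024-05-01T10:00:02Z", "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
         "category": "Administrative", "resultType": "Success"},
    ]
})

# Constructed sample of newline-delimited application output mixing JSON and text.
APP_LINES = '{"level":"info","msg":"started"}\nplain text line\n\n{"level":"warn","msg":"slow"}\n'

if __name__ == "__main__":
    # Auto sees one JSON object and yields a single "event" wrapping the whole batch ...
    print(sniff(AZURE_ACTIVITY_BATCH), len(decode(AZURE_ACTIVITY_BATCH)))
    # ... whereas the documented setting unpacks the two records inside it.
    for event in decode(AZURE_ACTIVITY_BATCH, "JSON Array", enclosing_field="records"):
        print(event["time"], event["operationName"], event["resultType"])
    print(decode(APP_LINES, "Lines"))
```

Run with no arguments to see the difference between the auto-detected result (one wrapped event) and the documented "JSON Array" plus "records" setting (two Activity log events).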

Step 2: Add a shared access policy to your Event Hub

To allow Panther to access your Event Hub, create a shared access policy with the Listen permission.

  1. In a separate browser tab, log in to the Azure Portal, then navigate to Event Hubs.

  2. Select the Event Hub namespace in which your logs are hosted.

  3. On the Overview page, in the Event Hubs section, select the name of the Event Hub you want to onboard.

    [Screenshot: Event Hub namespace Overview page, with the "Event Hubs (3)" section highlighted]

  4. Under Settings, click Shared access policies.

  5. Click + Add to create a new policy.

  6. In the Add SAS Policy slide-out panel:

    1. In the Policy name field, provide a descriptive name (e.g., PantherListener).

    2. Click the Listen checkbox.

    3. Click Create.

  7. Click the name of the policy you just created.

  8. Copy the Primary connection string value and store it in a secure location, as you’ll need it in the next step.

Step 3: Finish Azure Event Hub source setup in Panther

  1. Return to your Event Hub source setup in the Panther Console.

  2. On the Configuration page, provide the following configuration values:

    • Connection String: Enter the Primary connection string value you copied in the previous step.

    • (Optional) Consumer Group: If you have configured a consumer group in your Event Hub, you can specify it here. Otherwise, the default consumer group, $Default, will be used.

      [Screenshot: Configuration page headed "Create a Connection string in your Azure Portal", with the Connection String and Consumer Group (Optional) fields]

  3. Click Setup. You will be directed to a success screen:

    [Screenshot: success screen reading "Everything looks good! Panther will now automatically pull & process logs from your account"]

  • You can optionally enable one or more Detection Packs.

  • If you have not done so already, click Attach or Infer Schemas to attach one or more schemas to the source.

  • The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

    [Screenshot: "Trigger an alert when no events are processed" set to YES, and the wait-before-alert setting set to 1 Day]
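
The Primary connection string copied in Step 2 is a long-lived credential, and the only permission the integration needs is Listen. The following added example (not Panther's or Azure's code) parses such a string, flags the two mistakes worth catching before it is pasted into Step 3 (using the namespace root policy instead of a Listen-only policy, or a namespace-wide string with no EntityPath), applies the $Default consumer group rule from Step 3, and produces a redacted copy for runbooks. The namespace, hub name and keys below are constructed, not real credentials; the field names are the ones Azure emits in its connection strings.

```python
"""Review an Event Hub connection string before handing it to a log pipeline.

Added example, not Panther's or Azure's own code. Sample strings are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Azure's built-in namespace-level policy; it carries Manage, Send and Listen.
ROOT_POLICY = "RootManageSharedAccessKey"


@dataclass(frozen=True)
class EventHubConnection:
    endpoint: str
    policy_name: str
    key: str
    entity_path: str | None  # present only when the policy was created on a hub


def parse_connection_string(conn: str) -> EventHubConnection:
    """Split 'Name=Value;...' into fields; the key value may itself end in '='."""
    fields: dict[str, str] = {}
    for segment in conn.strip().split(";"):
        if not segment:
            continue
        if "=" not in segment:
            raise ValueError(f"malformed segment {segment!r}")
        name, value = segment.split("=", 1)
        fields[name] = value
    missing = [f for f in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey") if f not in fields]
    if missing:
        raise ValueError(f"missing field(s): {', '.join(missing)}")
    return EventHubConnection(
        endpoint=fields["Endpoint"],
        policy_name=fields["SharedAccessKeyName"],
        key=fields["SharedAccessKey"],
        entity_path=fields.get("EntityPath"),
    )


def review(conn: EventHubConnection) -> list[str]:
    """Findings that should stop the string from being pasted into the source setup."""
    findings: list[str] = []
    if not conn.endpoint.startswith("sb://"):
        findings.append("Endpoint does not use the sb:// scheme")
    if conn.policy_name == ROOT_POLICY:
        findings.append("policy is the namespace root key; create a Listen-only policy on the hub instead")
    if conn.entity_path is None:
        findings.append("no EntityPath: the string is namespace-wide rather than scoped to one Event Hub")
    return findings


def redact(conn: EventHubConnection) -> str:
    """Rebuild the string with the key masked so it can be kept in a ticket."""
    masked = conn.key[:4] + "..." if len(conn.key) > 4 else "..."
    parts = [
        f"Endpoint={conn.endpoint}",
        f"SharedAccessKeyName={conn.policy_name}",
        f"SharedAccessKey={masked}",
    ]
    if conn.entity_path:
        parts.append(f"EntityPath={conn.entity_path}")
    return ";".join(parts)


def consumer_group(configured: str | None) -> str:
    """Step 3 rule: an empty Consumer Group field means Azure's $Default group."""
    return configured.strip() if configured and configured.strip() else "$Default"


# Constructed strings: fake namespace, hub and keys.
HUB_SCOPED = (
    "Endpoint=sb://example-ns.servicebus.windows.net/;"
    "SharedAccessKeyName=PantherListener;"
    "SharedAccessKey=ExampleKeyNotRealAAAAAAAAAAAAAAAAAAAAAAAAAAA=;"
    "EntityPath=panther-logs"
)
ROOT_SCOPED = (
    "Endpoint=sb://example-ns.servicebus.windows.net/;"
    "SharedAccessKeyName=RootManageSharedAccessKey;"
    "SharedAccessKey=ExampleRootKeyNotRealBBBBBBBBBBBBBBBBBBBBB="
)

if __name__ == "__main__":
    for raw in (HUB_SCOPED, ROOT_SCOPED):
        parsed = parse_connection_string(raw)
        print(redact(parsed))
        print("  findings:", review(parsed) or ["none"])
    print("consumer group:", consumer_group("  "))
```

The hub-scoped string created by Step 2 passes with no findings; the root-policy string produces two, because it both carries Manage rights and is not tied to a single hub.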

Viewing ingested logs

After your log source is configured, you can search ingested data using Search or Data Explorer.
