Event Hub Source (Beta)
Onboarding Azure Event Hub as a Data Transport log source in the Panther Console
Overview
Panther supports configuring an Azure Event Hub as a Data Transport to pull log data directly from your Event Hub namespace, allowing you to write detections and perform investigations on this processed data.
Data sent to Panther can be in various formats, including JSON or plain text.
How to set up an Azure Event Hub log source in Panther
Prerequisite
Before configuring Azure Event Hub in Panther, verify that the necessary Azure resource provider is registered for your subscription.
Log in to the Azure Portal and navigate to Subscriptions.
Select the subscription where your Event Hub resources are located.
Under the subscription settings, select Resource providers.
In the Filter by name field, search for Microsoft.EventHub.
Ensure that the Status column for Microsoft.EventHub shows Registered. If the status is instead NotRegistered, register it by following the Azure Register resource provider documentation.
Step 1: Configure Azure Event Hub in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
In the upper-right corner, click Create New.
Click the Custom Log Formats tile.
In the Azure Event Hub tile on the slide-out panel, click Start.
On the Basic Info page, fill in the following:
Name: Enter a descriptive name for your log source.
Log Types: Select one or more log types to associate with this log source.
Click Setup.
On the Log Format page, select the stream type of the incoming logs:
Auto: Panther detects the stream type from the data.
Lines: each line is one event.
JSON: each event is a JSON object.
JSON Array: events arrive as the elements of a JSON array.
The Azure Event Hub integration is in open beta starting with Panther version 1.112, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
Click Continue.
The Configuration page will load.
Step 2: Add a shared access policy to your Event Hub
To allow Panther to read from your Event Hub, create a shared access policy on the Event Hub itself that grants only the Listen permission. Scoping the policy to the individual Event Hub (rather than to the namespace) and omitting Send and Manage limits what the credential can do if it is ever exposed; do not reuse the namespace's RootManageSharedAccessKey for this purpose.
In a separate browser tab, log in to the Azure Portal, then navigate to Event Hubs.
Select the Event Hub namespace in which your logs are hosted.
On the Overview page, in the Event Hubs section, select the name of the Event Hub you want to onboard.
Under Settings, click Shared access policies.
Click + Add to create a new policy.
In the Add SAS Policy slide-out panel:
In the Policy name field, provide a descriptive name (e.g., PantherListener).
Select the Listen checkbox, leaving Send and Manage unchecked.
Click Create.
Click the name of the policy you just created.
Copy the Primary connection string value and store it in a secure location (for example, a secrets manager), as you will need it in the next step. The connection string embeds the policy's SAS key, so treat it as a secret: if it is ever exposed, regenerate the key on this policy in Azure, which invalidates the old connection string, and update the source in Panther.
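Before pasting the connection string into Panther in the next step, it is worth confirming that it is the entity-scoped, Listen-only credential that this step produces and not the namespace's RootManageSharedAccessKey. The Python below is an added example written for this page, not Panther's or Azure's code; the namespace, hub name, policy name and key are constructed, while the connection-string format and the SAS-token construction are the ones Azure Event Hubs uses. The token function illustrates why the string must be guarded: the key inside it is all that is needed to sign Listen tokens for the hub until you regenerate the key in Azure.

```python
"""Checks on an Azure Event Hub connection string before it is pasted into a log collector.

Added example for this page; not Panther's or Azure's code. The namespace, hub,
policy name and key below are constructed, but the connection-string format and
the SAS-token construction are the ones Azure Event Hubs uses.
"""
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import quote_plus, urlparse

# Namespace-level policy Azure creates with Manage, Send and Listen rights.
ROOT_POLICY = "RootManageSharedAccessKey"
REQUIRED_FIELDS = ("Endpoint", "SharedAccessKeyName", "SharedAccessKey")

# Constructed sample credentials (the key is not a real Azure key).
FAKE_KEY = base64.b64encode(b"fake key for documentation only").decode()
GOOD_CONN = (
    "Endpoint=sb://contoso-logs.servicebus.windows.net/;"
    "SharedAccessKeyName=PantherListener;"
    f"SharedAccessKey={FAKE_KEY};"
    "EntityPath=security-logs"
)
# Namespace-scoped string using the root policy: what you get by copying from the
# namespace's Shared access policies page instead of the Event Hub's.
BAD_CONN = (
    "Endpoint=sb://contoso-logs.servicebus.windows.net/;"
    f"SharedAccessKeyName={ROOT_POLICY};"
    f"SharedAccessKey={FAKE_KEY}"
)


def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict.

    Base64 keys can end in '=', so each segment is split on its first '=' only.
    """
    fields = {}
    for segment in conn.strip().strip(";").split(";"):
        if not segment:
            continue
        key, sep, value = segment.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed segment: {segment!r}")
        fields[key.strip()] = value.strip()
    return fields


def check_least_privilege(conn: str, expected_hub: str, expected_policy: str) -> list:
    """Return findings about the string's scope; an empty list means it matches Step 2."""
    fields = parse_connection_string(conn)
    findings = [f"missing {name}" for name in REQUIRED_FIELDS if name not in fields]
    if findings:
        return findings
    if not fields["Endpoint"].startswith("sb://"):
        findings.append("Endpoint is not an sb:// Service Bus URI")
    policy = fields["SharedAccessKeyName"]
    if policy == ROOT_POLICY:
        findings.append(f"uses the namespace {ROOT_POLICY} (Manage, Send and Listen)")
    elif policy != expected_policy:
        findings.append(f"policy is {policy!r}, expected {expected_policy!r}")
    if "EntityPath" not in fields:
        findings.append("no EntityPath: string is namespace-scoped, not scoped to one Event Hub")
    elif fields["EntityPath"] != expected_hub:
        findings.append(f"EntityPath is {fields['EntityPath']!r}, expected {expected_hub!r}")
    try:
        base64.b64decode(fields["SharedAccessKey"], validate=True)
    except (ValueError, TypeError):  # binascii.Error is a ValueError subclass
        findings.append("SharedAccessKey is not valid base64")
    return findings


def make_sas_token(conn: str, expiry: Optional[int] = None) -> str:
    """Mint the SharedAccessSignature token an Event Hubs client derives from the string.

    The signature is HMAC-SHA256 over the URL-encoded resource URI, a newline and
    the expiry, keyed with the SharedAccessKey taken as UTF-8 text. Whoever holds
    the connection string can do this until the key is regenerated.
    """
    fields = parse_connection_string(conn)
    host = urlparse(fields["Endpoint"]).netloc
    resource = f"https://{host}/{fields.get('EntityPath', '')}".rstrip("/")
    if expiry is None:
        expiry = int(time.time()) + 3600
    string_to_sign = f"{quote_plus(resource)}\n{expiry}"
    digest = hmac.new(fields["SharedAccessKey"].encode(), string_to_sign.encode(), hashlib.sha256).digest()
    signature = quote_plus(base64.b64encode(digest).decode())
    return (
        f"SharedAccessSignature sr={quote_plus(resource)}&sig={signature}"
        f"&se={expiry}&skn={fields['SharedAccessKeyName']}"
    )


if __name__ == "__main__":
    for label, conn in (("entity-scoped Listen policy", GOOD_CONN), ("namespace root key", BAD_CONN)):
        findings = check_least_privilege(conn, "security-logs", "PantherListener")
        print(f"{label}: {'OK' if not findings else findings}")
    print(make_sas_token(GOOD_CONN, expiry=1_900_000_000))
```

Run it against the string you actually copied (replacing the constructed values): an empty findings list means the policy name and EntityPath match the Event Hub you onboarded, while a namespace-scoped or root-key string is flagged before it ever leaves your machine.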
Step 3: Finish Azure Event Hub source setup in Panther
Return to your Event Hub source setup in the Panther Console.
On the Configuration page, provide the following configuration values:
Connection String: Enter the Primary connection string value you copied in the previous step.
(Optional) Consumer Group: If you have created a consumer group in your Event Hub for Panther, specify it here; otherwise the default consumer group, $Default, is used. Azure recommends one consumer group per consuming application, since each consumer group gets its own independent view of the stream, so a dedicated group keeps Panther's reads independent of any other applications reading from the same Event Hub.
Click Setup. You will be directed to a success screen.
You can optionally enable one or more Detection Packs.
If you have not done so already, click Attach or Infer Schemas to attach one or more schemas to the source.
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving it enabled so that you are alerted if data stops flowing from the log source for longer than the configured period. The timeframe is configurable and defaults to 24 hours.
Viewing ingested logs
After your log source is configured, you can search ingested data using Search or Data Explorer.