Dokumen ini menunjukkan cara menyiapkan Azure Event Hub untuk mengirim data keamanan
ke Google Security Operations. Anda dapat membuat hingga 10 feed Azure Event Hub, yang mencakup feed aktif dan tidak aktif.
Untuk menyiapkan feed Azure, selesaikan proses berikut:
Buat hub peristiwa di Azure: siapkan infrastruktur yang diperlukan di lingkungan Azure Anda untuk menerima dan menyimpan aliran data keamanan.
Untuk memastikan penyerapan data yang optimal, deploy namespace Event Hub di region yang sama dengan instance Google SecOps Anda. Men-deploy hub peristiwa di
region yang berbeda dapat mengurangi throughput yang diserap ke Google SecOps.
Tetapkan jumlah partisi ke 40 untuk penskalaan yang optimal.
Untuk membantu mencegah kehilangan data karena batas kuota Google SecOps, tetapkan
waktu retensi yang lama untuk hub peristiwa Anda. Hal ini memastikan bahwa log tidak
dihapus sebelum penyerapan dilanjutkan setelah pembatasan kuota. Untuk mengetahui informasi selengkapnya
tentang retensi peristiwa dan batasan waktu retensi, lihat Retensi peristiwa.
Untuk tingkat dasar dan standar, satu unit throughput (TU) di Azure Event Hub mendukung penyerapan data hingga 1 MB per detik. Jika volume peristiwa masuk melebihi
kapasitas TU yang dikonfigurasi, kehilangan data dapat terjadi. Misalnya, jika Anda mengonfigurasi 5 TU, kecepatan penyerapan maksimum yang didukung adalah 5 MB per detik. Jika peristiwa dikirim pada kecepatan 20 MB per detik, Event Hub dapat mengalami error. Akibatnya, log dapat hilang di tingkat Event Hub sebelum mencapai Google SecOps.
Dapatkan string koneksi hub peristiwa yang diperlukan agar
Google SecOps dapat menyerap data dari hub peristiwa Azure. String koneksi ini memberi otorisasi kepada Google SecOps untuk mengakses dan mengumpulkan data keamanan dari hub peristiwa Anda. Anda memiliki dua opsi untuk menyediakan string koneksi:
Tingkat namespace hub peristiwa: berfungsi untuk semua hub peristiwa dalam namespace. Opsi ini lebih sederhana jika Anda menggunakan beberapa
hub peristiwa dan ingin menggunakan string koneksi yang sama untuk semuanya dalam
penyiapan feed.
Tingkat hub peristiwa: berlaku untuk satu hub peristiwa.
Opsi ini aman jika Anda hanya perlu memberikan akses ke satu hub peristiwa.
Pastikan Anda menghapus EntityPath dari akhir string koneksi.
Misalnya, ubah Endpoint=<ENDPOINT>;SharedAccessKeyName=<KEY_NAME>;SharedAccessKey=<KEY>;EntityPath=<EVENT_HUB_NAME>
menjadi Endpoint=<ENDPOINT>;SharedAccessKeyName=<KEY_NAME>;SharedAccessKey=<KEY>.
Pengguna Microsoft Defender: Saat mengonfigurasi streaming Microsoft Defender, pastikan Anda memasukkan nama hub peristiwa yang ada. Jika Anda mengosongkan kolom ini, sistem dapat membuat hub peristiwa yang tidak perlu dan menggunakan kuota feed Anda yang terbatas.
Agar tetap teratur, gunakan nama hub peristiwa yang cocok dengan jenis log.
Mengonfigurasi feed Azure
Untuk mengonfigurasi feed Azure di Google SecOps, lakukan hal berikut:
Di menu Google SecOps, pilih SIEM Settings, lalu
klik Feeds.
Klik Tambahkan baru.
Di kolom Nama feed, masukkan nama untuk feed.
Dalam daftar Source type, pilih Microsoft Azure Event Hub.
Pilih Jenis log. Misalnya, untuk membuat feed untuk Open Cybersecurity Schema Framework, pilih Open Cybersecurity Schema Framework (OCSF) sebagai Jenis log.
Klik Berikutnya. Jendela Tambahkan feed akan muncul.
Ambil informasi dari hub peristiwa yang Anda buat sebelumnya di portal Azure untuk mengisi kolom berikut:
Nama Event hub: nama Event hub
Grup konsumen hub peristiwa: grup konsumen yang terkait dengan
hub peristiwa Anda
Label penyerapan: Opsional. Label yang akan diterapkan ke peristiwa dari feed ini
Klik Berikutnya. Layar Selesaikan akan muncul.
Tinjau konfigurasi feed Anda, lalu klik Kirim.
Memverifikasi alur data
Untuk memverifikasi bahwa data Anda masuk ke Google SecOps dan hub
peristiwa Anda berfungsi dengan benar, Anda dapat melakukan pemeriksaan berikut:
Di Google SecOps, periksa dasbor dan gunakan penelusuran Pemindaian Log Mentah atau Model Data Terpadu (UDM) untuk memverifikasi bahwa data yang di-ingest ada dalam format yang benar.
Di portal Azure, buka halaman hub peristiwa Anda dan periksa
grafik yang menampilkan byte masuk dan keluar. Pastikan kecepatan masuk dan keluar kira-kira sama, yang menunjukkan bahwa pesan sedang diproses dan tidak ada backlog.
[[["Mudah dipahami","easyToUnderstand","thumb-up"],["Memecahkan masalah saya","solvedMyProblem","thumb-up"],["Lainnya","otherUp","thumb-up"]],[["Sulit dipahami","hardToUnderstand","thumb-down"],["Informasi atau kode contoh salah","incorrectInformationOrSampleCode","thumb-down"],["Informasi/contoh yang saya butuhkan tidak ada","missingTheInformationSamplesINeed","thumb-down"],["Masalah terjemahan","translationIssue","thumb-down"],["Lainnya","otherDown","thumb-down"]],["Terakhir diperbarui pada 2025-09-04 UTC."],[[["\u003cp\u003eThis guide explains how to set up an Azure Event Hub feed to ingest security data into Google Security Operations, allowing for a maximum of 10 feeds.\u003c/p\u003e\n"],["\u003cp\u003eCreating an Azure Event Hub involves setting up an event hub with a partition count of 32, configuring a long retention time to prevent data loss, and optionally enabling auto inflate for standard tier event hubs.\u003c/p\u003e\n"],["\u003cp\u003eConfiguring the feed in Google SecOps requires providing the event hub name, consumer group, event hub connection string, Azure storage details, and SAS token.\u003c/p\u003e\n"],["\u003cp\u003eIt is necessary to obtain both event hub and Azure blob storage connection strings, alongside a SAS token, to ensure Google SecOps can access and ingest data from the event hub correctly.\u003c/p\u003e\n"],["\u003cp\u003eVerification of the data flow can be done by checking dashboards and search functionality in Google SecOps, as well as monitoring incoming and outgoing bytes in the Azure portal for the event hub.\u003c/p\u003e\n"]]],[],null,["# Create an Azure Event Hub feed\n==============================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n\nThis document shows you how to set up an Azure Event Hub to send security data\nto Google Security Operations. You can create up to 10 Azure Event Hub feeds, which\nincludes both active and inactive feeds.\n| **Note:** Azure feeds collect data continuously. As a result, Google SecOps does not populate the **LAST SUCCEEDED ON** column for these feeds.\nTo set up an Azure feed, complete the following processes:\n\n\u003cbr /\u003e\n\n1. **[Create an event hub in Azure](#create-azure-event-hub):** set up the\n required infrastructure in your Azure environment to receive and store the\n security data stream.\n\n2. **[Configure the feed in Google SecOps](#configure-azure-feed):**\n configure the feed in Google SecOps to connect to your Azure\n event hub and to begin ingesting data.\n\n### Create an Azure Event Hub\n\nTo create an event hub in Azure, do the following:\n\n1. Create an [event hub namespace and event hub](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-create).\n\n - To ensure optimal data ingestion, deploy the Event Hub namespace in the same region\n as your Google SecOps instance. Deploying the event hub in a\n different region can reduce the throughput ingested into Google SecOps.\n\n - Set the partition count to 40 for optimal scaling.\n\n | **Note:** You can't change the partition count later in the standard and basic tiers. Partition count does not affect cost.\n\n \u003cbr /\u003e\n\n - To help prevent data loss due to Google SecOps quota limits, set a\n long retention time for your event hub. This ensures that logs aren't\n deleted before ingestion resumes after a quota throttle. For more information\n about event retention and retention time limitations, see [Event retention](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-features#event-retention).\n\n - For standard tier event hubs, enable **Auto inflate** to automatically scale\n throughput as needed. See [Automatically scale up Azure Event Hubs throughput units](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-auto-inflate) for more information.\n\n - For basic and standard tiers, one throughput unit (TU) in Azure Event Hub supports\n up to 1 MB per second of data ingestion. If the incoming event volume exceeds\n the capacity of the configured TUs, data loss may occur. For example, if you\n configure 5 TUs, the maximum supported ingestion rate is 5 MB per second. If\n events are sent at 20 MB per second, the Event Hub may crash. As a result, logs may\n be lost at the Event Hub level before they reach Google SecOps.\n\n2. [Obtain the event hub connection string](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string#azure-portal) required for\n Google SecOps to ingest data from the Azure event hub. This\n connection string authorizes Google SecOps to access and collect\n security data from your event hub. You have two options for providing a\n connection string:\n\n - **Event hub namespace level**: works for all event\n hubs within the namespace. It's a simpler option if you're using multiple\n event hubs and want to use the same connection string for all of them in\n your feed setup.\n\n - **Event hub level** : applies to a single event hub.\n This is a secure option if you need to grant access to only one event hub.\n Ensure that you remove `EntityPath` from the end of the connection string.\n\n For example, change `Endpoint=\u003cENDPOINT\u003e;SharedAccessKeyName=\u003cKEY_NAME\u003e;SharedAccessKey=\u003cKEY\u003e;EntityPath=\u003cEVENT_HUB_NAME\u003e`\n to `Endpoint=\u003cENDPOINT\u003e;SharedAccessKeyName=\u003cKEY_NAME\u003e;SharedAccessKey=\u003cKEY\u003e`.\n3. Configure your applications, such as [Web Application Firewall](https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-monitor) or [Microsoft Defender](https://learn.microsoft.com/en-us/defender),\n to send their logs to the event hub.\n\n **Microsoft Defender users:** When configuring Microsoft Defender streaming,\n ensure that you enter your existing event hub name. If you leave this field blank, the\n system might create unnecessary event hubs and consume your limited feed quota.\n To keep things organized, use event hub names that match the log type.\n\n### Configure the Azure feed\n\nTo configure the Azure feed in Google SecOps, do the following:\n\n1. In the Google SecOps menu, select **SIEM Settings** , and then\n click **Feeds**.\n\n2. Click **Add new**.\n\n3. In the **Feed name** field, enter a name for the feed.\n\n4. In the **Source type** list, select **Microsoft Azure Event Hub**.\n\n5. Select the **Log type** . For example, to create a feed for Open Cybersecurity\n Schema Framework, select **Open Cybersecurity Schema Framework (OCSF)** as the\n **Log type**.\n\n6. Click **Next** . The **Add feed** window appears.\n\n7. Retrieve the information from the event hub that you created earlier in the\n Azure portal to fill in the following fields:\n\n - **Event hub name**: the event hub name\n - **Event hub consumer group**: the consumer group associated with your\n event hub\n\n | **Caution:** Don't create subscribers or retrieve data programmatically through the Data Explorer tab in the Azure portal for the consumer group. Doing so may result in data loss.\n - **Event hub connection string**: the event hub connection string\n\n - **Azure storage connection string**: Optional. The blob storage connection string\n\n - **Azure storage container name**: Optional. The blob storage container name\n\n - **Azure SAS token**: Optional. The SAS token\n\n - **Asset namespace** : Optional. The [asset namespace](/chronicle/docs/investigation/asset-namespaces)\n\n - **Ingestion labels**: Optional. The label to be applied to the events from this feed\n\n | **Note:** Google SecOps manages its own checkpointing when ingesting data from Azure Event Hub. Only the event hub connection string is required. The other optional fields don't affect the checkpointing.\n8. Click **Next** . The **Finalize** screen appears.\n\n9. Review your feed configuration, and then click **Submit**.\n\n### Verify data flow\n\nTo verify that your data is flowing into Google SecOps and your\nevent hub is functioning correctly, you can perform these checks:\n\n- In Google SecOps, examine the dashboards and use the Raw Log Scan\n or Unified Data Model (UDM) search to verify that the ingested data\n is present in the correct format.\n\n- In the Azure portal, navigate to your event hub's page and inspect the\n graphs that display incoming and outgoing bytes. Ensure that the incoming and\n outgoing rates are roughly equivalent, indicating that messages are being\n processed and there is no backlog.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]