Connecting to Azure Event Hubs
To stream data to IBM Security Guardium® Insights, you must first connect to your data sources. Learn how to connect to Azure.
Before you begin
Ensure that Guardium Insights supports the data source environment that you will connect to.
- Cloud database service protection for Azure event hubs works with Microsoft Azure SQL Database, Azure SQL Managed Instance, and Microsoft Azure Cosmos DB.
- To use cloud database service protection with Azure, you need to be able to create Consumer Groups, which requires the Azure Standard Pricing Tier. You cannot use the $Default Consumer Group.
- Make sure that the ssh, 5671, and 5672 ports are open.
- Use SQL Server Management Studio (SSMS) to set up a and enable a Server Audit Specification that sends SQL Security Audit Events to the Event Hub.
- From your managed database, set up and enable the Database Audit Specification.
- On the Azure Managed Instance page, browse to Monitoring >Diagnostic Settings > Logs > Categories, and then select SQL Security Audit Event.
Gathering Microsoft Azure information
Before you can define a Guardium cloud database service account for Azure, you need to set up your Azure account or gather information about your existing account.
- Namespace: The Event Hubs namespace.
- Event Hub Name: Created from within the Event Hubs namespace.
- Shared access policy name and key: From the Event
Hubs Namespace. To create a shared access policy, select Event Hubs Name >
Shared Access Policy > your policy name to generate a shared access key.
Note: Do not use the shared access policy in the Event Hub.
Select Manage, Send, and Listen options for the Policy Name.
- Consumer Group Name: From the Event Hubs Instance page for the selected
Event Hub. From Entities, select or create a Consumer Group.Notes:
If you use the same Consumer Group for multiple collectors, traffic is split between the collectors. If you create a Consumer Group for each collector, each collector gets its own copy of the traffic.
You cannot use the $Default Consumer Group.
- Storage Connection String: Create a storage account (from the
) and then from Storage accounts, select Shared access signature
to generate a shared access signature and connection string. The Storage account contains
checkpoints for consumer progress in the Event Hubs partition. For
example:
BlobEndpoint=https://mystoragename.blob.core.windows.net/;QueueEndpoint=https://mystoragename.queue.core.windows.net/;FileEndpoint=https://mystoragename.file.core.windows.net/;TableEndpoint=https://mystoragename.table.core.windows.net/;SharedAccessSignature=sv=2019-12-12&ss=bfqt&srt=sco&sp=rwdlacupx&se=2025-09-16T00:54:06Z&st=2020-09-15T16:54:06Z&spr=https&sig=q%2FTuyiJqkNgfgdfgdfgdfgzaNj3V7Y0cr2EbLqol6Hg%3D
Note: On the Shared access signature pane, change the expiry end date to meet your requirements. - Cluster resource Id: To find the cluster (or database) resource string:
- For AzureSQL - From the Azure dashboard, browse to .
- For any Cosmos data source - The resource ID is the part of the URL that starts with
/subscriptions and ends with the data source name. You can
copy the resource ID from the URL, for example, if the URL for Microsoft Azure
is:
https://portal.azure.com/#@company.onmicrosoft.com/resource/subscriptions/8333367e-1234-467d-b3fc-5b78c5721df0/resourceGroups/rg1/providers/Microsoft.DocumentDb/databaseAccounts/ibmcosmostable1/overview
Then the Cosmos resource ID is:
/subscriptions/8333367e-1234-467d-b3fc-5b78c5721df0/resourceGroups/rg1/providers/Microsoft.DocumentDb/databaseAccounts/ibmcosmostable1
After you create your account and have the necessary information, you can define the cloud DB service accounts that you need.
Tips and Tricks
- Before you start, create standard naming conventions to prevent later confusion. Consider
including the name of the Event Hub and the name of the database that you are monitoring for each
related element. For example, if the database name is
use1-db5
, use the following naming conventions:- Namespace:
use1-ehn1
- Shared Access:
use1-ehn1-sa1
- Event Hub:
use1-db5-ehn1-eh3
- Consumer Group:
use1-db5-ehn1-eh3-cg
- Namespace:
- From the Guardium collector, make sure that outbound ports 443, 5671, and 5672 are available for the connections between the collector and Azure Event Hub.
- When you create a namespace, consider selecting Enable Auto-Inflate.
- Cosmos databases do not use usernames. Therefore, usernames are never returned from Cosmos.
If you are connecting to data sources for the first time, Guardium Insights guides you through your first connections as part of the getting started experience. To add more data sources (or work with data sources that are already defined), click Connections in the Settings menu ().
Procedure
What to do next
After you add a data source, it is scanned almost immediately. You can use these actions to work with connections:
- To delete a connection, select its checkbox, and click Remove in the banner that opens. You can select multiple connections and remove them with this button.
- To edit a connection, select its Connection name link in the table. This opens a panel that allows you to Enable or Disable the connection. In addition, you can see the status of the connection and edit its configurations.
- To export a CSV list of the connections in the table, click Export CSV. This will export a list of only the connections that are currently in the table - it will not include any that have been filtered out.
- To refresh the list of connections, click Refresh.
When viewing the list of Amazon Web Services and Azure connections, you can click on the account entry in the Account column. This opens a panel that allows you to modify the account settings. You can also use this panel to delete the account. If you delete the account, all streams that have been added for the account are also deleted.