SOLVED

Send Event to Events Hub


Does Azure ATP allow you to send events to Events Hub (https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about)?


I'm not very familiar with Events Hub, but know we are collecting events from there, so if we start sending Azure ATP data there, we can just scoop it right up with minimal change in processes.

7 Replies

@archedmeerkat 


@Enrique Saggese: Is this something you can speak to? 


@archedmeerkat 

Hi

No, you can send events to event hub then to Azure ATP. AATP collects its data from the sensor. You have to install the sensor on your domain controllers in Active Directory.


I understand we need the sensors to get the data into AATP, I was referring to Suspicious Activity and Health alerts being sent to Events Hub, rather than using a sensor to syslog the events to our SIEM. Just seems like a little cleaner solution for our environment, if available.

Best Response confirmed by archedmeerkat (Occasional Contributor)
Solution

@archedmeerkat 

For alerts outbound, today we support the syslog model only.  We have a public preview coming soon that will move AATP to a new portal.  When moving to that portal, the event hubs model will work.
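The "syslog model" in the accepted answer means the SIEM receives each Azure ATP alert as a syslog line carrying a CEF payload. The following parser is an added example written for this page, not code from Microsoft or from anyone in the thread: it turns such a line into a flat record that a SIEM pipeline (or a small relay that republishes to Event Hubs, a step left out here because it would need the Azure SDK) can consume. The sample line, its field values and the `ExampleSuspiciousActivity` signature are constructed for illustration in the general CEF shape of the integration, not a captured alert.

```python
import json
import re
from typing import Any, Dict, List, Tuple

# Constructed sample line (hypothetical values), in the syslog + CEF shape that the
# Azure ATP SIEM integration produces. Note the escaped '=' inside the suser value.
SAMPLE_SYSLOG = (
    "<6>Jun 10 12:00:01 aatp-sensor01 CEF:0|Microsoft|Azure ATP|2.0.0.0|"
    "ExampleSuspiciousActivity|Suspicious activity (example)|5|"
    "start=1560168001000 app=Kerberos suser=alice\\=admin "
    "shost=WS-1 msg=Example alert text with spaces externalId=2001 "
    "cs1Label=url cs1=https://contoso.example/alerts/1234"
)

# The seven pipe-delimited CEF header fields, in order.
_HEADER = ("version", "device_vendor", "device_product", "device_version",
           "signature_id", "name", "severity")

# An extension key starts the string or follows whitespace and ends in '='.
# Per CEF, a literal '=' inside a value must be escaped as '\=', so this
# does not fire inside properly escaped values.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _split_header(cef: str) -> Tuple[List[str], str]:
    """Split the 7 header fields on unescaped '|'; '\\|' and '\\\\' are escapes.

    Returns (fields, remainder) where remainder is the extension string.
    """
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):   # escaped '|' or '\' inside a field
            buf.append(cef[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("CEF header must contain 7 pipe-delimited fields")
    return fields, cef[i:]


def _unescape_ext(value: str) -> str:
    """Undo CEF extension escapes: '\\=', '\\\\', '\\n', '\\r'."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'key=value key=value with spaces' into a dict."""
    out: Dict[str, str] = {}
    keys = list(_EXT_KEY.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return out


def parse_cef_syslog(line: str) -> Dict[str, Any]:
    """Parse one syslog line carrying a CEF payload into a flat record."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in syslog line")
    fields, ext = _split_header(line[start:])
    record: Dict[str, Any] = dict(zip(_HEADER, fields))
    record["version"] = record["version"].split(":", 1)[1]   # "CEF:0" -> "0"
    record["severity"] = int(record["severity"])
    record["syslog_prefix"] = line[:start].strip()           # PRI, timestamp, host
    record["extension"] = _parse_extension(ext)
    return record


def to_event_body(record: Dict[str, Any]) -> bytes:
    """Serialize a parsed record to the UTF-8 JSON body a relay would publish."""
    return json.dumps(record, sort_keys=True).encode("utf-8")


if __name__ == "__main__":
    print(to_event_body(parse_cef_syslog(SAMPLE_SYSLOG)).decode())
```

The header splitter and the extension parser handle escapes separately because CEF escapes differ between the two parts: only `|` and `\` are escaped in the header, while `=` and `\` (plus `\n`, `\r`) are escaped in the extension. A parser that simply splits on `|` and spaces will silently corrupt alert text that contains either character.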


@Nicholas DiCola (SECURITY JEDI) Hello, I'm also looking at configuration options to forward ATP alerts to EventHub. Is the "ATP to a new portal" online now? If there are any documentation links you can provide that would be great.

Thanks!

@Bryan Bishop 

There is no way to send Azure ATP alerts to event hubs.


@Nicholas DiCola (SECURITY JEDI) Thanks for the reply.

I thought I read there is a way to get ATP events to Eventhub, maybe via Azure Sentinel?