    Azure Event Hub
    • 06 Jun 2025

    Overview

    This Adapter allows you to connect to an Azure Event Hub to fetch structured data stored there.

    Azure Event Hubs are fully managed, real-time data ingestion services that allow for event streaming from various Microsoft Azure services. LimaCharlie can ingest either structured known data (such as JSON or XML) or known Microsoft data types, including:

    • Azure Monitor (Platform: azure_monitor)

    • Entra ID [formerly Azure AD] (Platform: azure_ad)

    • Microsoft Defender (Platform: msdefender)

    Documentation for creating an event hub can be found here.

    Deployment Configurations

    All adapters support the same client_options, which you should always specify if using the binary adapter or creating a webhook adapter. If you use any of the Adapter helpers in the web app, you will not need to specify these values.

    • client_options.identity.oid: the LimaCharlie Organization ID (OID) this adapter is used with.
    • client_options.identity.installation_key: the LimaCharlie Installation Key this adapter should use to identify with LimaCharlie.
    • client_options.platform: the type of data ingested through this adapter, like text, json, gcp, carbon_black, etc.
    • client_options.sensor_seed_key: an arbitrary name for this adapter which Sensor IDs (SID) are generated from, see below.

    Adapter-specific Options

    • If using a binary Adapter, azure_event_hub will be the ingestion type.

    • connection_string - The connection string provided in Azure for connecting to the Azure Event Hub, including the EntityPath=... at the end, which identifies the Hub Name (this component is sometimes not shown in the connection string provided by Azure).
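
A pre-flight check for the connection_string requirement above, as an added example that is not part of the LimaCharlie documentation or the lc_adapter tool. It confirms that EntityPath is present and flags the namespace-wide RootManageSharedAccessKey policy, which carries Manage and Send rights in addition to the Listen right needed to read from a hub. The function name, exit codes and sample values are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for an Event Hub connection string.
# Exit status (convention chosen for this example):
#   0 usable as-is
#   1 no Endpoint=sb://... component
#   2 EntityPath missing (namespace-level string; the hub name must be appended)
#   3 usable, but authenticates with the namespace-wide RootManageSharedAccessKey
check_eh_connection_string() (
    rest=$1
    endpoint='' keyname='' entity=''
    while [ -n "$rest" ]; do
        pair=${rest%%";"*}                  # text up to the next ';'
        case $rest in
            *";"*) rest=${rest#*";"} ;;     # drop the pair just read
            *)     rest='' ;;
        esac
        name=${pair%%=*}
        value=${pair#*=}                    # keeps '=' padding inside the key
        case $name in
            Endpoint)            endpoint=$value ;;
            SharedAccessKeyName) keyname=$value ;;
            EntityPath)          entity=$value ;;
        esac
    done
    case $endpoint in
        sb://?*) ;;
        *) echo "no Endpoint=sb://... component" >&2; exit 1 ;;
    esac
    if [ -z "$entity" ]; then
        echo "EntityPath missing: append ;EntityPath=<hub name>" >&2; exit 2
    fi
    if [ "$keyname" = "RootManageSharedAccessKey" ]; then
        echo "namespace root policy in use; a Listen-only policy is enough to read" >&2
        exit 3
    fi
    exit 0
)

# Constructed sample values (not real credentials).
NS_ONLY='Endpoint=sb://example-ns.servicebus.windows.net/;SharedAccessKeyName=lc-listen;SharedAccessKey=AAAAexampleAAAA='
check_eh_connection_string "$NS_ONLY" || echo "status $?"
check_eh_connection_string "$NS_ONLY;EntityPath=lc-stream" && echo "ok"
```

Run the check before starting lc_adapter or committing an Infrastructure as Code file, and treat status 3 as a prompt to create a hub-scoped policy with only the Listen claim.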

    Guided Deployment

    Azure Event Hub data can be pulled via either a cloud or binary Adapter.

    Cloud-to-Cloud

    LimaCharlie offers several helpers within the webapp that allow you to ingest Microsoft data, such as Entra ID or Microsoft Defender, from Azure Event Hubs.

    CLI Deployment

    The following example configures a binary Adapter to collect Microsoft Defender data from an Azure Event Hub:

    ./lc_adapter azure_event_hub client_options.identity.installation_key=<INSTALLATION_KEY> \
    client_options.identity.oid=<OID> \
    client_options.platform=msdefender \
    client_options.sensor_seed_key=<SENSOR_SEED_KEY> \
    client_options.hostname=<HOSTNAME> \
    "connection_string=Endpoint=sb://mynamespace.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=fnaaaaaaaaaaaaaaak0g54alYbbbbbbbbbbbbbbbALQ=;EntityPath=lc-stream"

    Infrastructure as Code Deployment

    # Azure Event Hub Specific Docs: https://docs.limacharlie.io/docs/adapter-types-azure-event-hub
    
    azure_event_hub:
      # (required) The connection string provided in Azure for connecting to the Azure Event Hub.
      # It must include EntityPath (the Event Hub name), e.g.,
      # Endpoint=sb://your-namespace.servicebus.windows.net/;SharedAccessKeyName=YourKeyName;SharedAccessKey=YourKeyValue;EntityPath=your-eventhub-name
      connection_string: "Endpoint=sb://your-eventhub-namespace.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=YOUR_EVENT_HUB_SHARED_ACCESS_KEY_HERE;EntityPath=your-actual-event-hub-name"
      client_options:
        identity:
          oid: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" # (required) Organization ID from LimaCharlie.
          installation_key: "YOUR_LC_INSTALLATION_KEY_AZUREEH" # (required) Installation key associated with the OID.
        # Option 1: Static hostname for this sensor
        hostname: "azure-eventhub-adapter-prod-01.example.com" # (required if not using sensor_hostname_path) A unique, static hostname for this sensor instance.
        # Option 2: Dynamic hostname (see client_options.mapping.sensor_hostname_path below)
        platform: "json" # (required) The type of data ingested through this adapter, e.g. json, azure_monitor, azure_ad or msdefender.
        architecture: null # (optional) Not typically applicable for SaaS API integrations.
        mapping:
          # Event Hub messages can be any format (JSON, string, Avro, etc.).
          # If messages are JSON strings within the EventData body, they might need parsing using a transform.
          # If messages are already well-structured JSON objects, parsing_re is null.
          parsing_re: null
          # (optional) Path to uniquely ID the original event. This could be from EventData properties or within the event body.
          sensor_key_path: "systemProperties.message-id" # Example using a system property if available and unique.
          # (optional) If client_options.hostname is NOT set, use this to dynamically extract hostname from event (less common for Event Hub).
          sensor_hostname_path: null
          # (optional) Example: "AZURE_EH_SECURITY_LOGS", "AZURE_EH_APPLICATION_METRICS" based on custom properties or body content.
          event_type_path: "AZURE_EH_{{ .properties.sourceApplication | token | upper | default \"GENERIC\" }}_{{ .properties.customEventType | token | upper }}" # Assuming custom properties 'sourceApplication' and 'customEventType'.
          # (optional) JSON path to the field representing the event's occurrence time. Event Hub's 'enqueuedTimeUtc' is a system property.
          event_time_path: "systemProperties.x-opt-enqueued-time" # Or a timestamp within the message body.
          # (optional) JSON path for a field to populate LimaCharlie's investigation_id.
          investigation_id_path: "properties.correlationId" # If a correlation ID is set as a custom property.
          # (optional) Use +/- syntax for transforms.
          transform:
            "+data_source_platform": "AzureEventHub"
            "+event_hub_partition_key": "{{ .systemProperties.x-opt-partition-key }}"
            # Example: If the body is a JSON string, attempt to parse it into a structured field.
            # Note: 'try_json' is a hypothetical function; actual function may vary or require more steps.
            "+event_payload": "{{ .body | try_json }}"
            "-systemProperties.x-opt-sequence-number": null # Remove if sequence number isn't needed for telemetry.
          # (optional) A list of field paths to drop from the event.
          drop_fields:
          - "systemProperties.x-opt-offset"
          - "properties.internalRoutingHint"
          sid_replication_path: null # (optional) Not typically relevant for generic Event Hub messages.
        # mappings: null # Deprecated or less common for field manipulation than client_options.mapping.transform
        indexing:
          enabled: true
          # Example: index by a custom property like source application, if available
          default_index: "azure-eh-{{ .properties.sourceApplication | lower | default \"data\" }}-{{ .identity.oid | substr 0 8 }}"
        is_compressed: false # (optional) The adapter receives raw bytes; message body itself could be compressed, requiring transform logic if not automatically handled.
        sensor_seed_key: "SEED_KEY_AZUREEH_ADAPTER_001" # (required) A unique key for this sensor to register with LimaCharlie.
        dest_url: "https://input.limacharlie.io" # (optional) The destination URL. Usually defaults correctly.