Question

Encountering an error when attempting to create multiple data feeds in Google SecOps SIEM from a single Azure Event Hub

  • December 2, 2025
  • 0 replies
  • 22 views

nanajkar
Staff

We are encountering an error when attempting to create multiple data feeds in Google SecOps SIEM from a single Azure Event Hub.

The error message "Combination is not unique" suggests that the system is not allowing multiple feeds with the same configuration details.

We have configured an Event Hub with multiple log sources (Azure Activity, Defender logs).

Questions:

[1] Whether we need to create separate Event Hubs for each data feed, or whether there is a way to differentiate the data streams within the same Event Hub for ingestion into SecOps SIEM, referencing the documentation at:

https://cloud.google.com.mcas.ms/chronicle/docs/administration/create-azure-feed
https://cloud.google.com/chronicle/docs/administration/create-azure-feed#create-azure-event-hub

Based on our understanding, we should be able to use the same Azure Event Hub to ingest different data feeds into Google SecOps. This is achieved by utilizing **consumer groups** to manage separate data streams; each consumer group functions as an independent "view" of the event stream, ensuring every application receives its own copy of all events.

https://www.serverlessnotes.com/docs/azure-event-hubs-use-consumer-groups-to-support-multiple-subscribers#:~:text=When%20an%20Azure%20Event%20Hub,group%20from%20the%20Azure%20Portal.