Merge pull request #89031 from spelluru/ehubsiem0918

Supportability issue - SIEM tool

Author: PRMerger12

articles/event-hubs/event-hubs-metrics-azure-monitor.md

@@ -14,7 +14,7 @@ ms.topic: article
 ms.tgt_pltfrm: na
 ms.workload: na
 ms.custom: seodec18
-ms.date: 12/06/2018
+ms.date: 09/18/2019
 ms.author: shvija
 
 ---
@@ -30,6 +30,7 @@ Azure Monitor provides multiple ways to access metrics. You can either access me
 
 Metrics are enabled by default, and you can access the most recent 30 days of data. If you need to retain data for a longer period of time, you can archive metrics data to an Azure Storage account. This is configured in [diagnostic settings](../azure-monitor/platform/diagnostic-settings.md) in Azure Monitor.
 
+
 ## Access metrics in the portal
 
 You can monitor metrics over time in the [Azure portal](https://portal.azure.com). The following example shows how to view successful requests and incoming requests at the account level:
@@ -106,6 +107,17 @@ Azure Event Hubs supports the following dimensions for metrics in Azure Monitor.
 | ------------------- | ----------------- |
 |EntityName| Event Hubs supports the event hub entities under the namespace.|
 
+## Azure Monitor integration with SIEM tools
+Routing your monitoring data to an event hub with Azure Monitor enables you to easily integrate with partner Security information and event management (SIEM) and monitoring tools. For more information, see the following articles/blog posts:
+
+- [Stream Azure monitoring data to an event hub for consumption by an external tool](../azure-monitor/platform/stream-monitoring-data-event-hubs.md)
+- [Introduction to Azure Log Integration](../security/fundamentals/azure-log-integration-overview.md)
+- [Use Azure Monitor to integrate with SIEM tools](https://azure.microsoft.com/en-us/blog/use-azure-monitor-to-integrate-with-siem-tools/)
+
+When you run into monitoring issues that are related to Event Hubs metrics and an external (SIEM) tool consumes data from your event hub, follow these steps to identify the right approach to get help: 
+
+In the metrics graph on the Event Hubs Namespace page in the Azure portal, If there are **no incoming messages**, it means that Azure Monitor is not moving the audit/diagnostics logs into the event hub. If you need help from the support team, open a support ticket with the **Azure Monitor team**. If there are **incoming messages, but no outgoing messages**, it means that the SIEM  application is not reading the messages. Contact the **SIEM provider** to determine whether the configuration of the event hub is correct.
+
 ## Next steps
 
 * See the [Azure Monitoring overview](../monitoring-and-diagnostics/monitoring-overview.md).