After testing with a major Azure client, we don't believe it is the right way to go.
First of all, it seems that ArcSight isolated the JAR files from the SmartConnector to put them in an Azure Service Plan. So it is practically a SmartConnector running "natively" on Azure that gets its input from an Azure Event Hub. The output should of course go to a syslog-ng somewhere, so it makes sense.
The problem is that the setup is very complex and needed a lot of troubleshooting, just to get the "supported" logs from one Azure subscription.
I think the best way is to get your hands dirty and write a Python script that is able to extract logs from either:
- Azure Graph API / Insights API
- Or send the Azure logs to Azure Log Analytics (OMS) and query the analytics API
Of course, you have to create the CEF format within the code you create.
It has its difficulties, of course, but you fully control the pipeline this way.
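The part of that approach people usually get wrong is the CEF encoding itself, so here is an added example (not ArcSight's, Microsoft's or the poster's code) of the formatting step: it takes Azure Activity Log records, builds CEF lines with the header and extension escaping rules applied separately, and wraps them in a syslog frame for syslog-ng. The record layout follows the Azure Monitor Activity Log schema (`eventTimestamp`, `operationName`, `category`, `resultType`, `caller`, `callerIpAddress`, `resourceId`, `correlationId`, `description`), with both the nested `{"value": ...}` shape the Monitor REST API returns and the flat strings a Log Analytics query gives you. The sample records are constructed, and the severity mapping and the choice of CEF extension keys are this example's own assumptions, not an ArcSight standard.

```python
"""Azure Activity Log -> CEF -> syslog-ng. Added example, not vendor code.
Event layout follows the Azure Monitor Activity Log schema; the severity mapping
and the CEF field choices below are assumptions of this example."""
import socket
from datetime import datetime, timedelta, timezone

# Constructed sample records (values invented). The first uses the nested
# {"value": ...} shape of the Azure Monitor REST API, the second the flat strings
# you get back from a Log Analytics (AzureActivity) query. The '|', '=' and newline
# in the descriptions are there to exercise the escaping rules.
SAMPLE_EVENTS = [
    {
        "eventTimestamp": "2024-03-05T09:15:42.1234567Z",
        "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
        "category": {"value": "Administrative"},
        "resultType": "Succeeded",
        "caller": "alice@example.com",
        "callerIpAddress": "203.0.113.10",
        "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod",
        "correlationId": "11111111-2222-3333-4444-555555555555",
        "description": "role=Owner|scope=rg-prod",
    },
    {
        "eventTimestamp": "2024-03-05T09:16:03Z",
        "operationName": "Microsoft.Compute/virtualMachines/delete",
        "category": "Administrative",
        "resultType": "Failed",
        "caller": "bob@example.com",
        "callerIpAddress": "198.51.100.7",
        "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm01",
        "correlationId": "66666666-7777-8888-9999-000000000000",
        "description": "Authorization failed\nsee details",
    },
]

_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def _val(field):
    """Azure Monitor nests operationName/category as {"value": ...}; Log Analytics flattens them."""
    if isinstance(field, dict):
        return str(field.get("value", ""))
    return "" if field is None else str(field)


def to_epoch_ms(iso_ts):
    """Azure timestamps are UTC ('...Z') with up to 7 fractional digits; CEF 'rt' wants epoch ms."""
    ts = iso_ts.strip()
    if ts.endswith("Z"):
        ts = ts[:-1]
    main, _, frac = ts.partition(".")
    dt = datetime.strptime(main, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    dt = dt.replace(microsecond=int((frac + "000000")[:6]) if frac else 0)
    return (dt - _EPOCH) // timedelta(milliseconds=1)


def cef_escape_header(value):
    """Header fields: backslash and pipe are escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_extension(value):
    """Extension values: backslash and '=' are escaped, newlines become a literal \\n.
    Pipes are NOT escaped in extensions; escaping them here is a common mistake."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r\n", "\\n").replace("\n", "\\n"))


def map_severity(operation, result):
    """Assumed mapping onto the CEF 0-10 scale: privilege grants, then failures, then deletes."""
    op = operation.lower()
    if "/roleassignments/write" in op:
        return 7
    if result.lower() == "failed":
        return 6
    if op.endswith("/delete"):
        return 5
    return 3


def to_cef(event, vendor="Azure", product="ActivityLog", version="1.0"):
    """Build one CEF:0 line; header fields and extension values use different escaping."""
    op, cat, result = _val(event.get("operationName")), _val(event.get("category")), event.get("resultType", "Unknown")
    header = ["CEF:0", vendor, product, version, op, f"{op} {result}", str(map_severity(op, result))]
    ext = [("rt", str(to_epoch_ms(event["eventTimestamp"]))), ("suser", event.get("caller", "")),
           ("src", event.get("callerIpAddress", "")), ("cat", cat), ("outcome", result),
           ("externalId", event.get("correlationId", "")), ("cs1Label", "resourceId"),
           ("cs1", event.get("resourceId", "")), ("msg", event.get("description", ""))]
    ext_str = " ".join(f"{k}={cef_escape_extension(v)}" for k, v in ext if v)
    return "|".join(cef_escape_header(h) for h in header) + "|" + ext_str


def syslog_frame(cef_line, hostname, when=None, facility=20, severity=6):
    """RFC 3164-style frame syslog-ng accepts; PRI = facility*8 + severity (local4.info = 166)."""
    when = when or datetime.now(timezone.utc)
    return f"<{facility * 8 + severity}>{when:%b} {when.day:2d} {when:%H:%M:%S} {hostname} {cef_line}"


def send_udp(frames, host, port=514):
    """UDP is lossy and truncates long lines; prefer syslog-ng's TCP/TLS network() driver in production."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for frame in frames:
            s.sendto(frame.encode("utf-8"), (host, port))


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(syslog_frame(to_cef(ev), "azure-collector"))
```

Two things to watch when you write your own: the `rt` field must be epoch milliseconds (or ArcSight's fixed date format), not the ISO string Azure hands you, and the pipe is only special in the seven header fields, so a resource ID or description containing `|` goes into the extension untouched while `=` and backslashes in it do need escaping.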