kcanalichio

Azure Event Hub Alerts or Reports

Trying not to reinvent the wheel. Does anyone have any Rules or Reports that they have configured for Azure Event Hub messages in FortiSIEM? I have included some basic Reports below.

<?xml version="1.0" encoding="UTF-8"?>
<!--
  FortiSIEM saved-report export containing six reports over Azure Event Hub
  events. Each report is a single SubPattern that filters on azureEventCategory
  (or, for AzureEventHubMsg, on eventType); five of the six order results by
  deviceTime DESC (newest first). Every select list ends with rawEventMsg, so
  report output carries the complete raw log line in addition to the parsed
  attributes.
  The document has no DOCTYPE and no entity declarations, so it can be parsed
  with DTD processing and external entity resolution disabled.
  Values that belong to the exporting instance and should be checked before
  importing elsewhere:
    - userRoles/roles custId="0" 1531150: a role id from the source system.
      NOTE(review): confirm it maps to a role on the importing instance.
    - ReportInterval Low/High: fixed windows in what appear to be Unix epoch
      seconds, saved at export time (every High is 1673888862); re-run the
      reports with a live time range rather than the saved one.
    - CustomerScope Include all="true" with groupByEachCustomer="false":
      each report applies across all customers without per-customer grouping.
-->
<Reports>
<!--
  Application Gateway access log (azureEventCategory = ApplicationGatewayAccessLog).
  Name/Description contain a typo ("Applicatio Gatewaway"); left as-is because
  the Name identifies the saved report. Selects request-level fields
  (srcIpAddr, httpMethod, uriQuery, httpVersion, httpResponseTimeMs,
  httpUserAgent) plus usrMsg and rawEventMsg. Saved window: 1673802463 to
  1673888862, roughly 24 hours.
-->
<Report baseline="" id="PH_SYS_Report_1634317222412" rsSync=""><Name>AzureApplicatioGatewawayAccessEvents</Name><Description>AzureApplicatioGatewawayAccessEvents</Description><CustomerScope groupByEachCustomer="false">
<Include all="true">1</Include>
<Exclude/>
</CustomerScope><PatternClause>
<SubPattern id="2230048008" name="">
<SingleEvtConstr>azureEventCategory = "ApplicationGatewayAccessLog"</SingleEvtConstr>
</SubPattern>
</PatternClause><SelectClause>
<AttrList>phRecvTime,deviceTime,reptDevIpAddr,azureEventCategory,opName,resourceName,instanceName,hostName,srcIpAddr,httpMethod,uriQuery,httpVersion,httpResponseTimeMs,httpUserAgent,usrMsg,rawEventMsg</AttrList>
</SelectClause><OrderByClause>
<AttrList>deviceTime DESC</AttrList>
</OrderByClause><userRoles>
<roles custId="0">1531150</roles>
</userRoles><SyncOrgs/><ReportInterval>
<Low>1673802463</Low>
<High>1673888862</High>
</ReportInterval><TrendInterval>auto</TrendInterval><TimeZone/></Report>
<!--
  Catch-all report: eventType CONTAIN "MS_EvtHub_" is a substring match, so it
  returns any event whose type contains that prefix (presumably every parsed
  Event Hub event type; verify against the parser's event types). This is the
  only report here with no OrderByClause, and it selects phRecvTime rather than
  deviceTime. Saved window: 1673885263 to 1673888862, roughly 1 hour.
-->
<Report baseline="" id="PH_SYS_Report_1673036889772" rsSync=""><Name>AzureEventHubMsg</Name><Description>AzureEventHubMsg</Description><CustomerScope groupByEachCustomer="false">
<Include all="true">1</Include>
<Exclude/>
</CustomerScope><PatternClause>
<SubPattern id="2765997936" name="">
<SingleEvtConstr>eventType CONTAIN "MS_EvtHub_"</SingleEvtConstr>
</SubPattern>
</PatternClause><SelectClause>
<AttrList>phRecvTime,reptDevIpAddr,eventType,eventName,rawEventMsg</AttrList>
</SelectClause><userRoles>
<roles custId="0">1531150</roles>
</userRoles><SyncOrgs/><ReportInterval>
<Low>1673885263</Low>
<High>1673888862</High>
</ReportInterval><TrendInterval>auto</TrendInterval><TimeZone/></Report>
<!--
  Azure Firewall application-rule log (azureEventCategory =
  AzureFirewallApplicationRule). Same select list as the network-rule report
  below. Saved window: 1673888263 to 1673888862, roughly 10 minutes.
-->
<Report baseline="" id="PH_SYS_Report_1634312436485" rsSync=""><Name>AzureFirewallApplicationRuleEvents</Name><Description>AzureFirewallApplicationRuleEvents</Description><CustomerScope groupByEachCustomer="false">
<Include all="true">1</Include>
<Exclude/>
</CustomerScope><PatternClause>
<SubPattern id="2230048006" name="">
<SingleEvtConstr>azureEventCategory = "AzureFirewallApplicationRule"</SingleEvtConstr>
</SubPattern>
</PatternClause><SelectClause>
<AttrList>phRecvTime,deviceTime,reptDevIpAddr,azureEventCategory,opName,resourceName,usrMsg,rawEventMsg</AttrList>
</SelectClause><OrderByClause>
<AttrList>deviceTime DESC</AttrList>
</OrderByClause><userRoles>
<roles custId="0">1531150</roles>
</userRoles><SyncOrgs/><ReportInterval>
<Low>1673888263</Low>
<High>1673888862</High>
</ReportInterval><TrendInterval>auto</TrendInterval><TimeZone/></Report>
<!--
  Azure Firewall DNS proxy log (azureEventCategory = AzureFirewallDnsProxy).
  Differs from the other firewall reports: selects relayDevIpAddr instead of
  reptDevIpAddr and omits phRecvTime and opName. Saved window: 1673802463 to
  1673888862, roughly 24 hours.
-->
<Report baseline="" id="PH_SYS_Report_1634312163013" rsSync=""><Name>AzureFirewallDnsProxyEvents</Name><Description>AzureFirewallDnsProxyEvents</Description><CustomerScope groupByEachCustomer="false">
<Include all="true">1</Include>
<Exclude/>
</CustomerScope><PatternClause>
<SubPattern id="2230048005" name="">
<SingleEvtConstr>azureEventCategory = "AzureFirewallDnsProxy"</SingleEvtConstr>
</SubPattern>
</PatternClause><SelectClause>
<AttrList>deviceTime,azureEventCategory,relayDevIpAddr,usrMsg,resourceName,rawEventMsg</AttrList>
</SelectClause><OrderByClause>
<AttrList>deviceTime DESC</AttrList>
</OrderByClause><userRoles>
<roles custId="0">1531150</roles>
</userRoles><SyncOrgs/><ReportInterval>
<Low>1673802463</Low>
<High>1673888862</High>
</ReportInterval><TrendInterval>auto</TrendInterval><TimeZone/></Report>
<!--
  Azure Firewall network-rule log (azureEventCategory =
  AzureFirewallNetworkRule). Same select list as the application-rule report
  above. Saved window: 1673888263 to 1673888862, roughly 10 minutes.
-->
<Report baseline="" id="PH_SYS_Report_1634315118240" rsSync=""><Name>AzureFirewallNetworkEvents</Name><Description>AzureFirewallNetworkEvents</Description><CustomerScope groupByEachCustomer="false">
<Include all="true">1</Include>
<Exclude/>
</CustomerScope><PatternClause>
<SubPattern id="2230048004" name="">
<SingleEvtConstr>azureEventCategory = "AzureFirewallNetworkRule"</SingleEvtConstr>
</SubPattern>
</PatternClause><SelectClause>
<AttrList>phRecvTime,deviceTime,reptDevIpAddr,azureEventCategory,opName,resourceName,usrMsg,rawEventMsg</AttrList>
</SelectClause><OrderByClause>
<AttrList>deviceTime DESC</AttrList>
</OrderByClause><userRoles>
<roles custId="0">1531150</roles>
</userRoles><SyncOrgs/><ReportInterval>
<Low>1673888263</Low>
<High>1673888862</High>
</ReportInterval><TrendInterval>auto</TrendInterval><TimeZone/></Report>
<!--
  Front Door WAF log (azureEventCategory = FrontdoorWebApplicationFirewallLog).
  Selects the WAF decision fields (action, categoryType, connMode, ruleName,
  policyName) together with srcIpAddr, srcIpPort and uriQuery, plus usrMsg and
  rawEventMsg. Saved window: 1673802463 to 1673888862, roughly 24 hours.
-->
<Report baseline="" id="PH_SYS_Report_1634315571939" rsSync=""><Name>AzureFrontdoorWebApplicationFWEvents</Name><Description>AzureFrontdoorWebApplicationFWEvents</Description><CustomerScope groupByEachCustomer="false">
<Include all="true">1</Include>
<Exclude/>
</CustomerScope><PatternClause>
<SubPattern id="2230048003" name="">
<SingleEvtConstr>azureEventCategory = "FrontdoorWebApplicationFirewallLog"</SingleEvtConstr>
</SubPattern>
</PatternClause><SelectClause>
<AttrList>phRecvTime,deviceTime,reptDevIpAddr,azureEventCategory,opName,action,categoryType,connMode,ruleName,policyName,uriQuery,srcIpAddr,srcIpPort,usrMsg,resourceName,rawEventMsg</AttrList>
</SelectClause><OrderByClause>
<AttrList>deviceTime DESC</AttrList>
</OrderByClause><userRoles>
<roles custId="0">1531150</roles>
</userRoles><SyncOrgs/><ReportInterval>
<Low>1673802463</Low>
<High>1673888862</High>
</ReportInterval><TrendInterval>auto</TrendInterval><TimeZone/></Report></Reports>

 

 
