MicrosoftDocs
diff --git a/‎.openpublishing.redirection.key-vault.json‎
Lines changed: 588 additions & 568 deletions b/‎.openpublishing.redirection.key-vault.json‎
Lines changed: 588 additions & 568 deletions
diff --git a/‎articles/cloud-hsm/secure-cloud-hsm.md‎
Lines changed: 3 additions & 1 deletion b/‎articles/cloud-hsm/secure-cloud-hsm.md‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎articles/cloud-hsm/toc.yml‎
Lines changed: 2 additions & 0 deletions b/‎articles/cloud-hsm/toc.yml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/cloud-hsm/troubleshoot.md‎
Lines changed: 4 additions & 4 deletions b/‎articles/cloud-hsm/troubleshoot.md‎
Lines changed: 4 additions & 4 deletions
@@ -4,7 +4,7 @@ description: Learn best practices for securing Azure Cloud HSM to help protect c
 author: msmbaldwin
 ms.service: azure-cloud-hsm
 ms.topic: conceptual
-ms.date: 03/31/2026
+ms.date: 04/08/2026
 ai-usage: ai-assisted
 ms.custom: horz-security
 ms.author: mbaldwin
@@ -88,6 +88,8 @@ Proper handling of key storage limits, key wrapping security, key attributes, an
 
 - **Configure operation event logging**: Operation event logging is vital for HSM security. It provides an immutable record of access and operations for accountability, traceability, and regulatory compliance. It helps detect unauthorized access, investigate incidents, and identify anomalies, to help ensure the integrity and confidentiality of cryptographic operations. To maintain security and privacy, logs exclude sensitive data (such as key IDs, key names, and user details). They capture HSM operations, timestamps, and metadata, but they can't determine success or failure because the HSM operation occurs within the inner TLS channel. See [Tutorial: Operation event logging in Azure Cloud HSM](tutorial-operation-event-logging.md).
 
+- **Stream logs to Event Hub for real-time processing**: For real-time log processing and integration with downstream SIEM systems or custom analytics pipelines, configure Event Hub as an additional destination for your diagnostic settings. See [Tutorial: Configure Event Hub for Azure Cloud HSM](tutorial-configure-event-hub.md).
+
 ## Backup and recovery
 
 Azure Cloud HSM provides high availability through clustered HSMs that synchronize keys and policies while automatically migrating workloads during failures.
 
@@ -15,6 +15,8 @@ items:
     items:
       - name: Operation event logging
         href: tutorial-operation-event-logging.md
+      - name: Configure Event Hub for logging
+        href: tutorial-configure-event-hub.md
       - name: Backup and restore
         href: backup-restore.md
       - name: Certificate storage
 
@@ -5,7 +5,7 @@ author: keithp
 manager: davinune
 ms.service: azure-cloud-hsm
 ms.topic: troubleshooting-general
-ms.date: 03/26/2026
+ms.date: 04/08/2026
 ms.author: keithp
 ---
 
@@ -406,15 +406,15 @@ ED25519 keys are typically used for self-signed certificates or in certificate s
 
 ### Can I use azcloudhsm_util to generate RSA and EC keys before using the Azure Cloud HSM OpenSSL engine to generate a CSR?
 
-Yes. You can run the following `azcloudhsm_util` commands to create an RSA or EC key and then extract the private key to a fake PEM format. Replace `{PRIVATE_KEY_HANDLE}` with the private key handle of the RSA or EC key that you created.
+Yes. You can run the following `azcloudhsm_util` commands to create an RSA or EC key and then extract the private key to a fake PEM format. Replace `<private-key-handle>` with the private key handle of the RSA or EC key that you created.
 
 The private key metadata file in PEM format doesn't contain any sensitive private key materials. The metadata identifies the private key, and only the OpenSSL engine for Azure Cloud HSM understands this file.
 
 Use this command to create an RSA key:
 
 ```bash
 ./azcloudhsm_util singlecmd loginHSM -u CU -p user1234 -s cu1 genRSAKeyPair -m 2048 -e 65537 -l labelRSATest 
-./azcloudhsm_util singlecmd loginHSM -u CU -p user1234 -s cu1 getCaviumPrivKey -k {PRIVATE_KEY_HANDLE} -out web_server_fake_PEM.key 
+./azcloudhsm_util singlecmd loginHSM -u CU -p user1234 -s cu1 getCaviumPrivKey -k <private-key-handle> -out web_server_fake_PEM.key 
 openssl req -new -key web_server_fake_PEM.key -out web_server.csr -engine azcloudhsm_openssl 
 openssl x509 -req -days 365 -in web_server.csr -signkey web_server_fake_PEM.key -out web_server.crt -engine azcloudhsm_openssl 
 ```
@@ -423,7 +423,7 @@ Use this command to create an EC key:
 
 ```bash
 ./azcloudhsm_util singlecmd loginHSM -u CU -p user1234 -s cu1 genECCKeyPair -i 2 -l labelECTest 
-./azcloudhsm_util singlecmd loginHSM -u CU -p user1234 -s cu1 getCaviumPrivKey -k {PRIVATE_KEY_HANDLE} -out web_server_fake_PEM.key 
+./azcloudhsm_util singlecmd loginHSM -u CU -p user1234 -s cu1 getCaviumPrivKey -k <private-key-handle> -out web_server_fake_PEM.key 
 openssl req -new -key web_server_fake_PEM.key -out web_server.csr -engine azcloudhsm_openssl 
 openssl x509 -req -days 365 -in web_server.csr -signkey web_server_fake_PEM.key -out web_server.crt -engine azcloudhsm_openssl 
 ```