How To Integrate Azure Security Center With Azure Monitor Alerts


Updated: Azure Security Center – Continuous Export is now GA!

Introduction

Azure Security Center (ASC) is a security management tool that gives you insight into your security state across hybrid cloud workloads, reduces your exposure to attacks, and helps you respond quickly to detected threats. ASC periodically analyzes the security state of your resources, whether they are deployed on Azure or on-premises, to identify potential security vulnerabilities. It then provides security recommendations on how to remediate them.

Security Center also generates security alerts for resources deployed on Azure as well as for resources deployed in on-premises and hybrid cloud environments. Security alerts are triggered by advanced detections and behavioral analytics, which are available only in the Standard Tier of Azure Security Center.

Azure Monitor, on the other hand, maximizes the availability and performance of your resources and services by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. Alerts in Azure Monitor proactively notify you when important conditions are found in your monitoring data, so you can identify and address issues before the users of your system notice them. For more information about Azure Monitor, please check the official documentation from Microsoft.

Continuous export is a feature of Azure Security Center (released in public preview and now generally available) that configures streaming export of security alerts and recommendations to multiple export targets such as Azure Event Hub and Azure Monitor (Log Analytics workspace). Here are a few examples of workflows you can build on this capability:

  • With Continuous Export to Log Analytics workspace, you can create custom dashboards with PowerBI.
  • With Continuous Export to Event Hub, you can stream Security Center alerts and recommendations to your 3rd-party Security Information and Event Management (SIEM) system, to another 3rd-party solution in real time, or to Azure Data Explorer.

Microsoft recently announced that Azure Security Center supports integration with Azure Monitor alerts in just a couple of clicks. In this article, I will show you how to integrate Azure Security Center with Azure Monitor by leveraging continuous export of security alerts and recommendations, and then how to configure alert rules in Azure Monitor that trigger an action group (if one is provided).

Prerequisites

To follow this article, you need to have the following:

  1. Azure subscription. If you don’t have an Azure subscription, you can create a free one here.
  2. Azure Security Center Free tier or Standard tier enabled. Please note that the standard tier is required to leverage security alerts.
  3. Log Analytics Workspace – To create a new workspace, follow the instructions in Create a Log Analytics workspace.

Setting up continuous export to Azure Monitor

To set up continuous export from Azure Security Center to Azure Monitor, take the following steps:

  1. Open the Azure Portal and click on “Security Center” → “Pricing & settings”.
  2. Select the specific subscription for which you want to configure continuous data export.
  3. From the sidebar, select “Continuous export (Preview)”, and then select the “Log Analytics workspace” tab as shown in the screenshot below.
  4. Next, you need to enable Export by toggling the switch to “On” and then select which data type you want to export.
  5. Next, choose which Security recommendations you want to export, and which severity levels (Low, Medium, or High) to include for recommendations and alerts. In this example, I will export all Security recommendations and select only High severity for both recommendations and alerts, as shown in the screenshot below.
  6. Next, specify the “Export configuration” and “Export target”. Choose the resource group in which this export configuration will reside, and then select the Subscription and the target Log Analytics workspace. The subscription is set by default based on the selection made in Step 2. As shown in the screenshot below, saving and exporting data to a Log Analytics workspace incurs ingestion charges. Please refer to the pricing details here.
  7. Finally, click the “Save” button on the top of the Settings | Continuous export page.

As a side note, if you have the Azure Sentinel Security alerts connector enabled for the current subscription and workspace, activating alerts export in Security Center may cause duplicate ingestion in that workspace. In that case, please choose a different Log Analytics workspace.
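The seven portal steps above create a Microsoft.Security/automations resource in the chosen resource group. The following ARM template is an added example (not from the original article or from Microsoft's documentation) that declares the same configuration as code: a subscription-wide scope, High severity filters for both alerts and recommendations (assessments), and a Log Analytics workspace as the target. The workspace resource ID and automation name are parameters you supply; the severity filter property paths follow the resource schema as I understand it for the 2019-01-01-preview API version, so verify them against the API reference before deploying.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceResourceId": {
      "type": "string",
      "metadata": {
        "description": "Resource ID of the target Log Analytics workspace (placeholder: supply your own)"
      }
    },
    "automationName": {
      "type": "string",
      "defaultValue": "ExportToWorkspace",
      "metadata": {
        "description": "Name of the continuous export configuration (assumed name, not from the article)"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Security/automations",
      "apiVersion": "2019-01-01-preview",
      "name": "[parameters('automationName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "description": "Continuous export of High severity Security Center alerts and recommendations to Log Analytics",
        "isEnabled": true,
        "scopes": [
          {
            "description": "Export events raised anywhere in the subscription the template is deployed to",
            "scopePath": "[subscription().id]"
          }
        ],
        "sources": [
          {
            "eventSource": "Alerts",
            "ruleSets": [
              {
                "rules": [
                  {
                    "propertyJPath": "Severity",
                    "propertyType": "String",
                    "expectedValue": "High",
                    "operator": "Equals"
                  }
                ]
              }
            ]
          },
          {
            "eventSource": "Assessments",
            "ruleSets": [
              {
                "rules": [
                  {
                    "propertyJPath": "properties.metadata.severity",
                    "propertyType": "String",
                    "expectedValue": "High",
                    "operator": "Equals"
                  }
                ]
              }
            ]
          }
        ],
        "actions": [
          {
            "actionType": "Workspace",
            "workspaceResourceId": "[parameters('workspaceResourceId')]"
          }
        ]
      }
    }
  ]
}
```

Deploy it with a resource group deployment against the resource group you would have chosen in Step 6. Keeping the export configuration as a template makes the severity filter reviewable and repeatable across subscriptions, and dropping a `ruleSets` entry exports every event of that source, which is the equivalent of selecting all severities in the portal.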

Configure Azure Monitor alerts rules (default)

Now we are ready to create and configure alert rules in Azure Monitor, so we get notified when a new high severity security recommendation or alert is triggered in Azure Security Center. Take the following steps:

  1. Open the Azure Portal and click on “Security Center” → “Pricing & settings”.
  2. Select the specific subscription for which you want to configure Azure Monitor alerts rules.
  3. From the sidebar, select “Continuous export (Preview)”, and then select the “Log Analytics workspace” tab.
  4. You can skip the Export configuration and Export target sections, since continuous export was configured in the previous section.
  5. Scroll to the end and then click on “Continue integration with Azure Monitor” as shown in the image below.
  6. In the Configure Azure Monitor alert rules page, select Create alert rules for exported recommendations, and then click “Create” to automatically enable recommendations alerts in Azure Monitor as shown in the image below.
  7. In the Configure Azure Monitor alert rules page, select Create alert rules for exported alerts, and then click “Create” to automatically enable security alerts in Azure Monitor as shown in the image below.
  8. Finally, click the “Save” button at the top of the Settings | Continuous export page.

Behind the scenes, Azure Security Center automatically creates two default rules in Azure Monitor, as shown in the image below.

  • [Azure Security Center] New Security Recommendation.
  • [Azure Security Center] New Security Alert.

If you open either of the default rules, you will notice that no Action Group is configured. I highly recommend modifying the default rule and setting an action group to trigger (more on this below).

View alerts in Azure Monitor

Once you activate the export to the Log Analytics workspace, you will see a new solution created under General | Logs | Tables, named “Security and Audit” for the standard tier or “SecurityCenterFree” if you are on the free tier, as shown in the screenshot below:

If you expand the solution, you will see two tables containing the data exported by Security Center continuous export:

  • SecurityAlert
  • SecurityRecommendation

To view the Security alerts exported to the Log Analytics workspace, type the following query in the New Query 1 editor and then click the Run button. You should see all security alerts that were generated and exported in the last 24 hours (the default time frame). If you want to trigger and simulate a security alert, please refer to the following article. The result should look similar to the image below, in this case for Suspicious PowerShell Activity Detected.

SecurityAlert 
| where TimeGenerated > ago(24h) 
| limit 10

To view the Security recommendations exported to the Log Analytics workspace, type the following query in the same New Query 1 editor and then click the Run button. You should see all security recommendations exported in the last 24 hours (the default time frame). The result should look similar to the image below, in this case for missing system updates.

SecurityRecommendation 
| where TimeGenerated > ago(24h) 
| limit 10

Configure Azure Monitor alerts rules (update)

As shown in the previous section, “Configure Azure Monitor alerts rules (default)”, we enabled and created two default alert rules in Azure Monitor from Security Center. If you want to learn how to configure and update the Security Center alert rules in Azure Monitor and create an action group, please continue with the remainder of this section.

To create alert rules for Security Center alerts and recommendations in Azure Monitor manually, you need to configure a new alert rule based on a Log Analytics query (a Log Alert). Take the following steps:

  1. From the Azure Monitor – Overview page, select “Alerts” and then click + New alert rule as shown in the screenshot below.
  2. In the create rule page, you need to configure your new rule in the same way that you’d configure a log alert rule in Azure Monitor.
  3. For Resource, click “Edit” and then select the Log Analytics workspace to which you exported security alerts and recommendations as shown in the screenshot below. Click “Done” to continue.
  4. For Condition, click “Add” and then select Custom log search under the Signal name as shown in the screenshot below.
  5. In the “Configure signal logic” page that appears, scroll down a bit to the “Search query *” field. There you can type SecurityAlert or SecurityRecommendation, as described in the view alerts step, to query the data types that Azure Security Center continuously exports once you enable Continuous export to Log Analytics. Please note that you cannot have both SecurityAlert and SecurityRecommendation in the same search query; you need to create a separate rule for each. Under “Alert logic”, specify the “Threshold value” as 0, as shown in the screenshot below.
  6. Next, specify the Period (in minutes) and the Frequency (in minutes), as shown in the screenshot below. The minimum for each is 5 minutes. When ready, click “Done” to continue.
  7. This step is optional: you can configure an action group to send an email when a security alert is triggered. Under Action Groups (optional), click “Add” to add a predefined action group. Action groups can trigger email, ITSM tickets, Logic Apps, webhooks, Azure Functions, Automation runbooks, and more. In this example, I will set an email as the trigger.
  8. Under Alert Details, give the alert rule a descriptive name and then set its severity (Sev 3). Finally, click “Create alert rule” to create the rule.
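Steps 1 through 8 produce a Microsoft.Insights/scheduledQueryRules resource. The ARM template below is an added example (not part of the original article) that expresses the same log alert as code, using the legacy 2018-04-16 schema that matches the portal fields named above: the exported workspace as the data source, a SecurityAlert search query, a result-count threshold of 0 with the GreaterThan operator, a 5 minute period and frequency, severity 3, and an action group for the email notification. The workspace and action group resource IDs are parameters you supply; the rule name and email subject are assumed values, and the `AlertSeverity` filter narrows the query to High severity rows so the rule only fires on what Step 5 of the export configuration actually exported.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceResourceId": {
      "type": "string",
      "metadata": {
        "description": "Resource ID of the Log Analytics workspace that receives the continuous export (placeholder: supply your own)"
      }
    },
    "actionGroupResourceId": {
      "type": "string",
      "metadata": {
        "description": "Resource ID of an existing action group, e.g. one that sends email (placeholder: supply your own)"
      }
    },
    "ruleName": {
      "type": "string",
      "defaultValue": "ASC - New High severity security alert",
      "metadata": {
        "description": "Descriptive alert rule name (assumed value, not from the article)"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/scheduledQueryRules",
      "apiVersion": "2018-04-16",
      "name": "[parameters('ruleName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "description": "Fires when Security Center exports a new High severity SecurityAlert row into the workspace",
        "enabled": "true",
        "source": {
          "query": "SecurityAlert | where AlertSeverity == \"High\" | project TimeGenerated, AlertName, CompromisedEntity, Description",
          "dataSourceId": "[parameters('workspaceResourceId')]",
          "queryType": "ResultCount"
        },
        "schedule": {
          "frequencyInMinutes": 5,
          "timeWindowInMinutes": 5
        },
        "action": {
          "odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction",
          "severity": "3",
          "aznsAction": {
            "actionGroup": [
              "[parameters('actionGroupResourceId')]"
            ],
            "emailSubject": "Security Center: new High severity security alert"
          },
          "trigger": {
            "thresholdOperator": "GreaterThan",
            "threshold": 0
          }
        }
      }
    }
  ]
}
```

A second copy of this template with `SecurityRecommendation` in the query (and a `RecommendationSeverity` filter instead of `AlertSeverity`) gives you the separate rule that Step 5 says recommendations require. Because `timeWindowInMinutes` equals `frequencyInMinutes`, each row is evaluated by exactly one run, which avoids the duplicate notifications you would get from a window wider than the frequency.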

Verify Azure Monitor alerts rules

After configuring the alert rules, you will see new Azure Security Center alerts and recommendations (depending on your configuration) in the Azure Monitor alerts dashboard, as shown in the image below.

If you have specified an action group, you will automatically receive a security or recommendation alert through the action group you specified. In this example, I am using email notification. The email should look similar to the image below.

That’s it, there you have it!

Summary

Continuous export is a great feature in Azure Security Center that streams security alerts and recommendations to multiple export targets such as Azure Event Hub and Azure Monitor (Log Analytics workspace), so you can be notified immediately and take the necessary actions. Continuous export in Azure Security Center can also be integrated with a 3rd-party SIEM, with Microsoft's cloud-native SIEM Azure Sentinel, and with Azure Data Explorer.

In this article, you learned how to configure continuous export of your security recommendations and alerts, and then how to integrate and configure Azure Monitor alert rules. As described above, you can also modify the default rule settings or set an action group to trigger by clicking “View in Azure Monitor” on the alert rule after it is created, as shown in the image below.

I highly recommend checking Workflow automation in Azure Security Center to automate your security operations.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

About Charbel Nemnom
Charbel Nemnom is a Cloud Architect, ICT Security Expert, Microsoft Most Valuable Professional (MVP), and Microsoft Certified Trainer (MCT), a total fan of the latest IT platform solutions, and an accomplished hands-on technical professional with over 17 years of broad IT Infrastructure experience serving on and guiding technical teams to optimize the performance of mission-critical enterprise systems. An excellent communicator, adept at identifying business needs and bridging the gap between functional groups and technology to foster targeted and innovative IT project development. Well respected by peers for demonstrating passion for technology and performance improvement. Extensive practical knowledge of complex system builds, network design, business continuity, and cloud security.
