At Microsoft Ignite in November 2021, Azure Security Center and Azure Defender were renamed Microsoft Defender for Cloud. The Azure Defender plans were also renamed Microsoft Defender plans; for example, Azure Defender for Storage is now Microsoft Defender for Storage.
Introduction
Azure Security Center (ASC) is a security management tool that allows you to gain insight into your security state across hybrid cloud workloads, reduce your exposure to attacks, and respond to detected threats quickly. ASC periodically analyzes the security state of your resources whether they are deployed on Azure or on-premises to identify potential security vulnerabilities. It then provides you with security recommendations on how to remediate them which helps you to strengthen your Cloud Security Posture Management (CSPM).
Security Center also plays a vital role in the Cloud Workload Protection Platform (CWPP) to protect you against emerging threats and generate security alerts for resources deployed on Azure, as well as for resources deployed on-premises and hybrid cloud environments. Security alerts are triggered by advanced detection and behavioral analytics which are available only in the Standard Tier of Azure Security Center.
Continuous export is a new feature in Azure Security Center that went GA on March 30th, 2020 which can be used to configure the streaming export setting of security alerts and recommendations to multiple export targets such as Azure Event Hub and Azure Monitor (Log Analytics workspace). Here are a few examples of workflows you can create around these new capabilities:
- With continuous export to a Log Analytics workspace, you can build custom dashboards with Power BI.
- With continuous export to Event Hub, you can forward Security Center alerts and recommendations in real time to your third-party Security Information and Event Management (SIEM) system, to another third-party solution, or to Azure Data Explorer.
Scenario
Suppose your organization has a policy that requires all security alerts and recommendations to be forwarded automatically to a third-party Security Information and Event Management (SIEM) solution such as Splunk, IBM QRadar, or ArcSight. For this scenario, you can use Azure Event Hubs to stream Azure Security Center alerts and recommendations to your SIEM system, as described in this article.
Now suppose you have a large number of Azure subscriptions that you want to onboard with continuous export, whether to Event Hub or to a Log Analytics workspace. Azure Policy to the rescue!
Last week, I blogged about how to export Azure Security Center alerts and recommendations to Azure Event Hubs for one subscription. In today’s article, I will show you how to automate and enable continuous export to Event Hub, as well as to the Log Analytics workspace if you want to onboard multiple subscriptions.
Prerequisites
To follow this article, you need to have the following:
- Azure subscription. If you don’t have an Azure subscription, you can create a free one here.
- Azure Security Center Free tier or Standard tier enabled. Please note that the standard tier is required to leverage security alerts.
- An Event Hub namespace and an event hub in your Azure subscription. Learn how to create an event hub.
- Please note that you need to have at least one event hub namespace in any of your Azure subscription(s) to be used as a target export subscription.
- Log Analytics Workspace – To create a new workspace, follow the instructions on how to create a Log Analytics workspace.
- Please note that you need to have at least one Log Analytics workspace in any of your Azure subscription(s) to be used as a target export subscription.
Please note that integrating third-party (SIEM) solutions with Azure Security Center is out of the scope of this article.
Automate continuous export to Event Hub
Microsoft just released a custom policy definition that enables the export of Azure Security Center alerts and/or recommendations to Event Hub on your subscription. This Azure Policy definition ensures that when a new Azure subscription is created, an export-to-Event-Hub configuration with your filter conditions and target event hub is applied to that subscription.
This Azure Policy also enables the export-to-Event-Hub configuration for existing Azure subscriptions. So instead of opening each subscription in Security Center and enabling continuous export by hand, this custom policy checks and configures your subscriptions with a single remediation task.
To enable and automate continuous export to Event Hub, click on the “Deploy to Azure” button and follow the steps as shown in the video below.
Please note that once this custom policy is assigned to the desired scope with its input parameters, you need to wait at least 15 minutes for the policy to kick in. The policy is not triggered immediately; this is by design. Behind the scenes, Azure Policy creates a remediation task, as shown in the following screenshot.
The remediation task is very useful for onboarding existing subscriptions with continuous export: the remediation step runs automatically without any intervention on your side.
Automate continuous export to Log Analytics
Microsoft also released a custom policy definition that enables the export of Azure Security Center alerts and/or recommendations to a Log Analytics workspace on your subscription. This Azure Policy definition ensures that when a new Azure subscription is created, an export-to-Log-Analytics configuration with your filter conditions and target workspace is applied to that subscription.
To enable and automate continuous export to the Log Analytics workspace, click the “Deploy to Azure” button and follow the steps shown in the video below. The onboarding experience is exactly the same as for Event Hub, but with different input parameters.
Please note that once this custom policy is assigned to the desired scope with its input parameters, you need to wait at least 15 minutes for the policy to kick in. The policy is not triggered immediately; this is by design. Behind the scenes, Azure Policy creates a remediation task, as shown in the following screenshot.
The remediation task is very useful for onboarding existing subscriptions with continuous export: the remediation step runs automatically without any intervention on your side.
Summary
Continuous export is a great feature in Azure Security Center that streams security alerts and recommendations to Azure Event Hub and to a Log Analytics workspace, so that you are notified immediately and can take the necessary actions. Continuous export in Azure Security Center can also be integrated with a third-party SIEM system, with Microsoft's cloud-native SIEM Azure Sentinel, and with Azure Data Explorer.
In this article, you learned how to automate and enable continuous exports of your security recommendations and alerts in the Security Center to Azure Event Hub, as well as to the Log Analytics workspace.
There’s more…
Additional resources I highly encourage you to check:
- Workflow automation in Azure Security Center to automate your security operations.
- Learn more about how to integrate Azure Security Center with Azure Monitor Alerts.
- Learn more about how to integrate Azure Security Center with Azure Sentinel cloud-native (SIEM).
- Learn more about Azure Security Center, check the official documentation from Microsoft.
- Learn more about Continuous export, check the following documentation from Microsoft.
- Learn more about Azure Policy, check the official documentation from Microsoft.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.
-Charbel Nemnom-
Hi, can I check on this topic, one of the policies is to configure the continuous export to the LAW within the same subscription? What if I have a centralized LAW that is located in a separate subscription and I want all other subscriptions to continuous export to this specific centralized LAW?
Regards,
Chris Cheng
Hello Chris, thanks for the comment!
Yes, this scenario is completely doable. You could send continuous export for every subscription in Microsoft Defender for Cloud to a centralized LAW that is located in a dedicated subscription.
It works without any issue.
Hope it helps!
Hi,
We have manually configured continuous export from Defender to Log Analytics at the subscription level.
Microsoft Defender for Cloud -> Environment settings -> Select Subscription -> Continuous Export -> Select Log Analytics tab -> Just checked “security recommendations” and “security alerts” and provided the target resource group, subscription and workspace.
Now we want to automate (using DevOps) the above process via ARM Template if possible.
But as per this https://learn.microsoft.com/en-us/azure/defender-for-cloud/continuous-export?tabs=azure-portal, we can configure only with REST API.
So using REST API, how to configure just “Security recommendations” and “Security alerts” with high priority and export to log analytics is not clear.
Do you have any idea how to achieve this?
Hello Kumar, thanks for the comment!

Yes, you could automate and configure just “Security recommendations” and “Security alerts” with high priority and export to log analytics using ARM Templates.
Please see the following built-in policy for Continuous export to the Log Analytics workspace in the Azure portal.
Then you could export the ARM template and use it in Azure DevOps.
Here is a screenshot of the ARM template parameters for your reference:
Hope it helps!
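The REST API route Kumar asks about, which is also what the Log Analytics policy in the article configures under the hood, as an added example (not the article's, the commenters' or Microsoft's code): it creates a continuous export resource (Microsoft.Security/automations) that sends all security recommendations plus only High-severity security alerts to a Log Analytics workspace, which may live in another subscription as in Chris's centralized-LAW scenario. It assumes the Az.Accounts module and an authenticated Connect-AzAccount session; every subscription, resource group and workspace ID below is a placeholder.

```powershell
# Added example: configure Defender for Cloud / Security Center continuous export
# through the ARM REST API (PUT Microsoft.Security/automations) using Invoke-AzRestMethod.
# All IDs are placeholders; replace them with your own.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # subscription to export FROM
$resourceGroup  = 'rg-security-automation'                  # resource group holding the automation
$location       = 'westeurope'
$automationName = 'ExportToWorkspace'
# Target workspace; it can sit in a different (central) subscription than the source.
$workspaceId    = '/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-central-law' +
                  '/providers/Microsoft.OperationalInsights/workspaces/law-central'

$body = @{
    location   = $location
    properties = @{
        isEnabled = $true
        # Scope: the whole source subscription
        scopes    = @(@{ description = 'Export scope'; scopePath = "/subscriptions/$subscriptionId" })
        sources   = @(
            # Security alerts, filtered so only Severity == High is exported
            @{
                eventSource = 'Alerts'
                ruleSets    = @(@{
                    rules = @(@{
                        propertyJPath = 'Severity'
                        propertyType  = 'String'
                        expectedValue = 'High'
                        operator      = 'Equals'
                    })
                })
            },
            # Security recommendations (assessments), unfiltered
            @{ eventSource = 'Assessments' }
        )
        # Target: Log Analytics workspace. For Event Hub use actionType = 'EventHub'
        # with eventHubResourceId and connectionString instead of workspaceResourceId.
        actions   = @(@{ actionType = 'Workspace'; workspaceResourceId = $workspaceId })
    }
}

$path = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
        "/providers/Microsoft.Security/automations/$automationName?api-version=2019-01-01-preview"

# PUT is idempotent: re-running updates the existing automation with the same name.
$response = Invoke-AzRestMethod -Method PUT -Path $path -Payload ($body | ConvertTo-Json -Depth 10)
if ($response.StatusCode -notin 200, 201) {
    throw "Continuous export configuration failed (HTTP $($response.StatusCode)): $($response.Content)"
}
"Continuous export '$automationName' configured (HTTP $($response.StatusCode))."
```

The same JSON body, minus the PowerShell wrapper, is what an exported ARM template or an Azure DevOps deployment task would carry, with the severity rule adjustable to any other alert property.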