
Automate Continuous Export for Azure Security Center with Azure Policy


At Microsoft Ignite in November 2021, Azure Security Center and Azure Defender were renamed Microsoft Defender for Cloud. The Azure Defender plans were also renamed Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage.

Introduction

Azure Security Center (ASC) is a security management tool that gives you insight into your security state across hybrid cloud workloads, reduces your exposure to attacks, and lets you respond quickly to detected threats. ASC periodically analyzes the security state of your resources, whether they are deployed on Azure or on-premises, to identify potential security vulnerabilities. It then provides security recommendations on how to remediate them, which helps you strengthen your Cloud Security Posture Management (CSPM).

Security Center also plays a vital role as a Cloud Workload Protection Platform (CWPP): it protects you against emerging threats and generates security alerts for resources deployed on Azure, on-premises, and in hybrid cloud environments. Security alerts are triggered by advanced detection and behavioral analytics, which are available only in the Standard tier of Azure Security Center.

Continuous export is a new feature in Azure Security Center that went GA on March 30th, 2020. It configures streaming export of security alerts and recommendations to export targets such as Azure Event Hub and Azure Monitor (Log Analytics workspace). Here are a few examples of workflows you can build on these new capabilities:

> With Continuous Export to Log Analytics workspace, you can create custom dashboards with PowerBI.

> With Continuous Export to Event Hub, you can export Security Center alerts and recommendations in real time to your 3rd-party Security Information and Event Management (SIEM) system, to another 3rd-party solution, or to Azure Data Explorer.

Scenario

Suppose your organization has a policy that requires all security alerts and recommendations to be forwarded automatically to a third-party Security Information and Event Management (SIEM) solution such as Splunk, IBM QRadar, or ArcSight. For this scenario, you can leverage Azure Event Hubs to stream and export Azure Security Center alerts and recommendations to your SIEM system, as described in this article.

Now suppose you have a large number of Azure subscriptions that you want to onboard with continuous export, whether to Event Hub or to a Log Analytics workspace. Azure Policy to the rescue!

Last week, I blogged about how to export Azure Security Center alerts and recommendations to Azure Event Hubs for a single subscription. In today’s article, I will show you how to automate and enable continuous export to Event Hub, as well as to a Log Analytics workspace, when you want to onboard multiple subscriptions.

Prerequisites

To follow this article, you need to have the following:

  1. Azure subscription. If you don’t have an Azure subscription, you can create a free one here.
  2. Azure Security Center Free tier or Standard tier enabled. Please note that the Standard tier is required to receive security alerts.
  3. An Event Hub namespace and an event hub in your Azure subscription. Learn how to create an event hub.
    • Please note that you need to have at least one event hub namespace in any of your Azure subscription(s) to be used as a target export subscription.
  4. Log Analytics Workspace – To create a new workspace, follow the instructions on how to create a Log Analytics workspace.
    • Please note that you need to have at least one Log Analytics workspace in any of your Azure subscription(s) to be used as a target export subscription.

Please note that integrating third-party (SIEM) solutions with Azure Security Center is out of the scope of this article.

Automate continuous export to Event Hub

Microsoft has just released a custom policy definition that helps you enable the export of Azure Security Center alerts and/or recommendations to Event Hub on your subscription. This Azure Policy definition ensures that when a new Azure subscription is created, an export-to-Event-Hub configuration with your conditions and target event hub is applied to that subscription.

This Azure Policy also enables the export-to-Event-Hub configuration for existing Azure subscription(s). So instead of going to each subscription in Security Center and enabling continuous export by hand, this custom policy checks and configures your subscription(s) with a single remediation task.

To enable and automate continuous export to Event Hub, click on the “Deploy to Azure” button and follow the steps as shown in the video below.

Deploy To Azure

Please note that once this custom policy is assigned with the desired scope and input parameters, you need to wait at least 15 minutes for the policy to kick in. The policy isn’t triggered immediately; this is by design. Behind the scenes, Azure Policy creates a remediation task, as shown in the following screenshot.

[Screenshot: remediation task created by the Event Hub export policy assignment]

The remediation task is very useful for onboarding existing subscription(s) with continuous export: the remediation step runs automatically, without any intervention on your side.

Automate continuous export to Log Analytics

Microsoft has also released a custom policy definition that helps you enable the export of Azure Security Center alerts and/or recommendations to a Log Analytics workspace on your subscription. This Azure Policy definition ensures that when a new Azure subscription is created, an export-to-Log-Analytics configuration with your conditions and target workspace is applied to that subscription.

To enable and automate continuous export to the Log Analytics workspace, click the “Deploy to Azure” button and follow the steps shown in the video below. The onboarding experience is exactly the same as for Event Hub, but with different input parameters.

Deploy To Azure

Please note that once this custom policy is assigned with the desired scope and input parameters, you need to wait at least 15 minutes for the policy to kick in. The policy isn’t triggered immediately; this is by design. Behind the scenes, Azure Policy creates a remediation task, as shown in the following screenshot.

[Screenshot: remediation task created by the Log Analytics export policy assignment]

As with Event Hub, the remediation task onboards existing subscription(s) with continuous export automatically, without any intervention on your side.
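Both policy definitions above (Event Hub and Log Analytics) deploy the same kind of Azure resource on each subscription: a `Microsoft.Security/automations` resource whose sources are the alert and recommendation streams, whose rule sets filter them (for example by severity), and whose action points at the target event hub or workspace. The following Python is an added example, not Microsoft's policy definition and not the author's code: it builds that resource body for either target and implements the kind of existence check a DeployIfNotExists policy performs before deciding a subscription needs remediation. The subscription and resource IDs are constructed placeholders, and the `propertyJPath` values used for severity filtering are my assumption about the schema; verify them against the ARM template you export from the portal.

```python
"""Build and check the Microsoft.Security/automations resource behind continuous export.

Added example for this post; not Microsoft's policy definition or the author's code.
Assumptions: all resource IDs are constructed placeholders; the propertyJPath values
are assumed and should be checked against a template exported from the portal.
"""
import json

API_VERSION = "2019-01-01-preview"  # API version of Microsoft.Security/automations

# Constructed placeholder identifiers (not real resources).
SUB_ID = "00000000-0000-0000-0000-000000000000"
WORKSPACE_ID = (f"/subscriptions/{SUB_ID}/resourceGroups/rg-security/providers/"
                "Microsoft.OperationalInsights/workspaces/law-central")
EVENTHUB_ID = (f"/subscriptions/{SUB_ID}/resourceGroups/rg-security/providers/"
               "Microsoft.EventHub/namespaces/ehns-siem/eventhubs/asc-export")


def severity_rule(jpath: str, severity: str) -> dict:
    """One filter rule. Rules inside a ruleSet are ANDed; separate ruleSets are ORed."""
    return {"propertyJPath": jpath, "propertyType": "String",
            "expectedValue": severity, "operator": "Equals"}


def export_sources(severities: tuple = ("High",)) -> list:
    """Alerts plus recommendations (Assessments), one ruleSet per accepted severity."""
    alert_sets = [{"rules": [severity_rule("Severity", s)]} for s in severities]
    # Recommendation severity sits under the assessment metadata (assumed JPath).
    rec_sets = [{"rules": [severity_rule("properties.metadata.severity", s)]}
                for s in severities]
    return [{"eventSource": "Alerts", "ruleSets": alert_sets},
            {"eventSource": "Assessments", "ruleSets": rec_sets}]


def workspace_action(workspace_id: str) -> dict:
    return {"actionType": "Workspace", "workspaceResourceId": workspace_id}


def eventhub_action(eventhub_id: str, connection_string_ref: str) -> dict:
    # Pass the connection string as a secure template parameter, never a literal.
    return {"actionType": "EventHub", "eventHubResourceId": eventhub_id,
            "connectionString": connection_string_ref}


def automation_resource(name: str, subscription_id: str, action: dict,
                        sources: list, location: str = "westeurope") -> dict:
    """ARM resource body of the kind the DeployIfNotExists policy deploys."""
    return {
        "type": "Microsoft.Security/automations",
        "apiVersion": API_VERSION,
        "name": name,
        "location": location,
        "properties": {
            "description": "Continuous export of Security Center alerts and recommendations",
            "isEnabled": True,
            "scopes": [{"description": "current subscription",
                        "scopePath": f"/subscriptions/{subscription_id}"}],
            "sources": sources,
            "actions": [action],
        },
    }


def satisfies_export(existing: dict, subscription_id: str, action_type: str,
                     target_id: str, event_sources: tuple) -> bool:
    """Existence check in the spirit of the policy's existenceCondition: the automation
    must be enabled, scoped to this subscription, deliver to the expected target, and
    cover every required event source. Anything else means remediation is needed."""
    props = existing.get("properties", {})
    if not props.get("isEnabled"):
        return False
    scope = f"/subscriptions/{subscription_id}".lower()
    if not any(s.get("scopePath", "").lower() == scope for s in props.get("scopes", [])):
        return False
    id_key = {"Workspace": "workspaceResourceId", "EventHub": "eventHubResourceId"}.get(action_type)
    if id_key is None:
        return False
    if not any(a.get("actionType") == action_type
               and a.get(id_key, "").lower() == target_id.lower()
               for a in props.get("actions", [])):
        return False
    present = {s.get("eventSource") for s in props.get("sources", [])}
    return all(src in present for src in event_sources)


if __name__ == "__main__":
    res = automation_resource("ExportToWorkspace", SUB_ID,
                              workspace_action(WORKSPACE_ID), export_sources())
    print(json.dumps(res, indent=2))
    print("compliant:", satisfies_export(res, SUB_ID, "Workspace", WORKSPACE_ID,
                                         ("Alerts", "Assessments")))
```

The check deliberately compares the target resource ID, not just the action type: a subscription that already exports to some other workspace is still non-compliant with a policy that mandates the central one, which is exactly the situation the remediation task is meant to fix.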

Summary

Continuous export is a great feature in Azure Security Center that streams security alerts and recommendations to Azure Event Hub and a Log Analytics workspace so that you are notified immediately and can take the necessary actions. Continuous export in Azure Security Center can also be integrated with a 3rd-party SIEM system, with Microsoft’s cloud-native SIEM Azure Sentinel, and with Azure Data Explorer.

In this article, you learned how to automate and enable continuous export of your Security Center recommendations and alerts to Azure Event Hub, as well as to a Log Analytics workspace.

There’s more…

Additional resources I highly encourage you to check:

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect, Swiss Certified ICT Security Expert, Certified Cloud Security Professional (CCSP), Certified Information Security Manager (CISM), Microsoft Most Valuable Professional (MVP), and Microsoft Certified Trainer (MCT). He has over 20 years of broad IT experience serving on and guiding technical teams to optimize the performance of mission-critical enterprise systems with extensive practical knowledge of complex systems build, network design, business continuity, and cloud security.

4 thoughts on “Automate Continuous Export for Azure Security Center with Azure Policy”


  1. Hi, can I check on this topic, one of the policies is to configure the continuous export to the LAW within the same subscription? What if I have a centralized LAW that is located in a separate subscription and I want all other subscriptions to continuous export to this specific centralized LAW?

    Regards,
    Chris Cheng

  2. Hello Chris, thanks for the comment!
    Yes, this scenario is completely doable. You could send continuous export for every subscription in Microsoft Defender for Cloud to a centralized LAW that is located in a dedicated subscription.
    It works without any issue.
    Hope it helps!

  3. Hi,
    We have manually configured continuous export from Defender to Log Analytics at the subscription level.
    Microsoft Defender for Cloud -> Environment settings -> Select Subscription -> Continuous Export -> Select Log Analytics tab -> Just checked “security recommendations” and “security alerts” and provided the target resource group, subscription and workspace.
    Now we want to automate (using DevOps) the above process via ARM Template if possible.
    But as per this https://learn.microsoft.com/en-us/azure/defender-for-cloud/continuous-export?tabs=azure-portal, we can configure it only with the REST API.
    So using REST API, how to configure just “Security recommendations” and “Security alerts” with high priority and export to log analytics is not clear.
    Do you have any idea how to achieve this?

  4. Hello Kumar, thanks for the comment!
    Yes, you could automate and configure just “Security recommendations” and “Security alerts” with high priority and export to log analytics using ARM Templates.
    Please see the following built-in policy for Continuous export to the Log Analytics workspace in the Azure portal.
    Then you could export the ARM template and use it in Azure DevOps.
    Here is a screenshot of the ARM template parameters for your reference:
    Deploy export to Log Analytics workspace for Microsoft Defender for Cloud
    Hope it helps!

