Automate Continuous Export for Azure Security Center with Azure Policy

During Microsoft Ignite in November 2021, Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. They’ve also renamed Azure Defender plans to Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage.

Introduction

Azure Security Center (ASC) is a security management tool that allows you to gain insight into your security state across hybrid cloud workloads, reduce your exposure to attacks, and respond to detected threats quickly. ASC periodically analyzes the security state of your resources whether they are deployed on Azure or on-premises to identify potential security vulnerabilities. It then provides you with security recommendations on how to remediate them which helps you to strengthen your Cloud Security Posture Management (CSPM).

Security Center also plays a vital role in the Cloud Workload Protection Platform (CWPP) to protect you against emerging threats and generate security alerts for resources deployed on Azure, as well as for resources deployed on-premises and hybrid cloud environments. Security alerts are triggered by advanced detection and behavioral analytics which are available only in the Standard Tier of Azure Security Center.

Continuous export is a new feature in Azure Security Center that went GA on March 30th, 2020 which can be used to configure the streaming export setting of security alerts and recommendations to multiple export targets such as Azure Event Hub and Azure Monitor (Log Analytics workspace). Here are a few examples of workflows you can create around these new capabilities:

> With Continuous Export to Log Analytics workspace, you can create custom dashboards with PowerBI.

> With Continuous Export to Event Hub, you will be able to export Security Center alerts and recommendations to your 3rd-party Security Information and Event Management (SIEM) system, to a 3rd-party solution in real-time, or Azure Data Explorer.

Scenario

Suppose you have a policy in your organization that dictates to automatically forward all security alerts and recommendations to third-party Security Information and Event Management (SIEM) solutions such as Splunk, IBM QRadar, and ArcSight. For this scenario, you can leverage Azure Event Hubs to stream and export Azure Security Center alerts and recommendations to your SIEM system as described in this article.

Now you have a large number of Azure subscriptions that you want to onboard with continuous export whether to Event Hub or to Log Analytics workspace. Azure Policy to the rescue!

Last week, I blogged about how to export Azure Security Center alerts and recommendations to Azure Event Hubs for one subscription. In today’s article, I will show you how to automate and enable continuous export to Event Hub, as well as to the Log Analytics workspace if you want to onboard multiple subscriptions.

Prerequisites

To follow this article, you need to have the following:

1. Azure subscription. If you don’t have an Azure subscription, you can create a free one here.
2. Azure Security Center Free tier or Standard tier enabled. Please note that the standard tier is required to leverage security alerts.
3. An Event Hub namespace and an event hub in your Azure subscription. Learn how to create an event hub.
   • Please note that you need to have at least one event hub namespace in any of your Azure subscription(s) to be used as a target export subscription.
4. Log Analytics Workspace – To create a new workspace, follow the instructions on how to create a Log Analytics workspace.
   • Please note that you need to have at least one Log Analytics workspace in any of your Azure subscription(s) to be used as a target export subscription.

Please note that integrating third-party (SIEM) solutions with Azure Security Center is out of the scope of this article.

Automate continuous export to Event Hub

Microsoft just released a custom policy definition that will help you to enable and export Azure Security Center alerts and/or recommendations to Event Hub on your subscription. This Azure Policy definition will ensure that during the creation of a new Azure subscription(s), and export to event hub configuration with your conditions and target event hub will be configured for this subscription.

This Azure Policy will enable export to event hub configuration for existing Azure subscription(s) as well. So instead of going to an individual subscription in Security Center and enable continuous export, this custom policy will check and configure your subscription(s) with a single remediation task.

To enable and automate continuous export to Event Hub, click on the “Deploy to Azure” button and follow the steps as shown in the video below.

Please note that once this custom policy is assigned with the desired scope location and input parameters, you need to wait at least 15 minutes for the policy to kick in. The policy won’t be triggered immediately, this is by design. Behind the scene, Azure Policy will create a remediation task as shown in the following screenshot.

The remediation task is super useful to onboard existing subscription(s) with continuous export, in this way the remediation step will be done automatically without any intervention from your side.

Automate continuous export to Log Analytics

Microsoft also released a custom policy definition that will help you to enable and export Azure Security Center alerts and/or recommendations to the Log Analytics workspace on your subscription. This Azure Policy definition will ensure that during the creation of new Azure subscription(s), and export to Log Analytics workspace with your conditions and target workspace will be configured for this subscription.

To enable and automate continuous export to the Log Analytics workspace, click on the “Deploy to Azure” button and follow the steps as shown in the video below. The onboarding experience is exactly the same as for Event Hub but with different input parameters.

Please note that once this custom policy is assigned with the desired scope location and input parameters, you need to wait at least 15 minutes for the policy to kick in. The policy won’t be triggered immediately, this is by design. Behind the scene, Azure Policy will create a remediation task as shown in the following screenshot.

The remediation task is super useful to onboard existing subscription(s) with continuous export, in this way the remediation step will be done automatically without any intervention from your side.

Summary

Continuous export is a great feature in Azure Security Center that can be used to configure and stream export data of Security alerts and recommendations to Azure Event Hub and Log Analytics workspace to be immediately notified and take necessary actions. Continuous export in Azure Security Center can also be integrated with a 3rd-party (SIEM) system, Microsoft cloud-native (SIEM) Azure Sentinel, and Azure Data Explorer.

In this article, you learned how to automate and enable continuous exports of your security recommendations and alerts in the Security Center to Azure Event Hub, as well as to the Log Analytics workspace.

There’s more…

Additional resources I highly encourage you to check:

• Workflow automation in Azure Security Center to automate your security operations.
• Learn more about how to integrate Azure Security Center with Azure Monitor Alerts.
• Learn more about how to integrate Azure Security Center with Azure Sentinel cloud-native (SIEM).
• Learn more about Azure Security Center, check the official documentation from Microsoft.
• Learn more about Continuous export, check the following documentation from Microsoft.
• Learn more about Azure Policy, check the official documentation from Microsoft.

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

Related Posts