Export Azure Security Center Alerts And Recommendations To Azure Event Hubs


Introduction

Azure Security Center (ASC) is a security management tool that gives you insight into your security state across hybrid cloud workloads, reduces your exposure to attacks, and helps you respond to detected threats quickly. ASC periodically analyzes the security state of your resources, whether they are deployed on Azure or on-premises, to identify potential security vulnerabilities. It then provides security recommendations on how to remediate them, which helps you strengthen your Cloud Security Posture Management (CSPM).

Security Center also plays a vital role as a Cloud Workload Protection Platform (CWPP): it protects you against threats and generates security alerts for resources deployed on Azure, as well as for resources deployed on-premises and in hybrid cloud environments. Security alerts are triggered by advanced detection and behavioral analytics, which are available only in the Standard tier of Azure Security Center.

Continuous export is a new feature in Azure Security Center that went GA on March 30th, 2020 which can be used to configure the streaming export setting of security alerts and recommendations to multiple export targets such as Azure Event Hub and Azure Monitor (Log Analytics workspace). Here are a few examples of workflows you can create around these new capabilities:

  • With Continuous Export to a Log Analytics workspace, you can create custom dashboards with Power BI.
  • With Continuous Export to Event Hub, you can export Security Center alerts and recommendations in real time to your third-party Security Information and Event Management (SIEM) system, to another third-party solution, or to Azure Data Explorer.

Scenario

For example, your organization has a policy that requires all security alerts and recommendations to be forwarded automatically to a third-party Security Information and Event Management (SIEM) solution such as Splunk, IBM QRadar, or ArcSight. For this scenario, you can leverage Azure Event Hubs to stream and export Azure Security Center alerts and recommendations to your SIEM system.

Azure Event Hubs is a cloud-based event-processing service that can receive and process millions of events per second. Event Hubs acts as the front door of an event pipeline: it receives incoming data and stores it until processing resources are available.

In this article, I will show you how to integrate Azure Security Center with Event Hub so you can export security alerts and recommendations to your SIEM system. I will also show you how to read the alerts and recommendations from Event Hub.

For more information on how to export and integrate Azure Security Center alerts with Azure Monitor, please check the following article.

Prerequisites

To follow this article, you need to have the following:

  1. Azure subscription. If you don’t have an Azure subscription, you can create a free one here.
  2. Azure Security Center Free tier or Standard tier enabled. Please note that the standard tier is required to leverage security alerts.
  3. An Event Hub namespace and an event hub in your Azure subscription. Learn how to create an event hub.

Please note that integrating third-party SIEM solutions with Azure Security Center is out of scope for this article.

Setting up continuous export to Event Hub

To set up continuous export from Azure Security Center to Azure Event Hub, take the following steps:

  1. Open the Azure Portal and click on “Security Center” → “Pricing & settings”.
  2. Select the desired Azure subscription for which you want to configure continuous data export.
  3. From the sidebar under Settings, select “Continuous export”, and then select the “Event hub” tab as shown in the screenshot below.
  4. Next, enable the export by toggling the switch to “On”, and then select the data types you want to export. Choose which security recommendations to export, together with the severity levels (Low, Medium, or High) for recommendations and alerts. In this example, I export all security recommendations and select only “Medium, High” severity for recommendations and alerts, as shown in the screenshot below.
  5. Next, specify the “Export configuration” and “Export target”. Choose the resource group where this export configuration will reside, and then select the target Subscription, the Event Hub namespace, the Event Hub name, and the Event Hub policy name. The subscription is set by default to the one selected in step 2. As the screenshot below notes, saving data to the event hub incurs ingestion charges; please refer to the Event Hubs pricing page here.
  6. Finally, click the “Save” button on the top of the Settings | Continuous export page. Please note that the changes may take up to 5 minutes to be reflected.

View Security alerts in Event Hub

Once you activate continuous export to Azure Event Hub, you can open the Event Hub Namespace and select the Event Hub that you specified. On the Overview page, you will see that the event hub started receiving Incoming Requests.


Since my Event Hub Namespace is not connected to any third-party Security Information and Event Management (SIEM) solutions, I will leverage the Capture feature available in Event Hub to stream and store my events in a storage account as described in this article.

Next, I will simulate a suspicious PowerShell attack as described in this article, and then check the security alert in my Event Hub. Once Azure Security Center detects a security alert, it is automatically exported to Event Hub, and the Overview page now shows Incoming Messages.


Next, I will browse to my storage account | Blob | Containers and download the Avro file. Event Hubs Capture writes files in Avro format at the configured time window.


You can view and download these Avro files with any tool such as Azure Storage Explorer, and work on them locally using Avro Tools from Apache. In this example, I have downloaded Java and Avro Tools on my machine. Open a command prompt (cmd) window and run the following command to convert the Avro file to JSON format.

C:\Temp>java -jar avro-tools-1.9.2.jar tojson 47.avro > 47.json

If you open the JSON file, you can see the full details of the security alert “Suspicious PowerShell Activity Detected”:

{
  "VendorName": "Microsoft",
  "AlertType": "SCUBA_PSINSIGHT",
  "ProductName": "Azure Security Center",
  "StartTimeUtc": "2020-04-02T08:04:51.4262586Z",
  "EndTimeUtc": "2020-04-02T08:04:51.4262586Z",
  "TimeGenerated": "2020-04-02T08:05:26.5227834Z",
  "ProcessingEndTime": "2020-04-02T08:05:27.1946102Z",
  "Severity": "High",
  "Status": "New",
  "ProviderAlertStatus": null,
  "ConfidenceLevel": "Unknown",
  "ConfidenceScore": null,
  "ConfidenceReasons": null,
  "IsIncident": false,
  "SystemAlertId": "2518164861085737413_d6cddae8-5348-4c35-8d82-8498799365df",
  "CorrelationKey": null,
  "Intent": "Unknown",
  "AzureResourceId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/RG01/providers/Microsoft.Compute/virtualMachines/VD-JumpBox",
  "WorkspaceId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "WorkspaceSubscriptionId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "WorkspaceResourceGroup": "rg-az-security",
  "AgentId": "557e4cf8-e6a3-464f-9bcb-efc8dec2e992",
  "CompromisedEntity": "VD-JUMPBOX",
  "AlertDisplayName": "Suspicious PowerShell Activity Detected",
  "Description": "Analysis of host data detected a PowerShell script running on VD-JUMPBOX that has features in common with known suspicious scripts. This script could either be legitimate activity, or an indication of a compromised host.",
  "Entities": [
    {
      "$id": "4",
      "DnsDomain": "",
      "NTDomain": "",
      "HostName": "VD-JUMPBOX",
      "NetBiosName": "VD-JUMPBOX",
      "AzureID": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/RG01/providers/Microsoft.Compute/virtualMachines/VD-JumpBox",
      "OMSAgentID": "557e4cf8-e6a3-464f-9bcb-efc8dec2e992",
      "OSFamily": "Windows",
      "OSVersion": "Windows",
      "IsDomainJoined": false
    }
  ],
  "RemediationSteps": [
    "Review with VD-JUMPBOX\\cnadmin the suspicious script in this alert to see if you recognize this as legitimate administrative activity. If not, Escalate the alert to the information security team."
  ],
  "ExtendedProperties": {
    "Compromised Host": "VD-JUMPBOX",
    "User Name": "VD-JUMPBOX\\cnadmin",
    "Account Session Id": "0x39a2df",
    "Suspicious Process": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
    "Suspicious Command Line": "powershell  -nop -exec bypass -encodedcommand \"cabvahcazqbyahmaaablagwabaagac0aywbvag0abqbhag4azaagaciajgagahsaiabpahcacgagaggadab0ahaacwa6ac8alwbkag8adwbuagwabwbhagqalgbzahkacwbpag4adablahiabgbhagwacwauagmabwbtac8azgbpagwazqbzac8auwb5ahmabqbvag4algb6agkacaagac0atwb1ahqargbpagwazqagagmaogbcahqazqbtahaaxabzahyaywboag8acwb0ac4azqb4aguaiab9acia\"",
    "Parent Process": "c:\\windows\\system32\\cmd.exe",
    "Suspicious Process Id": "0x1cac",
    "Suspicious Script": "powershell -command \"& { iwr https://download.sysinternals.com/files/Sysmon.zip -OutFile c:\\temp\\svchost.exe }"
  }
}
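As an added example that is not part of the original article: a small Python script that reads the lines produced by the `avro-tools tojson` command above, pulls the alert out of each Capture record's Body field (Capture stores the event payload as bytes in Body, which is why the alert appears with escaped quotes in the converted file), and keeps only alerts at or above the severity chosen in the export settings. The sample records are constructed inline so it runs offline; the alert field names follow the alert shown above.

```python
import json

# Constructed sample alerts shaped like the Security Center alert shown above
# (only the fields this script reads are included).
ALERT_HIGH = {"AlertType": "SCUBA_PSINSIGHT", "Severity": "High", "Status": "New",
              "CompromisedEntity": "VD-JUMPBOX",
              "AlertDisplayName": "Suspicious PowerShell Activity Detected"}
ALERT_LOW = {"AlertType": "EXAMPLE_LOW", "Severity": "Low", "Status": "New",
             "CompromisedEntity": "WEB01",
             "AlertDisplayName": "Constructed low-severity alert"}


def capture_line(seq, payload):
    """Build one line the way `avro-tools tojson` prints an Event Hubs Capture
    record: the event payload sits in the Body field as a string."""
    return json.dumps({"SequenceNumber": seq, "Offset": str(seq * 1024),
                       "EnqueuedTimeUtc": "4/2/2020 8:05:27 AM",  # constructed
                       "SystemProperties": {}, "Properties": {},
                       "Body": json.dumps(payload)})


# A converted capture file: two alerts plus one malformed line to be skipped.
SAMPLE_LINES = [capture_line(47, ALERT_HIGH), capture_line(48, ALERT_LOW),
                "this line is not JSON"]

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2}


def parse_capture_alerts(lines):
    """Yield (sequence_number, alert) for each record whose Body is an alert."""
    for line in lines:
        try:
            record = json.loads(line)
            alert = json.loads(record["Body"])
        except (ValueError, KeyError, TypeError):
            continue  # not a capture record, or Body is not JSON: skip it
        if isinstance(alert, dict) and "AlertDisplayName" in alert:
            yield record.get("SequenceNumber"), alert


def triage(lines, min_severity="Medium"):
    """Return alerts at or above min_severity, highest severity first.
    Alerts with an unknown Severity value are dropped."""
    floor = SEVERITY_RANK[min_severity]
    kept = [{"seq": seq, "severity": a["Severity"], "name": a["AlertDisplayName"],
             "host": a.get("CompromisedEntity")}
            for seq, a in parse_capture_alerts(lines)
            if SEVERITY_RANK.get(a.get("Severity"), -1) >= floor]
    return sorted(kept, key=lambda r: -SEVERITY_RANK[r["severity"]])
```

To run it against a real converted file, pass `open("47.json")` as `lines`; the default "Medium" floor matches the "Medium, High" selection made in the export settings.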

The same is shown in Security Center | Security alerts dashboard.


We have now verified that Azure Security Center’s continuous export to Event Hub is working as expected.

If you are using one of the supported third-party SIEM solutions such as Splunk, IBM QRadar, or ArcSight, you will see the same results for any security alert or recommendation, with faster indexed search.

Summary

Continuous export is a great feature in Azure Security Center that can be used to configure and stream export data of Security alerts and recommendations to multiple export targets such as Azure Event Hub and Azure Monitor (Log Analytics workspace) to be immediately notified and take necessary actions. Continuous export in Azure Security Center can also be integrated with a 3rd-party (SIEM) system, Microsoft cloud-native (SIEM) Azure Sentinel and Azure Data Explorer.

In this article, you learned how to configure continuous exports of your security recommendations and alerts in the Security Center to Azure Event Hub, and then we read the security alerts in Event Hub.

There’s more…

I highly recommend checking Workflow automation in Azure Security Center to automate your security operations. Learn more about how to integrate Azure Security Center with Azure Sentinel cloud-native (SIEM).

What if you have a large number of Azure subscriptions that you want to onboard with continuous export to Event Hub? Stay tuned for the next article, where I will show you how to automate and enable continuous export to Event Hub for many subscriptions.

To learn more about Azure Security Center, check the official documentation from Microsoft. For more information about Continuous export, please check the following document.

To learn more about Azure Event Hub, check the official documentation from Microsoft here.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

About Charbel Nemnom
Charbel Nemnom is a Cloud Architect, Swiss Certified ICT Security Expert, Microsoft Most Valuable Professional (MVP), and Microsoft Certified Trainer (MCT), a fan of the latest IT platform solutions, and an accomplished hands-on technical professional with over 17 years of broad IT infrastructure experience serving on and guiding technical teams to optimize the performance of mission-critical enterprise systems. An excellent communicator, he is adept at identifying business needs and bridging the gap between functional groups and technology to foster targeted and innovative IT project development. He is well respected by peers for his passion for technology and performance improvement, and has extensive practical knowledge of complex system builds, network design, business continuity, and cloud security.
