Azure Security introduces an interesting feature that allows you to send security information generated by your environment to other solutions. This is done through a continuous export mechanism of alerts and recommendations to Azure Event Hubs or to Azure Monitor Log Analytics workspaces. This feature opens up new integration scenarios for Azure Security Center. This article describes how to use this feature and delves into its features.
Azure Security Center (ASC) carries out a continuous assessment of the environment and is able to provide the recommendations concerning the security of the environment. As described in this article you can customize the solution to meet your own security requirements and the recommendations that are generated. In the standard tier, these recommendations may not be limited to the Azure environment alone, but it will also be possible to contemplate hybrid environments and on-premises resources.
Standard Security Center also generates alert when potential security threats are detected on resources in your environment. ASC sets priorities, lists the alerts, provides the information you need to quickly investigate issues and provides recommendations on how to resolve attacks.
Azure Event Hubs is a streaming platform for big data and a service for the ingestion of events. Can receive and process millions of events per second. The data sent to a Event Hub can be transformed and stored using any real-time analytics provider or batch or storage adapters.
The new feature that was introduced in the Azure Security Center is called Continuos Export, supports enterprise scenarios and allows you to do the following:
- Export to Azure Event Hubs to gain integration with third-party SIEMs and Azure Data Explorer.
- Export to a Log Analytics workspace to have an integration with Azure Monitor, useful to better analyze data, use Alert rule, Microsoft Power BI and customized dashboards.
- Export in a CSV file, for individual data exports (one shot).
The configuration is simple and can be carried out using the following procedure.
In Azure Security Center, you select the subscription for which you want to configure data export, and in the settings sidebar you select Continuos Export:
In this case you chose to configure the export to a Log Analytics workspace. You can select which recommendations to export and their severity level. Also for security alerts you can choose for which level to export. Export creates an object, therefore, you should specify which resource group to place it in.. Finally, you will need to select the Log Analytics target workspace.
The link for integration with Azure Monitor provides the ability to automatically create Alert rule already pre-configured.
By default these alert rules do not constitute the Action Group, therefore it is advisable to modify them to do a trigger to suit your needs.
These are the two default alert rules created:
Alternatively, having gone into the recommendations and the ASC alerts in a workspace, you can configure in the Azure Monitor Alert rule customized based on Log Analytics query.
The security alerts and the ASC recommendations are stored in tables SecurityAlert and SecurityRecommendations of the workspace. The name of the Log Analytics solution that contains these tables is relative to the ASC tier, which can then be Security and Audit (standard tier) or SecurityCenterFree (tier free).
The configuration of Continuos Export towards Event Hubs is similar and it is the best methodology to incorporate the recommendations and the Azure Security Center alerts with third-party SIEM solutions. Following, shows the connectors for the main third-party SIEM solutions:
- Splunk: Azure Monitor Add-On for Splunk
- IBM QRadar: Use a manually configured source log
- ArcSight: SmartConnector
In Azure Sentinel is instead available Data connector , it is native to contemplate the Azure Security Center alerts.
To configure exports to Azure Data Explorer you can use the procedure in this Microsoft documentation.
With this new feature introduced in Azure Security Center, you can consolidate all the alerts and recommendations generated by the solution to other tools, opening up new possible integration scenarios even with third-party solutions. All this is made possible through an easily configurable mechanism, allowing you to be notified immediately and quickly take action. These aspects are crucial when dealing with security information.