Day 9 #100DaysOfCloud
Azure Security Center
Azure Security Center is an infrastructure security management solution which provides organisations with tools to strengthen security and defend against threats in a native, integrated service.
Azure Event Hubs is a real-time data service that can ingest millions of events per second from almost any data source.
In March 2020, Azure Security Center made a feature called Continuous Export publicly available, allowing organisations to export security alerts and recommendations to external systems, through Event Hubs.
This enables integration with Azure Sentinel, third-party SIEM solutions, Azure Data Explorer, and Azure Functions.
Enable Continuous Export
Setting up Continuous Export from Security Center to Event Hubs is straightforward. First, you'll need to have an Event Hubs instance already available. If you need to, you can create one now.
Once you have an Event Hubs instance, you can get started.
From the Azure Portal, open Security Center, then click Pricing & Settings:
- Choose your Subscription from the list.
- Choose Continuous Export.
- In the Settings | Continuous Export pane, choose Event Hub, then slide the toggle to On.
- Once the Event Hub is enabled, choose which data types you wish to export, then set the export target. An example is shown below:
  - Resource Group where this configuration will live.
  - Event Hub that will be the target for the data.
- Click Save.
- To verify that data is being ingested, head to the Event Hub instance and click Overview.
Most SIEM solutions are able to collect data from an Event Hubs instance, so check out the documentation for your specific needs.
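The same setup as code, added here as an example rather than taken from the post: an ARM template for the Microsoft.Security/automations resource that Continuous Export creates behind the portal steps above, exporting High-severity alerts and all recommendations to an Event Hub. The Event Hub resource id and connection string are placeholder parameters, and the property names follow the 2019-01-01-preview automations API as I understand it, so check them against the ARM reference before deploying.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "eventHubResourceId": { "type": "string" },
    "eventHubConnectionString": { "type": "securestring" },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" }
  },
  "resources": [
    {
      "type": "Microsoft.Security/automations",
      "apiVersion": "2019-01-01-preview",
      "name": "ExportToHub",
      "location": "[parameters('location')]",
      "properties": {
        "description": "Continuous Export of Security Center alerts and recommendations to Event Hubs",
        "isEnabled": true,
        "scopes": [
          { "description": "Whole subscription", "scopePath": "[subscription().id]" }
        ],
        "sources": [
          {
            "eventSource": "Alerts",
            "ruleSets": [
              {
                "rules": [
                  { "propertyJPath": "Severity", "propertyType": "String", "expectedValue": "High", "operator": "Equals" }
                ]
              }
            ]
          },
          { "eventSource": "Assessments" }
        ],
        "actions": [
          {
            "actionType": "EventHub",
            "eventHubResourceId": "[parameters('eventHubResourceId')]",
            "connectionString": "[parameters('eventHubConnectionString')]"
          }
        ]
      }
    }
  ]
}
```

Deploy it into the resource group chosen in the steps above with `az deployment group create --resource-group <rg> --template-file export.json --parameters eventHubResourceId=<id> eventHubConnectionString=<string>`; take the connection string from a Send-only shared access policy on the Event Hub so the exported credential cannot read or manage the hub.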