Recently, Microsoft announced the capability to export Azure Security Center alerts and recommendations to an Azure Event Hub or a Log Analytics workspace, or to integrate them with a third-party SIEM (Security Information and Event Management) system in your environment.
In this post, I will share the process of exporting Security Center alerts to Azure Event Hub.
Before we start the integration, we need to set up an Azure Event Hub namespace and an Event Hub. They can be in the same subscription as Security Center or in a different one. You can create the Event Hub with the Azure portal, PowerShell, or any IaC tool such as Azure Resource Manager templates or Terraform. In this example I will use the Azure portal.
Set up Azure Event Hub
Log in to the Azure portal and search for Event Hubs from the top search bar or from the all services list in the left panel.
First, we will create a new Event Hub namespace and add a new Event Hub to it. If you already have an Event Hub namespace and just want to add a new Event Hub, skip to step 5.
1. Click on the Add button to start the process. Select an existing Resource Group or create a new one. Provide a name for the namespace. Select your preferred location, pricing tier and throughput units as shown in the screenshot:
2. Next, we can enable the Availability Zones feature. This is optional.
3. Apply tags, or skip this step. However, applying tags is recommended.
4. Finally, Review and Create the Event Hub namespace.
5. Once the Event Hub namespace is created, let's create an Event Hub. In the left panel, click on Event Hubs as shown in the screenshot:
6. Click on +Event Hub as shown in the screenshot.
7. Provide a name for the Event Hub and select the number of partitions. An Event Hub can have a maximum of 32 partitions.
8. We will set up a Shared Access Policy with the proper permissions. This policy will be used when configuring the integration with Security Center.
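The same eight steps can be scripted with the Az.EventHub PowerShell module, which the post mentions as an alternative to the portal. The script below is an added example and is not part of the original post: it creates the resource group, the namespace (with tags and optional zone redundancy), the Event Hub, and a Shared Access Policy scoped to the hub that grants only Send rights, which is all Security Center needs to write alerts. The subscription id, resource group, region, and all resource names are placeholders, and the Standard tier with one throughput unit is an arbitrary choice for the example.

```powershell
# Added example (not from the original post): creates the Event Hub namespace,
# the Event Hub and a Send-only Shared Access Policy with the Az.EventHub module.
# Every value below is a placeholder; adjust it to your environment.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$resourceGroup  = 'rg-security-export'                      # placeholder
$location       = 'westeurope'                              # placeholder
$namespaceName  = 'ehns-asc-export'                         # placeholder, must be globally unique
$eventHubName   = 'asc-alerts'                              # placeholder
$policyName     = 'asc-send-only'                           # placeholder

Connect-AzAccount | Out-Null
Set-AzContext -Subscription $subscriptionId | Out-Null

# Step 1: resource group and namespace (Standard tier, 1 throughput unit).
if (-not (Get-AzResourceGroup -Name $resourceGroup -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $resourceGroup -Location $location | Out-Null
}
# Step 3: tags make it clear who owns the hub and why it exists.
$tags = @{ owner = 'secops'; purpose = 'security-center-export' }
# Step 2: -ZoneRedundant enables Availability Zones; drop it if the region lacks zones.
New-AzEventHubNamespace -ResourceGroupName $resourceGroup -Name $namespaceName `
    -Location $location -SkuName Standard -SkuCapacity 1 -ZoneRedundant -Tag $tags | Out-Null

# Steps 5-7: the Event Hub itself with 4 partitions (the portal allows up to 32).
New-AzEventHub -ResourceGroupName $resourceGroup -NamespaceName $namespaceName `
    -Name $eventHubName -PartitionCount 4 | Out-Null

# Step 8: a Shared Access Policy scoped to this hub with Send rights only.
# Security Center only writes to the hub, so Listen and Manage are not needed;
# if the connection string ever leaks it cannot be used to read or reconfigure the hub.
New-AzEventHubAuthorizationRule -ResourceGroupName $resourceGroup -NamespaceName $namespaceName `
    -EventHubName $eventHubName -Name $policyName -Rights @('Send') | Out-Null

# Check the rights actually granted before handing the policy to Security Center.
$rule = Get-AzEventHubAuthorizationRule -ResourceGroupName $resourceGroup `
    -NamespaceName $namespaceName -EventHubName $eventHubName -Name $policyName
if (($rule.Rights -join ',') -ne 'Send') {
    throw "Policy '$policyName' grants '$($rule.Rights -join ',')', expected 'Send' only"
}
Write-Output "Event Hub '$eventHubName' in namespace '$namespaceName' is ready; policy '$policyName' grants Send only."
```

Scoping the policy to the Event Hub rather than the namespace, and granting only Send, keeps the credential Security Center holds to the minimum it needs; the SIEM that later reads from the hub should get its own Listen-only policy instead of reusing this one.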
Security Center Configuration
Now, we will configure Azure Security Center to integrate with the Event Hub and export alerts to it.
1. In the Azure portal, search for Security Center or select it from the all services list.
2. Click on Pricing & settings in the left panel and then click on Continuous export as shown in the following screenshot:
3. Select the Event Hub option in the right panel and, under Export configuration, select a Resource Group name from the drop-down list:
4. Under Exported data types, select the data types to export to the Event Hub: Security alerts and/or Security recommendations. We also need to select the severity of alerts or the type of recommendations to be exported.
5. Now, set the Export target to the previously configured Event Hub: select the Event Hub namespace, the Event Hub and the Shared Access Policy as shown in the following screenshot:
6. Finally, click on the Save button.
We have successfully set up the integration between Azure Security Center and Event Hub. We can further integrate the Azure Event Hub with a third-party SIEM tool to visualize the exported data in dashboards or to generate reports.
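The continuous export created by steps 1 to 6 is stored as a Microsoft.Security/automations resource, so the same configuration can be deployed without clicking through the portal. The script below is an added example, not the post's own procedure: it resolves the Event Hub and the connection string of the Send-only policy, builds the export definition (High and Medium alerts plus High-severity recommendations, matching the choices step 4 asks for), and creates it with New-AzResource. The subscription id, resource names and filter values are placeholders; the property names follow the Microsoft.Security/automations ARM schema used by continuous export and should be checked against the current API reference before deploying.

```powershell
# Added example (not from the original post): defines the continuous export as a
# Microsoft.Security/automations resource with New-AzResource.
# Every value below is a placeholder; adjust it to your environment.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$resourceGroup  = 'rg-security-export'                      # placeholder
$location       = 'westeurope'                              # placeholder
$namespaceName  = 'ehns-asc-export'                         # placeholder
$eventHubName   = 'asc-alerts'                              # placeholder
$policyName     = 'asc-send-only'                           # placeholder, a policy with Send rights only
$automationName = 'ExportToEventHub'                        # placeholder
$apiVersion     = '2019-01-01-preview'                      # API version of Microsoft.Security/automations

Set-AzContext -Subscription $subscriptionId | Out-Null

# Step 5: the export target is the hub's resource id plus the Send-only policy's connection string.
$hub  = Get-AzEventHub -ResourceGroupName $resourceGroup -NamespaceName $namespaceName -Name $eventHubName
$keys = Get-AzEventHubKey -ResourceGroupName $resourceGroup -NamespaceName $namespaceName `
    -EventHubName $eventHubName -Name $policyName

# Helper: one rule set that matches a single property value.
function New-ExportRuleSet([string]$Path, [string]$Value) {
    @{ rules = @(@{ propertyJPath = $Path; propertyType = 'String'; operator = 'Equals'; expectedValue = $Value }) }
}

# Step 4: exported data types and filters. Each rule set is evaluated on its own,
# so two rule sets on Severity export both High and Medium alerts.
$properties = @{
    description = 'Continuous export of Security Center alerts and recommendations to Event Hub'
    isEnabled   = $true
    scopes      = @(@{ description = 'whole subscription'; scopePath = "/subscriptions/$subscriptionId" })
    sources     = @(
        @{
            eventSource = 'Alerts'                   # Security alerts
            ruleSets    = @(
                (New-ExportRuleSet -Path 'Severity' -Value 'High'),
                (New-ExportRuleSet -Path 'Severity' -Value 'Medium')
            )
        },
        @{
            eventSource = 'Assessments'              # Security recommendations
            ruleSets    = @((New-ExportRuleSet -Path 'properties.metadata.severity' -Value 'High'))
        }
    )
    actions     = @(@{
        actionType         = 'EventHub'
        eventHubResourceId = $hub.Id
        connectionString   = $keys.PrimaryConnectionString
    })
}

# Step 6: create (or update) the export. -Force suppresses the confirmation prompt.
New-AzResource -ResourceGroupName $resourceGroup -ResourceType 'Microsoft.Security/automations' `
    -ResourceName $automationName -Location $location -ApiVersion $apiVersion `
    -Properties $properties -Force | Out-Null

# Verify that the automation exists and is enabled before relying on it.
$automation = Get-AzResource -ResourceGroupName $resourceGroup -ResourceType 'Microsoft.Security/automations' `
    -ResourceName $automationName -ApiVersion $apiVersion
if (-not $automation.Properties.isEnabled) {
    throw "Continuous export '$automationName' was created but is not enabled"
}
Write-Output "Continuous export '$automationName' is enabled and targets $($hub.Id)"
```

Keeping the export in source control this way makes it easy to review which severities leave the subscription and to re-apply the same filters in every subscription; the connection string is read at deployment time from the Send-only policy rather than being stored in the script.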