Continuously export Microsoft Defender for Cloud data

Microsoft Defender for Cloud generates detailed security alerts and recommendations. You can view them in the portal or through programmatic tools. You might also need to export some or all of this information for tracking with other monitoring tools in your environment.

You fully customize what will be exported, and where it will go with continuous export. For example, you can configure it so that:

  • All high severity alerts are sent to an Azure Event Hub
  • All medium or higher severity findings from vulnerability assessment scans of your SQL servers are sent to a specific Log Analytics workspace
  • Specific recommendations are delivered to an Event Hub or Log Analytics workspace whenever they're generated
  • The secure score for a subscription is sent to a Log Analytics workspace whenever the score for a control changes by 0.01 or more

Even though the feature is called continuous, there's also an option to export weekly snapshots.

This article describes how to configure continuous export to Log Analytics workspaces or Azure Event Hubs.


If you need to integrate Defender for Cloud with a SIEM, see Stream alerts to a SIEM, SOAR, or IT Service Management solution.


Defender for Cloud also offers the option to perform a one-time, manual export to CSV. Learn more in Manual one-time export of alerts and recommendations.


Aspect Details
Release state: General availability (GA)
Pricing: Free
Required roles and permissions:
  • Security admin or Owner on the resource group
  • Write permissions for the target resource.
  • If you're using the Azure Policy 'DeployIfNotExist' policies described below you'll also need permissions for assigning policies
  • To export data to Event Hub, you'll need Write permission on the Event Hub Policy.
  • To export to a Log Analytics workspace:
    • if it has the SecurityCenterFree solution, you'll need a minimum of read permissions for the workspace solution: Microsoft.OperationsManagement/solutions/read
    • if it doesn't have the SecurityCenterFree solution, you'll need write permissions for the workspace solution: Microsoft.OperationsManagement/solutions/action
    • Learn more about Azure Monitor and Log Analytics workspace solutions
Clouds: Commercial clouds
National (Azure Government, Azure China 21Vianet)

What data types can be exported?

Continuous export can export the following data types whenever they change:

Set up a continuous export

You can configure continuous export from the Microsoft Defender for Cloud pages in Azure portal, via the REST API, or at scale using the supplied Azure Policy templates. Select the appropriate tab below for details of each.

Configure continuous export from the Defender for Cloud pages in Azure portal

The steps below are necessary whether you're setting up a continuous export to Log Analytics workspace or Azure Event Hubs.

  1. From Defender for Cloud's menu, open Environment settings.

  2. Select the specific subscription for which you want to configure the data export.

  3. From the sidebar of the settings page for that subscription, select Continuous Export.

    Export options in Microsoft Defender for Cloud.

    Here you see the export options. There's a tab for each available export target.

  4. Select the data type you'd like to export and choose from the filters on each type (for example, export only high severity alerts).

  5. Select the appropriate export frequency:

    • Streaming – assessments will be sent when a resource’s health state is updated (if no updates occur, no data will be sent).
    • Snapshots – a snapshot of the current state of the selected data types will be sent once a week per subscription. To identify snapshot data, look for the field IsSnapshot.
  6. Optionally, if your selection includes one of these recommendations, you can include the vulnerability assessment findings together with them:

    To include the findings with these recommendations, enable the include security findings option.

    Include security findings toggle in continuous export configuration.

  7. From the "Export target" area, choose where you'd like the data saved. Data can be saved in a target on a different subscription (for example on a Central Event Hub instance or a central Log Analytics workspace).

  8. Select Save.


Log analytics supports records that are only up to 32KB in size. When the data limit is reached, you will see an alert telling you that the Data limit has been exceeded.

Information about exporting to a Log Analytics workspace

If you want to analyze Microsoft Defender for Cloud data inside a Log Analytics workspace or use Azure alerts together with Defender for Cloud alerts, set up continuous export to your Log Analytics workspace.

Log Analytics tables and schemas

Security alerts and recommendations are stored in the SecurityAlert and SecurityRecommendation tables respectively.

The name of the Log Analytics solution containing these tables depends on whether you have enabled the enhanced security features: Security ('Security and Audit') or SecurityCenterFree.


To see the data on the destination workspace, you must enable one of these solutions Security and Audit or SecurityCenterFree.

The SecurityAlert table in Log Analytics.

To view the event schemas of the exported data types, visit the Log Analytics table schemas.

View exported alerts and recommendations in Azure Monitor

You might also choose to view exported Security Alerts and/or recommendations in Azure Monitor.

Azure Monitor provides a unified alerting experience for a variety of Azure alerts including Diagnostic Log, Metric alerts, and custom alerts based on Log Analytics workspace queries.

To view alerts and recommendations from Defender for Cloud in Azure Monitor, configure an Alert rule based on Log Analytics queries (Log Alert):

  1. From Azure Monitor's Alerts page, select New alert rule.

    Azure Monitor's alerts page.

  2. In the create rule page, configure your new rule (in the same way you'd configure a log alert rule in Azure Monitor):

    • For Resource, select the Log Analytics workspace to which you exported security alerts and recommendations.

    • For Condition, select Custom log search. In the page that appears, configure the query, lookback period, and frequency period. In the search query, you can type SecurityAlert or SecurityRecommendation to query the data types that Defender for Cloud continuously exports to as you enable the Continuous export to Log Analytics feature.

    • Optionally, configure the Action Group that you'd like to trigger. Action groups can trigger email sending, ITSM tickets, WebHooks, and more. Azure Monitor alert rule.

You'll now see new Microsoft Defender for Cloud alerts or recommendations (depending on your configured continuous export rules and the condition you defined in your Azure Monitor alert rule) in Azure Monitor alerts, with automatic triggering of an action group (if provided).

Manual one-time export of alerts and recommendations

To download a CSV report for alerts or recommendations, open the Security alerts or Recommendations page and select the Download CSV report button.


Due to Azure Resource Graph limitations, the reports are limited to a file size of 13K rows. If you're seeing errors related to too much data being exported, try limiting the output by selecting a smaller set of subscriptions to be exported.

Download alerts data as a CSV file.


These reports contain alerts and recommendations for resources from the currently selected subscriptions.

FAQ - Continuous export

What are the costs involved in exporting data?

There is no cost for enabling a continuous export. Costs might be incurred for ingestion and retention of data in your Log Analytics workspace, depending on your configuration there.

Learn more about Log Analytics workspace pricing.

Learn more about Azure Event Hub pricing.

Does the export include data about the current state of all resources?

No. Continuous export is built for streaming of events:

  • Alerts received before you enabled export won't be exported.
  • Recommendations are sent whenever a resource's compliance state changes. For example, when a resource turns from healthy to unhealthy. Therefore, as with alerts, recommendations for resources that haven't changed state since you enabled export won't be exported.
  • Secure score per security control or subscription is sent when a security control's score changes by 0.01 or more.
  • Regulatory compliance status is sent when the status of the resource's compliance changes.

Why are recommendations sent at different intervals?

Different recommendations have different compliance evaluation intervals, which can vary from a few minutes to every few days. Consequently, recommendations will differ in the amount of time it takes for them to appear in your exports.

Does continuous export support any business continuity or disaster recovery (BCDR) scenarios?

When preparing your environment for BCDR scenarios, where the target resource is experiencing an outage or other disaster, it's the organization's responsibility to prevent data loss by establishing backups according to the guidelines from Azure Event Hubs, Log Analytics workspace, and Logic App.

Learn more in Azure Event Hubs - Geo-disaster recovery.

Is continuous export available for free?

Yes! Note that many alerts are only provided when you've enabled advanced protections. A good way to preview the alerts you'll get in your exported data is to see the alerts shown in Defender for Cloud's pages in the Azure portal.

Next steps

In this article, you learned how to configure continuous exports of your recommendations and alerts. You also learned how to download your alerts data as a CSV file.

For related material, see the following documentation: