Stream alerts to a SIEM, SOAR, or IT Service Management solution

Azure Security Center can stream your security alerts into the most popular Security Information and Event Management (SIEM), Security Orchestration Automated Response (SOAR), and IT Service Management (ITSM) solutions.

There are Azure-native tools for ensuring you can view your alert data in all of the most popular solutions in use today, including:

  • Azure Sentinel
  • Splunk Enterprise and Splunk Cloud
  • IBM's QRadar
  • ServiceNow
  • ArcSight
  • Power BI
  • Palo Alto Networks

Stream alerts to Azure Sentinel

Security Center natively integrates with Azure Sentinel, Azure's cloud-native SIEM and SOAR solution.

Learn more about Azure Sentinel.

Azure Sentinel's connectors for Security Center

Azure Sentinel includes built-in connectors for Azure Security Center at the subscription and tenant levels.

Configure ingestion of all audit logs into Azure Sentinel

Another alternative for investigating Security Center alerts in Azure Sentinel is to stream your audit logs into Azure Sentinel:

  • Connect Windows security events
  • Collect data from Linux-based sources using Syslog
  • Connect data from Azure Activity log

Tip

Azure Sentinel is billed based on the volume of data ingested for analysis in Azure Sentinel and stored in the Azure Monitor Log Analytics workspace. Azure Sentinel offers a flexible and predictable pricing model. Learn more at the Azure Sentinel pricing page.

Stream alerts with Microsoft Graph Security API

Security Center has out-of-the-box integration with Microsoft Graph Security API. No configuration is required and there are no additional costs.

You can use this API to stream alerts from your entire tenant (and data from many other Microsoft Security products) into third-party SIEMs and other popular platforms.

Learn more about Microsoft Graph Security API.
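The following is an added example, not code from the page or from Microsoft, showing what a tenant-wide poller against the Graph Security API looks like: it builds the alerts query for one provider newer than a watermark, follows `@odata.nextLink` paging, flattens each alert into the fields a SIEM rule keys on, and advances the watermark. The endpoint and the `SecurityEvents.Read.All` permission are real; the provider value `ASC` for Security Center alerts and the sample pages are assumptions, and the sample pages are constructed rather than real Graph output.

```python
import json
import urllib.parse
import urllib.request

# Microsoft Graph Security API alerts collection (real endpoint).
GRAPH_ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts"


def build_alerts_url(since_utc, provider="ASC", page_size=100):
    """First-page URL: alerts from one provider newer than the watermark.

    since_utc is an ISO-8601 UTC timestamp such as 2021-03-01T00:00:00Z.
    The provider value 'ASC' for Security Center is an assumption; confirm it
    against vendorInformation/provider in your own tenant's alerts.
    """
    odata_filter = f"vendorInformation/provider eq '{provider}' and eventDateTime gt {since_utc}"
    query = urllib.parse.urlencode({"$filter": odata_filter, "$top": page_size}, safe="$")
    return f"{GRAPH_ALERTS_URL}?{query}"


def graph_get(url, bearer_token):
    """Fetch one page over HTTPS; the token needs SecurityEvents.Read.All."""
    request = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {bearer_token}", "Accept": "application/json"})
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


def fetch_all_alerts(first_url, get_page):
    """Follow @odata.nextLink to the last page; get_page(url) returns a parsed page."""
    alerts, url, visited = [], first_url, set()
    while url:
        if url in visited:  # defensive: never spin forever on a repeated link
            raise RuntimeError(f"nextLink cycle at {url}")
        visited.add(url)
        page = get_page(url)
        alerts.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return alerts


def to_siem_event(alert):
    """Flatten a Graph alert into the fields a SIEM correlation rule keys on."""
    vendor = alert.get("vendorInformation") or {}
    return {
        "id": alert["id"],
        "title": alert.get("title"),
        "severity": (alert.get("severity") or "unknown").lower(),
        "status": alert.get("status"),
        "provider": vendor.get("provider"),
        "subscription": alert.get("azureSubscriptionId"),
        "time": alert.get("eventDateTime"),
        "hosts": [h.get("fqdn") or h.get("netBiosName") for h in alert.get("hostStates") or []],
    }


def next_watermark(alerts, previous):
    """Newest eventDateTime seen, so the next poll asks only for newer alerts."""
    times = [a["eventDateTime"] for a in alerts if a.get("eventDateTime")]
    return max(times + [previous])


def poll_once(since_utc, get_page):
    """One polling cycle: query, page through, flatten, return (events, new watermark)."""
    raw = fetch_all_alerts(build_alerts_url(since_utc), get_page)
    return [to_siem_event(a) for a in raw], next_watermark(raw, since_utc)


# Constructed sample pages (not real Graph output), shaped like the v1.0 alerts collection.
PAGE_TWO = GRAPH_ALERTS_URL + "?$skiptoken=constructed-page-2"
SAMPLE_PAGES = {
    "first": {
        "value": [
            {"id": "alert-001", "title": "Sample alert one", "severity": "High", "status": "newAlert",
             "eventDateTime": "2021-03-02T10:15:30Z",
             "azureSubscriptionId": "00000000-0000-0000-0000-000000000000",
             "vendorInformation": {"provider": "ASC", "vendor": "Microsoft"},
             "hostStates": [{"fqdn": "vm-web-01.example.internal"}]},
            {"id": "alert-002", "title": "Sample alert two", "severity": "Medium", "status": "inProgress",
             "eventDateTime": "2021-03-02T11:00:00Z", "vendorInformation": {"provider": "ASC"}},
        ],
        "@odata.nextLink": PAGE_TWO,
    },
    PAGE_TWO: {
        "value": [
            {"id": "alert-003", "title": "Sample alert three", "severity": "Low", "status": "resolved",
             "eventDateTime": "2021-03-02T12:30:00Z", "vendorInformation": {"provider": "ASC"}},
        ]
    },
}


def fake_get_page(url):
    """Offline stand-in for graph_get that serves the constructed pages."""
    return SAMPLE_PAGES.get(url, SAMPLE_PAGES["first"])


if __name__ == "__main__":
    events, watermark = poll_once("2021-03-01T00:00:00Z", fake_get_page)
    for event in events:
        print(json.dumps(event))
    print("next watermark:", watermark)
```

Swap `fake_get_page` for `lambda url: graph_get(url, token)` to run against a real tenant; persisting the returned watermark between runs is what keeps the poller from re-ingesting alerts the SIEM already has.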

Stream alerts with Azure Monitor

To stream alerts into ArcSight, Splunk, SumoLogic, Syslog servers, LogRhythm, Logz.io Cloud Observability Platform, and other monitoring solutions, connect Security Center with Azure Monitor via Azure Event Hubs:

  1. Enable continuous export to stream Security Center alerts into a dedicated Azure Event Hub at the subscription level.

    Tip

    To do this at the Management Group level using Azure Policy, see Create continuous export automation configurations at scale.

  2. Connect the Azure Event Hub to your preferred solution using Azure Monitor's built-in connectors.

  3. Optionally, stream the raw logs to the Azure Event Hub and connect to your preferred solution. Learn more in Monitoring data available.

Tip

To view the event schemas of the exported data types, visit the Event Hub event schemas.
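The following is an added example, not code from the page or from Microsoft, for the receiving end of the continuous-export pipeline described above: it parses one Event Hub message carrying exported Security Center alerts, flattens each alert into a record a SIEM can index, and selects the active alerts at or above a severity threshold for paging. The message body and its shape (an array of `Microsoft.Security` alert resources with a `properties` bag) are constructed assumptions modelled on the alert schema and must be checked against the Event Hub event schemas; the `consume` function assumes the `azure-eventhub` package is installed and is only needed for a live hub.

```python
import json
import re

# Security Center alert severities, ranked for threshold comparison.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
SUBSCRIPTION_RE = re.compile(r"^/subscriptions/([^/]+)/", re.IGNORECASE)

# Constructed sample message body (assumed shape; not real exported data).
SAMPLE_BODY = json.dumps([
    {
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
              "/providers/Microsoft.Security/locations/centralus/alerts/sample-alert-1",
        "name": "sample-alert-1",
        "type": "Microsoft.Security/Locations/alerts",
        "properties": {
            "alertDisplayName": "Sample: suspicious activity on a VM",
            "severity": "High",
            "status": "Active",
            "compromisedEntity": "vm-web-01",
            "timeGeneratedUtc": "2021-03-02T10:15:30.000Z",
            "productName": "Azure Security Center",
            "resourceIdentifiers": [{"type": "AzureResource", "azureResourceId":
                "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
                "/providers/Microsoft.Compute/virtualMachines/vm-web-01"}],
        },
    },
    {
        "id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-dev"
              "/providers/Microsoft.Security/locations/centralus/alerts/sample-alert-2",
        "name": "sample-alert-2",
        "type": "Microsoft.Security/Locations/alerts",
        "properties": {
            "alertDisplayName": "Sample: low-severity finding, already resolved",
            "severity": "Low",
            "status": "Resolved",
            "compromisedEntity": "storage-dev-01",
            "timeGeneratedUtc": "2021-03-02T10:20:00.000Z",
            "productName": "Azure Security Center",
        },
    },
])


def iter_alerts(body):
    """Yield alert resources from one message body (bytes or str).

    Tolerates a bare alert object, an array of alerts, or a {"records": [...]}
    envelope, because wrapping differs between export paths.
    """
    if isinstance(body, (bytes, bytearray)):
        body = body.decode("utf-8")
    data = json.loads(body)
    if isinstance(data, dict):
        data = data.get("records", [data])
    for item in data:
        if isinstance(item, dict) and "properties" in item:
            yield item


def normalize(alert):
    """Flatten an alert resource into one record a SIEM can index."""
    props = alert.get("properties", {})
    match = SUBSCRIPTION_RE.match(alert.get("id", ""))
    return {
        "alert_id": alert.get("name"),
        "subscription": match.group(1) if match else None,
        "title": props.get("alertDisplayName"),
        "severity": props.get("severity", "Informational"),
        "status": props.get("status"),
        "entity": props.get("compromisedEntity"),
        "time": props.get("timeGeneratedUtc"),
        "resources": [r["azureResourceId"] for r in props.get("resourceIdentifiers", [])
                      if r.get("azureResourceId")],
    }


def select_for_paging(records, min_severity="Medium"):
    """Active alerts at or above min_severity: the subset worth an on-call page."""
    threshold = SEVERITY_RANK[min_severity]
    return [r for r in records
            if r["status"] == "Active" and SEVERITY_RANK.get(r["severity"], 0) >= threshold]


def process_message(body, min_severity="Medium"):
    """Parse one message; return (all records, records selected for paging)."""
    records = [normalize(a) for a in iter_alerts(body)]
    return records, select_for_paging(records, min_severity)


def consume(connection_string, eventhub_name, min_severity="Medium"):
    """Live consumer via the azure-eventhub SDK (assumed installed); never runs offline."""
    from azure.eventhub import EventHubConsumerClient

    def on_event(partition_context, event):
        if event is None:  # receive() may call back with no event on idle partitions
            return
        _, to_page = process_message(event.body_as_str(), min_severity)
        for rec in to_page:
            print("PAGE", json.dumps(rec))
        partition_context.update_checkpoint(event)

    client = EventHubConsumerClient.from_connection_string(
        connection_string, consumer_group="$Default", eventhub_name=eventhub_name)
    with client:
        client.receive(on_event=on_event, starting_position="-1")


if __name__ == "__main__":
    all_records, to_page = process_message(SAMPLE_BODY)
    print(f"{len(all_records)} alerts parsed, {len(to_page)} selected for paging")
    for rec in to_page:
        print(json.dumps(rec))
```

Checkpointing after each processed event, as `consume` does, is what makes the pipeline safe to restart without dropping or duplicating alerts; without a checkpoint store the client restarts from the position given in `starting_position`.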

Next steps

This page explained how to ensure your Azure Security Center alert data is available in your SIEM, SOAR, or ITSM tool of choice. For related material, see: