Stream alerts to a SIEM, SOAR, or IT Service Management solution
Azure Security Center can stream your security alerts into the most popular Security Information and Event Management (SIEM), Security Orchestration Automated Response (SOAR), and IT Service Management (ITSM) solutions.
There are Azure-native tools for ensuring you can view your alert data in all of the most popular solutions in use today, including:
- Azure Sentinel
- Splunk Enterprise and Splunk Cloud
- IBM's QRadar
- Power BI
- Palo Alto Networks
Stream alerts to Azure Sentinel
Security Center natively integrates with Azure Sentinel, Azure's cloud-native SIEM and SOAR solution.
Azure Sentinel's connectors for Security Center
Azure Sentinel includes built-in connectors for Azure Security Center at the subscription and tenant levels:
- Stream alerts to Azure Sentinel at the subscription level
- Connect all subscriptions in your tenant to Azure Sentinel
Configure ingestion of all audit logs into Azure Sentinel
An alternative for investigating Security Center alerts in Azure Sentinel is to stream your audit logs into Azure Sentinel:
- Connect Windows security events
- Collect data from Linux-based sources using Syslog
- Connect data from Azure Activity log
Azure Sentinel is billed based on the volume of data ingested for analysis in Azure Sentinel and stored in the Azure Monitor Log Analytics workspace. Azure Sentinel offers a flexible and predictable pricing model. Learn more at the Azure Sentinel pricing page.
Stream alerts with Microsoft Graph Security API
Security Center has out-of-the-box integration with Microsoft Graph Security API. No configuration is required and there are no additional costs.
You can use this API to stream alerts from your entire tenant (and data from many other Microsoft Security products) into third-party SIEMs and other popular platforms:
- Splunk Enterprise and Splunk Cloud - Use the Microsoft Graph Security API Add-On for Splunk
- Power BI - Connect to the Microsoft Graph Security API in Power BI Desktop
- ServiceNow - Follow the instructions to install and configure the Microsoft Graph Security API application from the ServiceNow Store
- QRadar - IBM's Device Support Module for Azure Security Center via Microsoft Graph API
- Palo Alto Networks, Anomali, Lookout, InSpark, and more - Microsoft Graph Security API
Stream alerts with Azure Monitor
To stream alerts into ArcSight, Splunk, SumoLogic, Syslog servers, LogRhythm, Logz.io Cloud Observability Platform, and other monitoring solutions, connect Security Center to Azure Monitor via Azure Event Hubs:
1. Enable continuous export to stream Security Center alerts into a dedicated Azure Event Hub at the subscription level. To do this at the Management Group level using Azure Policy, see Create continuous export automation configurations at scale.
2. Optionally, stream the raw logs to the Azure Event Hub and connect to your preferred solution. Learn more in Monitoring data available.
3. To view the event schemas of the exported data types, visit the Event Hub event schemas.
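As an added example (not Microsoft's code and not part of this page), the script below takes one message body read from the continuous-export Event Hub and rewrites each alert as a CEF line for a syslog or ArcSight-style collector, escaping the header and extension delimiters and mapping Security Center severity labels onto the CEF 0-10 scale. The message envelope, the alert property names (the Microsoft.Security/alerts resource shape with a `properties` bag) and the two sample alerts are assumptions and constructed placeholders; check them against the Event Hub event schemas before using this against live data.

```python
"""Turn Security Center alerts pulled from the continuous-export Event Hub into
CEF syslog lines, the format ArcSight-style collectors expect.

Added example, not Microsoft's code. ASSUMPTIONS: the Event Hub message body is
JSON holding either a {"records": [...]} envelope, a bare list, or one alert
object, and each alert carries the Microsoft.Security/alerts resource shape
with a "properties" bag. Verify both against the Event Hub event schemas.
"""
import calendar
import json
from datetime import datetime
from typing import Dict, List, Optional

# Security Center severity labels -> CEF severity (0-10). An unknown label is
# mapped to 6 (medium) rather than dropped, so it still surfaces in the SIEM.
SEVERITY_TO_CEF = {"Informational": 0, "Low": 3, "Medium": 6, "High": 9}
UNKNOWN_SEVERITY = 6

# Constructed sample: two alerts in one Event Hub message. Resource ids, alert
# types and names are placeholders, not real Security Center values.
SAMPLE_MESSAGE = json.dumps({
    "records": [
        {
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Security/locations/westeurope/alerts/EXAMPLE-ALERT-1",
            "type": "Microsoft.Security/Locations/alerts",
            "properties": {
                "alertType": "EXAMPLE_AlertType",
                "systemAlertId": "EXAMPLE-ALERT-1",
                "alertDisplayName": "Example suspicious activity",
                "severity": "High",
                "timeGeneratedUtc": "2020-05-01T12:34:56.789Z",
                "compromisedEntity": "vm-example-01",
                "description": "Example|text with a pipe, an = sign\nand a newline",
                "remediationSteps": ["Review the activity", "Isolate the host"],
            },
        },
        {
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Security/locations/westeurope/alerts/EXAMPLE-ALERT-2",
            "type": "Microsoft.Security/Locations/alerts",
            "properties": {
                "alertType": "EXAMPLE_AlertType2",
                "systemAlertId": "EXAMPLE-ALERT-2",
                "alertDisplayName": "Example alert with an unexpected severity",
                "severity": "Unexpected",
                "timeGeneratedUtc": "2020-05-01T12:35:00Z",
                "compromisedEntity": "storage-example",
            },
        },
    ]
})


def cef_escape_header(value: object) -> str:
    """CEF header fields must escape backslash and the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_extension(value: object) -> str:
    """CEF extension values must escape backslash, '=' and newlines."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "").replace("\n", "\\n"))


def iso_to_epoch_ms(ts: str) -> Optional[int]:
    """Convert the alert's ISO 8601 UTC timestamp into CEF 'rt' milliseconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            dt = datetime.strptime(ts, fmt)
        except ValueError:
            continue
        return calendar.timegm(dt.timetuple()) * 1000 + dt.microsecond // 1000
    return None  # unparseable: omit rt and let the collector stamp arrival time


def parse_export_message(body: str) -> List[Dict]:
    """Unwrap one Event Hub message body into a list of alert records."""
    data = json.loads(body)
    if isinstance(data, dict) and isinstance(data.get("records"), list):
        return data["records"]
    if isinstance(data, list):
        return data
    if isinstance(data, dict):
        return [data]
    raise ValueError("unrecognised export message shape")


def alert_to_cef(record: Dict) -> str:
    """Render one alert record as a single CEF line."""
    props = record.get("properties", record)
    severity = SEVERITY_TO_CEF.get(props.get("severity"), UNKNOWN_SEVERITY)
    header = [
        "CEF:0", "Microsoft", "Azure Security Center",
        "1.0",  # device version: placeholder, the export carries none
        cef_escape_header(props.get("alertType", "unknown")),
        cef_escape_header(props.get("alertDisplayName", "unknown")),
        str(severity),
    ]
    ext_fields = [
        ("rt", iso_to_epoch_ms(props.get("timeGeneratedUtc", ""))),
        ("externalId", props.get("systemAlertId")),
        ("dhost", props.get("compromisedEntity")),
        ("msg", props.get("description")),
    ]
    # Custom string pairs (csNLabel/csN) are emitted only when the value exists,
    # so a label is never left without its value.
    custom = [
        ("resourceId", record.get("id")),
        ("remediationSteps", "; ".join(props.get("remediationSteps", []))),
        ("severityLabel", props.get("severity")),
    ]
    for n, (label, value) in enumerate(custom, start=1):
        if value not in (None, ""):
            ext_fields += [(f"cs{n}Label", label), (f"cs{n}", value)]
    ext = " ".join(f"{k}={cef_escape_extension(v)}"
                   for k, v in ext_fields if v not in (None, ""))
    return "|".join(header) + "|" + ext


def export_message_to_cef(body: str) -> List[str]:
    """Full path: one Event Hub message body -> list of CEF lines."""
    return [alert_to_cef(r) for r in parse_export_message(body)]


if __name__ == "__main__":
    for line in export_message_to_cef(SAMPLE_MESSAGE):
        print(line)
```

Reading from the hub itself (the azure-eventhub SDK's `EventHubConsumerClient`) is left out so the block runs offline; feed each received event body to `export_message_to_cef` and forward the lines over TLS syslog. Unknown severities are deliberately kept at medium rather than dropped, so a new label shows up in the SIEM instead of silently disappearing.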
This page explained how to ensure your Azure Security Center alert data is available in your SIEM, SOAR, or ITSM tool of choice. For related material, see: