Azure Security data export to SIEM - Pipeline Configuration [Preview]
This document details the procedure to export Azure Security Center security data to a SIEM.
Processed events produced by Azure Security Center are published to the Azure Activity log, one of the log types available through Azure Monitor. Azure Monitor offers a consolidated pipeline for routing any of your monitoring data into a SIEM tool. This is done by streaming that data to an Event Hub where it can then be pulled into a partner tool.
This pipeline uses the Azure Monitor single pipeline to access the monitoring data from your Azure environment, so SIEMs and monitoring tools can be set up to consume the data with minimal effort.
The next sections describe how you can configure data to be streamed to an event hub. The steps assume that you already have Azure Security Center configured in your Azure subscription.
What Azure security data is exposed to the SIEM?
In this preview version we expose the security alerts. In upcoming releases, we will enrich the data set with security recommendations.
How to set up the pipeline
Create an Event Hub
Before you begin, you need to create an Event Hubs namespace and an Event Hub inside it. This namespace and Event Hub are the destination for all your monitoring data.
Stream the Azure Activity Log to Event Hubs
Refer to the Azure Monitor article on streaming the Azure Activity Log to Event Hubs for the steps.
Install a partner SIEM connector
Routing your monitoring data to an Event Hub with Azure Monitor enables you to easily integrate with partner SIEM and monitoring tools.
Refer to the list of supported SIEMs in the Azure Monitor documentation to find the connector for your tool.
Example for Querying data
Here are a couple of Splunk queries that you can use to pull alert data:
| Description of Query | Query |
|---|---|
| All Alerts | `index=main Microsoft.Security/locations/alerts` |
| Summarize count of operations by their name | `index=main sourcetype="amal:security" \| table operationName \| stats count by operationName` |
| Get Alerts info: Time, Name, State, ID, and Subscription | `index=main Microsoft.Security/locations/alerts \| table _time, properties.eventName, State, properties.operationId, am_subscriptionId` |
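The three queries above assume the data has already landed in Splunk. The following Python script is an added example, not part of this article, the Splunk add-on, or Azure Monitor: it reproduces the same three operations (filter to alerts, count by `operationName`, and tabulate time, name, state, ID and subscription) directly on the JSON envelope that Azure Monitor delivers to an Event Hub, so you can check what the pipeline emits before a SIEM connector is in place. The sample message is constructed here, and the field layout (`records`, `operationName`, `properties.eventName`, `properties.state`, `properties.operationId`, `resourceId`) is an assumption modelled on the query columns, not a captured payload.

```python
import json
from collections import Counter

# Constructed sample of the envelope Azure Monitor writes to an Event Hub: one
# message carrying a "records" array of Activity Log entries. The field names
# follow the columns used by the Splunk queries in this article; the exact
# layout is an assumption, not a captured payload.
SAMPLE_EVENT_HUB_MESSAGE = json.dumps({
    "records": [
        {
            "time": "2018-03-01T10:15:00.000Z",
            "category": "Security",
            "operationName": "Microsoft.Security/locations/alerts/activate/action",
            "resourceId": ("/subscriptions/00000000-0000-0000-0000-000000000000"
                           "/providers/Microsoft.Security/locations/westeurope"
                           "/alerts/example-alert-1"),
            "properties": {"eventName": "Suspicious process executed",
                           "state": "Active",
                           "operationId": "example-op-1"},
        },
        {
            "time": "2018-03-01T10:20:00.000Z",
            "category": "Security",
            "operationName": "Microsoft.Security/locations/alerts/activate/action",
            "resourceId": ("/subscriptions/00000000-0000-0000-0000-000000000000"
                           "/providers/Microsoft.Security/locations/westeurope"
                           "/alerts/example-alert-2"),
            "properties": {"eventName": "Failed RDP brute force attempt",
                           "state": "Dismissed",
                           "operationId": "example-op-2"},
        },
        {   # An Administrative record travels the same pipeline but is not an alert.
            "time": "2018-03-01T10:25:00.000Z",
            "category": "Administrative",
            "operationName": "Microsoft.Compute/virtualMachines/start/action",
            "resourceId": ("/subscriptions/00000000-0000-0000-0000-000000000000"
                           "/resourceGroups/example-rg/providers/Microsoft.Compute"
                           "/virtualMachines/example-vm"),
            "properties": {},
        },
    ]
})

# Operation prefix used by the 'All Alerts' query in this article.
ALERT_OPERATION_PREFIX = "Microsoft.Security/locations/alerts"


def parse_records(message):
    """Unwrap one Event Hub message into its list of Activity Log records."""
    body = json.loads(message)
    records = body.get("records", [])
    if not isinstance(records, list):
        raise ValueError("Event Hub message has no 'records' array")
    return records


def is_security_alert(record):
    """Equivalent of the 'All Alerts' query: keep records whose operation is an alert."""
    return (record.get("operationName") or "").startswith(ALERT_OPERATION_PREFIX)


def count_by_operation(records):
    """Equivalent of '... | stats count by operationName'."""
    return dict(Counter(r.get("operationName") or "<missing>" for r in records))


def subscription_from_resource_id(resource_id):
    """Pull the subscription ID out of an Azure resource ID ('/subscriptions/<id>/...')."""
    parts = resource_id.strip("/").split("/")
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        return parts[1]
    return None


def alert_summary(records):
    """Equivalent of the third query: time, name, state, ID and subscription per alert."""
    rows = []
    for r in filter(is_security_alert, records):
        props = r.get("properties") or {}
        rows.append({
            "time": r.get("time"),
            "eventName": props.get("eventName"),
            "state": props.get("state"),
            "operationId": props.get("operationId"),
            "subscriptionId": subscription_from_resource_id(r.get("resourceId") or ""),
        })
    return rows


if __name__ == "__main__":
    recs = parse_records(SAMPLE_EVENT_HUB_MESSAGE)
    print(count_by_operation(recs))
    for row in alert_summary(recs):
        print(row)
```

In a real deployment the message string would come from an Event Hub consumer (for example the `azure-eventhub` SDK's `EventHubConsumerClient`) rather than the constructed constant; each received event body is one such envelope, and the functions above apply unchanged. Non-alert categories such as Administrative arrive through the same Event Hub, which is why the filter on `operationName` matters before counting or tabulating.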