Azure Security Center search

Azure Security Center uses Log Analytics search to retrieve and analyze your security data. Log Analytics includes a query language to quickly retrieve and consolidate data. From Security Center, you can leverage Log Analytics search to construct queries and analyze collected data.

Search is available in both the Free tier and Standard tier of Security Center. The data available in your log searches depends on the tier applied to your workspace. See the Security Center pricing page for more information.

Note

Security Center does not save security data for a workspace under the Free tier. You can send a variety of logs to a workspace under the Free tier and search on that data, but search results do not include data from Security Center. Security Center only saves data to a workspace under the Standard tier.

  1. Under the Security Center main menu, select Search.


  2. Security Center lists all workspaces under your Azure subscriptions. Select a workspace. (If you have only one workspace, this workspace selector does not appear.)


  3. Log Search opens. To query for more data under the selected workspace, enter this example query:

    SecurityEvent | where EventID == 4625 | summarize count() by TargetAccount

    The result shows all accounts that failed to log on (event 4625), with a count of failures per account.


See Log Analytics query language for more information on how to query for data under the selected workspace.
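
The query in step 3 can be extended for triage. The following is an added example, not part of the original article: it keeps only accounts with repeated 4625 failures in the last 24 hours and flags those that also had a successful logon (event 4624) after the first failure. The window and threshold are constructed sample values, and the query assumes the standard SecurityEvent columns are populated in your workspace.

```kusto
// Added example (not from the original article).
// Assumes the SecurityEvent columns TimeGenerated, EventID, TargetAccount,
// Computer, IpAddress and LogonType are populated in the selected workspace.
// The 24h window and the threshold of 10 are constructed sample values; tune them.
let lookback = 24h;
let threshold = 10;
// Accounts with at least `threshold` failed logons in the window
let failures =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625
    | summarize FailedCount = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated),
                SourceIps = make_set(IpAddress, 20),
                Computers = make_set(Computer, 20),
                LogonTypes = make_set(LogonType)
        by TargetAccount
    | where FailedCount >= threshold;
// Most recent successful logon per account in the same window
let successes =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624
    | summarize LastSuccess = max(TimeGenerated) by TargetAccount;
// Left outer join keeps accounts that never logged on successfully
failures
| join kind=leftouter successes on TargetAccount
| extend SuccessAfterFailures = isnotnull(LastSuccess) and LastSuccess > FirstFailure
| project TargetAccount, FailedCount, FirstFailure, LastFailure,
          SuccessAfterFailures, LastSuccess, SourceIps, Computers, LogonTypes
| order by SuccessAfterFailures desc, FailedCount desc
```

Rows with SuccessAfterFailures set to true are the ones to review first, since a success following many failures can indicate a guessed password. Under the Free tier these queries return no Security Center data, as the note above explains.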

Next steps

In this article you learned how to access search in Security Center. Security Center uses Log Analytics search.