Connect data from Azure Security Center

Azure Sentinel enables you to connect alerts from Azure Security Center and stream them into Azure Sentinel.

Prerequisites

  • If you want to export alerts from Azure Security Center, you must be a contributor on the subscription whose logs you stream.

  • You must have the Azure Security Center Standard tier running on the subscription. If not, upgrade your subscription to standard.

  • You must sign in with a user who has global administrator or security administrator permissions on each subscription you want to connect.

Connect to Azure Security Center

  1. In Azure Sentinel, select Data connectors and then click the Azure Security Center tile.

  2. On the right, click Connect next to each subscription whose alerts you want to stream into Azure Sentinel. Make sure each subscription has been upgraded to the Azure Security Center Standard tier; otherwise its alerts cannot be streamed to Azure Sentinel.

  3. You can choose whether alerts from Azure Security Center should automatically generate incidents in Azure Sentinel. Under Create incidents, select Enable to turn on the default analytic rule that creates incidents from alerts generated by the connected security service. You can then edit this rule under Analytics and then Active rules.

  4. Click Connect.

  5. To use the relevant schema in Log Analytics for the Azure Security Center alerts, search for SecurityAlert.
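Once the connector is enabled, a practitioner usually wants to confirm that alerts are actually arriving. The following Log Analytics query is an added example and is not part of the original page; it assumes the ASC alerts are tagged with ProductName "Azure Security Center" in the SecurityAlert table and that ResourceId follows the usual /subscriptions/<id>/... form.

```kql
// Added example (not from the original page): check which connected subscriptions
// have delivered Azure Security Center alerts in the last 24 hours, and when.
// A subscription missing from the output, or with a stale LastAlert, is worth
// checking against the connector status and the Standard tier requirement.
SecurityAlert
| where TimeGenerated > ago(24h)
| where ProductName == "Azure Security Center"          // filter used by this connector (assumption)
| extend SubscriptionId = tostring(split(ResourceId, "/")[2])   // assumes /subscriptions/<id>/... form
| summarize
    AlertCount  = count(),
    LastAlert   = max(TimeGenerated),
    HighOrMedium = countif(AlertSeverity in ("High", "Medium")),
    Alerts      = make_set(AlertName, 20)
    by SubscriptionId
| order by LastAlert desc
```

Widen the ago() window if a subscription legitimately produces few alerts; an empty result for a subscription you expect to see is the first sign the connector or tier is not set up correctly.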

Next steps

In this document, you learned how to connect Azure Security Center to Azure Sentinel. To learn more about Azure Sentinel, see the following articles: