Connect data from Azure Security Center (ASC)
Azure Sentinel enables you to connect alerts from Azure Security Center and stream them into Azure Sentinel.
To export alerts from Azure Security Center, you must have the Security Reader role on the subscription whose logs you stream.
Connect to Azure Security Center
In Azure Sentinel, select Data connectors from the navigation menu.
From the data connectors gallery, select Azure Security Center, and click the Open connector page button.
Under Configuration, click Connect next to each subscription whose alerts you want to stream into Azure Sentinel. The Connect button is available only if you have the required permissions and the subscription is on the ASC Standard tier.
You can select whether you want the alerts from Azure Security Center to automatically generate incidents in Azure Sentinel. Under Create incidents, select Enabled to turn on the default analytics rule that automatically creates incidents from alerts. You can then edit this rule under Analytics, in the Active rules tab.
To use the relevant schema in Log Analytics for the Azure Security Center alerts, search for SecurityAlert.
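To confirm that alerts are arriving for each subscription you connected, a query like the following can be run against the SecurityAlert table in Log Analytics. It is an added example, not part of the original article, and it assumes that ASC alerts are recorded with ProductName "Azure Security Center" and that ResourceId carries the subscription ID of the affected resource.

```kusto
// Added example: per-subscription check that ASC alerts are being ingested.
// Assumption: ASC alerts have ProductName == "Azure Security Center".
SecurityAlert
| where TimeGenerated > ago(7d)
| where ProductName == "Azure Security Center"
// ResourceId has the form /subscriptions/<guid>/resourceGroups/...;
// extract the GUID so alerts can be grouped by source subscription.
| extend AlertSubscription = tolower(extract(@"(?i)/subscriptions/([0-9a-f-]{36})", 1, ResourceId))
| summarize
    Alerts     = count(),
    High       = countif(AlertSeverity == "High"),
    Medium     = countif(AlertSeverity == "Medium"),
    Low        = countif(AlertSeverity == "Low"),
    FirstAlert = min(TimeGenerated),
    LastAlert  = max(TimeGenerated)
  by AlertSubscription
| order by LastAlert desc
```

A connected subscription that is missing from the result has produced no ASC alerts in the window, so check that its Connect status and Standard tier are still in place before treating the silence as a clean bill of health.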
In this document, you learned how to connect Azure Security Center to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
- Learn how to get visibility into your data and potential threats.
- Get started detecting threats with Azure Sentinel.