Connect data from Azure Security Center
Azure Sentinel enables you to connect alerts from Azure Security Center and stream them into Azure Sentinel.
If you want to export alerts from Azure Security Center, you must be a contributor on the subscription whose logs you stream.
You must log in with a user that has global administrator or security administrator permissions on each subscription you want to connect.
Connect to Azure Security Center
In Azure Sentinel, select Data connectors and then click the Azure Security Center tile.
In the right, click Connect next to each subscription whose alerts you want to stream into Azure Sentinel. Make sure to upgrade each subscription to Azure Security Center Standard tier to stream alerts to Azure Sentinel.
You can select whether you want the alerts from Azure Security Center to automatically generate incidents in Azure Sentinel automatically. Under Create incidents select Enable to enable the default analytic rule that creates incidents automatically from alerts generated in the connected security service. You can then edit this rule under Analytics and then Active rules.
To use the relevant schema in Log Analytics for the Azure Security Center alerts, search for SecurityAlert.
In this document, you learned how to connect Azure Security Center to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
- Learn how to get visibility into your data, and potential threats.
- Get started detecting threats with Azure Sentinel.