Continuously export Microsoft Defender for Cloud data

Microsoft Defender for Cloud generates detailed security alerts and recommendations. To analyze the information in these alerts and recommendations, you can export them to Azure Log Analytics, Event Hubs, or to another SIEM, SOAR, or IT Service Management solution. You can stream the alerts and recommendations as they're generated or define a schedule to send periodic snapshots of all of the new data.

With continuous export, you fully customize what will be exported and where it will go. For example, you can configure it so that:

• All high severity alerts are sent to an Azure event hub
• All medium or higher severity findings from vulnerability assessment scans of your SQL servers are sent to a specific Log Analytics workspace
• Specific recommendations are delivered to an event hub or Log Analytics workspace whenever they're generated
• The secure score for a subscription is sent to a Log Analytics workspace whenever the score for a control changes by 0.01 or more

This article describes how to configure continuous export to Log Analytics workspaces or Azure event hubs.

Tip

Defender for Cloud also offers the option to perform a one-time, manual export to CSV. Learn more in Manual one-time export of alerts and recommendations.

Availability

Aspect	Details
Release state:	General availability (GA)
Pricing:	Free
Required roles and permissions:	Security admin or Owner on the resource group Write permissions for the target resource. If you're using the Azure Policy 'DeployIfNotExist' policies, you'll also need permissions for assigning policies To export data to Event Hubs, you'll need Write permission on the Event Hubs Policy. To export to a Log Analytics workspace: if it has the SecurityCenterFree solution, you'll need a minimum of read permissions for the workspace solution: Microsoft.OperationsManagement/solutions/read if it doesn't have the SecurityCenterFree solution, you'll need write permissions for the workspace solution: Microsoft.OperationsManagement/solutions/action Learn more about Azure Monitor and Log Analytics workspace solutions
Clouds:	Commercial clouds National (Azure Government, Azure China 21Vianet)

What data types can be exported?

Continuous export can export the following data types whenever they change:

• Security alerts.
• Security recommendations.
• Security findings. Findings can be thought of as 'sub' recommendations and belong to a 'parent' recommendation. For example:
  • The recommendations System updates should be installed on your machines (powered by Update Center) and System updates should be installed on your machines each has one 'sub' recommendation per outstanding system update.
  • The recommendation Machines should have vulnerability findings resolved has a 'sub' recommendation for every vulnerability identified by the vulnerability scanner.

  Note

  If you’re configuring a continuous export with the REST API, always include the parent with the findings.

• Secure score per subscription or per control.
• Regulatory compliance data.

Set up a continuous export

You can configure continuous export from the Microsoft Defender for Cloud pages in Azure portal, via the REST API, or at scale using the supplied Azure Policy templates.

Use the Azure portal

Configure continuous export from the Defender for Cloud pages in Azure portal

If you're setting up a continuous export to Log Analytics or Azure Event Hubs:

1. From Defender for Cloud's menu, open Environment settings.

2. Select the specific subscription for which you want to configure the data export.

3. From the sidebar of the settings page for that subscription, select Continuous export.

   

   Here you see the export options. There's a tab for each available export target, either Event hub or Log Analytics workspace.

4. Select the data type you'd like to export and choose from the filters on each type (for example, export only high severity alerts).

5. Select the export frequency:

   • Streaming – assessments will be sent when a resource’s health state is updated (if no updates occur, no data will be sent).
   • Snapshots – a snapshot of the current state of the selected data types will be sent once a week per subscription. To identify snapshot data, look for the field IsSnapshot.

   If your selection includes one of these recommendations, you can include the vulnerability assessment findings together with them:

   • SQL databases should have vulnerability findings resolved
   • SQL servers on machines should have vulnerability findings resolved
   • Container registry images should have vulnerability findings resolved (powered by Qualys)
   • Machines should have vulnerability findings resolved
   • System updates should be installed on your machines

   To include the findings with these recommendations, enable the include security findings option.

   

6. From the "Export target" area, choose where you'd like the data saved. Data can be saved in a target of a different subscription (for example, on a Central Event Hubs instance or a central Log Analytics workspace).

   You can also send the data to an Event hubs or Log Analytics workspace in a different tenant.

7. Select Save.

Note

Log analytics supports records that are only up to 32KB in size. When the data limit is reached, you will see an alert telling you that the Data limit has been exceeded.

Use the REST API

Configure continuous export using the REST API

Continuous export can be configured and managed via the Microsoft Defender for Cloud automations API. Use this API to create or update rules for exporting to any of the following possible destinations:

• Azure Event Hubs
• Log Analytics workspace
• Azure Logic Apps

You can also send the data to an Event Hubs or Log Analytics workspace in a different tenant.

Here are some examples of options that you can only use in the API:

• Greater volume - You can create multiple export configurations on a single subscription with the API. The Continuous Export page in the Azure portal supports only one export configuration per subscription.

• Additional features - The API offers parameters that aren't shown in the Azure portal. For example, you can add tags to your automation resource and define your export based on a wider set of alert and recommendation properties than the ones offered in the Continuous Export page in the Azure portal.

• More focused scope - The API provides a more granular level for the scope of your export configurations. When defining an export with the API, you can do so at the resource group level. If you're using the Continuous Export page in the Azure portal, you have to define it at the subscription level.

  Tip

  These API-only options are not shown in the Azure portal. If you use them, there'll be a banner informing you that other configurations exist.

Deploy at scale with Azure Policy

Configure continuous export at scale using the supplied policies

Automating your organization's monitoring and incident response processes can greatly improve the time it takes to investigate and mitigate security incidents.

To deploy your continuous export configurations across your organization, use the supplied Azure Policy 'DeployIfNotExist' policies to create and configure continuous export procedures.

To implement these policies

1. Select the policy you want to apply from this table:

   Goal	Policy	Policy ID
   Continuous export to Event Hubs	Deploy export to Event Hubs for Microsoft Defender for Cloud alerts and recommendations	cdfcce10-4578-4ecd-9703-530938e4abcb
   Continuous export to Log Analytics workspace	Deploy export to Log Analytics workspace for Microsoft Defender for Cloud alerts and recommendations	ffb6f416-7bd2-4488-8828-56585fef2be9

   Tip

   You can also find these by searching Azure Policy:

   1. Open Azure Policy.
   2. From the Azure Policy menu, select Definitions and search for them by name.

2. From the relevant Azure Policy page, select Assign.

3. Open each tab and set the parameters as desired:

   1. In the Basics tab, set the scope for the policy. To use centralized management, assign the policy to the Management Group containing the subscriptions that will use continuous export configuration.
   2. In the Parameters tab, set the resource group and data type details.

      Tip

      Each parameter has a tooltip explaining the options available to you.

      Azure Policy's parameters tab (1) provides access to similar configuration options as Defender for Cloud's continuous export page (2).

   3. Optionally, to apply this assignment to existing subscriptions, open the Remediation tab and select the option to create a remediation task.

4. Review the summary page and select Create.

Exporting to a Log Analytics workspace

If you want to analyze Microsoft Defender for Cloud data inside a Log Analytics workspace or use Azure alerts together with Defender for Cloud alerts, set up continuous export to your Log Analytics workspace.

Log Analytics tables and schemas

Security alerts and recommendations are stored in the SecurityAlert and SecurityRecommendation tables respectively.

The name of the Log Analytics solution containing these tables depends on whether you've enabled the enhanced security features: Security ('Security and Audit') or SecurityCenterFree.

Tip

To see the data on the destination workspace, you must enable one of these solutions Security and Audit or SecurityCenterFree.

To view the event schemas of the exported data types, visit the Log Analytics table schemas.

Export data to an Azure Event hub or Log Analytics workspace in another tenant

You can export data to an Azure Event hub or Log Analytics workspace in a different tenant, without using Azure Lighthouse. When collecting data into a tenant, you can analyze the data from one central location.

To export data to an Azure Event hub or Log Analytics workspace in a different tenant:

1. In the tenant that has the Azure Event hub or Log Analytics workspace, invite a user from the tenant that hosts the continuous export configuration.
2. For a Log Analytics workspace: After the user accepts the invitation to join the tenant, assign the user in the workspace tenant one of these roles: Owner, Contributor, Log Analytics Contributor, Sentinel Contributor, Monitoring Contributor
3. Configure the continuous export configuration and select the Event hub or Analytics workspace to send the data to.

You can also configure export to another tenant through the REST API. For more information, see the automations REST API.

Continuously export to an Event Hub behind a firewall

You can enable continuous export as a trusted service, so that you can send data to an Event Hub that has an Azure Firewall enabled.

To grant access to continuous export as a trusted service:

1. Sign in to the Azure portal.

2. Navigate to Microsoft Defender for Cloud > Environmental settings.

3. Select the relevant resource.

4. Select Continuous export.

5. Select Export as a trusted service.

   

You'll now need to add the relevant role assignment on the destination Event Hub.

To add the relevant role assignment on the destination Event Hub:

1. Navigate to the selected Event Hub.

2. Select Access Control > Add role assignment

   

3. Select Azure Event Hubs Data Sender.

4. Select the Members tab.

5. Select + Select members.

6. Search for and select Windows Azure Security Resource Provider.

   

7. Select Review + assign.

View exported alerts and recommendations in Azure Monitor

You might also choose to view exported Security Alerts and/or recommendations in Azure Monitor.

Azure Monitor provides a unified alerting experience for various Azure alerts including Diagnostic Log, Metric alerts, and custom alerts based on Log Analytics workspace queries.

To view alerts and recommendations from Defender for Cloud in Azure Monitor, configure an Alert rule based on Log Analytics queries (Log Alert):

1. From Azure Monitor's Alerts page, select New alert rule.

   

2. In the create rule page, configure your new rule (in the same way you'd configure a log alert rule in Azure Monitor):

   • For Resource, select the Log Analytics workspace to which you exported security alerts and recommendations.

   • For Condition, select Custom log search. In the page that appears, configure the query, lookback period, and frequency period. In the search query, you can type SecurityAlert or SecurityRecommendation to query the data types that Defender for Cloud continuously exports to as you enable the Continuous export to Log Analytics feature.

   • Optionally, configure the Action Group that you'd like to trigger. Action groups can trigger email sending, ITSM tickets, WebHooks, and more.

You'll now see new Microsoft Defender for Cloud alerts or recommendations (depending on your configured continuous export rules and the condition you defined in your Azure Monitor alert rule) in Azure Monitor alerts, with automatic triggering of an action group (if provided).

Manual one-time export of alerts and recommendations

To download a CSV report for alerts or recommendations, open the Security alerts or Recommendations page and select the Download CSV report button.

Tip

Due to Azure Resource Graph limitations, the reports are limited to a file size of 13K rows. If you're seeing errors related to too much data being exported, try limiting the output by selecting a smaller set of subscriptions to be exported.

Note

These reports contain alerts and recommendations for resources from the currently selected subscriptions.

FAQ - Continuous export

What are the costs involved in exporting data?

There's no cost for enabling a continuous export. Costs might be incurred for ingestion and retention of data in your Log Analytics workspace, depending on your configuration there.

Many alerts are only provided when you've enabled Defender plans for your resources. A good way to preview the alerts you'll get in your exported data is to see the alerts shown in Defender for Cloud's pages in the Azure portal.

Learn more about Log Analytics workspace pricing.

Learn more about Azure Event Hubs pricing.

Does the export include data about the current state of all resources?

No. Continuous export is built for streaming of events:

• Alerts received before you enabled export won't be exported.
• Recommendations are sent whenever a resource's compliance state changes. For example, when a resource turns from healthy to unhealthy. Therefore, as with alerts, recommendations for resources that haven't changed state since you enabled export won't be exported.
• Secure score per security control or subscription is sent when a security control's score changes by 0.01 or more.
• Regulatory compliance status is sent when the status of the resource's compliance changes.

Why are recommendations sent at different intervals?

Different recommendations have different compliance evaluation intervals, which can range from every few minutes to every few days. So, the amount of time that it takes for recommendations to appear in your exports varies.

Does continuous export support any business continuity or disaster recovery (BCDR) scenarios?

Continuous export can be helpful in to prepare for BCDR scenarios where the target resource is experiencing an outage or other disaster. However, it's the organization's responsibility to prevent data loss by establishing backups according to the guidelines from Azure Event Hubs, Log Analytics workspace, and Logic App.

Learn more in Azure Event Hubs - Geo-disaster recovery.

What is the minimum SAS policy permissions required when exporting data to Azure Event Hubs?

Send is the minimum SAS policy permissions required. For step-by-step instructions, see Step 1. Create an Event Hubs namespace and event hub with send permissions in this article.

Next steps

In this article, you learned how to configure continuous exports of your recommendations and alerts. You also learned how to download your alerts data as a CSV file.

For related material, see the following documentation:

• Learn more about workflow automation templates.
• Azure Event Hubs documentation
• Microsoft Sentinel documentation
• Azure Monitor documentation
• Export data types schemas