Exporting Security Data from Security Center to Event Hub and then to a SIEM solution

  • Question

  • I was going through the below URL :

    https://docs.microsoft.com/en-us/azure/security-center/continuous-export 

    My customer has Splunk as their external SIEM solution and they would like to get all the Azure Security Data in their SIEM solution. They have Event Hub configured, and Event Hub is getting all the Azure Platform Logs and Activity Logs, logs related to AD, and then using Diagnostic Settings you send that data to Event Hubs, from where it will go to the Splunk SIEM Solution.

    I was told that there is no filter mechanism in Event Hubs and whatever data is sent to Event Hub will be consumed by Event Consumer which is Splunk here.

    So if I just want to send security related data and events for all my resources in Azure to the Splunk Solution, do I need to just configure my Security Center export and choose "Security Alert" & "Security Recommendations" and send to Event Hubs and from there to Splunk? Will that help? Will these two Security Center alert categories be having all the security related events from my various Azure resources, and will that fulfil my objective of sending only security related events to SIEM?


    Pallab Chakraborty

    Sunday, April 5, 2020 4:04 AM

Answers

  • Hi Palchak,

    You need to publish the Security Center alerts to the Azure Monitor Activity log, then export those logs to an Event Hub, install a partner SIEM connector, and stream your logs from Event Hub into the Splunk solution.

    Miri Landau, who is a senior PM for Azure Security Center, wrote a blog post about how to do this:

    "To move your Azure Security Center alerts to a partner SIEM solution, you first need to complete a few steps of using Azure Monitor and then Event Hub. Azure Security Center alerts are published to the Azure Monitor Activity log, one of the log types available through Azure Monitor. From Azure Monitor, you export your logs using the Azure Monitoring single pipeline to an Event Hub. Finally, on the SIEM server, you need to install a partner SIEM connector. Then you can stream from the Event Hub your logs into the SIEM solution."


    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Wednesday, April 8, 2020 12:05 AM
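The question raises the point that Event Hub itself does not filter: whatever the diagnostic setting sends is what the consumer receives. Below is an added example (not part of the original thread, and not Microsoft's or Splunk's code) of the consumer-side filter a SIEM connector can apply to the Activity Log batches that Azure Monitor streams to an Event Hub. It assumes the documented message shape (one JSON object per message with a `records` array, each record carrying a `category`), treats the `Security`, `Alert` and `Recommendation` categories as the security-relevant set, and uses a constructed sample batch with placeholder values. The `on_event` callback mirrors the signature used by the `azure-eventhub` library's `EventHubConsumerClient`; forwarding to Splunk is stood in for by a print so the example runs offline.

```python
"""Consumer-side filter for Azure Activity Log batches read from an Event Hub.

Added example. Assumptions: batches are JSON objects with a "records" array
(the Azure Monitor export shape); the category set below is a policy choice;
the sample batch is constructed and contains no real tenant data.
"""
import json
from typing import Any, Dict, Iterable, List

# Activity Log categories treated as security-relevant for the SIEM feed.
# Security Center alerts are published under "Security"; "Alert" and
# "Recommendation" are the two other categories the question asks about.
SECURITY_CATEGORIES = frozenset({"Security", "Alert", "Recommendation"})

# Constructed sample batch: five Activity Log records of mixed categories.
CONSTRUCTED_BATCH = json.dumps({
    "records": [
        {"time": "2020-04-05T04:00:00Z", "category": "Administrative",
         "operationName": "Microsoft.Compute/virtualMachines/write",
         "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg-demo/"
                       "providers/Microsoft.Compute/virtualMachines/vm-demo",
         "resultType": "Success"},
        {"time": "2020-04-05T04:01:00Z", "category": "Security",
         "operationName": "Microsoft.Security/locations/alerts/activate/action",
         "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg-demo/"
                       "providers/Microsoft.Compute/virtualMachines/vm-demo",
         "properties": {"alertDisplayName": "Constructed sample alert",
                        "severity": "Medium"}},
        {"time": "2020-04-05T04:02:00Z", "category": "ServiceHealth",
         "operationName": "Microsoft.ServiceHealth/incident/action"},
        {"time": "2020-04-05T04:03:00Z", "category": "Alert",
         "operationName": "Microsoft.Insights/AlertRules/Activated/Action"},
        {"time": "2020-04-05T04:04:00Z", "category": "Recommendation",
         "operationName": "Microsoft.Advisor/recommendations/available/action"},
    ]
})


def select_security_records(body: str,
                            categories: Iterable[str] = SECURITY_CATEGORIES
                            ) -> List[Dict[str, Any]]:
    """Parse one Event Hub message body and keep only security-relevant records.

    A body that is not JSON, or not of the {"records": [...]} shape, raises
    ValueError so a malformed message is surfaced instead of silently dropped.
    Records that are not objects, or carry no category, are skipped.
    """
    wanted = set(categories)
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"message body is not JSON: {exc}") from exc
    records = data.get("records") if isinstance(data, dict) else None
    if not isinstance(records, list):
        raise ValueError("message body has no 'records' array")
    return [r for r in records
            if isinstance(r, dict) and r.get("category") in wanted]


def count_by_category(records: Iterable[Dict[str, Any]]) -> Dict[str, int]:
    """Per-category counts, useful as a sanity metric on what the SIEM ingests."""
    counts: Dict[str, int] = {}
    for rec in records:
        cat = rec.get("category", "<none>")
        counts[cat] = counts.get(cat, 0) + 1
    return counts


def to_ndjson(records: Iterable[Dict[str, Any]]) -> str:
    """One compact JSON object per line, the form most SIEM HTTP collectors accept."""
    return "\n".join(json.dumps(r, separators=(",", ":"), sort_keys=True)
                     for r in records)


def on_event(partition_context, event) -> int:
    """Callback in the shape EventHubConsumerClient.receive() expects.

    event.body_as_str() is the azure-eventhub EventData accessor. Forwarding to
    Splunk is represented by a print here. Returns the number of records kept.
    """
    kept = select_security_records(event.body_as_str())
    if kept:
        print(to_ndjson(kept))
    # Checkpoint after the batch has been handled so a restart does not
    # re-deliver it (requires a checkpoint store on the real client).
    partition_context.update_checkpoint(event)
    return len(kept)


if __name__ == "__main__":
    # Minimal stand-ins so the callback can be exercised without a live hub.
    class _FakeEvent:
        def body_as_str(self) -> str:
            return CONSTRUCTED_BATCH

    class _FakeContext:
        def update_checkpoint(self, event) -> None:
            pass

    forwarded = on_event(_FakeContext(), _FakeEvent())
    print(f"forwarded {forwarded} of 5 records")
```

Filtering here complements, rather than replaces, narrowing the diagnostic setting itself: selecting only the wanted Activity Log categories when the export to the Event Hub is configured keeps unrelated volume off the hub, and the consumer-side check guards against anything else that lands on the same hub.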