Continuous export of Microsoft Defender for Cloud alerts and recommendations helps you analyze security data in Log Analytics or Azure Event Hubs. You can configure continuous export at scale by using Azure Policy templates.
Tip
Defender for Cloud also supports one-time manual export to a comma-separated values (CSV) file. For instructions, see Export alerts to CSV.
Prerequisites
You need a Microsoft Azure subscription. If you don't have one, you can sign up at the Azure free subscription page.
You must enable Microsoft Defender for Cloud on your Azure subscription. For setup instructions, see Enable Defender for Cloud.
Required roles and permissions:
Security Admin or Owner for the resource group
Write permissions for the target resource.
If you use the Azure Policy DeployIfNotExist policies, you must have permissions that let you assign policies.
To export data to Event Hubs, you must have Write permissions on the Event Hubs policy.
To export to a Log Analytics workspace:
- If it has the SecurityCenterFree solution, you must have a minimum of Read permissions for the workspace solution: Microsoft.OperationsManagement/solutions/read.
- If it doesn't have the SecurityCenterFree solution, you must have write permissions for the workspace solution: Microsoft.OperationsManagement/solutions/action.
For more information about workspace solutions, see Azure Monitor and Log Analytics workspace solutions.
Set up continuous export at scale with Azure Policy
Automating monitoring and incident response can reduce investigation and mitigation time.
To deploy continuous export configurations across your organization, use the provided Azure Policy DeployIfNotExist policies.
To implement these policies:
1. Select a policy to apply:

| Goal | Policy | Policy ID |
|---|---|---|
| Continuous export to Event Hubs | Deploy export to Event Hubs for Microsoft Defender for Cloud alerts and recommendations | cdfcce10-4578-4ecd-9703-530938e4abcb |
| Continuous export to Log Analytics workspace | Deploy export to Log Analytics workspace for Microsoft Defender for Cloud alerts and recommendations | ffb6f416-7bd2-4488-8828-56585fef2be9 |

2. Select Assign.
3. Select each tab and set parameters based on your requirements:
   - On the Basics tab, set the policy scope. For centralized management, assign the policy to the management group that contains the subscriptions that use this continuous export configuration.
   - On the Parameters tab, set the resource group name, location, and Event Hubs details.
   - (Optional) On the Remediation tab, create a remediation task to apply this assignment to existing subscriptions.
4. Review the summary page.
5. Select Create.
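The same assignment can be scripted instead of clicked through. The script below is an added example, not code from this page or from Microsoft: it assigns the Log Analytics policy listed in the table (ID ffb6f416-7bd2-4488-8828-56585fef2be9) at a management group with a system-assigned identity and then starts the remediation task that configures existing subscriptions. The management group name, workspace ID, resource group and location are placeholders, and the parameter names are assumed; confirm them against the definition with `az policy definition show --name <policy ID> --query parameters` before applying.

```shell
#!/bin/sh
# Added example: assign the built-in "Deploy export to Log Analytics workspace"
# DeployIfNotExist policy at scale and remediate existing subscriptions.
set -eu

LOG_ANALYTICS_POLICY="ffb6f416-7bd2-4488-8828-56585fef2be9"   # policy ID from the table above
MG_ID="${MG_ID:-mg-placeholder}"                                # assumed management group name
RG_NAME="${RG_NAME:-rg-defender-export}"                        # assumed resource group for the export
LOCATION="${LOCATION:-westeurope}"                              # assumed location
# Placeholder workspace resource ID; replace with your own.
WORKSPACE_ID="${WORKSPACE_ID:-/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec/providers/Microsoft.OperationalInsights/workspaces/law-placeholder}"

# Built-in definitions are addressed by this provider path plus the policy ID.
policy_definition_id() {
  printf '/providers/Microsoft.Authorization/policyDefinitions/%s' "$1"
}

# Assignment parameters in the {"name":{"value":...}} shape the CLI expects.
# Parameter names are assumed; check them with: az policy definition show
build_params() {
  cat <<EOF
{
  "resourceGroupName":     { "value": "$1" },
  "resourceGroupLocation": { "value": "$2" },
  "workspaceResourceId":   { "value": "$3" }
}
EOF
}

assign_and_remediate() {
  scope="/providers/Microsoft.Management/managementGroups/$MG_ID"
  # DeployIfNotExist needs a managed identity to create the export resources.
  # Keep the identity scoped to the assignment and use the role(s) the
  # definition's roleDefinitionIds require rather than anything broader.
  az policy assignment create \
    --name "defender-export-law" \
    --display-name "Defender for Cloud continuous export to Log Analytics" \
    --policy "$(policy_definition_id "$LOG_ANALYTICS_POLICY")" \
    --scope "$scope" \
    --params "$(build_params "$RG_NAME" "$LOCATION" "$WORKSPACE_ID")" \
    --mi-system-assigned --location "$LOCATION" \
    --identity-scope "$scope" --role "Contributor"
  # Subscriptions that already exist are only configured once remediation runs.
  az policy remediation create \
    --name "defender-export-law-remediation" \
    --management-group "$MG_ID" \
    --policy-assignment "defender-export-law" \
    --resource-discovery-mode ReEvaluateCompliance
}

# Set APPLY=1 to call Azure; otherwise only the parameters JSON is printed.
if [ "${APPLY:-0}" = "1" ]; then assign_and_remediate; else build_params "$RG_NAME" "$LOCATION" "$WORKSPACE_ID"; fi
```

Compliance for the assignment, including subscriptions the remediation task has not yet reached, can be checked afterwards with `az policy state list --policy-assignment defender-export-law`.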