%3CLINGO-SUB%20id%3D%22lingo-sub-1440745%22%20slang%3D%22en-US%22%3EContinuously%20Export%20Azure%20Security%20Center%20Alerts%20and%20Recommendations%20via%20Policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1440745%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fcontinuous-export%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EContinuous%20Export%3C%2FA%3E%20feature%20in%20Azure%20Security%20Center%20helps%20you%20to%20centralize%20the%20location%20(Event%20Hub%20or%20Log%20Analytics%20Workspace)%20to%20where%20the%20logs%20will%20be%20streamed.%20By%20default%2C%20the%20configuration%20for%20this%20feature%20is%20done%20on%20the%20subscription%20level%2C%20and%20this%20can%20be%20challenge%20for%20organizations%20that%20have%20multiple%20subscriptions%20and%20want%20to%20keep%20the%20same%20configuration%20across%20multiple%20subscriptions.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EImplementation%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EThere%20are%20two%20new%20Azure%20Policy%20definitions%20that%20you%20can%20leverage%20to%20deploy%20the%20Continuous%20Export.%20Follow%20the%20steps%20below%20to%20configure%20it%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E1.%20Open%20Azure%20Policy%20dashboard%20in%20Azure.%3C%2FP%3E%0A%3CP%3E2.%20Click%20%3CSTRONG%3EDefinitions%3C%2FSTRONG%3E%20in%20the%20left%20navigation%20pane%3C%2FP%3E%0A%3CP%3E3.%20In%20the%20%3CSTRONG%3ESearch%3C%2FSTRONG%3E%20box%2C%20type%20%3CEM%3Eexport%3C%2FEM%3E.%20Figure%20below%20has%20an%20example%20of%20those%20definitions%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Fig1.JPG%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F196514i82D46CEE18189FE3%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Fig1.JPG%22%20alt%3D%22Fig1.JPG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E4.%20Let%E2%80%99s%20say%20you%20want%20to%20configure%20your%20Continuous%20Export%20for%20Alerts%20and%20Recommendations%20to%20be%20stored%20in%20a%20Log%20Analytics%20Workspace.%20Click%20%3CEM%3EDeploy%20export%20to%20Log%20Analytics%20workspace%20for%20Azure%20Security%20Center%20alerts%20and%20recommendations%3C%2FEM%3E%20definition%20and%20the%20page%20below%20appears%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Fig2.JPG%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F196516i29318705F4108CA9%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Fig2.JPG%22%20alt%3D%22Fig2.JPG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E5.%20Click%20%3CSTRONG%3EAssign%3C%2FSTRONG%3E%20button.%3C%2FP%3E%0A%3CP%3E6.%20In%20the%20%3CSTRONG%3EBasics%3C%2FSTRONG%3E%20tab%2C%20select%20the%20%3CSTRONG%3EScope%3C%2FSTRONG%3E%20that%20you%20want%20to%20assign.%26nbsp%3BIf%20you%20want%20to%20use%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-security-center%2Fcentralized-policy-management-in-azure-security-center-using%2Fba-p%2F1276331%22%20target%3D%22_self%22%3Ecentralized%20management%3C%2FA%3E%2C%20make%20sure%20to%20assign%20this%20policy%20to%20the%20%3CEM%3EManagement%20Group%3C%2FEM%3E%20that%20has%20all%20subscriptions%20that%20you%20want%20to%20have%20the%20configuration.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E7%20Click%20%3CSTRONG%3EParameters%3C%2FSTRONG%3E%20tab%2C%20and%20the%20options%20below%20will%20be%20available%20for%20you%20to%20customize%3A%3C%2FP%3E%0A%3CP%3E%3CEM%3ENote%3A%20for%20the%20detail%20explanation%20on%20each%20parameter%2C%20you%20can%20also%20click%20on%20the%20tooltips%20(i)%20besides%20the%20parameter%20name.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Fig3.JPG%22%20style%3D%22width%3A%20781px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F196518iF5D8875672A037FB%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Fig3.JPG%22%20alt%3D%22Fig3.JPG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E8.%20The%20%3CSTRONG%3EParameters%3C%2FSTRONG%3E%20here%20are%20the%20same%20ones%20that%20you%20configure%20in%20the%20Continuous%20Export%20UI.%20All%20parameters%20are%20mandatory%2C%20except%20%3CEM%3ERecommendation%20ID%3C%2FEM%3E%2C%20which%20can%20be%20blank%20in%20case%20you%20want%20to%20export%20all%20recommendations.%3C%2FP%3E%0A%3CP%3E9.%20Click%20%3CSTRONG%3ERemediation%3C%2FSTRONG%3E%20tab%20and%20select%20the%20option%20to%20create%20a%20remediation%20task%20for%20existing%20subscriptions.%3C%2FP%3E%0A%3CP%3E10.%20Review%20the%20summary%20page%20and%20click%20%3CSTRONG%3ECreate%3C%2FSTRONG%3E%20button.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20deploy%20this%20policy%20on%20newly%20created%20subscriptions%2C%20open%20the%20%3CSTRONG%3ECompliance%3C%2FSTRONG%3E%20tab%2C%20select%20the%20relevant%20non-compliant%20assignment%2C%20and%20create%20a%20remediation%20task.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMake%20sure%20to%20take%20advantage%20of%20this%20policy%20to%20control%20the%20configuration%20of%20your%20Azure%20Security%20Center%20continuous%20export%20feature%20across%20different%20subscriptions.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EReviewers%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EOr%20Serok-Jeppa%2C%20Program%20Manager%20%E2%80%93%20ASC%20Engineering%20Team%3C%2FP%3E%0A%3CP%3EKeren%20Shani%2C%20Software%20Engineer%20%E2%80%93%20ASC%20Engineering%20Team%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1440745%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Security%20Center%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

The Continuous Export feature in Azure Security Center helps you to centralize the location (Event Hub or Log Analytics Workspace) to where the logs will be streamed. By default, the configuration for this feature is done on the subscription level, and this can be challenge for organizations that have multiple subscriptions and want to keep the same configuration across multiple subscriptions.

 

Implementation

There are two new Azure Policy definitions that you can leverage to deploy the Continuous Export. Follow the steps below to configure it:

 

1. Open Azure Policy dashboard in Azure.

2. Click Definitions in the left navigation pane

3. In the Search box, type export. Figure below has an example of those definitions:

 

Fig1.JPG

 

4. Let’s say you want to configure your Continuous Export for Alerts and Recommendations to be stored in a Log Analytics Workspace. Click Deploy export to Log Analytics workspace for Azure Security Center alerts and recommendations definition and the page below appears:

 

Fig2.JPG

 

5. Click Assign button.

6. In the Basics tab, select the Scope that you want to assign. If you want to use centralized management, make sure to assign this policy to the Management Group that has all subscriptions that you want to have the configuration. 

7 Click Parameters tab, and the options below will be available for you to customize:

Note: for the detail explanation on each parameter, you can also click on the tooltips (i) besides the parameter name.

 

Fig3.JPG

 

8. The Parameters here are the same ones that you configure in the Continuous Export UI. All parameters are mandatory, except Recommendation ID, which can be blank in case you want to export all recommendations.

9. Click Remediation tab and select the option to create a remediation task for existing subscriptions.

10. Review the summary page and click Create button.

 

To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment, and create a remediation task.

 

Make sure to take advantage of this policy to control the configuration of your Azure Security Center continuous export feature across different subscriptions.

 

Reviewers

Or Serok-Jeppa, Program Manager – ASC Engineering Team

Keren Shani, Software Engineer – ASC Engineering Team