Following up on my previous post about the new detection for ATP for Azure Storage alerts, I received the following question: I’m trying to find the alert that I received in my workspace and my search results comes up blank. Why?
This is actually expected and can easily be reproduced, here my result when I search for alerts where the name contains “malware” (based on the alert of my previous post).
The reason for that is because not all security alerts are automatically saved in the workspace, and that’s why at Microsoft Ignite we released a new capability that allows you to continuously exportall security alerts and security recommendations to the Log Analytics workspace used by Azure Security Center.
To use this feature, open Azure Security Center dashboard, go to Pricing and Settings, select the subscription that you want to export data from, click Continuous Export and click Log Analytics workspace tab. Select the options as shown below (customize the settings according to your preference):
After making the appropriate selections, click Save. Keep in mind that if you are ingesting Azure Security Center alerts in Azure Sentinel using the ASC connector, you will receive the warning below, which bring awareness that you may have duplication if you use this feature:
Note: if you already have this integration, than the ATP for Azure Storage alerts will be already in the workspace anyway, therefore you don't need to export the alerts again.
Now if you want to validate, repeat the steps from my previous post to simulate the ATP for Azure Storage alert again. Once you finish, you can search for the alert in the workspace and you will see that it is there:
For more information about the Continue Export feature, read this article.