
View exported data in Azure Monitor

After you've set up continuous export of Microsoft Defender for Cloud security alerts and recommendations, you can view the data in Azure Monitor. This article describes how to view the data in Log Analytics or in Azure Event Hubs and create alert rules in Azure Monitor based on that data.

Prerequisites

Before you begin, set up continuous export with one of these methods:

View exported data in Log Analytics

When you export Defender for Cloud data to a Log Analytics workspace, two main tables are created automatically:

  • SecurityAlert
  • SecurityRecommendation

You can query these tables in Log Analytics to confirm that continuous export is working.

  1. Sign in to the Azure portal.

  2. Search for and select Log Analytics workspaces.

  3. Select the workspace that you configured as your continuous export target.

  4. In the workspace menu, under General, select Logs.

  5. In the query window, enter one of the following queries and select Run:

    SecurityAlert

    or

    SecurityRecommendation
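The two one-line queries above return every row in each table. As an added example (not from the original article), the following KQL does the check a practitioner usually runs after turning on continuous export: how many records each table received in the last 24 hours and when the latest one arrived, followed by a view of recent high-severity alerts. The column names (TimeGenerated, AlertSeverity, AlertName, CompromisedEntity, Description, RemediationSteps) are assumed from the standard SecurityAlert table schema rather than taken from this page.

```kusto
// Added example, not from the original article.
// Query 1: confirm that both exported tables are receiving data.
// isfuzzy=true keeps the union from failing when one table has not been
// created yet (for example, no recommendation has been exported so far).
let lookback = 24h;
union withsource=SourceTable isfuzzy=true SecurityAlert, SecurityRecommendation
| where TimeGenerated > ago(lookback)
| summarize Records = count(), LatestRecord = max(TimeGenerated) by SourceTable

// Query 2: inspect the most recent high-severity alerts that were exported.
// Column names are assumed from the standard SecurityAlert schema.
SecurityAlert
| where TimeGenerated > ago(24h)
| where AlertSeverity == "High"
| project TimeGenerated, AlertName, CompromisedEntity, Description, RemediationSteps
| order by TimeGenerated desc
```

Run the two queries one at a time; the Log Analytics editor executes the query under the cursor. If Query 1 returns no row for a table, or LatestRecord is older than you expect, check the continuous export configuration before building alert rules on that table.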

View exported data in Azure Event Hubs

When you export data to Azure Event Hubs, Defender for Cloud continuously streams alerts and recommendations as event messages. You can view these exported events in the Azure portal and analyze them further by connecting a downstream service.

  1. Sign in to the Azure portal.

  2. Search for and select Event Hubs namespaces.

  3. Select the namespace and event hub that you configured for continuous export.

  4. In the event hub menu, select Metrics to view message activity, or Process data > Capture to review event contents stored in your capture destination.

  5. Optionally, use a connected tool such as Microsoft Sentinel, a SIEM, or a custom consumer app to read and process the exported events.

Note

Defender for Cloud sends data in JSON format. You can use Event Hubs Capture or consumer groups to store and analyze the exported events.

Create alert rules in Azure Monitor (optional)

You can create Azure Monitor alerts based on your exported Defender for Cloud data. These alerts let you automatically trigger actions, such as sending email notifications or creating ITSM tickets, when specific security events occur.

  1. Sign in to the Azure portal.

  2. Search for and select Monitor.

  3. Select Alerts.

  4. Select + Create > Alert rule.

    Screenshot that shows the Azure Monitor alerts page.

  5. Set up your new rule the same way you'd configure a log alert rule in Azure Monitor:

    • For Resource types, select the Log Analytics workspace to which you exported security alerts and recommendations.
    • For Condition, select Custom log search. In the page that appears, configure the query, lookback period, and frequency period. In the query, enter SecurityAlert or SecurityRecommendation.
    • Optionally, create an action group to trigger. Action groups can automate sending an email, creating an ITSM ticket, running a webhook, and more, based on an event in your environment.

After you save the rule, Defender for Cloud alerts or recommendations appear in Azure Monitor based on your continuous export configuration and alert rule conditions. If you’ve linked an action group, it triggers automatically when the rule criteria are met.
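The bullet list above suggests entering SecurityAlert or SecurityRecommendation as the rule query, which fires on any exported row. As an added example (not from the original article), the following KQL shows two narrower condition queries for the Custom log search step: one that fires on high-severity alerts, and one that counts resources whose latest exported recommendation state is Unhealthy at high severity. Column names (AlertSeverity, CompromisedEntity, RecommendationState, RecommendationSeverity, AssessedResourceId, RecommendationName) and the state value "Unhealthy" are assumed from the standard table schemas rather than taken from this page.

```kusto
// Added example, not from the original article.
// Condition query A: high-severity alerts. The rule's own lookback period
// bounds the time range, so no ago() filter is needed here. Pair it with
// "Table rows" as the measure and a threshold of greater than 0.
SecurityAlert
| where AlertSeverity == "High"
| project TimeGenerated, AlertName, AlertSeverity, CompromisedEntity, Description

// Condition query B: resources that are currently unhealthy for a
// high-severity recommendation. Recommendations are exported as their state
// changes, so arg_max keeps only the latest row per resource and
// recommendation within the lookback period before filtering on state.
// Column names and the "Unhealthy" state value are assumed from the
// standard SecurityRecommendation schema.
SecurityRecommendation
| summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationName
| where RecommendationState == "Unhealthy" and RecommendationSeverity == "High"
| summarize UnhealthyResources = dcount(AssessedResourceId) by RecommendationName
```

Use one query per alert rule. For query B, set the lookback period long enough to include the most recent state-change row for each resource; otherwise a resource that became unhealthy before the window opened is not counted.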

Next step