Microsoft Defender for Cloud Integration Guide

This document describes how to configure continuous export from the Microsoft Defender for Cloud pages in the Azure portal.

Set up a Continuous Export

You can configure continuous export from the Microsoft Defender for Cloud pages in the Azure portal, via the REST API, or at scale using the supplied Azure Policy templates. This guide covers the Azure portal method.

Configure Continuous Export from the Defender for Cloud Pages in Azure Portal

The steps below are necessary whether you're setting up a continuous export to a Log Analytics workspace or to Azure Event Hubs.

  1. From Defender for Cloud's menu, open Environment settings.
  2. Select the specific subscription for which you want to configure the data export.
  3. From the sidebar of the settings page for that subscription, select Continuous Export.

    Here you see the export options. There's a tab for each available export target.

  4. Select the data type you'd like to export and choose from the filters on each type (for example, export only high severity alerts).
  5. Select the appropriate export frequency (choose Streaming):
    - Streaming – assessments are sent when a resource's health state is updated (if no updates occur, no data is sent).
    - Snapshots – a snapshot of the current state of the selected data types is sent once a week per subscription. To identify snapshot data, look for the field IsSnapshot.
  6. Optionally, if your selection includes one of these recommendations, you can include the vulnerability assessment findings together with them: 
    - SQL databases should have vulnerability findings resolved
    - SQL servers on machines should have vulnerability findings resolved
    - Container registry images should have vulnerability findings resolved (powered by Qualys)
    - Machines should have vulnerability findings resolved
    - System updates should be installed on your machines

    To include the findings with these recommendations, enable the "Include security findings" option.

  7. From the "Export target" area, choose where you'd like the data saved. Choose Event Hub as the destination for your data.
  8. Select Save.
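
After saving, the resulting export can be checked against the choices made in steps 4 to 7. The Python below is an added example, not part of the original guide or Microsoft's code: it audits the JSON of the export's Microsoft.Security/automations resource as an ARM GET would return it. The resource shape, the name audit_export and the sample document are assumptions constructed for illustration.

```python
import json

# Constructed sample (not real data): assumed shape of the
# Microsoft.Security/automations resource behind a continuous export.
# Resource IDs are placeholders.
SAMPLE = json.loads("""
{
  "name": "<export-name>",
  "properties": {
    "isEnabled": true,
    "sources": [
      {"eventSource": "Alerts", "ruleSets": [{"rules": [
        {"propertyJPath": "Severity", "propertyType": "String",
         "expectedValue": "High", "operator": "Equals"}]}]},
      {"eventSource": "AssessmentsSnapshot", "ruleSets": []}
    ],
    "actions": [
      {"actionType": "Workspace", "workspaceResourceId": "<workspace-resource-id>"}
    ]
  }
}
""")


def audit_export(automation, want_sources=("Alerts", "Assessments"),
                 want_severities=("High",)):
    """Return deviations from the settings chosen in steps 4-7 of the guide."""
    props = automation.get("properties", {})
    sources = {s.get("eventSource"): s for s in props.get("sources", [])}
    findings = []
    if not props.get("isEnabled", False):
        findings.append("export is disabled")
    # Step 7: this guide expects an Event Hub target, not only a workspace.
    if not any(a.get("actionType") == "EventHub" for a in props.get("actions", [])):
        findings.append("no Event Hub export target (step 7)")
    # Step 4: every selected data type must be present as a streaming source.
    findings += [f"data type not exported: {n}" for n in want_sources if n not in sources]
    # Step 5: Streaming was chosen, so weekly snapshot sources are unexpected.
    findings += [f"weekly snapshot source enabled: {n} (step 5 chose Streaming)"
                 for n in sources if n and n.endswith("Snapshot")]
    # Step 4 filter: a narrower severity filter silently drops alerts downstream.
    if "Alerts" in sources:
        rules = [r for rs in sources["Alerts"].get("ruleSets") or []
                 for r in rs.get("rules", [])]
        got = {str(r.get("expectedValue")) for r in rules
               if r.get("propertyJPath") == "Severity"}
        if got != set(want_severities):
            findings.append(f"alert severity filter is {sorted(got)}, "
                            f"expected {sorted(want_severities)}")
    return findings
```

An empty list means the saved export matches the expected targets, data types, frequency and alert filter; pass want_severities=() when no severity filter was selected.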

Reference

https://docs.microsoft.com/en-us/azure/defender-for-cloud/continuous-export?tabs=azure-portal