Stream alerts to a SIEM, SOAR, or IT Service Management solution

Azure Security Center can stream your security alerts into the most popular Security Information and Event Management (SIEM), Security Orchestration Automated Response (SOAR), and IT Service Management (ITSM) solutions.

There are Azure-native tools for ensuring you can view your alert data in all of the most popular solutions in use today, including:

  • Splunk Enterprise and Splunk Cloud
  • IBM's QRadar
  • ServiceNow
  • ArcSight
  • Power BI
  • Palo Alto Networks

Stream alerts with Microsoft Graph Security API

Security Center has out-of-the-box integration with Microsoft Graph Security API. No configuration is required and there are no additional costs.

You can use this API to stream alerts from your entire tenant (and data from many other Microsoft security products) into third-party SIEMs and other popular platforms.

Learn more about Microsoft Graph Security API.

Stream alerts with Azure Monitor

To stream alerts into ArcSight, Splunk, SumoLogic, Syslog servers, LogRhythm, Logz.io Cloud Observability Platform, and other monitoring solutions, connect Security Center to Azure Monitor through Azure Event Hubs:

  1. Enable continuous export to stream Security Center alerts into a dedicated Azure Event Hub at the subscription level. Give the export a connection string for a Send-only shared access policy on that hub, and give the consuming SIEM a Listen-only one, so neither side holds more rights than it needs.

    Tip

    To do this at the Management Group level using Azure Policy, see Create continuous export automation configurations at scale.

  2. Connect the Azure Event Hub to your preferred solution using Azure Monitor's built-in connectors.

  3. Optionally, stream the raw logs to the Azure Event Hub and connect them to your preferred solution. Learn more in Monitoring data available.

Tip

To view the event schemas of the exported data types, visit the Event Hub event schemas.
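The procedure above, carried out from the Azure CLI as an added example (this is not Microsoft's code or a snippet from the Security Center documentation). It creates a dedicated Event Hub with separate Send-only and Listen-only shared access rules, then creates the subscription-level continuous export as a Microsoft.Security/automations resource through the Resource Manager REST API. Every resource name, the subscription ID and the region are placeholders; the body shape follows the documented automations resource (API version 2019-01-01-preview), and the Severity filter values are illustrative. The deployment only runs when APPLY_EXPORT=1 is set, so the body builder can be exercised without an Azure login.

```shell
# Added example: subscription-level continuous export of Security Center alerts
# to a dedicated Event Hub with least-privilege SAS rules. Not Microsoft's code.
# Assumptions: `az` is installed and logged in; all names/IDs below are placeholders.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-security-export}"                       # placeholder
LOCATION="${LOCATION:-eastus}"
EH_NAMESPACE="${EH_NAMESPACE:-evh-asc-export}"                               # placeholder
EH_NAME="${EH_NAME:-asc-alerts}"                                             # placeholder
AUTOMATION_NAME="${AUTOMATION_NAME:-ExportAlertsToEventHub}"

# Build the JSON body of the Microsoft.Security/automations resource.
# Rules inside one ruleSet are ANDed; separate ruleSets are ORed, so this body
# exports alerts whose Severity is High OR Medium and drops the rest.
#   $1 = scope path (e.g. /subscriptions/<id>)
#   $2 = Event Hub resource ID
#   $3 = connection string of a Send-only SAS rule on that Event Hub
build_automation_body() {
  scope_path="$1"; eh_id="$2"; conn="$3"
  cat <<EOF
{
  "location": "${LOCATION}",
  "properties": {
    "description": "Continuous export of Security Center alerts",
    "isEnabled": true,
    "scopes": [ { "description": "Whole subscription", "scopePath": "${scope_path}" } ],
    "sources": [ {
      "eventSource": "Alerts",
      "ruleSets": [
        { "rules": [ { "propertyJPath": "Severity", "propertyType": "String",
                       "expectedValue": "High",   "operator": "Equals" } ] },
        { "rules": [ { "propertyJPath": "Severity", "propertyType": "String",
                       "expectedValue": "Medium", "operator": "Equals" } ] }
      ]
    } ],
    "actions": [ { "actionType": "EventHub",
                   "eventHubResourceId": "${eh_id}",
                   "connectionString": "${conn}" } ]
  }
}
EOF
}

# Create the Event Hub, two scoped SAS rules (Send for Security Center, Listen for
# the SIEM connector) and the automation. Runs only when APPLY_EXPORT=1.
deploy_export() {
  az eventhubs namespace create -g "$RESOURCE_GROUP" -n "$EH_NAMESPACE" -l "$LOCATION" --sku Standard -o none
  az eventhubs eventhub create -g "$RESOURCE_GROUP" --namespace-name "$EH_NAMESPACE" -n "$EH_NAME" -o none
  az eventhubs eventhub authorization-rule create -g "$RESOURCE_GROUP" --namespace-name "$EH_NAMESPACE" \
      --eventhub-name "$EH_NAME" -n asc-send --rights Send -o none
  az eventhubs eventhub authorization-rule create -g "$RESOURCE_GROUP" --namespace-name "$EH_NAMESPACE" \
      --eventhub-name "$EH_NAME" -n siem-listen --rights Listen -o none

  eh_id=$(az eventhubs eventhub show -g "$RESOURCE_GROUP" --namespace-name "$EH_NAMESPACE" -n "$EH_NAME" \
            --query id -o tsv)
  send_conn=$(az eventhubs eventhub authorization-rule keys list -g "$RESOURCE_GROUP" \
            --namespace-name "$EH_NAMESPACE" --eventhub-name "$EH_NAME" -n asc-send \
            --query primaryConnectionString -o tsv)

  # Body is passed inline so the Send connection string is not written to a temp file.
  az rest --method put \
    --url "https://management.azure.com/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP}/providers/Microsoft.Security/automations/${AUTOMATION_NAME}?api-version=2019-01-01-preview" \
    --body "$(build_automation_body "/subscriptions/${SUBSCRIPTION_ID}" "$eh_id" "$send_conn")" \
    -o none

  # Hand the Listen-only string to the SIEM connector; it cannot inject events into the hub.
  az eventhubs eventhub authorization-rule keys list -g "$RESOURCE_GROUP" \
      --namespace-name "$EH_NAMESPACE" --eventhub-name "$EH_NAME" -n siem-listen \
      --query primaryConnectionString -o tsv
}

if [ "${APPLY_EXPORT:-0}" = "1" ]; then
  deploy_export
fi
```

Run it as `APPLY_EXPORT=1 SUBSCRIPTION_ID=<your id> sh export.sh`; the last line printed is the Listen-only connection string to paste into the SIEM's Event Hub connector. Because the Send connection string is passed on the `az rest` command line, it is briefly visible to other local users through the process list; run the script from an administrative workstation rather than a shared host, or rotate the asc-send key afterwards.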

Next steps

This page explained how to ensure your Azure Security Center alert data is available in your SIEM, SOAR, or ITSM tool of choice. For related material, see: