MicrosoftDocs
diff --git a/‎articles/defender-for-cloud/TOC.yml
Lines changed: 25 additions & 9 deletions b/‎articles/defender-for-cloud/TOC.yml
Lines changed: 25 additions & 9 deletions
diff --git a/‎articles/defender-for-cloud/benefits-of-continuous-export.md
Lines changed: 80 additions & 0 deletions b/‎articles/defender-for-cloud/benefits-of-continuous-export.md
Lines changed: 80 additions & 0 deletions
diff --git a/‎articles/defender-for-cloud/continuous-export-azure-policy.md
Lines changed: 67 additions & 0 deletions b/‎articles/defender-for-cloud/continuous-export-azure-policy.md
Lines changed: 67 additions & 0 deletions
diff --git a/‎articles/defender-for-cloud/continuous-export-event-hub-firewall.md
Lines changed: 62 additions & 0 deletions b/‎articles/defender-for-cloud/continuous-export-event-hub-firewall.md
Lines changed: 62 additions & 0 deletions
diff --git a/‎articles/defender-for-cloud/continuous-export-rest-api.md
Lines changed: 62 additions & 0 deletions b/‎articles/defender-for-cloud/continuous-export-rest-api.md
Lines changed: 62 additions & 0 deletions
@@ -281,7 +281,9 @@
             - name: Incidents reference list
               displayName: incidents
               href: incidents-reference.md
-
+        - name: Exporting alerts and recommendations with continuous export
+          displayName: continuous, export, exportable, exportable data
+          href: benefits-of-continuous-export.md
 
 - name: How-to guides
   items:
@@ -419,15 +421,29 @@
             - name: Prepare Azure resources for exporting to Splunk and QRadar
               displayName: azure, resources, Splunk, QRadar
               href: export-to-splunk-or-qradar.md
-            - name: Export to a Log Analytics workspace or Azure Event Hubs
-              displayName: continuous, log analytics, workspace, event hubs, azure
-              href: continuous-export.md
-            - name: Download a CSV report of all alerts
+            - name: Continuous export
+              items:
+              - name: Setup continuous export in the Azure portal
+                displayName: continuous, log analytics, workspace, event hubs, azure
+                href: continuous-export.md
+              - name: Setup continuous export with REST API
+                displayName: continuous, setup, export
+                href: continuous-export-rest-api.md
+              - name: Setup continuous export with Azure policy
+                displayName: continuous, setup, export, policy
+                href: continuous-export-azure-policy.md
+              - name: Continuous export to an event hub behind a firewall
+                displayName: continuous, export, event hub, firewall
+                href: continuous-export-event-hub-firewall.md
+              - name: View exported data in Azure Monitor
+                displayName: continuous, view, exported, data, monitor
+                href: continuous-export-view-data.md
+            - name: Download a CSV report
               displayName: CSV report, alerts
-              href: continuous-export.md#manual-one-time-export-of-alerts-and-recommendations
-            - name: Alerts schemas
-              displayName: Alerts schemas
-              href: alerts-schemas.md
+              href: export-alerts-to-csv.md
+        - name: Alerts schemas
+          displayName: Alerts schemas
+          href: alerts-schemas.md
         - name: Manage security incidents
           displayName: security incidents
           href: incidents.md
 
@@ -0,0 +1,80 @@
+---
+title: Exporting alerts and recommendations with continuous export
+description: Learn about the benefits of continuous export in Microsoft Defender for Cloud. Stream security data to Azure Monitor workspace for analysis and visualization.
+ms.date: 03/25/2024
+author: dcurwin
+ms.author: dacurwin
+ms.topic: concept-article
+#customer intent: As a reader, I want to understand the benefits of continuous export in Microsoft Defender for Cloud so that I can make informed decisions about implementing it in my organization.
+---
+
+# Exporting alerts and recommendations with continuous export
+
+Microsoft Defender for Cloud provides continuous export of security data. This feature allows you to stream security data to Log Analytics in Azure Monitor, to Azure Event Hubs, or to another Security Information and Event Management (SIEM), Security Orchestration Automated Response (SOAR), or IT classic [deployment model solution](export-to-siem.md). You can analyze and visualize the data using Azure Monitor logs and other Azure Monitor features.
+
+When you set up continuous export, you can fully customize what information to export and where the information goes. For example, you can configure it so that:
+
+- All high-severity alerts are sent to an Azure event hub.
+- All medium or higher-severity findings from vulnerability assessment scans of your computers running SQL Server are sent to a specific Log Analytics workspace.
+- Specific recommendations are delivered to an event hub or Log Analytics workspace whenever they're generated.
+- The secure score for a subscription is sent to a Log Analytics workspace whenever the score for a control changes by 0.01 or more.
+
+## What data types can be exported?
+
+You can use continuous export to export the following data types whenever they change:
+
+- Security recommendations.
+    - Recommendation severity.
+    - Security findings.
+- Secure score.
+    - Controls.
+- Security alerts.
+- Regulatory compliance.
+- Attack paths
+
+Recommendation severity, security findings and controls are *sub* categories that belong to a *parent* category. For example:
+
+- The recommendations [System updates should be installed on your machines (powered by Update Center)](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/e1145ab1-eb4f-43d8-911b-36ddf771d13f) and [System updates should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27) each has one sub recommendation per outstanding system update.
+- The recommendation [Machines should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/1195afff-c881-495e-9bc5-1486211ae03f) has a sub recommendation for every vulnerability that the vulnerability scanner identifies.
+
+> [!NOTE]
+> If you’re configuring [continuous export by using the REST API](continuous-export-rest-api.md), always include the parent with the findings.
+
+## Export data to an event hub or Log Analytics workspace in another tenant
+
+You *can't* configure data to be exported to a Log Analytics workspace in another tenant if you use Azure Policy to assign the configuration. This process works only when you use the REST API to assign the configuration, and the configuration is unsupported in the Azure portal (because it requires a multitenant context). Azure Lighthouse *doesn't* resolve this issue with Azure Policy, although you can use Azure Lighthouse as the authentication method.
+
+When you collect data in a tenant, you can analyze the data from one, central location.
+
+To export data to an event hub or Log Analytics workspace in a different tenant:
+
+- In the tenant that has the event hub or Log Analytics workspace, [invite a user](../active-directory/external-identities/what-is-b2b.md#easily-invite-guest-users-from-the-azure-portal) from the tenant that hosts the continuous export configuration, or you can configure Azure Lighthouse for the source and destination tenant.
+
+- If you use business-to-business (B2B) guest user access in Microsoft Entra ID, ensure that the user accepts the invitation to access the tenant as a guest.
+
+- If you use a Log Analytics workspace, assign the user in the workspace tenant one of these roles: Owner, Contributor, Log Analytics Contributor, Sentinel Contributor, or Monitoring Contributor.
+
+- Create and submit the request to the Azure REST API to configure the required resources. You must manage the bearer tokens in both the context of the local (workspace) tenant and the remote (continuous export) tenant.
+
+## Export to a Log Analytics workspace
+
+If you want to analyze Microsoft Defender for Cloud data inside a Log Analytics workspace or use Azure alerts together with Defender for Cloud alerts, set up continuous export to your Log Analytics workspace.
+
+### Log Analytics tables and schemas
+
+Security alerts and recommendations are stored in the **SecurityAlert** and **SecurityRecommendation** tables respectively.
+
+The name of the Log Analytics solution that contains these tables depends on whether you enabled the enhanced security features: Security (the Security and Audit solution) or SecurityCenterFree.
+
+> [!TIP]
+> To see the data on the destination workspace, you must enable one of these solutions: Security and Audit or SecurityCenterFree.
+
+:::image type="content" source="media/benefits-of-continuous-export/log-analytics-securityalert-solution.png" alt-text="Screenshot that shows the SecurityAlert table in Log Analytics.":::
+
+To view the event schemas of the exported data types, see [Log Analytics table schemas](https://aka.ms/ASCAutomationSchemas).
+
+## Related content
+
+- [Set up continuous export in the Azure portal](continuous-export.md)
+- [Set up continuous export with REST API](continuous-export-rest-api.md)
+- [Set up continuous export with Azure Policy](continuous-export-azure-policy.md)
@@ -0,0 +1,67 @@
+---
+title: Set up continuous export with Azure Policy
+description: Learn how to set up continuous export of Microsoft Defender for Cloud security alerts and recommendations with Azure Policy.
+author: dcurwin
+ms.author: dacurwin
+ms.topic: how-to
+ms.date: 03/20/2024
+#customer intent: As a security analyst, I want to learn how to set up continuous export of alerts and recommendations with Azure Policy so that I can analyze the data in Log Analytics or Azure Event Hubs.
+---
+
+# Set up continuous export with Azure Policy
+
+Continuous export of Microsoft Defender for Cloud security alerts and recommendations can help you analyze the data in Log Analytics or Azure Event Hubs. You can set up continuous export in Defender for Cloud at scale, by using provided Azure Policy templates.
+
+> [!TIP]
+> Defender for Cloud also offers the option to do a onetime, manual export to a comma-separated values (CSV) file. Learn how to [download a CSV file](export-alerts-to-csv.md).
+
+## Prerequisites
+
+- You need a Microsoft Azure subscription. If you don't have an Azure subscription, you can [sign up for a free subscription](https://azure.microsoft.com/pricing/free-trial/).
+
+- You must [enable Microsoft Defender for Cloud](get-started.md#enable-defender-for-cloud-on-your-azure-subscription) on your Azure subscription.
+
+Required roles and permissions:
+- Security Admin or Owner for the resource group
+- Write permissions for the target resource.
+- If you use the [Azure Policy DeployIfNotExist policies](#set-up-continuous-export-at-scale-with-azure-policy), you must have permissions that let you assign policies.
+- To export data to Event Hubs, you must have Write permissions on the Event Hubs policy.
+- To export to a Log Analytics workspace: 
+    - If it *has the SecurityCenterFree solution*, you must have a minimum of Read permissions for the workspace solution: `Microsoft.OperationsManagement/solutions/read`.
+    - If it *doesn't have the SecurityCenterFree solution*, you must have write permissions for the workspace solution: `Microsoft.OperationsManagement/solutions/action`.
+    
+    Learn more about [Azure Monitor and Log Analytics workspace solutions](/previous-versions/azure/azure-monitor/insights/solutions).
+
+## Set up continuous export at scale with Azure Policy
+
+Automating your organization's monitoring and incident response processes can help you reduce the time it takes to investigate and mitigate security incidents.
+
+To deploy your continuous export configurations across your organization, use the provided Azure Policy `DeployIfNotExist` policies to create and configure continuous export procedures.
+
+To implement these policies:
+
+1. Select a policy to apply:
+
+    |Goal  |Policy  |Policy ID  |
+    |---------|---------|---------|
+    |Continuous export to Event Hubs|[Deploy export to Event Hubs for Microsoft Defender for Cloud alerts and recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2fcdfcce10-4578-4ecd-9703-530938e4abcb)|cdfcce10-4578-4ecd-9703-530938e4abcb|
+    |Continuous export to Log Analytics workspace|[Deploy export to Log Analytics workspace for Microsoft Defender for Cloud alerts and recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2fffb6f416-7bd2-4488-8828-56585fef2be9)|ffb6f416-7bd2-4488-8828-56585fef2be9|
+
+1. Select **Assign**.
+
+    :::image type="content" source="./media/continuous-export-azure-policy/export-policy-assign.png" alt-text="Screenshot that shows assigning the Azure Policy.":::
+
+1. Select each tab and set the parameters to meet your requirements:
+
+    1. On the **Basics** tab, set the scope for the policy. To use centralized management, assign the policy to the management group that contains the subscriptions that use the continuous export configuration.
+
+    1. On the **Parameters** tab, set the resource group name, location and Event Hub details.
+
+    1. Optionally, to apply this assignment to existing subscriptions, select the **Remediation** tab, and then select the option to create a remediation task.
+
+1. Review the summary page, and then select **Create**.
+
+## Next step
+
+> [!div class="nextstepaction"]
+> [Setup continuous export to an event hub behind a firewall](continuous-export-event-hub-firewall.md)
@@ -0,0 +1,62 @@
+---
+title: Set up continuous export to an event hub behind a firewall
+description: Learn how to set up continuous export of Microsoft Defender for Cloud security alerts and recommendations to an event hub behind a firewall.
+author: dcurwin
+ms.author: dacurwin
+ms.topic: how-to
+ms.date: 03/20/2024
+#customer intent: As a security analyst, I want to learn how to set up continuous export of alerts and recommendations to an event hub behind a firewall so that I can analyze the data in Log Analytics or Azure Event Hubs.
+---
+
+# Set up continuous export to an event hub behind a firewall
+
+In a situation where an event hub is behind a firewall, you can enable continuous export as a trusted service so that you can send data to the event hub.
+
+## Prerequisites
+
+- [Set up continuous export in the Azure portal](continuous-export.md) or [set up continuous export with Azure Policy](continuous-export-azure-policy.md) or [set up continuous export with REST API](continuous-export-rest-api.md).
+
+## Set up continuous export to the eventhub
+
+You can enable continuous export as a trusted service so that you can send data to an event hub that has Azure Firewall enabled.
+
+**To grant access to continuous export as a trusted service**:
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+
+1. Go to **Microsoft Defender for Cloud** > **Environmental settings**.
+
+1. Select the relevant resource.
+
+1. Select **Continuous export**.
+
+1. Select **Export as a trusted service**.
+
+    :::image type="content" source="media/continuous-export-event-hub-firewall/export-as-trusted.png" alt-text="Screenshot that shows where the checkbox is located to select export as trusted service.":::
+
+## Add the relevant role assignment to the destination event hub.
+
+To add the relevant role assignment to the destination event hub:
+
+1. Go to the selected event hub.
+
+1. In the resource menu, select **Access control (IAM)** > **Add role assignment**.
+
+    :::image type="content" source="media/continuous-export-event-hub-firewall/add-role-assignment.png" alt-text="Screenshot that shows the Add role assignment button." lightbox="media/continuous-export-event-hub-firewall/add-role-assignment.png":::
+
+1. Select **Azure Event Hubs Data Sender**.
+
+1. Select the **Members** tab.
+
+1. Choose **+ Select members**.
+
+1. Search for and then select **Windows Azure Security Resource Provider**.
+
+    :::image type="content" source="media/continuous-export-event-hub-firewall/windows-security-resource.png" alt-text="Screenshot that shows you where to enter and search for Microsoft Azure Security Resource Provider." lightbox="media/continuous-export-event-hub-firewall/windows-security-resource.png":::
+
+1. Select **Review + assign**.
+
+## Next step
+
+> [!div class="nextstepaction"]
+> [View exported data in Azure Monitor](continuous-export-view-data.md)
@@ -0,0 +1,62 @@
+---
+title: Set up continuous export with REST API
+description: Learn how to set up continuous export of Microsoft Defender for Cloud security alerts and recommendations with REST API.
+author: dcurwin
+ms.author: dacurwin
+ms.topic: how-to
+ms.date: 03/19/2024
+# customer intent: As a reader, I want to learn how to set up continuous export of Microsoft Defender for Cloud security alerts and recommendations using the REST API, so that I can integrate it into my own applications.
+---
+
+# Set up continuous export with REST API
+
+Continuous export of Microsoft Defender for Cloud security alerts and recommendations can help you analyze the data in Log Analytics or Azure Event Hubs. You can set up continuous export in Defender for Cloud by using the REST API.
+
+> [!TIP]
+> Defender for Cloud also offers the option to do a onetime, manual export to a comma-separated values (CSV) file. Learn how to [download a CSV file](export-alerts-to-csv.md).
+
+## Prerequisites
+
+- You need a Microsoft Azure subscription. If you don't have an Azure subscription, you can [sign up for a free subscription](https://azure.microsoft.com/pricing/free-trial/).
+
+- You must [enable Microsoft Defender for Cloud](get-started.md#enable-defender-for-cloud-on-your-azure-subscription) on your Azure subscription.
+
+Required roles and permissions:
+- Security Admin or Owner for the resource group
+- Write permissions for the target resource.
+- If you use the [Azure Policy DeployIfNotExist policies](continuous-export-azure-policy.md), you must have permissions that let you assign policies.
+- To export data to Event Hubs, you must have Write permissions on the Event Hubs policy.
+- To export to a Log Analytics workspace: 
+    - If it *has the SecurityCenterFree solution*, you must have a minimum of Read permissions for the workspace solution: `Microsoft.OperationsManagement/solutions/read`.
+    - If it *doesn't have the SecurityCenterFree solution*, you must have write permissions for the workspace solution: `Microsoft.OperationsManagement/solutions/action`.
+    
+    Learn more about [Azure Monitor and Log Analytics workspace solutions](/previous-versions/azure/azure-monitor/insights/solutions).
+
+### Set up continuous export by using the REST API
+
+You can set up and manage continuous export by using the Microsoft Defender for Cloud [automations API](/rest/api/defenderforcloud/automations). Use this API to create or update rules for exporting to any of the following destinations:
+
+- Azure Event Hubs
+- Log Analytics workspace
+- Azure Logic Apps
+
+You also can send the data to an [event hub or Log Analytics workspace in a different tenant](benefits-of-continuous-export.md#export-data-to-an-event-hub-or-log-analytics-workspace-in-another-tenant).
+
+> [!NOTE]
+> If you’re configuring continuous export by using the REST API, always include the parent with the findings.
+
+Here are some examples of options that you can use only in the API:
+
+- **Greater volume**: You can create multiple export configurations on a single subscription by using the API. The **Continuous Export** page in the Azure portal supports only one export configuration per subscription.
+
+- **Additional features**: The API offers parameters that aren't shown in the Azure portal. For example, you can add tags to your automation resource and define your export based on a wider set of alert and recommendation properties than the ones that are offered on the **Continuous export** page in the Azure portal.
+
+- **Focused scope**: The API offers you a more granular level for the scope of your export configurations. When you define an export by using the API, you can define it at the resource group level. If you're using the **Continuous export** page in the Azure portal, you must define it at the subscription level.
+
+    > [!TIP]
+    > These API-only options are not shown in the Azure portal. If you use them, a banner informs you that other configurations exist.
+
+## Next step
+
+> [!div class="nextstepaction"]
+> [Set up continuous export with Azure Policy](continuous-export-azure-policy.md)