Merge pull request #107452 from memildin/asc-melvyn-export

Reorged the EXPORT page and fixed some links

Author: shawnmariejones

articles/security-center/continuous-export.md

@@ -6,7 +6,7 @@ author: memildin
 manager: rkarlin
 ms.service: security-center
 ms.topic: conceptual
-ms.date: 11/04/2019
+ms.date: 03/13/2020
 ms.author: memildin
 
 ---
@@ -18,13 +18,16 @@ This article describes the set of (preview) tools that allow you to export alert
 
 Using these tools you can:
 
-* Generate detailed reports as CSV
-* Export to Log Analytics workspaces
-* Export to Azure Event Hubs (for integrations with third-party SIEMs)
+* Continuously export to Log Analytics workspaces
+* Continuously export to Azure Event Hubs (for integrations with third-party SIEMs)
+* Export to CSV (one time)
+
 
 ## Setting up a continuous export
 
-1. From Security Center's sidebar, click **Pricing & settings**.
+The steps below are necessary whether you're setting up a continuous export to Log Analytics workspace or Azure Event Hubs.
+
+1. From Security Center's sidebar, select **Pricing & settings**.
 
 1. Select the specific subscription for which you want to configure the data export.
 
@@ -33,13 +36,17 @@ Using these tools you can:
     [![Export options in Azure Security Center](media/continuous-export/continuous-export-options-page.png)](media/continuous-export/continuous-export-options-page.png#lightbox)
     Here you see the export options. There's a tab for each available export target. 
 
-1. Select the data type you’d like to export and choose from the filters on each type (for example, export only high severity alerts).
+1. Select the data type you'd like to export and choose from the filters on each type (for example, export only high severity alerts).
 
-1. From the “Export target” area, choose where you’d like the data saved. Data can be saved in a target on a different subscription (for example on a Central Event Hub instance or a central Log Analytics workspace).
+1. From the "Export target" area, choose where you'd like the data saved. Data can be saved in a target on a different subscription (for example on a Central Event Hub instance or a central Log Analytics workspace).
 
 1. Click **Save**.
 
-## Continuous export through Azure Event Hubs  
+
+
+## Configuring SIEM integration via Azure Event Hubs
+
+Azure Event Hubs is a great solution for programatically consuming any streaming data. For Azure Security Center alerts and recommendations, it's the preferred way to integrate with a third-party SIEM.
 
 > [!NOTE]
 > The most effective method to stream monitoring data to external tools in most cases is using Azure Event Hubs. [This article](https://docs.microsoft.com/azure/azure-monitor/platform/stream-monitoring-data-event-hubs) provides a brief description for how you can stream monitoring data from different sources to an Event Hub and links to detailed guidance.
@@ -49,24 +56,25 @@ Using these tools you can:
 
 To view the event schemas of the exported data types, visit the [Event Hub event schemas](https://aka.ms/ASCAutomationSchemas).
 
-### To integrate with a SIEM 
 
-After you have configured continuous export of your chosen Security Center data to Azure Event Hubs, you can set up the appropriate connector on your SIEM by following the instructions below.
+### To integrate with a SIEM 
 
-Follow the instructions relevant to your SIEM from [this page](https://azure.microsoft.com/blog/use-azure-monitor-to-integrate-with-siem-tools/?cdn=disable) and use the relevant connector:
+After you have configured continuous export of your chosen Security Center data to Azure Event Hubs, you can set up the appropriate connector for your SIEM:
 
-* **Splunk** - Use the [Azure Monitor Add-On for Splunk](https://splunkbase.splunk.com/app/3534/)
-* **IBM QRadar** - Use [a manually configured log source](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/t_logsource_microsoft_azure_event_hubs.html)
+* **Azure Sentinel** - Use the native Azure Security Center alerts [data connector](https://docs.microsoft.com/azure/sentinel/connect-azure-security-center) offered there.
+* **Splunk** - Use the [Azure Monitor Add-On for Splunk](https://github.com/Microsoft/AzureMonitorAddonForSplunk/blob/master/README.md)
+* **IBM QRadar** - Use [a manually configured log source](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/t_dsm_guide_microsoft_azure_enable_event_hubs.html)
 * **ArcSight** – Use [SmartConnector](https://community.microfocus.com/t5/ArcSight-Connectors/SmartConnector-for-Microsoft-Azure-Monitor-Event-Hub/ta-p/1671292)
 
-If you're using **Azure Sentinel**, use the native Azure Security Center alerts [data connector](https://docs.microsoft.com/azure/sentinel/connect-azure-security-center) offered there.
-
 Also, if you'd like to move the continuously exported data automatically from your configured Event Hub to Azure Data Explorer, use the instructions in [Ingest data from Event Hub into Azure Data Explorer](https://docs.microsoft.com/azure/data-explorer/ingest-data-event-hub).
 
 
+
 ## Continuous export to a Log Analytics workspace
 
-To export to a Log Analytics workspace, you must have Security Center's free or standard tier Log Analytics solutions enabled on your workspace. If you're using the Azure portal, the Security Center free tier solution is automatically enabled when you enable continuous export. However, if you're configuring your continuous export settings programmatically, you must manually select the free or standard pricing tier for the required workspace from within **Pricing & settings**.  
+If you want to analyze Azure Security Center data inside a Log Analytics workspace or use Azure alerts together with Security Center, setup continuous export to your Log Analytics workspace.
+
+To export to a Log Analytics workspace, you must have Security Center's Log Analytics solutions enabled on your workspace. If you're using the Azure portal, Security Center's free tier solution is automatically enabled when you enable continuous export. However, if you're configuring your continuous export settings programmatically, you must manually select the free or standard pricing tier for the required workspace from within **Pricing & settings**.  
 
 ### Log Analytics tables and schemas