Set Up Continuous Export

Implementation Effort: Medium – This setup requires configuration by security administrators and may involve coordination with SIEM/SOAR teams or Log Analytics owners.

User Impact: Low – This is a backend integration task; end users are not directly affected.

Overview

Setting up continuous export in Microsoft Defender for Cloud enables organizations to stream or periodically export security alerts and recommendations to external systems such as Azure Log Analytics, Azure Event Hubs, or third-party SIEM/SOAR platforms. This allows for deeper analysis, long-term retention, and integration with incident response workflows.

Administrators can configure exports to stream data in real time (when a resource’s health state changes) or send weekly snapshots. Filters can be applied to export only specific data types, such as high-severity alerts or specific compliance assessments. Export can be configured via the Azure portal, REST API, or at scale using Azure Policy templates.

This capability supports the Zero Trust principle of "Assume Breach" by ensuring that security data is continuously monitored and available for advanced analytics, threat hunting, and automated response.

Reference

• Set up continuous export in the Azure portal – Microsoft Defender for Cloud
• Set up continuous export with REST API – Microsoft Defender for Cloud
• Export to Event Hub behind a firewall – Microsoft Defender for Cloud