Forum Discussion
Adopting Sentinel into an existing Azure Cloud environment
Hello, having App Insights in a workspace with Azure monitor logs is a preview feature: https://docs.microsoft.com/en-us/azure/azure-monitor/app/create-workspace-resource#:~:text=%20Workspace-based%20Application%20Insights%20resources%20%28preview%29%20%201,workspace-based%20Application%20Insights%20resource%20has%20been...%20More%20
Typically today we have one or more workspaces for Logs and that is then associated with Azure Sentinel.
Reading between the lines, it seems as though if we have a single Log Analytics workspace that is used by Sentinel and AI, all our in-house application logs would be ingested into (or otherwise queryable by) Sentinel. However, I'm not positive this is true.
Azure Sentinel doesn't do ingestion (Log Analytics does that); Sentinel provides security analytics / insights onto that data. If Azure Sentinel sees data from Logs and AI it will analyze it / allow you to query it.
I recall reading something a few days back that indicated the LA workspace for Sentinel should be dedicated to Sentinel.
That could be an option; however, people sometimes separate operational logs (and maybe application logs) as they can have low security value, and maybe you don't want Azure Sentinel to charge you to analyze those sources (per GB/day). For example:
Sentinel makes use of a lot of the PaaS log sources and logs from ASC (SecurityEvents), etc. Data in the Perf table may not have such high security value (but it will to the operations team); that's why you often see Perf in another workspace.
If we create a new LA workspace to use with Sentinel, will we still be able to use this workspace to create more traditional infrastructure/development dashboards and alerts?
Yes, the underlying query language and capability is still there. So you can build an Azure Dashboard on the data (Log Analytics or Azure Sentinel), or use KQL to query, or build a Workbook to visualise the data - Workbooks are delivered by Azure Monitor but you see them in many portal blades such as Azure Sentinel.
Modules 2-4 will help you from the Azure Sentinel training: https://techcommunity.microsoft.com/t5/azure-sentinel/become-an-azure-sentinel-ninja-the-complete-level-400-training/ba-p/1246310
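As an added example (not from the thread or from Microsoft), two KQL queries that put the points above into practice: the first measures billable ingestion per table so you can see how much of a shared workspace's volume comes from operational tables such as Perf, and the second shows that Perf kept in a separate operational workspace (hypothetical name `ops-workspace`) can still be queried and correlated from the Sentinel workspace. Both assume the standard Usage, Perf and SecurityEvent schemas.

```kql
// Query 1: billable volume per table over the last 30 days.
// Usage.Quantity is in MB; IsBillable excludes tables that are free to ingest.
// The Tier label is our own grouping, not a Microsoft classification.
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize BillableGB = round(sum(Quantity) / 1024, 2) by DataType
| extend Tier = iff(DataType in ("Perf", "Heartbeat", "InsightsMetrics"),
                    "Operational", "SecurityOrOther")
| order by BillableGB desc

// Query 2: run from the Sentinel workspace; pull CPU data from the
// operational workspace ("ops-workspace" is an assumed name) and correlate
// it with failed logons (EventID 4625) stored in the Sentinel workspace.
let noisyHosts =
    workspace("ops-workspace").Perf
    | where TimeGenerated > ago(1d)
    | where ObjectName == "Processor"
        and CounterName == "% Processor Time"
        and InstanceName == "_Total"
    | summarize AvgCpu = avg(CounterValue) by Computer
    | where AvgCpu > 90;
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4625
| summarize FailedLogons = count() by Computer
| join kind=inner noisyHosts on Computer
| project Computer, FailedLogons, AvgCpu
```

The `workspace()` function requires read access to the other workspace, and cross-workspace queries can be used in Sentinel analytics rules as well as ad-hoc hunting.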