Forum Discussion
Can Azure Sentinel monitor on-prem only?
ShimKwan Just thinking here...
Can this be done? Sure.
But, a few things to consider (off the top of my head)...
You still have to get all on-premises logs to Azure (Log Analytics workspace) - which means installing the agent wherever it's needed (workstations, Syslog server, servers, DCs, etc.)
You'd still need to deploy AD Connect to synch your on-prem AD with Azure AD to apply Azure Sentinel roles and other things.
The SOAR capability will be difficult. You'll need to install a gateway for Logic Apps on-prem:
https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-gateway-install
https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-gateway-connection
But, I can't be sure which SOAR capabilities of Azure Sentinel will work on on-prem.
- Thijs Lecomte, Nov 03, 2020, Bronze Contributor
I agree with Rod here.
Yes it's possible to use it entirely on-prem. You don't even need AAD Connect, you can just use cloud users if you want. But the real benefit of Azure Sentinel is in the tight integration with our cloud services.
What is your reasoning with going for Sentinel?
- ShimKwan, Nov 03, 2020, Brass Contributor
Thijs Lecomte, you wrote: "You don't even need AAD Connect, you can just use cloud users if you want."
In this scenario, there is no Cloud presence, there are no Cloud users. Everything is on-prem. We are just trying to determine whether Sentinel will be able to deliver both SIEM and SOAR capabilities to an on-prem only environment.
The client in question is not satisfied with their existing SIEM solution and is looking for a more modern alternative, hence Sentinel on the discussion table.
- ShimKwan, Nov 03, 2020, Brass Contributor
Thank you both for replying 🙂
- cstephensonc, Feb 06, 2023, Copper Contributor
So what was the final verdict on this one? I am going down the same path now.
Regards,
Craig