Forum Discussion

ShimKwan's avatar
ShimKwan
Brass Contributor
Nov 03, 2020

Can Azure Sentinel monitor on-prem only?

Hi,   Imagine a scenario where a client only has on-prem, but are looking for a new SIEM/SOAR solution. They will remain on-prem for an unforeseeable future. Can a new Azure Tenant be spun up to ...
Rod_Trent's avatar
Rod_Trent
Icon for Microsoft rankMicrosoft
Nov 03, 2020

ShimKwan Just thinking here...

 

Can this be done?  Sure. 

 

But, a few things to consider (off the top of my head)...

 

You still have to get all on-premises logs to Azure (Log Analytics workspace) - which means installing the agent where ever it's needed (workstations, Syslog server, servers, DCs, etc.)

 

You'd still need to deploy AD Connect to synch your on-prem AD with Azure AD to apply Azure Sentinel roles and other things.

 

The SOAR capability will be difficult. You'll need to install a gateway for Logic Apps on-prem:

 

https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-gateway-install

https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-gateway-connection 

 

But, I can't be sure which SOAR capabilities of Azure Sentinel will work on on-prem.

ShimKwan's avatar
ShimKwan
Brass Contributor
Nov 03, 2020

thank you both for replying 🙂

  • cstephensonc's avatar
    cstephensonc
    Copper Contributor
    Feb 06, 2023

    ShimKwan 

    So what was the final verdict on this one?  I am going down the same path now.

     

    Regards,

     

    Craig