Forum Discussion

Ryan Heffernan's avatar
Ryan Heffernan
Icon for Microsoft rankMicrosoft
Feb 22, 2019
Solved

Join Our Azure Sentinel Community

Visit Our Blog   Now that we have announced Azure Sentinel, we'd like to invite you to speak directly to our engineering team. We believe that the best way to improve our products is by having ...
  • Chris Boehm's avatar
    Chris Boehm
    Mar 28, 2019

    David Caddick 

     

    Please continue providing feedback here on the Azure Sentinel Communities, if you're specifically asking for a feature request on a product go here. 

    https://feedback.azure.com/forums/920458-azure-sentinel

     

    referencing Ryan's Community post : https://techcommunity.microsoft.com/t5/Azure-Advanced-Threat-Protection/Join-Our-Security-Community/m-p/311170

     

    "

    We want you to speak directly to our engineering teams. We believe that the best way to improve our security products is by having no barriers between you and the people that create them. That's why we need your participation in our security community.

     

    As part of our community you can influence our products and get early access to changes by participating in private previews, giving feedback, requesting features, reviewing product roadmaps, joining webinars and calls, or attending in-person events. 

     

    Join Us

    To join our community, click here, and then click the join button and the heart icons of the groups your are interested in, as pictured below.

    "

     

     

AndrewX's avatar
AndrewX
Iron Contributor
Jun 20, 2019
Thanks for these excellent tooling. We enable and integrated with AAD, O365, Security Center day we heard about it and very cool so far.. I am still a bit muddy though on how my existing non-azure oms agent hosts that currently send data to an existing log analytics workspace, and how the agents gets data to ATP, Security Centre send data to Sentinel. What's the best practice for agent install on hosts to get data to all the security portals?
Chris Boehm's avatar
Chris Boehm
Former Employee
Jun 20, 2019

AndrewX 

 

I believe this comes down to where you're needing the data, the OMS agent can be multihomed

https://blogs.technet.microsoft.com/msoms/2016/05/26/oms-log-analytics-agent-multi-homing-support/

 

This allows you to send data to multiple different workspaces. Be aware you'll be charged twice for the data.

 

If you're wanting to take advantage of the services you're already paying for you should have something like this, I'm going to be using Azure Security Center as an example.

 

Server -> MMA/OMS Agent--> Azure Security Center --> Azure Sentinel

This way you'll still have all the data within Azure Security Center's Workspace, you'll get security related alerts ingested into Azure Sentinel.

 

You can take another approach as to having Azure Sentinel and Azure Security Center together by using the same workspace.

 

Server -> MMA/OMS Agent -> Workspace(Azure Security Center/Azure Sentinel)

 

You'll see a lot more raw events this way, get Azure Security Center benefits within the same workspace, but still able to use the investigation/alerts/automation with Azure Sentinel with the additional information. 

 

Hope this helped answer your question

 

 

 

 

Resources