Forum Discussion
Log Analytics design considerations with Azure Sentinel & Azure Security Center
- Jul 05, 2019
David,
This topic comes down to preference on the log ingestion you're wanting into Azure Sentinel; you're using your security services to provide alerts and auditing. Azure Sentinel can then connect the alerts and events together, showing you a story (Cases) of how the event occurred and providing filtered/relevant information. With that information, to eliminate noise or to have your own custom alerts triggered by joined data, we have the analytics within Azure Sentinel to set up a query that pulls specific information, which can be put into a playbook for automation.
To round back on the question, if I'm wanting all event data within Azure Sentinel and Azure Security Center - yes, it can be ingested into the same workspace. You can have both raw events and alerts within the same workspace. With that being said, you can share the same workspace or multi-home the agents.
Another thing missed often is that we can query multiple workspaces as long as the user has access to each workspace. Example: https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/cross-workspace-query#identifying-workspace-resources
If you're sharing the workspace, let's use Azure Security Center as an example: I'd advise setting up your own workspace rather than the default ASC workspace. After configuring the workspace, enable auto-provisioning of the MMA agents. The agents will be pointed to the ASC configured workspace (Example: "WorkSpaceTest").
Setting up Azure Sentinel, configure it to use the same workspace "WorkSpaceTest", and you'll now be getting the MMA collection of events and ASC Security Alerts within the same workspace as Azure Sentinel.
Hope this helped answer your question,
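As an added illustration of the two points above (alerts and raw events living in one workspace, and querying across workspaces the user can read), here is a KQL query that is not part of the original reply. It assumes the "WorkSpaceTest" workspace named in the post plus a second, hypothetical workspace "WorkSpaceSecondary" (stand-ins for whatever your multi-homed or shared workspaces are called), the standard `SecurityAlert` and `SecurityEvent` tables, and that the host portion of `CompromisedEntity` matches the short computer name in `SecurityEvent.Computer`, which you should verify against your own data before relying on the join.

```kusto
// Added example, not from the thread. Correlates ASC alerts with the raw
// Windows events the MMA agent collected on the same host, across two workspaces.
// workspace() accepts a name, a workspace ID (GUID) or a full Azure resource ID:
//   workspace("WorkSpaceTest")
//   workspace("00000000-0000-0000-0000-000000000000")            // placeholder GUID
//   workspace("/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/WorkSpaceTest")
// The caller needs read access (e.g. Log Analytics Reader) on every workspace referenced.
let lookback = 1d;
let window = 30m;
// isfuzzy=true lets the union run even if one workspace lacks the table yet.
let alerts =
    union isfuzzy=true
        workspace("WorkSpaceTest").SecurityAlert,
        workspace("WorkSpaceSecondary").SecurityAlert      // hypothetical second workspace
    | where TimeGenerated > ago(lookback)
    | where ProviderName == "Azure Security Center"       // keep ASC-sourced alerts only
    | extend Host = tolower(tostring(split(CompromisedEntity, ".")[0]))   // assumption: host-style entity
    | project AlertTime = TimeGenerated, AlertName, Severity = AlertSeverity, Host;
let events =
    union isfuzzy=true
        workspace("WorkSpaceTest").SecurityEvent,
        workspace("WorkSpaceSecondary").SecurityEvent
    | where TimeGenerated > ago(lookback)
    | extend Host = tolower(tostring(split(Computer, ".")[0]))
    | project EventTime = TimeGenerated, Host, EventID, Account, Activity;
alerts
| join kind=inner events on Host
// keep only events that fall within +/- window of the alert
| where EventTime between ((AlertTime - window) .. (AlertTime + window))
| summarize EventCount = count(), Accounts = make_set(Account), EventIDs = make_set(EventID)
    by AlertTime, AlertName, Severity, Host
| order by AlertTime desc
```

The same pattern is what an Azure Sentinel analytics rule would run on a schedule: the `alerts` side is the ASC signal, the `events` side is the raw MMA telemetry, and the join on host and time window is the "joined data" the reply mentions. Dropping the second `workspace(...)` line from each union reduces this to the single shared-workspace case.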
Chris Boehm, don't forget that Sentinel cannot be deployed on the ASC default workspaces. So you have to create your own.