Forum Discussion

David Caddick
Iron Contributor
Jul 02, 2019
Solved

Log Analytics design considerations with Azure Sentinel & Azure Security Center

Based on this from @Yuri Diogenes, what we're trying to do is understand the best way of implementing Log Analytics to support both functions in the best way possible & ensuring we don't limit the func...
  • Chris Boehm
    Jul 05, 2019

    David Caddick

    David,

    This topic comes down to preference on the log ingestion you're wanting into Azure Sentinel: you're using your security services to provide alerts and auditing. Azure Sentinel can then connect the alerts and events together, showing you a story (Cases) of how the event occurred and providing filtered/relevant information. With that information, to eliminate noise or to have your own custom alerts triggered by joined data, we have the analytics within Azure Sentinel to set up a query to pull specific information that can be put into a playbook for automation.

    To round back on the question: if I'm wanting all event data within Azure Sentinel and Azure Security Center, yes, it can be ingested into the same workspace. You can have both raw events and alerts within the same workspace. With that being said, you can share the same workspace or multi-home the agents.

    Another thing often missed is that we can query multiple workspaces as long as the user has access to each workspace. Example: https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/cross-workspace-query#identifying-workspace-resources

    If you're sharing the workspace, let's use Azure Security Center as an example: I'd advise setting up your own workspace rather than the default ASC workspace. After configuring the workspace, enable auto-provisioning of the MMA agents. The agents will be pointed to the ASC-configured workspace (example: "WorkSpaceTest").

    Setting up Azure Sentinel, configure it to use the same workspace "WorkSpaceTest"; you'll now be getting the MMA collection of events and ASC security alerts within the same workspace as Azure Sentinel.

    Hope this helped answer your question,
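
The cross-workspace query the reply points to, as an added example that is not part of Chris Boehm's post or the linked documentation. It uses the `workspace()` KQL function from the linked page to read the ASC `SecurityAlert` table and the MMA-collected `SecurityEvent` table from two workspaces at once and join them, which is the "joined data" an analytics rule could be built on. The workspace name "WorkSpaceTest" is the one used in the reply; "WorkSpaceOther", the 1-day lookback and the match of `CompromisedEntity` to `Computer` are assumptions for the illustration. The caller needs read access to both workspaces or the `workspace()` reference fails.

```kusto
// Added example (not from the original post). Assumes two workspaces:
// "WorkSpaceTest" (the shared ASC/Sentinel workspace from the answer) and
// "WorkSpaceOther" (a hypothetical second one the user can also read).
let lookback = 1d;

// ASC alerts from both workspaces, tagged with the workspace they came from
// so that rows from different workspaces are not mixed up later.
let alerts = union isfuzzy=true
    (workspace("WorkSpaceTest").SecurityAlert  | extend SourceWorkspace = "WorkSpaceTest"),
    (workspace("WorkSpaceOther").SecurityAlert | extend SourceWorkspace = "WorkSpaceOther")
  | where TimeGenerated > ago(lookback)
  | project TimeGenerated, SourceWorkspace, AlertName, AlertSeverity, CompromisedEntity;

// Raw MMA security events from the same workspaces; EventID 4625 is a
// Windows failed logon. isfuzzy=true keeps the query running if one
// workspace has no SecurityEvent table yet.
let failedLogons = union isfuzzy=true
    (workspace("WorkSpaceTest").SecurityEvent  | extend SourceWorkspace = "WorkSpaceTest"),
    (workspace("WorkSpaceOther").SecurityEvent | extend SourceWorkspace = "WorkSpaceOther")
  | where TimeGenerated > ago(lookback)
  | where EventID == 4625
  | summarize FailedLogons = count() by Computer, SourceWorkspace;

// Join alerts to hosts in the same workspace that also show failed logons.
// Assumption: CompromisedEntity carries the same host name as Computer;
// adjust if your alerts use FQDNs and your events use short names.
alerts
| join kind=inner failedLogons
    on SourceWorkspace, $left.CompromisedEntity == $right.Computer
| project TimeGenerated, SourceWorkspace, AlertName, AlertSeverity, Computer, FailedLogons
| order by AlertSeverity asc, FailedLogons desc
```

Run it from the Logs blade of either workspace; the results carry a SourceWorkspace column so you can tell which workspace each row came from. If you later multi-home the MMA agents instead of sharing one workspace, the same query still works, but the same event will then appear once per workspace the agent reports to.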
