Home
%3CLINGO-SUB%20id%3D%22lingo-sub-776064%22%20slang%3D%22en-US%22%3ERe%3A%20Integrating%20Azure%20Security%20Center%20with%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-776064%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3Ehello%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3EIs%20it%20possible%20to%20connect%20azure%20sentinel%20for%20multiple%20azure%20ad%20tenants%2C%20so%20we%20can%20control%20and%20audit%20a%20different%20directory%2C%20which%20is%20not%20under%20the%20tenanted%20generated%20by%20sentinel%20workspace%20%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-779576%22%20slang%3D%22en-US%22%3ERe%3A%20Integrating%20Azure%20Security%20Center%20with%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-779576%22%20slang%3D%22en-US%22%3E%3CP%3EHello%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F383054%22%20target%3D%22_blank%22%3E%40oshrih7145%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERecently%20we%20announced%20Azure%20Lighthouse%20(see%26nbsp%3B%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Flighthouse%2Fconcepts%2Fcross-tenant-management-experience%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Flighthouse%2Fconcepts%2Fcross-tenant-management-experience%3C%2FA%3E%3C%2FFONT%3Efor%20more%20info)%2C%20and%20this%20enables%20Azure%20Sentinel%20for%20the%20multi-tenant%20scenario.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-482847%22%20slang%3D%22en-US%22%3EIntegrating%20Azure%20Security%20Center%20with%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-482847%22%20slang%3D%22en-US%22%3E%3CP%3EBefore%20explaining%20how%20Azure%20Security%20Center%20integrates%20with%20Azure%20Sentinel%2C%20it%20is%20very%20important%20to%20understand%20the%20use%20case%20of%20each%20one%20of%20those%20solutions.%20Knowing%20how%20to%20positioning%20them%2C%20will%20help%20you%20to%20understand%20the%20key%20problems%20that%20each%20solution%20is%20addressing%20and%20how%20this%20reflects%20to%20your%20own%20scenario.%3C%2FP%3E%0A%3CP%3EAzure%20Security%20Center%20can%20be%20categorized%20as%20a%20Cloud%20Security%20Posture%20Management%20(CSPM)%20and%20Cloud%20Workload%20Protection%20Platform%20(CWPP).%20These%20platforms%20are%20composed%20by%20an%20aggregation%20of%20different%20capabilities%20as%20shown%20in%20the%20diagram%20below%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F111390i6CE379657E12E6FD%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22diagram.PNG%22%20title%3D%22diagram.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESecurity%20Center%20has%20several%20features%20that%20can%20be%20mapped%20to%20those%20capabilities%2C%20and%20you%20can%20find%20the%20entire%20list%20in%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fsecurity-center-os-coverage%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%20article%3C%2FA%3E.%20The%20diagram%20above%20also%20shows%20that%20Security%20Center%20has%20CSPM%20and%20CWPP%20capabilities%20for%20IaaS%2C%20PaaS%20and%20hybrid%20workloads.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CEM%3ENote%3C%2FEM%3E%3C%2FSTRONG%3E%3CEM%3E%3A%20for%20more%20information%20about%20the%20importance%20of%20CSPM%20and%20CWPP%20to%20manage%20visibility%20and%20control%20of%20your%20cloud%20workloads%2C%20read%20%3CA%20href%3D%22https%3A%2F%2Flnkd.in%2Fe2vaSec%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%20article%3C%2FA%3E%20that%20I%20wrote%20for%20the%20ISSA%20Journal.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAzure%20Sentinel%20in%20other%20hand%20is%20a%20cloud-native%20Security%20Information%20and%20Event%20Management%20(SIEM)%20and%20Security%20Orchestration%2C%20Automation%20and%20Response%20(SOAR)%20tool.%20Azure%20Sentinel%E2%80%99s%20role%20is%20to%20ingest%20data%20from%20different%20data%20sources%20and%20perform%20data%20correlation%20across%20these%20data%20sources.%20On%20top%20of%20that%2C%20Azure%20Sentinel%20leverages%20intelligent%20security%20analytics%20and%20threat%20intelligence%20to%20help%20with%20alert%20detection%2C%20threat%20visibility%2C%20proactive%20hunting%2C%20and%20threat%20response.%20The%20diagram%20below%20shows%20how%20Azure%20Sentinel%20is%20positioned%20across%20different%20data%20sources%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F110284iE03C1AE8860B6DF0%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Fig2.PNG%22%20title%3D%22Fig2.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EIntegrating%20Security%20Center%20with%20Azure%20Sentinel%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EWhen%20you%20configure%20this%20integration%2C%20the%20%3CEM%3ESecurity%20Alerts%3C%2FEM%3E%20generated%20by%20Security%20Center%20will%20be%20streamed%20to%20Azure%20Sentinel.%20You%20only%20need%20to%20follow%20a%20few%20steps%20to%20configure%20this%20integration%2C%20and%20you%20can%20follow%20those%20steps%20by%20reading%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-azure-security-center%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%20article%3C%2FA%3E.%20Once%20the%20integration%20is%20configured%2C%20the%20alerts%20generated%20by%20Security%20Center%20will%20start%20appearing%20in%20Azure%20Sentinel.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EEnd-to-end%20visibility%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EOne%20advantage%20of%20using%20Azure%20Sentinel%20as%20your%20SIEM%20is%20the%20capability%20to%20have%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-fusion%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Edata%20correlation%3C%2FA%3E%20across%20data%20sources%2C%20which%20enables%20you%20to%20have%20an%20end-to-end%20visibility%20of%20the%20security%20related%20events%2C%20as%20shown%20in%20the%20diagram%20below%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F110285i834517DC37A5BA93%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Fig3.PNG%22%20title%3D%22Fig3.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20this%20example%2C%20Azure%20Sentinel%20created%20a%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Ftutorial-investigate-cases%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ecase%3C%2FA%3E%20based%20on%20data%20correlation%20that%20is%20coming%20from%20different%20Microsoft%20products.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-482847%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESecurity%20Center%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

Before explaining how Azure Security Center integrates with Azure Sentinel, it is very important to understand the use case of each one of those solutions. Knowing how to positioning them, will help you to understand the key problems that each solution is addressing and how this reflects to your own scenario.

Azure Security Center can be categorized as a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP). These platforms are composed by an aggregation of different capabilities as shown in the diagram below:

 

diagram.PNG

 

Security Center has several features that can be mapped to those capabilities, and you can find the entire list in this article. The diagram above also shows that Security Center has CSPM and CWPP capabilities for IaaS, PaaS and hybrid workloads.

 

Note: for more information about the importance of CSPM and CWPP to manage visibility and control of your cloud workloads, read this article that I wrote for the ISSA Journal.

 

Azure Sentinel in other hand is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) tool. Azure Sentinel’s role is to ingest data from different data sources and perform data correlation across these data sources. On top of that, Azure Sentinel leverages intelligent security analytics and threat intelligence to help with alert detection, threat visibility, proactive hunting, and threat response. The diagram below shows how Azure Sentinel is positioned across different data sources:

 

Fig2.PNG

 

Integrating Security Center with Azure Sentinel

When you configure this integration, the Security Alerts generated by Security Center will be streamed to Azure Sentinel. You only need to follow a few steps to configure this integration, and you can follow those steps by reading this article. Once the integration is configured, the alerts generated by Security Center will start appearing in Azure Sentinel.

 

End-to-end visibility

One advantage of using Azure Sentinel as your SIEM is the capability to have data correlation across data sources, which enables you to have an end-to-end visibility of the security related events, as shown in the diagram below:

 

Fig3.PNG

 

In this example, Azure Sentinel created a case based on data correlation that is coming from different Microsoft products. 

2 Comments
Occasional Visitor

hello
Is it possible to connect azure sentinel for multiple azure ad tenants, so we can control and audit a different directory, which is not under the tenanted generated by sentinel workspace ?

Microsoft

Hello @oshrih7145 

Recently we announced Azure Lighthouse (see https://docs.microsoft.com/en-us/azure/lighthouse/concepts/cross-tenant-management-experience for more info), and this enables Azure Sentinel for the multi-tenant scenario.