Before explaining how Azure Security Center integrates with Azure Sentinel, it is very important to understand the use case of each of these solutions. Knowing how to position them will help you understand the key problems that each solution addresses and how this applies to your own scenario.
Azure Security Center can be categorized as both a Cloud Security Posture Management (CSPM) solution and a Cloud Workload Protection Platform (CWPP). These platforms are composed of an aggregation of different capabilities, as shown in the diagram below:
Security Center has several features that can be mapped to those capabilities, and you can find the entire list in this article. The diagram above also shows that Security Center has CSPM and CWPP capabilities for IaaS, PaaS and hybrid workloads.
Note: for more information about the importance of CSPM and CWPP to manage visibility and control of your cloud workloads, read this article that I wrote for the ISSA Journal.
Azure Sentinel, on the other hand, is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) tool. Azure Sentinel's role is to ingest data from different data sources and correlate data across them. On top of that, Azure Sentinel leverages intelligent security analytics and threat intelligence to help with alert detection, threat visibility, proactive hunting, and threat response. The diagram below shows how Azure Sentinel is positioned across different data sources:
Integrating Security Center with Azure Sentinel
When you configure this integration, the Security Alerts generated by Security Center will be streamed to Azure Sentinel. Configuring the integration takes only a few steps, which you can follow by reading this article. Once the integration is configured, the alerts generated by Security Center will start appearing in Azure Sentinel.
One advantage of using Azure Sentinel as your SIEM is the ability to correlate data across data sources, which gives you end-to-end visibility of security-related events, as shown in the diagram below:
In this example, Azure Sentinel created a case based on correlating data that comes from different Microsoft products.