Adopting Sentinel into an existing Azure Cloud environment


I'm reasonably new to Azure as a whole, and I've been really enjoying playing with Sentinel so far, but the time has come to deploy it in a more formal manner. I've got an open question about the Log Analytics workspace that is proving more difficult than anticipated to get a clear understanding of.

 

We have multiple subscriptions in a single tenant, and we don't use O365 or M365 (although we do use AAD). The vast majority of our Azure usage is either PaaS services (databases, AKS, etc), or running in-house developed applications using App Services. Each of these applications is already set up with Application Insights, and although it's across a few LA workspaces, we are actively using Application Insights and Azure Monitor today.

 

What I'm trying to figure out is: how do I make these logs accessible by Sentinel? I'm not looking for any sort of automated functionality, but I'd very much like to be able to query against and correlate with these logs when doing an investigation -- and being able to write my own automated queries against this would be extremely handy (so they're not all mixed up in the normal Monitor alerting). And while I don't necessarily care to get all of this logging data into Sentinel, I do care about a good chunk of it -- and it may be easier to pull it all in than to try to segregate (it's reasonably low volume today).

 

Reading between the lines, it seems as though if we have a single Log Analytics workspace that is used by Sentinel and AI, all our in-house application logs would be ingested into (or otherwise queryable by) Sentinel. However, I'm not positive this is true.

 

If this is not the case: how do I get logs from our App Services into Sentinel? Do I need to look at using CEF or the HTTP Data Collector API? Or is there some other connector in Sentinel that will ingest this logging data from an existing AI instance/LA workspace?

 

If this is the case: how does the interaction work for the workspace? I recall reading something a few days back that indicated the LA workspace for Sentinel should be dedicated to Sentinel, but didn't give an explanation why (and I can't recall where I read this). If we create a new LA workspace to use with Sentinel, will we still be able to use this workspace to create more traditional infrastructure/development dashboards and alerts?

 

Thanks! I hope this is reasonably clear, as I'm still a bit uncertain around all the various Azure components, and their interactions and dependencies.

2 Replies

@damianborrowell 

 

Hello, having App Insights in a workspace with Azure Monitor logs is a preview feature: https://docs.microsoft.com/en-us/azure/azure-monitor/app/create-workspace-resource#:~:text=%20Worksp...

 

Typically today we have one or more workspaces for Logs and that is then associated with Azure Sentinel.  

Reading between the lines, it seems as though if we have a single Log Analytics workspace that is used by Sentinel and AI, all our in-house application logs would be ingested into (or otherwise queryable by) Sentinel. However, I'm not positive this is true.


Azure Sentinel doesn't do ingestion (Log Analytics does that); Sentinel provides security analytics / insights onto that data.  If Azure Sentinel sees data from Logs and AI it will analyze it / allow you to query it.

I recall reading something a few days back that indicated the LA workspace for Sentinel should be dedicated to Sentinel

That could be an option; however, people sometimes separate operational logs (and maybe application logs) as they can have low security value, and maybe you don't want Azure Sentinel to charge you to analyze those sources (per GB/day), e.g.
Sentinel makes use of a lot of the PaaS log sources and logs from ASC (SecurityEvents) etc. Data in the Perf table may not have such high security value (but it will to the operations team); that's why you often see Perf in another workspace.


If we create a new LA workspace to use with Sentinel, will we still be able to use this workspace to create more traditional infrastructure/development dashboards and alerts?

 

Yes, the underlying query language and capability is still there.  So you can build an Azure Dashboard on the data (Log Analytics or Azure Sentinel), or use KQL to query, or build a Workbook to visualise the data - Workbooks are delivered by Azure Monitor but you see them in many portal blades such as Azure Sentinel.

Modules 2-4 from the Azure Sentinel training will help you: https://techcommunity.microsoft.com/t5/azure-sentinel/become-an-azure-sentinel-ninja-the-complete-le...
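
As an added example (not code from this thread), here is the kind of correlation the reply describes: a KQL query run from the Sentinel-enabled workspace that joins Azure AD sign-in failures (the SigninLogs table, populated by Sentinel's Azure Active Directory data connector) against App Service requests that live in a separate workspace-based Application Insights workspace, reached through the workspace() function. The workspace name ops-law, the threshold of ten failures and the one-hour window are assumptions. Two caveats a practitioner should know before relying on it: the caller needs read access (Log Analytics Reader) on both workspaces, and Application Insights zeroes ClientIP to 0.0.0.0 after geolocation unless the resource's DisableIpMasking property is set, so without that setting the join matches nothing. If the Application Insights resources are migrated into the Sentinel workspace instead, drop the workspace() wrapper and query AppRequests directly; Sentinel scheduled analytics rules accept cross-workspace queries too, so the same query can become a detection rather than an ad-hoc hunt.

```kql
// Added example, not from the thread. Runs in the Sentinel-enabled workspace.
// "ops-law" is an assumed name for the workspace holding the workspace-based
// Application Insights tables (AppRequests etc.). Adjust names and thresholds.
let lookback = 1h;
let min_failures = 10;          // assumed threshold
// Source IPs with repeated Azure AD sign-in failures (ResultType "0" = success).
let failed_signins =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"
    | summarize
        Failures = count(),
        TargetedUsers = dcount(UserPrincipalName),
        ErrorCodes = make_set(ResultType, 10),
        FirstSeen = min(TimeGenerated),
        LastSeen = max(TimeGenerated)
      by IPAddress
    | where Failures >= min_failures;
// The same IPs as seen by the App Services, read from the other workspace.
// ClientIP stays "0.0.0.0" unless DisableIpMasking is set on the App Insights resource.
let app_requests =
    workspace("ops-law").AppRequests
    | where TimeGenerated > ago(lookback)
    | where isnotempty(ClientIP) and ClientIP != "0.0.0.0"
    | summarize
        Requests = count(),
        FailedRequests = countif(Success == false),
        Apps = make_set(AppRoleName, 10),
        Operations = make_set(Name, 10)
      by IPAddress = ClientIP;
// Inner join: only IPs that hit both the identity plane and the applications.
failed_signins
| join kind=inner app_requests on IPAddress
| project IPAddress, Failures, TargetedUsers, ErrorCodes,
          Requests, FailedRequests, Apps, Operations, FirstSeen, LastSeen
| order by Failures desc
```

Widen the window and lower the threshold when hunting manually; tighten both when turning it into a scheduled rule so the rule does not page on ordinary password mistypes.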


Thanks, @Clive Watson! This is super helpful.

 

I think part of what's tripping me up is Monitor vs Log Analytics vs Application Insights. Based on the Azure Monitor Overview, I was under the impression that Monitor was the "umbrella" that housed all the underlying services. Given what you're saying above, and now that I'm a bit more familiar with the portal, it seems that Monitor is more of a "family" of related services rather than a distinct resource that we would be provisioning or managing.

 

That being said, it seems that we should be able to create a single Log Analytics workspace, configure Sentinel to use this workspace, and migrate all our Application Insights resources into this workspace as well. This will likely require some RBAC to keep things sane and partitioned appropriately.

 


That could be an option; however, people sometimes separate operational logs (and maybe application logs) as they can have low security value, and maybe you don't want Azure Sentinel to charge you to analyze those sources (per GB/day), e.g.
Sentinel makes use of a lot of the PaaS log sources and logs from ASC (SecurityEvents) etc. Data in the Perf table may not have such high security value (but it will to the operations team); that's why you often see Perf in another workspace.

There is a distinct drawback in having all your operational logs analyzed by a SIEM, both in up-front analysis costs and in long-term query complexity and computation time. There is a reasonably small subset of operational logs that we would want to ingest into Sentinel, but I'm unclear as to what would be entailed in splitting up the logs appropriately so that we can have only the security-sensitive logs analyzed by Sentinel while still having the full set of operational logs available to our developers and infrastructure people.

 

There's sufficient "magic" in Azure that it is surprisingly challenging coming in with no Azure knowledge or experience, and trying to figure out how to implement a logging pipeline. Most of the documentation boils down to "send it to Log Analytics and you're done". I'll start looking at your suggested training modules and see if that helps clear it up; they're definitely topical, and I'm looking forward to Module 5 having more content as well!

 

Given that there don't appear to be any technical concerns (at our size) with having a single Log Analytics workspace that is used by Sentinel and our in-house applications, for the sake of simplicity, I suspect that's where we'll wind up (barring corrections from those training modules). And so long as we're keeping our dashboards, alerts, and Sentinel configuration defined in PowerShell/Terraform, it should be reasonably straightforward to change things up in the future.
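
Before deciding which tables to split out, a practitioner would measure what each workspace actually ingests, and Log Analytics records that itself in the Usage table (Quantity is in MB; IsBillable marks data that is charged). The following KQL is an added example, not from this thread: it unions the Usage tables of two assumed workspaces, sec-law (the Sentinel-enabled one, where the query runs) and ops-law, and reports billable GB, GB per day and share of total per table over 30 days. High-volume tables with low security value are the candidates to keep out of the Sentinel workspace, since Sentinel's per-GB analysis charge applies to everything ingested there. Reading ops-law's Usage table needs read access on that workspace.

```kql
// Added example, not from the thread. Runs in the Sentinel-enabled workspace.
// "sec-law" and "ops-law" are assumed workspace names. Usage.Quantity is MB.
let lookback = 30d;
let usage =
    union isfuzzy=true
        (Usage | extend Workspace = "sec-law"),
        (workspace("ops-law").Usage | extend Workspace = "ops-law")
    | where TimeGenerated > ago(lookback)
    | where IsBillable == true;
// Total billable volume across both workspaces, for the percentage column.
let total_gb = toscalar(usage | summarize sum(Quantity)) / 1024.0;
usage
| summarize GB = round(sum(Quantity) / 1024.0, 2) by Workspace, DataType
| extend GBPerDay = round(GB / 30.0, 3),
         PctOfTotal = round(100.0 * GB / total_gb, 1)
| order by GB desc
```

Run it before and after moving Application Insights resources into the Sentinel workspace: the per-table rows make it obvious whether AppRequests, AppTraces or Perf are what would drive the Sentinel bill, and therefore whether the split is worth the extra workspace.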