Bringing data in from other tenants (e.g. O365)


I'm experimenting with connecting data sources into my Sentinel environment. I'm trying to natively connect an O365 (E3) source that I have provisioned through Partner Network licensing. It's under a different tenant and isn't visible on the Sentinel O365 connector config page. I believe that the connector has changed since last year with regard to multi-tenant native connections*. I also have a similar issue with an MS Defender ATP trial as a source.

What other solutions have people used for that scenario (multi-tenant Sentinel inputs for MS products)? Webjobs, EventHubs, LogicApps etc or is there a simple option I've missed?

I'm having some good success with other sources and have plans for other, non-native, connectors... (e.g. syslog from my non-Windows OSs and Cisco kit etc).

Thanks.


* 'Azure Sentinel now enables Office 365 single-tenant connection'

4 Replies

@Roblo1 Unless you absolutely need to have all the data in one place I would suggest having another Azure Sentinel instance in the other tenant and using Lighthouse to manage both your Azure Sentinel instances.

Thanks @Gary Bushey. I've been thinking about that as an option too, although I wanted to see if it's possible to bring it into my current environment - ideally with a native connector, rather than doing something else to pull it from an API and get it into Sentinel/LA. I'll do some further research on the method you've mentioned for combining two instances.

Update for completeness:

https://techcommunity.microsoft.com/t5/microsoft-security-and/security-community-webinars/ba-p/92788... 

added a presentation on this on 23rd June, which was useful.

@Roblo1 Well, if you don't mind spending on Logic Apps, then:

https://techcommunity.microsoft.com/t5/azure-sentinel/o365-amp-aad-multi-tenant-custom-connector-azure-sentinel/ba-p/1848968