IP addresses used by Sentinel

%3CLINGO-SUB%20id%3D%22lingo-sub-1643368%22%20slang%3D%22en-US%22%3EIP%20addresses%20used%20by%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1643368%22%20slang%3D%22en-US%22%3E%3CP%3EDoes%20anyone%20have%20to%20hand%20the%20IP%20ranges%20that%20the%20MMA%20agent%20would%20use%20to%20forward%20logs%20to%20Sentinel%3F%20I%20presume%20it's%20workspace%2Fregion%20dependent...but%20I%20can't%20seem%20to%20find%20anything%20and%20we%20can't%20just%20allow%20unrestricted%20outbound%20traffic.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1643781%22%20slang%3D%22en-US%22%3ERe%3A%20IP%20addresses%20used%20by%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1643781%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F668036%22%20target%3D%22_blank%22%3E%40thekernel%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20MMA%20is%20owned%20by%20the%20Azure%20Monitor%20Team%20(as%20is%20%22Log%20Analytics%22%20a.k.a%20Azure%20Monitor%20Logs)%2C%20so%20the%20docs%20are%20under%20their%20name%20not%20Azure%20Sentinel%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fapp%2Fip-addresses%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fapp%2Fip-addresses%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E
Regular Visitor

Does anyone have to hand the IP ranges that the MMA agent would use to forward logs to Sentinel? I presume it's workspace/region dependent...but I can't seem to find anything and we can't just allow unrestricted outbound traffic. 

2 Replies

@thekernel 

 

The MMA is owned by the Azure Monitor Team (as is "Log Analytics" a.k.a Azure Monitor Logs), so the docs are under their name not Azure Sentinel: https://docs.microsoft.com/en-us/azure/azure-monitor/app/ip-addresses

Thanks

@Clive Watson @thekernel 

 

Wondering if this worked for the OP? I also need to find Sentinel IPs but the intent is for a TI vendor to whitelist connecting agents.