Cloud Discovery Data Import - Sentinel vs Cloud App Sec


Hi,

Proxy logs benefit both Sentinel and Cloud App Security Cloud Discovery. What is the most sensible way of getting proxy log data into both with the least amount of moving parts? For example, ZScaler emits CEF which can be consumed by Azure Log Forwarder into Sentinel, but then Cloud App Security cannot pick up from Sentinel.

3 Replies

@truekonrads

There are 3 methods to get Discovery deployed:

https://docs.microsoft.com/en-us/cloud-app-security/set-up-cloud-discovery

1. MDATP

2. Log Collector for firewalls such as Blue Coat and Palo Alto

3. Zscaler or iBoss

Could you provide more context around what you'd like to achieve?

Chiefly, to not send data twice to the Microsoft cloud.

@Banu Jafarli I would like to refresh this old conversation.

Is there a plan to combine MCAS and Sentinel (e.g. Log Analytics agent) collection agents? Streaming firewall logs from on-prem to the cloud twice seems like a waste of effort.