Jun 22 2020 04:32 AM
I'm experimenting with connecting data sources into my Sentinel environment. I'm trying to connect natively an O365 (E3) source that I have provisioned through Partner Network licensing. It's under a different tenant and isn't visible under the Sentinel O365 connector config page. I believe that the connector has changed since last year with regard to multi-tenant native connections*. I also have a similar issue with MS Defender ATP trial as a source.
What other solutions have people used for that scenario (multi-tenant Sentinel inputs for MS products)? Webjobs, EventHubs, LogicApps etc or is there a simple option I've missed?
I'm having some good success with other sources and have plans for other, non-native, connectors... (e.g. syslog from my non-Windows OSs and Cisco kit etc).
Thanks.
* 'Azure Sentinel now enables Office 365 single-tenant connection'
Jun 22 2020 04:47 AM
@Roblo1 Unless you absolutely need to have all the data in one place I would suggest having another Azure Sentinel instance in the other tenant and using Lighthouse to manage both your Azure Sentinel instances.
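With a Sentinel workspace in each tenant and Azure Lighthouse delegation in place, the data does not need to be moved: a cross-workspace query from the managing tenant reads both. The query below is an added example, not code from this thread or from the poster; the workspace names `sentinel-home` and `sentinel-partner` are placeholders, and it assumes the Office 365 connector is enabled in the partner-tenant workspace so that `OfficeActivity` exists there.

```kql
// Added example (not from the thread). Run from the managing tenant after the
// partner tenant's subscription/resource group has been delegated via Lighthouse.
// workspace() accepts a workspace name, or the full resource ID
//   workspace("/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<name>")
// when names are ambiguous. Both names below are placeholders.
union isfuzzy=true
    (workspace("sentinel-home").OfficeActivity    | extend SourceWorkspace = "home"),
    (workspace("sentinel-partner").OfficeActivity | extend SourceWorkspace = "partner")
| where TimeGenerated > ago(1d)
// Surface the Office workloads and operations seen per tenant in the last day
| summarize Events = count(), Users = dcount(UserId)
    by SourceWorkspace, OfficeWorkload, Operation
| order by SourceWorkspace asc, Events desc
```

`isfuzzy=true` keeps the query running if one workspace does not yet have the `OfficeActivity` table (for example before the connector has ingested anything). Note that this queries the other tenant's data in place rather than ingesting it, so the partner tenant's retention and RBAC still apply to those rows.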
Jun 22 2020 06:29 AM
Thanks @Gary Bushey. I've been thinking about that as an option too, although I wanted to see if it's possible to bring it to my current environment - ideally with a native connector, rather than doing something else to pull it from an API and get it into Sentinel/LA. I'll do some further research on the method you've mentioned, combining two instances.
Jun 25 2020 03:22 AM
Update for completeness:
added a presentation on this on the 23rd June, which was useful.