We are trying to build a SOC based on Azure Sentinel, and have 26 Windows on-prem VMs connected via MMA agents. These VMs include 2 Active Directory servers, which are on-prem as well and send logs to Sentinel. I wanted to know if Azure AD (with sync to on-prem AD) is highly recommended (or a must-have) to optimally run Sentinel?
Does it affect threat-finding capabilities, or UBA capabilities, in any way?
Azure Sentinel can make use of AD and/or AAD. Some rules, workbooks, hunting, etc. will need various sources. UEBA uses data sources like Azure Active Directory, Azure Monitor, Azure Security Center, and Microsoft Defender. Whilst it's possible to run without either identity source, more often than not many features will require you to correlate with identity.
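As an added illustration of the identity correlation the answer refers to (not code from the thread or from Microsoft), this KQL query joins on-prem AD logon events collected from the Windows VMs via the MMA agent (SecurityEvent table) with Azure AD sign-ins (SigninLogs table) for the same account. It assumes Azure AD Connect syncs accounts so that the on-prem sAMAccountName matches the UPN prefix; the join key and the 1-day lookback are assumptions you would adjust for your tenant.

```kql
// Added example: correlate on-prem AD logons (MMA -> SecurityEvent) with
// Azure AD sign-ins (SigninLogs) per user, to see both sides of an identity.
// Assumption: sAMAccountName == UPN prefix (typical with Azure AD Connect sync).
let lookback = 1d;
let onprem = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624 and LogonType in (3, 10)   // network and RDP logons
    | extend User = tolower(TargetUserName)
    | summarize OnPremLogons = count(),
                OnPremHosts = make_set(Computer, 20) by User;
let cloud = SigninLogs
    | where TimeGenerated > ago(lookback)
    | extend User = tolower(tostring(split(UserPrincipalName, "@")[0]))
    | summarize CloudSignins = count(),
                FailedSignins = countif(ResultType != "0"),   // "0" = success
                CloudIPs = make_set(IPAddress, 20) by User;
// fullouter keeps users seen only on-prem or only in the cloud as well
onprem
| join kind=fullouter cloud on User
| extend User = coalesce(User, User1)
| project User, OnPremLogons, OnPremHosts, CloudSignins, FailedSignins, CloudIPs
| order by FailedSignins desc
```

Without the SigninLogs side (i.e. no Azure AD connector), the cloud columns are simply empty, which is the practical effect the answer describes: the on-prem events still arrive, but identity-based correlation and the UEBA entity pages have much less to work with.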