What are the advantages and disadvantages of connecting Sentinel to e.g. a Qradar? or two SIEMs


Hello,
I have read the documentation that allows connecting Sentinel to Qradar or vice versa and I don't see any additional capacity to connect two SIEMs, for example, Sentinel to Qradar.

The only advantage I see is to have the Microsoft Sentinel panel unified and send the alerts to Qradar via API. But Qradar already has connectors for Microsoft security tools via API.

I don't understand what advantages this gives.
1 Reply

@Chris_321 Typically, if a client has 2 SIEMs, one would be in the cloud (AKA MS Sentinel) and the other would be on-prem (Qradar in this case). Some companies don't like to send information from on-prem to the cloud and vice versa (since you have to pay egress charges when data leaves Azure).

I have had clients do this when they still have a contract for their existing SIEM and want to move to MS Sentinel as well. This way they can see what rules may be missing (if they copy all the data from on-prem into MS Sentinel) and make sure their needs will be met.

As far as integration goes, yes, you can use the APIs for the various MS security products; however, there is much better integration between the other MS security products and MS Sentinel, which is only getting better as time goes on.

The biggest disadvantage is that now you have two places to look to see what is going on in your environment and two systems to keep up to date (although with MS Sentinel being a SaaS product it is not hard).