Nov 03 2020 01:14 AM - edited Nov 03 2020 01:16 AM
Hi,
Imagine a scenario where a client only has on-prem, but is looking for a new SIEM/SOAR solution.
They will remain on-prem for an unforeseeable future.
Can a new Azure Tenant be spun up to only run the Azure Sentinel SIEM/SOAR, and integrate with the on-prem environment (as long as it's supported by Sentinel of course)?
There will be no Azure identities or any other Azure services running, as it's all on-prem.
The new Azure Tenant will only run what is required to get Sentinel up and running.
Is this a viable option?
Thanks,
SK
Nov 03 2020 03:48 AM
@ShimKwan Just thinking here...
Can this be done? Sure.
But, a few things to consider (off the top of my head)...
You still have to get all on-premises logs to Azure (Log Analytics workspace) - which means installing the agent wherever it's needed (workstations, Syslog server, servers, DCs, etc.)
You'd still need to deploy AD Connect to sync your on-prem AD with Azure AD to apply Azure Sentinel roles and other things.
The SOAR capability will be difficult. You'll need to install a gateway for Logic Apps on-prem:
https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-gateway-install
https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-gateway-connection
But, I can't be sure which SOAR capabilities of Azure Sentinel will work on on-prem.
Nov 03 2020 07:37 AM
Nov 03 2020 01:45 PM
@Thijs Lecomte you wrote: "You don't even need AAD Connect, you can just use cloud users if you want."
In this scenario, there is no Cloud presence, there are no Cloud users. Everything is on-prem. We are just trying to determine whether Sentinel will be able to deliver both SIEM and SOAR capabilities to an on-prem only environment.
The client in question is not satisfied with their existing SIEM solution and is looking for a more modern alternative, hence Sentinel on the discussion table.
Feb 06 2023 08:58 AM
So what was the final verdict on this one? I am going down the same path now.
Regards,
Craig