Can Azure Sentinel monitor on-prem only?

Contributor

Hi,

 

Imagine a scenario where a client only has on-prem, but are looking for a new SIEM/SOAR solution.

They will remain on-prem for an unforeseeable future.

Can a new Azure Tenant be spun up to only run the Azure Sentinel SIEM/SOAR, and integrate with the on-prem environment (as long as its supported by Sentinel of course)?

There will be no Azure identities or any other Azure services running, as its all on-prem.

The new Azure Tenant will only run what is required to get Sentinel up and running.

 

It this a viable option?

Thanks,

SK

 

4 Replies

@ShimKwan Just thinking here...

 

Can this be done?  Sure. 

 

But, a few things to consider (off the top of my head)...

 

You still have to get all on-premises logs to Azure (Log Analytics workspace) - which means installing the agent where ever it's needed (workstations, Syslog server, servers, DCs, etc.)

 

You'd still need to deploy AD Connect to synch your on-prem AD with Azure AD to apply Azure Sentinel roles and other things.

 

The SOAR capability will be difficult. You'll need to install a gateway for Logic Apps on-prem:

 

https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-gateway-install

https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-gateway-connection 

 

But, I can't be sure which SOAR capabilities of Azure Sentinel will work on on-prem.

I agree with Rod here.
Yes it's possible to use it entirely on-prem. You don't even need AAD Connect, you can just use cloud users if you want. But the real benefit of Azure Sentinel is in the tight integration with our cloud services.

What is your reasoning with going for Sentinel?

@Thijs Lecomteyou wrote: "You don't even need AAD Connect, you can just use cloud users if you want."

In this scenario, there is not Cloud presence, there are no Cloud users. Everything is on-prem. We are just trying to determine whether Sentinel will be able to deliver both SIEM and SOAR capabilities to an on-prem only environment.

The client in question is not satisfied with their existing SIEM solution and is look for a more modern alternative, hence Sentinel on the discussion table.

thank you both for replying :)