Improve security with Azure Sentinel, a cloud-native SIEM and SOAR solution


Description

Sarah Young joins Scott Hanselman to discuss Azure Sentinel, a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.


The Discussion

  • OshriDahan
    Hello,
    Is it possible to connect Azure Sentinel to multiple Azure AD tenants, so we can control and audit a different directory which is not under the tenant generated by the Sentinel workspace?
  • Sarah Young

    Hello Oshri,

    It is only possible to connect Azure Sentinel to the Azure AD tenant that it resides in.

    Best,
    Sarah

  • omerzubair
    Great presentation @Sarah and obviously @Scott!

    Yes, you are correct, I wasn't sure of the difference between Security Center and Sentinel. Now I know :)

    However, some quick questions:
    1. Sentinel looks tenant-wide, whereas Security Center is connected per subscription and logs into one Log Analytics workspace. So the question is: wouldn't the Security Center IaaS-focused logs be duplicated in the Sentinel logs?
    2. Similarly, I have already connected the Azure AD diagnostic logs to a Log Analytics workspace from the Azure AD interface. When I connect AD using the Sentinel interface, would it collect duplicate logs?
    3. Would be great to know some pricing and/or release date.

    Cheers From DownUnder
  • Sarah Young

    Hello Omer,

    In answer to your questions:

    1. No, if you connect ASC to Sentinel using the native connectors then the logs are not duplicated. Sentinel takes up ASC threat protection alerts, which are high fidelity alerts where the OMS agent on the endpoint has already analysed the logs - the raw logs themselves are not sent from ASC to Sentinel.

    2. Currently the AAD Sentinel connector only joins Sign-in and Audit logs. If you've chosen to connect more than these AAD logs in your LA workspace, then the Sign-in and Audit logs would be duplicated; the others would not.

    3. This is TBA.

    Best,
    S
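
One way to check for the duplication described in the answer above, as an added example that is not part of the thread or of Microsoft's documentation: a KQL query, run in the Log Analytics workspace behind Sentinel, that counts Azure AD Sign-in and Audit records which arrived more than once (as happens when the AAD diagnostic setting and the Sentinel AAD connector both forward the same log to one workspace). `SigninLogs`, `AuditLogs`, `Id` and `Type` are the standard Azure Monitor table and column names; the one-day window is an assumption.

```kusto
// Added example, not from the page. Assumption: a one-day lookback is enough
// to catch a double-connected log source. Each AAD event carries a unique Id,
// so the same Id appearing twice in one table means the row was ingested twice.
union SigninLogs, AuditLogs
| where TimeGenerated > ago(1d)
// Type is the originating table name, so Sign-in and Audit rows are counted separately
| summarize Copies = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Type, Id
| where Copies > 1
// DuplicatedEvents: distinct events seen more than once; ExtraRows: billable rows you are paying for twice
| summarize DuplicatedEvents = count(), ExtraRows = sum(Copies - 1), FirstDuplicate = min(FirstSeen), LastDuplicate = max(LastSeen) by Type
| order by ExtraRows desc
```

An empty result means no Sign-in or Audit event was ingested twice in the window; a non-empty one points at the table whose source is connected along two paths.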
