Security Center and Sentinel shared LAW

Justin Von Weicahrdt 1 Reputation point
2021-05-04T01:20:50.787+00:00

We are working on a project deploying Azure Security Centre and Azure Defender (leveraging the Qualys scanning engine) for vulnerability scanning capability, and consolidating the logs and metrics to a centralised Log Analytics Workspace. We also have a Sentinel project using its own Log Analytics Workspace. Am I correct in saying that when we deploy the LAW agents and Qualys agent, they should be pointing to the same central Log Analytics Workspace that Sentinel uses? Or should they be using another Log Analytics Workspace and then use the connector to Sentinel? The Sentinel project is looking for clarification on why we should be using the Sentinel LAW instead of our own.

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud
Microsoft Security | Microsoft Sentinel

1 answer

  1. Yash Mudaliar 191 Reputation points Microsoft Employee
    2021-05-04T08:15:11.88+00:00

    Hi @Justin Von Weicahrdt ,

    Azure Security Center mainly uses LAW when you need to export alerts, recommendations or logs to Sentinel. It is done by enabling 'Continuous Export' from Security Center. (Can share the steps on how to do that if you need.)
    I think it's a good reason to point out that using the Sentinel LAW gives a better and easier integration between Security Center and Sentinel.

    If my answer was helpful, please upvote and if I resolved your question please 'Accept it as an answer'.

    3 people found this answer helpful.
