How do I integrate Azure Monitor and Azure Sentinel

Richard Duane Wolford Jr 206 Reputation points
2023-03-16T14:50:43.4933333+00:00

We use Azure Monitor for alerting, and send diagnostic information there as well. We're going to implement Azure Sentinel and Defender for Cloud. For Defender for Cloud, it appears as if we have to already have a Log Analytics workspace created and have Defender use that workspace; it is the same workspace used by Sentinel. However, we're not sure how to include data gathered by Azure Monitor, or if it's even necessary. Could someone explain how these work together? We can't quite follow the documentation clearly.

Also, we know that Sentinel requires the agent to work properly and it is the same agent which Defender uses. We need an Azure Policy which will push the agent to any machine which does not already have it installed. Again, we're having some trouble following everything in the MS documentation.

Thanks in advance!


1 answer

  1. Andrew Blumhardt 9,576 Reputation points Microsoft Employee
    2023-03-20T02:24:34.6833333+00:00

    Best practice is to keep Azure Monitor and Sentinel separate but this is largely a preference. Many will argue separation of duties, data isolation, and cost savings. The same agent can be used to dual-home to both workspaces. Caution should be taken to avoid data duplication.

    Using the same workspace can be very convenient, especially for smaller IT teams where security and operational support may overlap. Sentinel will nearly double the price initially. Keeping data separated will save money, but if the operational data is reasonably sized and convenience is preferred, the consolidation may make sense. You can even create alert rules in Sentinel that are more operational if preferred, without the per-rule charges from Azure Monitor.
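The dual-homing the answer describes, as an added example that is not part of the original thread: one Azure Monitor Agent Data Collection Rule (the page does not name the agent; AMA is an assumption here) with two Log Analytics destinations, where each stream is routed to exactly one workspace so nothing is ingested twice. Workspace resource IDs, region and the Security event filter are constructed placeholders.

```json
{
  "location": "eastus",
  "properties": {
    "dataSources": {
      "windowsEventLogs": [
        {
          "name": "securityEvents",
          "streams": ["Microsoft-SecurityEvent"],
          "xPathQueries": ["Security!*[System[(EventID=4624 or EventID=4625)]]"]
        }
      ],
      "performanceCounters": [
        {
          "name": "perfCounters",
          "streams": ["Microsoft-Perf"],
          "samplingFrequencyInSeconds": 60,
          "counterSpecifiers": ["\\Processor(_Total)\\% Processor Time"]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "workspaceResourceId": "/subscriptions/<SUB-ID>/resourceGroups/<RG>/providers/Microsoft.OperationalInsights/workspaces/<SENTINEL-WS>",
          "name": "sentinelWorkspace"
        },
        {
          "workspaceResourceId": "/subscriptions/<SUB-ID>/resourceGroups/<RG>/providers/Microsoft.OperationalInsights/workspaces/<OPS-WS>",
          "name": "opsWorkspace"
        }
      ]
    },
    "dataFlows": [
      { "streams": ["Microsoft-SecurityEvent"], "destinations": ["sentinelWorkspace"] },
      { "streams": ["Microsoft-Perf"], "destinations": ["opsWorkspace"] }
    ]
  }
}
```

Listing a stream under both destinations in a single data flow is what produces the duplicated (double-billed) data the answer warns about, so each stream should appear in one flow with one destination.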