How do I integrate Azure Monitor and Azure Sentinel

Richard Duane Wolford Jr 226 Reputation points
2023-03-16T14:50:43.4933333+00:00

We use Azure Monitor for alerting, and send diagnostic information there as well. We're going to implement Azure Sentinel and Defender for Cloud. For Defender for Cloud, it appears as if we have to already have a Log Analytics workspace created and have Defender use that workspace; it is the same workspace used by Sentinel. However, we're not sure how to include data gathered by Azure Monitor, or if it's even necessary. Could someone explain how these work together? We can't quite follow the documentation clearly.

Also, we know that Sentinel requires the agent to work properly, and it is the same agent which Defender uses. We need an Azure Policy which will push the agent to any machine which does not already have it installed. Again, we're having some trouble following everything in the MS documentation.

Thanks in advance!


1 answer

  1. Andrew Blumhardt 10,051 Reputation points Microsoft Employee
    2023-03-20T02:24:34.6833333+00:00

    Best practice is to keep Azure Monitor and Sentinel separate, but this is largely a preference. Many will argue separation of duties, data isolation, and cost savings. The same agent can be used to dual-home to both workspaces. Caution should be taken to avoid data duplication.

    Using the same workspace can be very convenient, especially for smaller IT teams where security and operational support may overlap. Sentinel will nearly double the price initially. Keeping data separated will save money, but if the operational data is reasonably sized and convenience is preferred, the consolidation may make sense. You can even create alert rules in Sentinel that are more operational if preferred, without the per-rule charges from Azure Monitor.
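As an added illustration of the dual-homing the answer describes (example configuration, not from the answer or from Microsoft's documentation): one Azure Monitor Agent data collection rule that routes operational System/Application events to the Azure Monitor workspace and Security events to the Sentinel workspace. The workspace resource IDs, DCR name and region are placeholders, and the event ID filter is an assumed minimal set chosen for the example.

```json
{
  "type": "Microsoft.Insights/dataCollectionRules",
  "apiVersion": "2022-06-01",
  "name": "dcr-dual-home-example",
  "location": "eastus",
  "kind": "Windows",
  "properties": {
    "dataSources": {
      "windowsEventLogs": [
        {
          "name": "operationalEvents",
          "streams": ["Microsoft-Event"],
          "xPathQueries": [
            "System!*[System[(Level=1 or Level=2 or Level=3)]]",
            "Application!*[System[(Level=1 or Level=2 or Level=3)]]"
          ]
        },
        {
          "name": "securityEvents",
          "streams": ["Microsoft-SecurityEvent"],
          "xPathQueries": [
            "Security!*[System[(EventID=4624 or EventID=4625 or EventID=4688)]]"
          ]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "name": "opsWorkspace",
          "workspaceResourceId": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.OperationalInsights/workspaces/<OPS_WORKSPACE_NAME>"
        },
        {
          "name": "sentinelWorkspace",
          "workspaceResourceId": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.OperationalInsights/workspaces/<SENTINEL_WORKSPACE_NAME>"
        }
      ]
    },
    "dataFlows": [
      { "streams": ["Microsoft-Event"],         "destinations": ["opsWorkspace"] },
      { "streams": ["Microsoft-SecurityEvent"], "destinations": ["sentinelWorkspace"] }
    ]
  }
}
```

The two separate dataFlows entries are what prevent the duplication the answer warns about: listing both destinations in a single flow would ingest, and bill, every event in both workspaces.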
