Azure Sentinel / Azure Monitor - What's the difference here?

Matthew Tipler 21 Reputation points
2022-03-16T11:10:48.68+00:00

Hey guys,

Is anyone aware of any 'punchy' / 'to-the-point' literature relating what the high-level functional differences are between Azure Sentinel / Azure Monitor? Are they interdependent? Do you require one and not the other?

I guess my user story is that we currently have on-premises infrastructure (server / network) for which we would like to gather / monitor event logs and syslogs with a view to identifying security events and, if possible (although not currently as important), have insight into performance monitoring. As a side-note, our workstation / server infrastructure is onboarded into 365 Defender and we plan in future to enrol Win10 devices into Endpoint Manager.

At the present time, we have no cloud-based infrastructure / applications within Azure, although this will change in the future. We do however use the SaaS 365 collaboration suite. So presently we are probably more interested in a SIEM-type solution. Would Sentinel be better suited to this requirement? Is Azure Monitor more focused upon Azure-based infrastructure (although I've read it also supports on-prem)? A little confused.

Thank you to anyone that takes the time to read / respond to this question.

Matt


Accepted answer
  1. Andrew Blumhardt 9,601 Reputation points Microsoft Employee
    2022-03-16T11:47:12.593+00:00

    Azure Monitor is an operational monitoring solution, primarily for monitoring Azure resource health. It can be extended to monitor hybrid devices. It includes monitoring dashboards called insights. Azure Monitor is largely a free service. You can create monitoring alerts and responses, but no rules are provided out of the box. The alert management tool is also rather limited. Overall it is more of a framework or toolset than a ready-to-use service. Customers do pay for certain categories of alert rules and for customer-managed data storage. That "customer managed" storage is Azure Monitor Logs, also known as Log Analytics or formerly the OMS workspace.

    Sentinel and Defender for Cloud (formerly Azure Security Center) use the same agents and Azure Monitor Logs workspace to store their own monitoring data. Azure Monitor, Sentinel, and MDFC all share the same agents (SCOM as well is using the MMA agent). They can use the same workspace or multiple workspaces. One distinction is that Sentinel increases the price of the entire workspace. It is common to combine Sentinel and MDFC in the same workspace while hosting operational Azure Monitor data in a separate workspace.

    So Sentinel and Azure Monitor rely on the same agents and workspace capabilities. Sentinel includes data connectors, alert rules, workbooks (dashboards), UEBA, and many more features with a SIEM focus. Sentinel also has a full-featured ticket management capability. Sentinel is also a platform for automated alert responses using logic apps (playbooks). If your focus is on security monitoring then Sentinel is recommended.

    I will say if you are a big Windows security shop you might consider that MDO, MDI, MDE, MDCA, and several other Microsoft security tools are being centralized under the Defender 365 portal (security.microsoft.com). Also, Defender for Cloud focuses on securing your subscriptions. Sentinel combines these signals with a wide range of third-party data sources, including Syslog from your network devices. Point being that if you are onboarding Azure-based security solutions you might start with the services that feed Sentinel first.

    13 people found this answer helpful.

3 additional answers

Sort by: Most helpful
  1. Stanislav Zhelyazkov 21,681 Reputation points MVP
    2022-03-16T11:37:07.67+00:00

    Hi,
    To put it simply - Azure Monitor is a set of services and features to monitor Azure and non-Azure resources. One of these services in Azure Monitor is Log Analytics. Log Analytics is a service to store and query logs and metrics. Azure Sentinel uses certain features of Azure Monitor as a platform. For example, Azure Sentinel uses Log Analytics for storing logs and metrics. When you enable Sentinel you choose the Log Analytics workspaces for which the service is enabled. Other Azure Monitor features that Sentinel uses are data collection rules, workbooks, etc. Basically, you can have Azure Monitor without having to have Sentinel, but you cannot have Sentinel without using a Log Analytics workspace. Certain security logs like Azure AD logs or Azure Activity logs can be ingested into a Log Analytics workspace without having Sentinel enabled, but you will not have the specific Sentinel security features for this data.

    If you use both Azure Monitor and Sentinel, one of the benefits is that your security and non-security data can be placed in the same workspace. That allows for things like correlation, etc. Sentinel is a SIEM solution, and when used with Azure Monitor you can have your performance and security data in a single place. So, for me Sentinel is better suited for your requirements.

    Azure Monitor supports both Azure and non-Azure resources. The non-Azure resources could be on-premises VMs, network devices, SQL Servers, etc. They could even be resources located in other cloud providers. You can use Azure Monitor for pretty much everything as long as there is an out-of-the-box option to ingest the data for that resource, or you build your own mechanism for ingesting the data. Azure Monitor has capabilities to ingest your own custom data as well.

    Update: to provide more guidance than the above answer. Azure Monitor can monitor Microsoft 365. Overall, it really depends on the specifics. For example, you can monitor Microsoft 365 URLs via connection monitor.

    I hope this answers your questions.
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    4 people found this answer helpful.

  2. Alan Kinane 16,796 Reputation points MVP
    2022-03-16T11:33:33.083+00:00

    Azure Monitor is a collection of several different monitoring tools and services. Probably at the forefront is Log Analytics which is a log ingestion service used to ingest performance and diagnostic logs. These can then be queried manually or programmatically to look for performance spikes or errors in logs etc. Using another feature of Azure Monitor, you can set up alert rules to look for particular events or patterns in these logs and if necessary send you an alert notification.

    You can monitor many different Azure services, not just infrastructure, but for virtual machines you can install the monitoring agent onto any supported VMs, even those on-premises or in other cloud environments. It would not be useful for Microsoft 365 however.

    Microsoft Sentinel is a SIEM service but it makes use of Log Analytics, i.e. you ingest the log data into both Sentinel and Log Analytics. Microsoft Sentinel is more of a security service looking for potential threats to your environment and can be used to ingest many different types of logs (including syslogs) through service connectors including Microsoft 365 and Azure AD.

    It does sound like Microsoft Sentinel is more of what you are looking for here.

    Hope this helps!

    2 people found this answer helpful.
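Both the accepted answer and the answer above stress that Azure Monitor alert rules and Sentinel analytics rules read the same Log Analytics tables. As an added illustration (not from any of the posters), the following KQL query over the SecurityEvent and Syslog tables flags hosts with repeated failed logons from the on-premises Windows and Linux sources the question mentions; the same query can be saved as an Azure Monitor log alert rule or as a Sentinel scheduled analytics rule. The lookback window and threshold are assumed values.

```kusto
// Added example (not from the thread): one detection query that runs unchanged
// as an Azure Monitor log alert rule or a Sentinel scheduled analytics rule,
// because both read the same Log Analytics workspace tables.
// Assumptions: the agent populates SecurityEvent (Windows) and Syslog (Linux);
// lookback and threshold are illustrative values, tune them to your environment.
let lookback = 1h;
let threshold = 10;
// Windows: event 4625 = failed logon, collected from on-premises servers
let windows_failures = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625
    | project TimeGenerated, Host = Computer, Account = TargetAccount, Source = "SecurityEvent";
// Linux: sshd "Failed password" messages from the auth facilities
let linux_failures = Syslog
    | where TimeGenerated > ago(lookback)
    | where Facility in ("auth", "authpriv") and ProcessName == "sshd"
    | where SyslogMessage has "Failed password"
    | extend Account = extract(@"for (?:invalid user )?(\S+) from", 1, SyslogMessage)
    | project TimeGenerated, Host = Computer, Account, Source = "Syslog";
// Same schema from both sources, so they can be correlated in one result set
union windows_failures, linux_failures
| summarize FailureCount = count(),
            Accounts = make_set(Account, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Host, Source
| where FailureCount >= threshold
| order by FailureCount desc
```

In Azure Monitor this becomes a log alert with a "number of results greater than 0" condition wired to an action group; in Sentinel the identical query becomes a scheduled rule that opens incidents, which is the triage layer the accepted answer says Azure Monitor lacks.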

  3. Matthew Tipler 21 Reputation points
    2022-03-16T11:59:44.737+00:00

    Guys - thank you all for fantastic responses! Precisely what I was looking for, and it very much demystified the topic!

    Thank you again!
