How to stop cross-tenant diagnostic log forwarding from the destination tenant
I configured a Key Vault resource in tenant A to forward logs to a Log Analytics Workspace / Sentinel in tenant B via diagnostic settings.
To do this I provided Log Analytics Contributor permission over a resource group in tenant B to a group in tenant A by using Lighthouse. One of my users was added to this group in tenant A. Thus, my user in tenant A had the LA Contributor permission over tenant B. I configured the diagnostic settings in the Key Vault to use the Sentinel instance in tenant B as a destination.
1: My question is, can I do something in tenant B to prevent these logs from being forwarded? Let's say I lose access to tenant A for any reason. Can I somehow prevent these logs from being forwarded to my Sentinel in tenant B if I still have access to tenant B? I assumed removing the Lighthouse projection and/or changing the Log Analytics workspace keys would stop these logs from coming into my Sentinel, but this is not the case. So, even after removing the access and changing the keys, the logs are still coming in.
2: Is there some documentation that explains how diagnostic settings work in the background? Again, my impression was that they were using the workspace ID and key to forward these logs, but apparently this is not the case.
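The following is an added example, not part of the original question or of the Microsoft Q&A reply, showing the setup described in the question with Az PowerShell. It demonstrates the point behind question 2: the diagnostic setting is a child resource of the Key Vault in tenant A that references the tenant B workspace by ARM resource ID and carries no workspace key, and the tenant B side can only observe what arrives. Tenant IDs, subscription IDs, resource group and resource names are placeholders; it assumes the Az.Accounts, Az.KeyVault, Az.Monitor (3.x cmdlet names) and Az.OperationalInsights modules.

```powershell
# Added example, not from the original post. All GUIDs, names and resource IDs
# are placeholders. Requires Az.Accounts, Az.KeyVault, Az.Monitor 3.x and
# Az.OperationalInsights.

# --- Tenant A (source): the Key Vault and its diagnostic setting live here ---
$tenantA = '00000000-0000-0000-0000-00000000000a'   # placeholder
$kvName  = 'kv-tenant-a'                            # placeholder

# ARM resource ID of the tenant B workspace, reachable through the Lighthouse
# projection. This is an ARM ID, not the workspace customer ID and not a key.
$lawResourceId = '/subscriptions/00000000-0000-0000-0000-00000000000b' +
                 '/resourceGroups/rg-sentinel/providers/Microsoft.OperationalInsights' +
                 '/workspaces/law-sentinel-b'

Connect-AzAccount -Tenant $tenantA | Out-Null
$kv = Get-AzKeyVault -VaultName $kvName

# The diagnostic setting (Microsoft.Insights/diagnosticSettings) is attached to
# the Key Vault. Write permission on the destination workspace is needed when
# the setting is created; that is what the Lighthouse delegation supplied.
$auditLog = New-AzDiagnosticSettingLogSettingsObject -Category 'AuditEvent' -Enabled $true
New-AzDiagnosticSetting -Name 'kv-to-sentinel-b' `
    -ResourceId  $kv.ResourceId `
    -WorkspaceId $lawResourceId `
    -Log         $auditLog | Out-Null

# Inspect what was stored: only the workspace resource ID and the enabled
# categories, no shared key anywhere in the object.
Get-AzDiagnosticSetting -ResourceId $kv.ResourceId |
    Select-Object Name, WorkspaceId,
        @{ n = 'Logs'; e = { ($_.Log | Where-Object Enabled).Category -join ',' } }

# Stopping the forwarding is a write on this child resource of the Key Vault in
# tenant A; the workspace owner in tenant B does not own this object.
# Remove-AzDiagnosticSetting -ResourceId $kv.ResourceId -Name 'kv-to-sentinel-b'

# --- Tenant B (destination): what the workspace owner can observe ---
$tenantB = '00000000-0000-0000-0000-00000000000b'   # placeholder
Connect-AzAccount -Tenant $tenantB | Out-Null
$law = Get-AzOperationalInsightsWorkspace -ResourceGroupName 'rg-sentinel' -Name 'law-sentinel-b'

# Key Vault resource logs land in AzureDiagnostics. Grouping by the source
# resource ID shows which resources in other subscriptions are still sending.
$query = @'
AzureDiagnostics
| where TimeGenerated > ago(1h)
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| summarize Rows = count(), LastSeen = max(TimeGenerated) by ResourceId, SubscriptionId
'@
# Invoke-AzOperationalInsightsQuery takes the workspace customer ID (a GUID),
# which is a different identifier from the ARM resource ID used above.
(Invoke-AzOperationalInsightsQuery -WorkspaceId $law.CustomerId -Query $query).Results |
    Format-Table -AutoSize
```

The inspected setting contains no workspace key, which is consistent with the observation in the question: the shared keys are used by agent and HTTP Data Collector API ingestion, and rotating them does not touch the platform-side delivery of resource logs configured through a diagnostic setting. Removing the Lighthouse delegation takes away the ability to create or change such settings from tenant A, but the existing setting remains a child of the Key Vault in tenant A. If a destination-side filter is required, the place to look (not shown here, and to be verified against current Azure Monitor documentation) is a workspace transformation data collection rule on the AzureDiagnostics table, which can drop rows by ResourceId at ingestion time.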
Thank you for asking this question on the **Microsoft Q&A Platform.**
You have not received answers or comments to your question because it may be ambiguous or confusing.
I recommend you visit How to write a quality question and verify that your question meets some of the recommendations.
Hope this helps,
Carlos Solís Salazar
NOTE: To answer you as quickly as possible, please mention me in your reply.