How to stop cross-tenant diagnostic log forwarding from the destination tenant

Sándor Tőkési 161 Reputation points

Hi folks

I configured a Key Vault resource in tenant A to forward logs to a Log Analytics Workspace / Sentinel in tenant B via diagnostic settings.
To do this I provided Log Analytics contributor permission over a resource group in tenant B to a group in tenant A by using Lighthouse. One of my user was added to this group in tenant A. Thus, my user in tenant A had the LA contributor permission over tenant B. I configured the diagnostic settings in the Key Vault to use the Sentinel instance in tenant B as a destination.

1: My question is, can i do something in tenant B to prevent these logs to be forwarded? Let's say I lose access to tenant A for any reasons. Can I somehow prevent these logs to be forwarded to my Sentinel in tenant B if I still have access to tenant B? I assumed removing the ligthhouse projection and/or changing the Log Analytics workspace keys will stop these logs to come into my Sentinel, but this is not the case. So, even after removing the access and changing the keys the logs are still coming in.

2: Is there some documentation that explains how diagnostic settings works in the background? Again, my impression was that they are using the workspace id and key to forward these logs, but apparently this is not the case.

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
922 questions
{count} votes