Set up Microsoft Sentinel customer-managed key

Note

Azure Sentinel is now called Microsoft Sentinel; these pages are being updated to reflect the new name.

This article provides background information and steps to configure a customer-managed key (CMK) for Microsoft Sentinel. CMK allows you to give all data stored in Microsoft Sentinel - already encrypted by Microsoft in all relevant storage resources - an extra layer of protection with an encryption key created and owned by you and stored in your Azure Key Vault.

Prerequisites

  • The CMK capability requires a Log Analytics dedicated cluster with at least a 500 GB/day commitment tier. Multiple workspaces can be linked to the same dedicated cluster, and they will share the same customer-managed key.

  • After you complete the steps in this guide, and before you start using the workspace, contact the Microsoft Sentinel Product Group to confirm the onboarding.

  • Learn about Log Analytics Dedicated Cluster Pricing.

Considerations

  • Onboarding a CMK workspace to Sentinel is supported only via REST API, and not via the Azure portal. Azure Resource Manager templates (ARM templates) currently aren't supported for CMK onboarding.

  • The Microsoft Sentinel CMK capability is provided only to workspaces in Log Analytics dedicated clusters that have not already been onboarded to Microsoft Sentinel.

  • The following CMK-related changes are not supported because they will be ineffective (Microsoft Sentinel data will continue to be encrypted only by the Microsoft-managed key, and not by the CMK):

    • Enabling CMK on a workspace that's already onboarded to Microsoft Sentinel.
    • Enabling CMK on a cluster that contains Sentinel-onboarded workspaces.
    • Linking a Sentinel-onboarded non-CMK workspace to a CMK-enabled cluster.
  • The following CMK-related changes are not supported because they may lead to undefined and problematic behavior:

    • Disabling CMK on a workspace already onboarded to Microsoft Sentinel.
    • Setting a Sentinel-onboarded, CMK-enabled workspace as a non-CMK workspace by de-linking it from its CMK-enabled dedicated cluster.
    • Disabling CMK on a CMK-enabled Log Analytics dedicated cluster.
  • Microsoft Sentinel supports only system-assigned managed identities in the CMK configuration, so the dedicated Log Analytics cluster's identity must be of the System Assigned type. We recommend that you use the identity that's automatically assigned to the Log Analytics cluster when it's created.

  • Changing the customer-managed key to a different key (a different key URI) isn't currently supported. To change the key material, rotate the existing key instead; rotation creates a new version under the same key URI.

  • Before you make any CMK changes to a production workspace or to a Log Analytics cluster, contact the Microsoft Sentinel Product Group.

How CMK works

The Microsoft Sentinel solution uses several storage resources for log collection and features, including a Log Analytics dedicated cluster. As part of the Microsoft Sentinel CMK configuration, you will have to configure the CMK settings on the related Log Analytics dedicated cluster. Data saved by Microsoft Sentinel in storage resources other than Log Analytics will also be encrypted using the customer-managed key configured for the dedicated Log Analytics cluster.


Note

If you enable CMK on Microsoft Sentinel, any Public Preview feature that does not support CMK will not be enabled.

Enable CMK

To provision CMK, follow these steps: 

  1. Create an Azure Key Vault and generate or import a key.

  2. Enable CMK on your Log Analytics workspace.

  3. Register to the Azure Cosmos DB Resource Provider.

  4. Add an access policy to your Azure Key Vault instance.

  5. Onboard the workspace to Microsoft Sentinel via the Onboarding API.

STEP 1: Create an Azure Key Vault and generate or import a key

  1. Create Azure Key Vault resource, then generate or import a key to be used for data encryption.

    Note

    Azure Key Vault must be configured as recoverable, so that the key, and with it access to your data, cannot be lost through accidental or malicious deletion.

  2. Turn on recovery options:

    • Make sure Soft Delete is turned on.

    • Turn on Purge protection to guard against forced deletion of the key or the vault even after soft delete.

STEP 2: Enable CMK on your Log Analytics workspace

Follow the instructions in Azure Monitor customer-managed key configuration in order to create a CMK workspace that will be used as the Microsoft Sentinel workspace in the following steps.

STEP 3: Register to the Azure Cosmos DB Resource Provider

Microsoft Sentinel uses Azure Cosmos DB as an additional storage resource, so the Azure Cosmos DB resource provider (Microsoft.DocumentDB) must be registered in your subscription.

Follow the instructions to Register the Azure Cosmos DB Resource Provider for your Azure subscription.

STEP 4: Add an access policy to your Azure Key Vault instance

Grant Azure Cosmos DB access to your Azure Key Vault instance. Follow the Azure Cosmos DB instructions to add an access policy to your Key Vault instance for the Azure Cosmos DB principal, with the Get, Wrap Key, and Unwrap Key key permissions.

STEP 5: Onboard the workspace to Microsoft Sentinel via the onboarding API

Onboard the workspace to Microsoft Sentinel via the Onboarding API.
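The five steps above as one Azure CLI script. This is an added example, not code from the original article or from Microsoft's own tooling. The resource names, the subscription ID, the SecurityInsights API version (`2021-03-01-preview`) and the Azure Cosmos DB first-party application ID are assumptions you must verify in your tenant; the pure helper functions build the onboarding request so it can be inspected before anything is applied.

```shell
#!/usr/bin/env sh
# Added example: end-to-end CMK provisioning for a Microsoft Sentinel workspace
# with the Azure CLI. All names below are assumed placeholders, not values from
# the article. Run with the "apply" argument after "az login".
set -eu

SUB="${SUB:-00000000-0000-0000-0000-000000000000}"   # subscription ID (assumed)
RG="${RG:-rg-sentinel-cmk}"                           # resource group (assumed)
LOC="${LOC:-eastus}"                                  # region (assumed)
KV="${KV:-kv-sentinel-cmk}"                           # Key Vault name (assumed)
KEY="${KEY:-sentinel-cmk}"                            # key name (assumed)
CLUSTER="${CLUSTER:-la-cluster-cmk}"                  # dedicated cluster (assumed)
WS="${WS:-law-sentinel-cmk}"                          # workspace (assumed)
API="${API:-2021-03-01-preview}"                      # SecurityInsights API version (assumed)
# Cosmos DB first-party application ID used by the Cosmos DB CMK docs (assumed; verify in your tenant).
COSMOS_APP_ID="a232010e-820c-4083-83bb-3ace5fc29d0b"

# --- pure helpers (no Azure calls), so request shapes can be checked offline ---
key_version_from_kid() { printf '%s\n' "${1##*/}"; }   # .../keys/NAME/VERSION -> VERSION
onboarding_url() {                                      # $1 sub, $2 rg, $3 workspace, $4 api-version
  printf 'https://management.azure.com/subscriptions/%s/resourceGroups/%s/providers/Microsoft.OperationalInsights/workspaces/%s/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=%s\n' "$1" "$2" "$3" "$4"
}
onboarding_body() { printf '%s\n' '{"properties":{"customerManagedKey":true}}'; }

# STEP 1: recoverable vault (soft delete is on by default; purge protection must be explicit)
# and an RSA key restricted to wrap/unwrap. Access policies are used, matching the article.
step1_keyvault() {
  az keyvault create -n "$KV" -g "$RG" -l "$LOC" \
    --enable-purge-protection true --enable-rbac-authorization false
  az keyvault key create --vault-name "$KV" -n "$KEY" --kty RSA --size 2048 --ops wrapKey unwrapKey
}

# STEP 2: 500 GB/day dedicated cluster, grant its system-assigned identity to the key,
# point the cluster at the key version, then link a NEW workspace to the cluster.
step2_cluster_cmk() {
  az monitor log-analytics cluster create -n "$CLUSTER" -g "$RG" -l "$LOC" --sku-capacity 500
  PRINCIPAL=$(az monitor log-analytics cluster show -n "$CLUSTER" -g "$RG" --query identity.principalId -o tsv)
  az keyvault set-policy -n "$KV" --object-id "$PRINCIPAL" --key-permissions get wrapKey unwrapKey
  KID=$(az keyvault key show --vault-name "$KV" -n "$KEY" --query key.kid -o tsv)
  az monitor log-analytics cluster update -n "$CLUSTER" -g "$RG" \
    --key-vault-uri "https://$KV.vault.azure.net/" --key-name "$KEY" \
    --key-version "$(key_version_from_kid "$KID")"
  az monitor log-analytics workspace create -n "$WS" -g "$RG" -l "$LOC"
  CLUSTER_ID=$(az monitor log-analytics cluster show -n "$CLUSTER" -g "$RG" --query id -o tsv)
  az monitor log-analytics workspace linked-service create -n cluster -g "$RG" \
    --workspace-name "$WS" --write-access-resource-id "$CLUSTER_ID"
}

# STEP 3: Cosmos DB resource provider.
step3_cosmos_provider() { az provider register --namespace Microsoft.DocumentDB --wait; }

# STEP 4: access policy for the Cosmos DB principal (same key permissions as the cluster).
step4_cosmos_policy() {
  COSMOS_OID=$(az ad sp show --id "$COSMOS_APP_ID" --query id -o tsv)
  az keyvault set-policy -n "$KV" --object-id "$COSMOS_OID" --key-permissions get wrapKey unwrapKey
}

# STEP 5: onboard via the REST API (no portal, no ARM template), flagging customerManagedKey.
step5_onboard() {
  az rest --method put --url "$(onboarding_url "$SUB" "$RG" "$WS" "$API")" --body "$(onboarding_body)"
}

if [ "${1:-}" = "apply" ]; then
  az account set --subscription "$SUB"
  step1_keyvault; step2_cluster_cmk; step3_cosmos_provider; step4_cosmos_policy; step5_onboard
fi
```

Without the `apply` argument the script only defines the functions, so `onboarding_url` and `onboarding_body` can be printed and reviewed first. The order is deliberate: the workspace is linked to the CMK cluster in STEP 2 before the onboarding call in STEP 5, because enabling CMK on a workspace that is already onboarded to Sentinel has no effect.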

Key Encryption Key revocation or deletion

If a user revokes the key encryption key (the CMK), either by deleting it or by removing the dedicated cluster's and the Azure Cosmos DB resource provider's access to it, Microsoft Sentinel honors the change within one hour and behaves as if the data is no longer available. From that point, any operation that uses persistent storage resources, such as data ingestion, persistent configuration changes, and incident creation, is blocked. Previously stored data is not deleted but remains inaccessible; it is still governed by the data-retention policy and is purged in accordance with that policy.

The only operation possible after the encryption key is revoked or deleted is account deletion.

If access is restored after revocation, Microsoft Sentinel will restore access to the data within an hour.

Access to the data can be revoked by disabling the customer-managed key in the key vault, or deleting the access policy to the key, for both the dedicated Log Analytics cluster and Azure Cosmos DB. Revoking access by removing the key from the dedicated Log Analytics cluster, or by removing the identity associated with the dedicated Log Analytics cluster is not supported.

To understand more about how this works in Azure Monitor, see Azure Monitor CMK revocation.

Customer-managed key rotation

Microsoft Sentinel and Log Analytics support key rotation. When a user performs key rotation in Key Vault, Microsoft Sentinel supports the new key within an hour.

In Key Vault, you can perform key rotation by creating a new version of the key:

(Screenshot: key rotation by creating a new version of the key in Key Vault)

You can disable the previous version of the key after 24 hours, or after the Azure Key Vault audit logs no longer show any activity that uses the previous version.

After rotating a key, you must explicitly update the dedicated Log Analytics cluster resource in Log Analytics with the new Azure Key Vault key version. For more information, see Azure Monitor CMK rotation.
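The revocation and rotation flows from the two sections above as one added Azure CLI script (example code, not from the article or from Microsoft). Resource names are assumed placeholders. The `is_rotation` helper encodes the rule that a rotation keeps the key URI (vault and key name) and changes only the version, so an attempt to move the cluster to a different key is refused before the cluster is touched.

```shell
#!/usr/bin/env sh
# Added example: revoke, restore and rotate a Sentinel CMK with the Azure CLI.
# Names are assumed placeholders. Usage: revoke | restore | rotate | retire <old-version>
set -eu
RG="${RG:-rg-sentinel-cmk}"            # resource group (assumed)
KV="${KV:-kv-sentinel-cmk}"            # Key Vault name (assumed)
KEY="${KEY:-sentinel-cmk}"             # key name (assumed)
CLUSTER="${CLUSTER:-la-cluster-cmk}"   # dedicated cluster (assumed)

key_version_from_kid() { printf '%s\n' "${1##*/}"; }   # .../keys/NAME/VERSION -> VERSION
key_uri_from_kid()     { printf '%s\n' "${1%/*}"; }    # .../keys/NAME/VERSION -> .../keys/NAME

# A supported rotation keeps the key URI and only changes the version; anything else
# is a key replacement, which Sentinel does not support.
is_rotation() {
  old_uri=$(key_uri_from_kid "$1"); new_uri=$(key_uri_from_kid "$2")
  [ "$old_uri" = "$new_uri" ] && [ "$(key_version_from_kid "$1")" != "$(key_version_from_kid "$2")" ]
}

# Revocation: disable the key in the vault (supported), rather than removing the key from the
# cluster or deleting the cluster identity (not supported). Sentinel reacts within an hour.
revoke_access()  { az keyvault key set-attributes --vault-name "$KV" -n "$KEY" --enabled false; }
restore_access() { az keyvault key set-attributes --vault-name "$KV" -n "$KEY" --enabled true; }

# Rotation: create a new version of the SAME key, then explicitly update the cluster with it.
# Prints the previous key ID so the old version can be retired later.
rotate_key() {
  OLD_KID=$(az keyvault key show --vault-name "$KV" -n "$KEY" --query key.kid -o tsv)
  NEW_KID=$(az keyvault key create --vault-name "$KV" -n "$KEY" --kty RSA --size 2048 \
             --ops wrapKey unwrapKey --query key.kid -o tsv)
  is_rotation "$OLD_KID" "$NEW_KID" || { echo "refusing: new key URI differs from the old one" >&2; return 1; }
  az monitor log-analytics cluster update -n "$CLUSTER" -g "$RG" \
    --key-vault-uri "https://$KV.vault.azure.net/" --key-name "$KEY" \
    --key-version "$(key_version_from_kid "$NEW_KID")"
  printf '%s\n' "$OLD_KID"
}

# Retire the previous version after 24 hours (and no audit-log activity on it). Refuses to
# disable the version the cluster is currently configured with.
disable_old_version() {
  CURRENT=$(az monitor log-analytics cluster show -n "$CLUSTER" -g "$RG" \
              --query keyVaultProperties.keyVersion -o tsv)
  [ "$CURRENT" != "$1" ] || { echo "refusing: cluster still uses version $1" >&2; return 1; }
  az keyvault key set-attributes --vault-name "$KV" -n "$KEY" --version "$1" --enabled false
}

case "${1:-}" in
  revoke)  revoke_access ;;
  restore) restore_access ;;
  rotate)  rotate_key ;;
  retire)  disable_old_version "$2" ;;
esac
```

Only the current version is ever left enabled for the cluster; `retire` disables the old version by its version ID and never the key as a whole, which is what `revoke` does. Disabling the whole key is the revocation path described above and makes the data unavailable within an hour, so keep the two operations separate in any automation.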

Replacing a customer-managed key

Microsoft Sentinel does not support replacing a customer-managed key. You should use the key rotation capability instead.

Next steps

In this document, you learned how to set up a customer-managed key in Microsoft Sentinel. To learn more about Microsoft Sentinel, see the following articles: