In the past few months I’ve spoken with multiple Microsoft employees, and even Microsoft MVPs, who don’t understand Azure Sentinel, Azure Security Center, Azure Monitor and Log Analytics, and what the difference between them is. There seems to be some confusion around these products and how they are used together. I recently put together a diagram for a potential client that outlines the products, so I figured I would share an overview of Azure Monitor, Security Center and Sentinel here, along with an overview of each service.
Reach out to me if you would like this Visio diagram.
Disclaimer: this is an overview of all these solutions. One could, and some have, write entire books in depth on each of these solutions. This post is aimed at providing a general overview of each product.
Log Analytics – The Backbone
If you’re a first-time reader of my blog, Log Analytics and Azure Monitor are what I do. Log Analytics used to be called Operations Management Suite (OMS) and was summarily renamed to just Log Analytics. Then at Ignite 2018 Log Analytics and Application Insights were rolled up as services inside Azure Monitor.
Log Analytics is a logging tool. It provides logging at cloud scale. It’s extremely fast and versatile, and gives you the ability to examine and correlate hundreds of thousands or millions of logs in seconds. Log Analytics is the backbone used by Azure Monitor, Azure Security Center and Azure Sentinel.
Within Azure Monitor, Log Analytics is your infrastructure monitoring solution. Windows and Linux data is sent there from an agent, whether that machine lives in the cloud (any cloud) or in your on-prem data center. Your Azure resources send their diagnostic logs, and can send their metrics, to a workspace, though you don’t need to send metrics to a workspace to create alerts or visualizations.
Log Analytics has “Solutions.” Solutions act as an enabler of either data collection of a certain type, or of Azure Monitor Workbooks and other visualizations. For instance, you cannot monitor Windows Services without the Azure Automation Change Tracking solution being linked to your workspace. Azure Security Center and Azure Sentinel, at their base level, also install as solutions on top of a Log Analytics workspace. I would expect solutions to change as the monitoring model in Azure has changed; the original solutions, for instance, are limited to a single workspace and therefore to a single subscription.
My current recommendation for management and deployment of Log Analytics workspaces in general is to use a prod workspace, a non-prod workspace, and more as needed, unless you have a completely different operating model, like a DevOps model.
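As an added example (not from the original post), this is the kind of query the Change Tracking solution makes possible once it is linked to the workspace: it reads the ConfigurationChange table that the solution populates and surfaces watched Windows services that went from Running to Stopped in the last day. The service names in the list are assumptions for illustration, not values from the post.

```kusto
// Added example, not from the original post. Requires the Azure Automation
// Change Tracking solution linked to the workspace, which writes service
// state changes into the ConfigurationChange table.
// The watched service list below is an assumption for illustration.
let WatchedServices = dynamic(["MSSQLSERVER", "W3SVC", "WinDefend"]);
ConfigurationChange
| where TimeGenerated > ago(24h)
| where ConfigChangeType == "WindowsServices"       // only service records, not files/registry/software
| where SvcName in (WatchedServices)
| where SvcPreviousState == "Running" and SvcState == "Stopped"
| project TimeGenerated, Computer, SvcName, SvcDisplayName, SvcPreviousState, SvcState
| order by TimeGenerated desc
```

Without the solution linked, the ConfigurationChange table simply does not exist in the workspace and this query fails to resolve the table name, which is the practical meaning of “solutions act as an enabler of data collection of a certain type.” A service such as the endpoint protection engine stopping unexpectedly is worth an alert, so this query body is also a reasonable basis for a log search alert.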
Application Insights is your Application Performance Monitoring tool. It provides end-to-end tracing, performance, response time and more for your applications. These applications can be in App Services, Azure Functions, on-prem, or in IaaS VMs.
For all intents and purposes, AppInsights is the same thing as Log Analytics, just with different tables. The Kusto language originated in AppInsights and was later brought to Log Analytics and a whole bunch of other tools.
The plan is to integrate AppInsights with Log Analytics, according to this otherwise unrelated doc, where the plan is highlighted: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/customer-managed-keys
As mentioned above, you can create alerts for Azure resource metrics without sending them to a Log Analytics workspace. But everything else goes through Log Analytics and Application Insights workspaces, which roll up to Azure Monitor. Alerting, Action Groups and Action Rules all live within Azure Monitor, as do Azure Monitor Workbooks. Both AppInsights and Log Analytics use the same language, Kusto Query Language (KQL).
Within Azure Monitor we can trigger automated responses in Azure Functions, Logic Apps and Azure Automation Runbooks. We can do this for both Azure resource metric alerts and log search alerts from Application Insights or Log Analytics. We can also fire webhooks and integrate with ITSM tools like ServiceNow, Service Manager, Cherwell and Provance.
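The point that AppInsights and Log Analytics share one language but have different tables can be seen in a single cross-resource query. The following is an added example, not code from the original post: it uses KQL’s app() and workspace() scoping functions to correlate failed web requests from an Application Insights resource with CPU counters from a Log Analytics workspace. The resource names are assumptions, and so is the assumption that the AppInsights role instance name matches the VM’s Computer name in the workspace.

```kusto
// Added example, not from the original post.
// app() scopes a table to an Application Insights resource; workspace() scopes
// one to a Log Analytics workspace. Both names below are assumptions.
// Note the schema difference the post describes: AppInsights tables use
// `timestamp`, Log Analytics tables use `TimeGenerated`.
let FailedRequests = app("contoso-web-appinsights").requests
    | where timestamp > ago(1h) and success == false
    | summarize Failed = count() by Bucket = bin(timestamp, 5m), Host = cloud_RoleInstance;
let HostCpu = workspace("contoso-prod-workspace").Perf
    | where TimeGenerated > ago(1h)
    | where ObjectName == "Processor" and CounterName == "% Processor Time" and InstanceName == "_Total"
    | summarize AvgCpu = round(avg(CounterValue), 1) by Bucket = bin(TimeGenerated, 5m), Host = Computer;
// Assumption: the role instance reported by the app agent equals the VM's
// Computer name reported by the Log Analytics agent.
FailedRequests
| join kind=inner HostCpu on Bucket, Host
| project Bucket, Host, Failed, AvgCpu
| order by Bucket asc, Failed desc
```

Queries written this way run from either the workspace or the AppInsights query blade, and the same body can back an Azure Monitor log search alert, which is why alerting, action groups and workbooks can sit above both services.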
How to think of Azure Monitor
Azure Monitor is your operations monitoring, from VMs, applications and networking to cloud-native resources and applications.
The Azure Monitor documentation, including AppInsights and Log Analytics, is here: https://docs.microsoft.com/en-us/azure/azure-monitor/
Azure Security Center
Azure Security Center is a security management system. It provides threat analysis and prevention by assessing your environment and providing security recommendations. It also provides compliance audits for your Azure resources. Azure Security Center is built on top of Log Analytics: it acts as a solution that you “install” into a Log Analytics workspace, and it uses the Log Analytics agent to provide security for your cloud and on-prem VMs.
Security Center has integrations with both Azure Monitor and Azure Sentinel.
How to think of Azure Security Center
Think of Azure Security Center as providing preventative security measures across your environment.
You can read the Azure Security Center docs here: https://docs.microsoft.com/en-us/azure/security-center/security-center-intro
Azure Sentinel is a cloud-native Security Information and Event Management system, commonly shortened to SIEM. It also provides Security Orchestration, Automation and Response (SOAR) integrations, namely Logic Apps, which in Sentinel are called Playbooks. Azure Sentinel uses the power of Log Analytics for proactive threat visibility, threat hunting and response, and uses machine learning to minimize false positives and provide intelligence around threat hunting.
Because it’s built on top of Log Analytics, all your Azure resources can natively send their data to it, including on-prem or cloud-based Windows and Linux VMs and Syslog. An additional data collection feature that it provides over native Log Analytics is the ability to ingest Common Event Format (CEF) logs. In the security world many tools emit CEF, which allows Azure Sentinel to ingest them. Additionally, you can integrate Microsoft ATP with Azure Sentinel.
Sentinel installs as the “SecurityInsights” solution on the workspace that you select.
All tables and data you ingest into Log Analytics are available to you in Sentinel, including Custom Logs.
Unfortunately, I’m told that for technical reasons the Sentinel team chose to create their own alerting mechanisms, so there is no direct integration with Azure Monitor alerting like there is for Azure Security Center. However, you can write your own log queries and use them in both Sentinel alerts and Azure Monitor alerts.
Azure Security Center integrates with Sentinel, providing Sentinel with security recommendations, alerts and analytics. When integrated, they operate in a “better together” scenario.
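Two of the points above can be illustrated with queries. The first is an added example (not from the original post) over the CommonSecurityLog table, which is where the Sentinel CEF connector lands events from third-party security tools; it summarizes the highest-severity events per source product and destination so an analyst can see what the CEF feed is actually reporting. The severity cut-off is an assumption.

```kusto
// Added example, not from the original post. The Sentinel CEF connector
// writes Common Event Format events into the CommonSecurityLog table.
// LogSeverity arrives as a string, so it is converted before comparison.
// The severity threshold (7 and above) is an assumption for illustration.
CommonSecurityLog
| where TimeGenerated > ago(1h)
| extend Severity = toint(LogSeverity)
| where Severity >= 7
| summarize Events = count(),
            DistinctSources = dcount(SourceIP),
            SampleActivity = any(Activity)
    by DeviceVendor, DeviceProduct, DeviceEventClassID, DestinationIP
| order by Events desc
```

The second is an added example (also not from the original post) of the statement that one query body can serve both a Sentinel scheduled analytics rule and an Azure Monitor log search alert. It counts failed Windows logons (EventID 4625) per computer and source address over a short window and returns only hosts over a threshold; the lookback and threshold are assumptions to tune for your environment.

```kusto
// Added example, not from the original post. The same query body can be
// pasted into a Sentinel scheduled analytics rule or an Azure Monitor log
// search alert; both fire when the query returns rows.
// Lookback and Threshold are assumptions; tune them for your environment.
let Lookback = 15m;
let Threshold = 20;
SecurityEvent
| where TimeGenerated > ago(Lookback)
| where EventID == 4625                           // an account failed to log on
| summarize FailedLogons = count(),
            DistinctAccounts = dcount(TargetUserName),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Computer, IpAddress
| where FailedLogons >= Threshold
| project LastSeen, Computer, IpAddress, FailedLogons, DistinctAccounts, FirstSeen
| order by FailedLogons desc
```

In Azure Monitor the alert condition would be “number of results greater than 0” with the same 15-minute period and frequency; in Sentinel the rule’s query period and frequency carry the same values, and the resulting incident can hand off to a Playbook. The query body itself does not change, which is the practical upside of both products reading the same workspace.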
How to think of Azure Sentinel
It’s your SIEM. If you don’t have a SIEM and need one, I would highly recommend giving Sentinel a go. Log Analytics is extremely powerful, and Kusto is easy and intuitive to learn.
Azure Sentinel documentation can be found here: https://docs.microsoft.com/en-us/azure/sentinel/
Log Analytics is the backbone of monitoring and security in Azure. As you can see from my diagram above, it’s theoretically possible to have one workspace that holds all of your operational and security logs in one spot, and soon application logs as well. With table-level RBAC, you can also control who has access to certain tables. Whether it makes sense to use one workspace for everything depends on other considerations, like prod versus non-prod separation and cost.