How to integrate SaaS with Sentinel

Jon Isbell 1 Reputation point
2021-02-09T10:47:26.58+00:00

How would a SaaS vendor integrate their service with Azure Sentinel? I.e., the customer doesn't run/host any component of it.

Initially, I thought that they would be able to use the Azure Monitor HTTP Data Collector API but now I'm not so sure if this would be appropriate. I believe the documentation assumes (e.g. https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/ReadMe.md#rest-api-connectors) the customer is hosting the application/device. If the SaaS vendor makes the API calls on behalf of the customer then they would require the primary or secondary key for the customer's Sentinel workspace. This doesn't seem like a good idea - as it could give the SaaS vendor access to other data.

What is the best approach for integration in this case? Is it to create a connector which Microsoft hosts? Suggest the customer has a workspace dedicated to data for the service? Is there something similar to AWS IAM which I've missed? (shared access signature tokens seem close but it doesn't look like they can be used with Sentinel).

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
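For reference, an added example (not part of the original question, and not Microsoft's own sample code) of how a request to the Azure Monitor HTTP Data Collector API mentioned above is authorized: the only credential is an HMAC-SHA256 over a fixed string, keyed with the workspace's primary or secondary key, and the destination table (`Log-Type`) is not part of what gets signed. The workspace ID, key, table names and record are constructed placeholders, and the code builds the request without sending it.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

RESOURCE = "/api/logs"
CONTENT_TYPE = "application/json"

def authorization_header(workspace_id, shared_key_b64, rfc1123_date, content_length):
    """SharedKey header: HMAC-SHA256 keyed with the base64-decoded workspace key."""
    string_to_sign = (
        f"POST\n{content_length}\n{CONTENT_TYPE}\n"
        f"x-ms-date:{rfc1123_date}\n{RESOURCE}"
    )
    key = base64.b64decode(shared_key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode('ascii')}"

def build_request(workspace_id, shared_key_b64, log_type, records, now=None):
    """Return (url, headers, body) for one ingestion call; nothing is sent."""
    body = json.dumps(records).encode("utf-8")
    now = now or datetime.now(timezone.utc)
    date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": CONTENT_TYPE,
        "Log-Type": log_type,  # selects the custom table; not covered by the signature
        "x-ms-date": date,
        "Authorization": authorization_header(
            workspace_id, shared_key_b64, date, len(body)
        ),
    }
    url = (
        f"https://{workspace_id}.ods.opinsights.azure.com"
        f"{RESOURCE}?api-version=2016-04-01"
    )
    return url, headers, body

# Constructed placeholders, not real credentials.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"constructed-demo-key-not-a-secret").decode("ascii")
SAMPLE = [{"vendor": "example-saas", "event": "login_failed", "user": "alice"}]

if __name__ == "__main__":
    fixed = datetime(2021, 2, 9, 10, 47, 26, tzinfo=timezone.utc)
    for table in ("VendorAlerts", "AnotherTable"):
        url, headers, body = build_request(WORKSPACE_ID, SHARED_KEY, table, SAMPLE, fixed)
        print(table, headers["Authorization"])
```

Running it prints the same `Authorization` value for both table names, since the key is issued per workspace rather than per table or per sender.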

1 answer

  1. JamesTran-MSFT 36,376 Reputation points Microsoft Employee
    2021-02-09T21:45:57.17+00:00

    @Jon Isbell
    Thank you for your detailed post!

    Azure Sentinel supports data collection from Microsoft and Azure SaaS resources only within its own Azure Active Directory (Azure AD) tenant boundary. Therefore, each Azure AD tenant requires a separate workspace. However, if you're a Managed Security Service Provider (MSSP), you can use Azure Lighthouse to extend Azure Sentinel cross-workspace capabilities across tenants.

    https://learn.microsoft.com/en-us/azure/sentinel/multiple-tenants-service-providers
    For more info - https://learn.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants

    If you aren't an MSSP and would like to implement this feature for non-MSSPs, please feel free to leverage our Azure Sentinel GitHub page to submit a feature request.

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.