question

JonIsbell-8384 avatar image
0 Votes"
JonIsbell-8384 asked ·

How to integrate SaaS with Sentinel

How would a SaaS vendor integrate their service with Azure Sentinel? ie the customer doesn't run/host any component of it.

Initially, I thought that they would be able to use the Azure Monitor HTTP Data Collector API but now I'm not so sure if this would be appropriate. I believe the documentation assumes (eg https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/ReadMe.md#rest-api-connectors) the customer is hosting the application/device. If the SaaS vendor makes the API calls on behalf of the customer then they would require the primary or secondary key for the customer's Sentinel workspace. This doesn't seem like a good idea - as it could give the SaaS vendor access to other data.

What is the best approach for integration in this case? Is it to create a connector which Microsoft hosts? Suggest the customer has a workspace dedicated to data for the service? Is there something similar to AWS IAM which I've missed? (shared access signature tokens seem close but it doesn't look like they can be used with Sentinel).

azure-sentinel
10 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

JamesTran-MSFT avatar image
0 Votes"
JamesTran-MSFT answered ·

@JonIsbell-8384
Thank you for your detailed post!

Azure Sentinel supports data collection from Microsoft and Azure SaaS resources only within its own Azure Active Directory (Azure AD) tenant boundary. Therefore, each Azure AD tenant requires a separate workspace. However, if you're a Managed Security Service Provider (MSSP), you can use Azure Lighthouse to extend Azure Sentinel cross-workspace capabilities across tenants.

https://docs.microsoft.com/en-us/azure/sentinel/multiple-tenants-service-providers
65966-image.png
For more info - https://docs.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants


If you aren't an MSSP and would like to implement this feature for non MSSP's, please feel free to leverage our Azure Sentinel GitHub page to submit a feature request.


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


image.png (168.2 KiB)
· 1
10 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@JonIsbell-8384
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

0 Votes 0 ·