ShimKwan-8714 asked DavidBroggy-5270 commented

AIP and Sentinel Log Analytics



Hi,

Are there any best practices around Log Analytics when deploying both Azure Information Protection and MS Sentinel in the same tenant?

For example, should both automatically use the same Log Analytics space (to save costs)?

Otherwise if AIP has its own Log Analytics (and cost) and AIP data is then ingested into Sentinel (into its own Log Analytics), you will then be paying for the same data twice, as the same data will reside in both Log Analytics?


Thx

SK

azure-information-protection

@ShimKwan-8714

Thank you for reaching out to us.

This statement is not quite clear: "Are there any best practices around Log Analytics when deploying both Azure Information Protection and MS Sentinel in the same tenant?"

Microsoft Sentinel is built on top of a Log Analytics workspace. You'll notice that the first step in onboarding Microsoft Sentinel is to select the Log Analytics workspace you wish to use for that purpose. Microsoft Sentinel ingests data from services and apps by connecting to the service and forwarding the events and logs to Microsoft Sentinel.

"For example, should both automatically use the same Log Analytics space (to save costs)?" - Once the data is exported to a Log Analytics workspace (LAW), we can connect the LAW to Sentinel to review the data using the queries.

Best practices for Microsoft Sentinel - https://docs.microsoft.com/en-us/azure/sentinel/best-practices

If this doesn't answer/clarify your questions, we can connect offline and discuss the same.


Hi @ShimKwan-8714
Your AIP event count will be very small compared to most other log sources, so I'd suggest keeping the Log Analytics workspaces separate and just following the documented setup processes.
I.e., any amount of duplication from connecting Sentinel will be nominal.
Does that help?
