|
| 1 | +--- |
| 2 | +title: Set up customer-managed keys in Azure Sentinel| Microsoft Docs |
| 3 | +description: Learn how to set up customer-managed keys (CMK) in Azure Sentinel. |
| 4 | +services: sentinel |
| 5 | +documentationcenter: na |
| 6 | +author: rkarlin |
| 7 | +manager: rkarlin |
| 8 | +editor: '' |
| 9 | + |
| 10 | +ms.service: azure-sentinel |
| 11 | +ms.subservice: azure-sentinel |
| 12 | +ms.devlang: na |
| 13 | +ms.topic: conceptual |
| 14 | +ms.tgt_pltfrm: na |
| 15 | +ms.workload: na |
| 16 | +ms.date: 01/30/2019 |
| 17 | +ms.author: rkarlin |
| 18 | + |
| 19 | +--- |
| 20 | +# Set up Azure Sentinel customer-managed key |
| 21 | + |
| 22 | +> [!NOTE] |
| 23 | +> CMK is currently a preview feature and is provided without a service level agreement. It is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). |
| 24 | +
|
| 25 | + |
| 26 | +This article provides background information and steps to configure a customer-managed key (CMK) for Azure Sentinel. CMK enables all data saved or sent to |
| 27 | +Azure Sentinel to be encrypted in all relevant storage resources with an Azure Key Vault key created or owned by you. |
| 28 | + |
| 29 | +> [!NOTE] |
| 30 | +> - The Azure Sentinel CMK capability is provided only to customers who are **new** and access to this capability is controlled by Azure feature registration. You can request access by contacting [email protected], and as capacity is available, pending requests will be approved. |
| 31 | +> - The Azure Sentinel CMK capability is only available in East US, West US 2, and South-Central US regions. |
| 32 | +> - The CMK capability is only available to customers sending 1TB per day or more. You will receive information about additional pricing when you apply |
| 33 | + to Microsoft to provision CMK on your Azure subscription. Learn more about [Log Analytics](../azure-monitor/platform/customer-managed-keys.md#disclaimers) charging. |
| 34 | + |
| 35 | +## How CMK works |
| 36 | + |
| 37 | +The Azure Sentinel solution uses a several storage resources for log collection and features, these include Log Analytics and other storage resources. As part |
| 38 | +of the Azure Sentinel CMK configuration, you will have to configure the CMK settings on the related storage resources as well. Data saved in storage |
| 39 | +resources other than Log Analytics will also be encrypted. |
| 40 | + |
| 41 | +> [!NOTE] |
| 42 | +> If you enable CMK on Azure Sentinel, any Public Preview feature that does not support CMK will not be enabled. |
| 43 | +
|
| 44 | +## Enable CMK |
| 45 | + |
| 46 | +To provision CMK, follow these steps: |
| 47 | + |
| 48 | +1. Create an Azure Key Vault and storing key. |
| 49 | + |
| 50 | +2. Enable CMK on your Log Analytics workspace. |
| 51 | + |
| 52 | +3. Register for Cosmos DB. |
| 53 | + |
| 54 | +4. Add an access policy to your Azure Key Vault instance. |
| 55 | + |
| 56 | +5. Enable CMK in Azure Sentinel. |
| 57 | + |
| 58 | +6. Enable Azure Sentinel. |
| 59 | + |
| 60 | +### STEP 1: Create an Azure Key Vault and storing key |
| 61 | + |
| 62 | +1. [Create Azure Key Vault resource](https://docs.microsoft.com/azure-stack/user/azure-stack-key-vault-manage-portal?view=azs-1910), |
| 63 | + then generate or import a key to be used for data encryption. |
| 64 | + > [!NOTE] |
| 65 | + > Azure Key Vault must be configured as recoverable to protect your key and the access. |
| 66 | +
|
| 67 | +1. [Turn on recovery options:](../key-vault/key-vault-best-practices.md#turn-on-recovery-options) |
| 68 | + |
| 69 | + - Make sure [Soft Delete](../key-vault/key-vault-ovw-soft-delete.md) is turned on. |
| 70 | + |
| 71 | + - Turn on [Purge protection](../key-vault/key-vault-ovw-soft-delete.md#purge-protection) to guard against forced deletion of the secret/vault even after soft delete. |
| 72 | + |
| 73 | +### STEP 2: Enable CMK on your Log Analytics workspace |
| 74 | + |
| 75 | +Follow the instructions in [Azure Monitor customer-managed key configuration](../azure-monitor/platform/customer-managed-keys.md) in order to create a CMK workspace that will be used as the Azure Sentinel workspace in the following steps. |
| 76 | + |
| 77 | +### STEP 3: Register for Cosmos DB |
| 78 | + |
| 79 | +Azure Sentinel works with Cosmos DB as an additional storage resource. Make sure to register to Cosmos DB. |
| 80 | + |
| 81 | +Follow the Cosmos DB instruction to [Register the Azure Cosmos DB](../cosmos-db/how-to-setup-cmk.md#register-resource-provider) resource provider for your Azure subscription. |
| 82 | + |
| 83 | +### STEP 4: Add an access policy to your Azure Key Vault instance |
| 84 | + |
| 85 | +Make sure to add access from Cosmos DB to your Azure Key Vault instance. Follow the Cosmos DB instruction to [add an access policy to your Azure Key Vault instance](../cosmos-db/how-to-setup-cmk.md#add-an-access-policy-to-your-azure-key-vault-instance) with Azure Cosmos DB principal. |
| 86 | + |
| 87 | +### STEP 5: Enable CMK in Azure Sentinel |
| 88 | + |
| 89 | +The Azure Sentinel CMK capability is provided to new customers only after receiving access directly from the Azure product group. Use your contacts at Microsoft to receive approval from the Azure Sentinel team to enable CMK in your solution. |
| 90 | + |
| 91 | +After you get approval, you will be asked to provide the following information to enable the CMK feature. |
| 92 | + |
| 93 | +- Workspace ID on which you want to enable CMK |
| 94 | + |
| 95 | +- Key Vault URL: Copy the key’s “Key Identifier” up to the last forward slash: |
| 96 | + |
| 97 | + |
| 98 | +  |
| 99 | + |
| 100 | + The Azure Sentinel team will enable the Azure Sentinel CMK feature for your |
| 101 | + provided workspace. |
| 102 | + |
| 103 | +- Verification from the Azure Sentinel product team that you were approved to use this feature. You must have this before proceeding. |
| 104 | + |
| 105 | +### STEP 6: Enable Azure Sentinel |
| 106 | + |
| 107 | + |
| 108 | +Go to the Azure portal and enable Azure Sentinel on the workspace on which you set up CMK. For more information, see [Azure Sentinel Onboarding](quickstart-onboard.md). |
| 109 | + |
| 110 | +## Key Encryption Key revocation or deletion |
| 111 | + |
| 112 | + |
| 113 | +In the event that a user revokes the key encryption key, either by deleting it or removing access for Azure Sentinel, within one hour, Azure Sentinel will |
| 114 | +honor the change and behave as if the data is no longer available. At this point, any operation performed that uses persistent storage resources such as |
| 115 | +data ingestion, persistent configuration changes, and incident creation, will be prevented. Previously stored data will not be deleted but will remain |
| 116 | +inaccessible. Inaccessible data is governed by the data-retention policy and will be purged in accordance with that policy. |
| 117 | + |
| 118 | +The only operation possible after the encryption key is revoked or deleted is account deletion. |
| 119 | + |
| 120 | +If access is restored after revocation, Azure Sentinel will restore access to the data within an hour. |
| 121 | + |
| 122 | +To understand more about how this works in Azure Monitor, see [Azure Monitor CMK revocation](../azure-monitor/platform/customer-managed-keys.md#cmk-kek-revocation). |
| 123 | + |
| 124 | +## Key encryption key rotation |
| 125 | + |
| 126 | + |
| 127 | +Azure Sentinel and Log Analytics support key rotation. When a user performs key rotation in Key Vault, Azure Sentinel supports the new key within an hour. |
| 128 | + |
| 129 | +In Key Vault, you can perform key rotation by creating a new version of the key: |
| 130 | + |
| 131 | + |
| 132 | + |
| 133 | +You can disable the previous version of the key after 24 hours, or after the Azure Key Vault audit logs no longer show any activity that uses the previous |
| 134 | +version. |
| 135 | + |
| 136 | +If you use the same key in Azure Sentinel and in Log Analytics, it is necessary to perform key rotation you must explicitly update the cluster resource in Log |
| 137 | +Analytics with the new Azure Key Vault key version. For more information, see [Azure Monitor CMK rotation](../azure-monitor/platform/customer-managed-keys.md#cmk-kek-rotation). |
| 138 | + |
| 139 | +## Next steps |
| 140 | +In this document, you learned how to set up a customer-managed key in Azure Sentinel. To learn more about Azure Sentinel, see the following articles: |
| 141 | +- Learn how to [get visibility into your data, and potential threats](quickstart-get-visibility.md). |
| 142 | +- Get started [detecting threats with Azure Sentinel](tutorial-detect-threats.md). |
| 143 | +- [Use workbooks](tutorial-monitor-your-data.md) to monitor your data. |
| 144 | + |
0 commit comments