articles/sentinel/customer-managed-keys.md: 7 additions & 7 deletions
@@ -25,22 +25,22 @@ This article provides background information and steps to configure a [customer-
## Considerations
-
- Onboarding a CMK workspace to Sentinel is supported only via REST API, and not via the Azure portal. Azure Resource Manager templates (ARM templates) currently aren't supported for CMK onboarding.
+
- Onboarding a CMK workspace to Microsoft Sentinel is supported only via REST API and the [Azure CLI](/cli/azure/sentinel/onboarding-state?view=azure-cli-latest#az-sentinel-onboarding-state-create), and not via the Azure portal. Azure Resource Manager templates (ARM templates) currently aren't supported for CMK onboarding.
-
-The Microsoft Sentinel CMK capability is provided only to *workspaces in Log Analytics dedicated clusters* that have *not already been onboarded to Microsoft Sentinel*.
+
-In the following cases, ingested workspace data and logs are encrypted with CMK, while other Microsoft Sentinel data, including security content like analytics rules, but also analytics rules, alerts, incidents, and more, are encrypted with Microsoft-managed keys:
-
- The following CMK-related changes *are not supported* because they are ineffective (Microsoft Sentinel data continues is encrypted only by the Microsoft-managed key, and not by the CMK):
-
-
- Enabling CMK on a workspace that's *already onboarded* to Microsoft Sentinel.
-
- Enabling CMK on a cluster that contains Sentinel-onboarded workspaces.
-
- Linking a Sentinel-onboarded non-CMK workspace to a CMK-enabled cluster.
+
- Enabling CMK on a workspace that's already onboarded to Microsoft Sentinel.
+
- Enabling CMK on a cluster that contains Microsoft Sentinel-enabled workspaces.
+
- Linking a Microsoft Sentinel-enabled, non-CMK workspace to a CMK-enabled cluster.
- The following CMK-related changes *are not supported* because they may lead to undefined and problematic behavior:
- Disabling CMK on a workspace already onboarded to Microsoft Sentinel.
- Setting a Sentinel-onboarded, CMK-enabled workspace as a non-CMK workspace by unlinking it from its CMK-enabled dedicated cluster.
- Disabling CMK on a CMK-enabled Log Analytics dedicated cluster.
+
- Microsoft Sentinel is available in the Defender portal, including for customers without Microsoft Defender XDR or an E5 license. After onboarding your workspace to Defender, ingested workspace data/logs remain encrypted with CMK. Other data isn't encrypted with CMK and uses a Microsoft-managed key.
+
- Microsoft Sentinel supports System Assigned Identities in CMK configuration. Therefore, the dedicated Log Analytics cluster's identity should be of **System Assigned** type. We recommend that you use the identity that's automatically assigned to the Log Analytics cluster when it's created.
- Changing the customer-managed key to another key (with another URI) currently *isn't supported*. You should change the key by [rotating it](/azure/azure-monitor/logs/customer-managed-keys#key-rotation).
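Review bot: the new lead-in line `-In the following cases, ingested workspace data and logs are encrypted with CMK, while other Microsoft Sentinel data, including security content like analytics rules, but also analytics rules, alerts, incidents, and more, are encrypted with Microsoft-managed keys:` repeats "analytics rules" and, compared with the removed `The following CMK-related changes *are not supported* because they are ineffective`, reverses the security claim for the three bullets it now introduces (enabling CMK on an already-onboarded workspace, enabling CMK on a cluster with Sentinel-enabled workspaces, linking a Sentinel-enabled non-CMK workspace to a CMK-enabled cluster): the old text said those configurations leave Sentinel data under the Microsoft-managed key only, the new text says ingested logs are CMK-encrypted in those cases. If the behaviour really changed, state that explicitly; if not, keep the "not supported" framing. Either way, tighten the sentence to `- In the following cases, ingested workspace data and logs are encrypted with CMK, while other Microsoft Sentinel data (security content such as analytics rules, alerts, incidents, and more) is encrypted with a Microsoft-managed key:`. The removed line `The Microsoft Sentinel CMK capability is provided only to *workspaces in Log Analytics dedicated clusters* that have *not already been onboarded to Microsoft Sentinel*` was the only place the dedicated-cluster prerequisite was stated outright; the untouched bullets about unlinking a workspace "from its CMK-enabled dedicated cluster" and the System Assigned identity of "the dedicated Log Analytics cluster" still assume it, so that prerequisite should survive somewhere in this section. As rendered here the new lead-in also begins with `-In` (no space after the hyphen) unlike the neighbouring `- Onboarding` and `- Enabling` items; if the source line really lacks the space it won't render as a list item. Terminology: the edited bullets move from "Sentinel-onboarded" to "Microsoft Sentinel-enabled", but the unchanged bullet `Setting a Sentinel-onboarded, CMK-enabled workspace as a non-CMK workspace` keeps the old term; pick one. Finally, the added Defender portal bullet opens with a licensing remark ("including for customers without Microsoft Defender XDR or an E5 license") that isn't a CMK consideration, and its "data/logs" differs from the "data and logs" wording used above; leading with "After onboarding your workspace to the Defender portal, ingested workspace data and logs remain encrypted with CMK; other Microsoft Sentinel data uses a Microsoft-managed key." keeps the bullet on topic and consistent.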