The future of Sentinel in ALZ (follow on from 29th January 2025 Community Call)

[jtracey93]

As you have heard or seen in the community call on 29th January 2025 we are considering the future of Sentinel in ALZ and whether we need to change the architecture or not.

We are looking for your input on what your are doing or seeing in the wild today, to help shape the changes to ALZ (if required) so it is based on real-world deployments 👍

Questions to answer (we want to hear from you 🫵 - reply in the comments below)

1. Do we need a separate LAW dedicated to Sentinel?
   1. We think so, mainly due to platform logs increasing costs and causing noise from required security logs
      1. Even though this will lead to some double logging into both LAWs (Platform + Sentinel)
   2. Often organizations have separate Security teams requesting/driving for this
   3. Product Group guidance leans to single workspace by default, see here.
2. Do we need a separate “Security” platform Subscription?
   1. Can it not just live in Management?
3. Does this need to be in a separate “Security” Management Group?
   1. Could it just live inside of Platform > Management?
      1. Does it need to be somewhere else?
   2. RBAC is suggested to be done at Subscription scope, not MG.
      1. MGs are primarily for policy assignments
4. Should ALZ deploy anything Sentinel related? Or should we just just provide placement guidance and platform pre-reqs?
   1. e.g. Should we just deploy and move a subscription to a management group that ALZ creates?
   2. This then allows security teams to deploy and mange sentinel however they wish
      1. Also, they then work with the ALZ/Platform team to get any additional RBAC and policy assignments created as they see fit?
   3. Or should ALZ deploy Sentinel All-In-One Accelerator, or just provide guidance and link to it?