Forum Discussion
Limit to one log analytics workspace?
Some of the cases are discussed here. https://docs.microsoft.com/en-us/azure/azure-monitor/platform/design-logs-deployment
If your company strategy is to centralize then you may need to audit or block other workspaces, or understand why data has to be separated, maybe is low value data that Sentinel wouldn't be interested in, or allowed to see? Someone seems to have the ability to create them outside of security is that also an issue or is training needed? However there could be a legitimate business need for extra workspaces? The guidance is to have as few workspaces as possible, start at one 'central' workspace and only add by exception, with an agreed business need.
You'd often need a workspace for evaluation and testing, maybe that's what has been created? Also see https://techcommunity.microsoft.com/t5/azure-sentinel/best-practices-for-designing-an-azure-sentinel-or-azure-security/ba-p/832574
Thanks
Some of the cases are discussed here. https://docs.microsoft.com/en-us/azure/azure-monitor/platform/design-logs-deployment
If your company strategy is to centralize then you may need to audit or block other workspaces, or understand why data has to be separated, maybe is low value data that Sentinel wouldn't be interested in, or allowed to see? Someone seems to have the ability to create them outside of security is that also an issue or is training needed? However there could be a legitimate business need for extra workspaces? The guidance is to have as few workspaces as possible, start at one 'central' workspace and only add by exception, with an agreed business need.
You'd often need a workspace for evaluation and testing, maybe that's what has been created? Also see https://techcommunity.microsoft.com/t5/azure-sentinel/best-practices-for-designing-an-azure-sentinel-or-azure-security/ba-p/832574
Thanks
