Forum Discussion
ctodoran
Nov 17, 2021
Copper Contributor
Monitor security incidents in one place
Hi guys,
I work in a company that has a tenant and multiple subscriptions in Azure.
The tenant is managed at the group level, so I don't have access to that.
Instead, I have access to all subscriptions. All the subscriptions have Microsoft Windows Defender for Cloud Basic (Azure Security Center Free) enabled.
In one of the subscriptions, we managed to enable an Azure Sentinel.
The question is, how can we get the security incidents from other subscriptions to Sentinel?
What we tried: we installed the Log Analytics Agent, from where the Sentinel is installed, on all the VMs from those subscriptions. Right now, we don't know if it's the right direction.
Does someone have another idea?
Thank you!
2 Replies
- Trevor_Rusher
Community Manager
So the question will be: which LA Workspace are these LA Agents pointing to?
Also please refer to this for multi-workspace support for Azure Sentinel:
Work with Microsoft Sentinel incidents in many workspaces at once | Microsoft Docs
Also check the important section: Information for Microsoft Sentinel users in this article:
Auto-deploy agents for Microsoft Defender for Cloud | Microsoft Docs
- ctodoran
Copper Contributor
Hi Trevor, I just want to thank you for taking the time to reply to my discussion.
The question was: am I going in the right direction if I am installing the Log Analytics Agent (OMS Agent) from where Sentinel is deployed? Or do I need to take other options into consideration? Thanks!