Forum Discussion

msmotto21's avatar
msmotto21
Tin Contributor
Aug 24, 2021

LAW Architecture for Security Center

There are two options how to set up the LAWs for the Security Center. By default, when onboarding the subscription in the Security Center, a separate LAW is created for each subscription. Microsoft also allows you to define your own (central) LAW.
Which option should be considered considering to have security logs and monitoring/performance logs? What is the difference? Can I give a Log Analytic Agent two different destinations (one for ASC Security Logs and one for Azure Monitor Logs)?

4 Replies

  • Hi msmotto,

    From an enterprise architecture perspective, I've generally seen organizations standardize on a small number of centralized Log Analytics Workspaces rather than creating one workspace per subscription. Centralizing logs simplifies cross-subscription investigations, enables better correlation for Microsoft Sentinel, reduces operational overhead, and provides more consistent governance through RBAC, retention policies, and cost management.

    That said, there are valid reasons to use separate workspaces, for example, regulatory requirements, data residency, business unit isolation, or delegated administration. Regarding sending data to multiple destinations, with the legacy Log Analytics Agent (MMA) there were limitations around multiple workspaces depending on the data type. Today, the recommended approach is to use the Azure Monitor Agent (AMA) together with Data Collection Rules (DCRs), which provides much greater flexibility in controlling what data is collected and where it's sent.

    My recommendation would be to design the workspace architecture around operational and governance requirements, not subscription boundaries. In most enterprise environments, fewer well-governed workspaces tend to be easier to manage while still supporting security monitoring, compliance, and centralized analytics.

  • ellahughes's avatar
    ellahughes
    Copper Contributor

    The security-focused design ideas shared here are practical, especially when planning spaces that need controlled access and long-term flexibility. I also found https://pimacountyassessor.org useful for checking property related details before evaluating building locations or site planning. Combining reliable property data with thoughtful architectural planning can make security decisions much more effective. Thanks for sharing such an informative perspective.

  • monitaanderson's avatar
    monitaanderson
    Copper Contributor

    Interesting concept and security centers need architecture that supports both safety and efficient operations. I’ve also found that reviewing https://shastacountycourt.org can be helpful when learning how legal processes and official records connect with security planning. Thanks for sharing this perspective and it raises some thoughtful points about modern facility design.

  • Hi Sebastian,
    Although there is no one-size-fit-all advice in this case (every org is different with different requirements, policies and limitations, e.g. GDPR, when it comes to data collection and storage), there are some considerations you would need to take into account when deciding their strategy for ASC logs:
    https://docs.microsoft.com/en-us/azure/security-center/faq-data-collection-agents
    https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection
    Most companies we work with end up using as few workspaces as possible in order to be able to easier query and correlate data. Please also keep in mind, you can enable Azure Sentinel (if you decided to use it as your SIEM solution) on the default workspace ASC creates. Let me know if you have any further questions.