Forum Discussion
msmotto21
Aug 24, 2021
Copper Contributor
LAW Architecture for Security Center
There are two options how to set up the LAWs for the Security Center. By default, when onboarding the subscription in the Security Center, a separate LAW is created for each subscription. Microsoft a...
StanislavBelov
Microsoft
Aug 25, 2021
Hi Sebastian,
Although there is no one-size-fits-all advice in this case (every org is different with different requirements, policies and limitations, e.g. GDPR, when it comes to data collection and storage), there are some considerations you would need to take into account when deciding their strategy for ASC logs:
https://docs.microsoft.com/en-us/azure/security-center/faq-data-collection-agents
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection
Most companies we work with end up using as few workspaces as possible in order to be able to more easily query and correlate data. Please also keep in mind, you can enable Azure Sentinel (if you decided to use it as your SIEM solution) on the default workspace ASC creates. Let me know if you have any further questions.