Forum Discussion
Log Analytics design - Defender for Cloud and Sentinel
All,
When you have Defender for Cloud and Sentinel, do you still use 2 Log Analytics workspaces, or do you reconfigure the Defender for Cloud Log Analytics workspace to also ingest the Defender for Cloud events into the Sentinel workspace?
best regards
Arjan
7 Replies
- PatriotJeff
Copper Contributor
Arjan Veen, van, it depends 😉. Don't assume you can share a common LAW. There are many factors to consider, such as ingestion of more than 100 GB/day, access control to the LAW, data sovereignty/geographic requirements, etc. There is a decent decision tree at https://learn.microsoft.com/en-us/azure/sentinel/design-your-workspace-architecture#decision-tree
- Chandrasekhar_Arya
Steel Contributor
Arjan Veen, van, one Log Analytics is good enough, and you can forward the ASC (Azure Security Center)/Defender alerts to Sentinel.
Refer to the picture below, from one of the Microsoft sources, which shows that one Log Analytics is good enough for both Azure and on-prem.
 
- Clive_Watson
Bronze Contributor
They can happily share a workspace. There are lots of options, but typically I see one workspace.
- ellyse
Microsoft
Hi Clive, do you know if there's any guidance or steps on how this can be set up?
- Arjan Veen, van
Brass Contributor
Hello,
Browse to Defender for Cloud - Environment settings - Auto provisioning - Extensions - Log Analytics agent/Azure Monitor agent - Edit Auto-provisioning configuration - Workspace selection, and select the Sentinel workspace.