Forum Discussion

Arjan Veen, van's avatar
Arjan Veen, van
Brass Contributor
Jun 30, 2022
Solved

Log Analytics design - Defender for Cloud and Sentinel

All,   When you have Defender for Cloud and Sentinel.....do you still use 2 log analytics workspaces or do you reconfigure the defender for cloud log analytics workspace to ingest the defender for ...
  • Chandrasekhar_Arya's avatar
    Chandrasekhar_Arya
    Sep 26, 2022

    Arjan Veen, van one log analytics is good enough to you can forward the ASC(Azure security center/Defender alerts to  Sentinel . 

    Refer the below picture reference to one of the Microsoft source where it shows one log analytics is good enough for both Azure and On-prem 

    ā€ƒ

PatriotJeff's avatar
PatriotJeff
Copper Contributor
Oct 18, 2022

Arjan Veen, van , it depends šŸ˜‰.  Don't assume you can share a common LAW.  There are many factors to consider, such as ingestion of more than 100 GB/day, access control to the LAW, data sovereignty/geographic requirements, etc.  There is a decent decision tree at https://learn.microsoft.com/en-us/azure/sentinel/design-your-workspace-architecture#decision-tree