E_Black1994
Apr 20, 2021 Copper Contributor
Azure Sentinel Instances per Subscription
Hello all, This will be my first post here! At present we have implemented 5 instances of Azure Sentinel per the 5 subscriptions of our 1 Azure Tenancy. After doing some research it seems t...
Rod_Trent
Microsoft
Apr 20, 2021
E_Black1994 Yep, you've hit on the right method. In those situations where it is possible, you should always attempt to utilize one single Log Analytics workspace for Azure Sentinel. This makes it easier to manage from a number of angles, including eliminating separate billing, enabling fine-grained retention settings, and fine-grained access control.
Multiple workspaces should be considered in cases where you have multiple Azure tenants, where data needs to be stored in specific regions due to compliance and sovereignty, and a few others.
- E_Black1994 Apr 20, 2021 Copper Contributor
Rod_Trent Brilliant, glad to hear that I'm onto the right solution. Is there any written documentation to enforce this method? Thanks for coming back to me.
Also, would it be wise to use the Log Analytics workspace attached to Azure Sentinel exclusively for Sentinel, or can you pump other logs from other Azure resources into the same space and it not matter? I'd assume it would be better to keep them purely aligned to Sentinel to assist with billing etc.?
- Rod_Trent Apr 20, 2021
Microsoft
Best practice is to only send Sentinel-related data into the Log Analytics workspace. Otherwise, you are paying Sentinel costs for data you're not using for security purposes.