Forum Discussion
Brownfield Sentinel implementation
Or is that what you mean by avoid multi-homing?
m_zorich Yes, I think that is what I mean by avoiding multihoming.
Ideally we would have one workspace for everything (with proper resource-based or table-level access), but that would incur extra ingestion costs into Sentinel. Also, not all data has the same retention requirements. That would extend our current situation when we would deploy Sentinel on top of the existing OMI workspace.
On the other hand we are trying to find a good way to get only the necessary data into Sentinel, whilst not breaking anything of the current reporting and monitoring.
Preferably not by multihoming clients (and not all PaaS and SaaS services can even do that), but in some other way. Maybe in a way to select data from the existing workspace into a new one, use the Log Analytics workspace data export functionality, or some other means.
And, as I mentioned in another reply, maybe first thoroughly analyse what is going into the OMI workspace right now, and maybe we can separate at the source in other ways. E.g. when a VM is onboarded in Defender for Endpoint, should it still log to OMI, or is it sufficient to just connect DfE to Sentinel?