Forum Discussion
Do we need multiple sentinel instances deployed??
Hi all,
Scenario 1
- Multiple Workspaces
- Under Same subscription
- Under Same tenant
I have been informed that Multiple workspaces under same subscription and same tenant DONOT need additional sentinel instances, we can add multiple Log analytics workspaces under one sentinel instance for the above scenario. We can use Incident View to see incidents from multiple log analytics workspace without having Sentinel installed on those Log analytics workspaces. (Not sure how the Analytics rules will be configured since multiple log analytics workspaces presently only support incident view and how will we configure data connectors and associated analytical rules for a specific Log Analytics workspace without sentinel instance). Please clarify?
Scenario 2
- Multiple Workspaces
- Under different subscription
- Under Same tenant
If there are multiple workspaces under different subscriptions and under same Tenant, do we still need to install multiple individual sentinel instances for each log analytics workspace, considering we have to onboard respective Data Connectors and Enable associated Analytical rules??
Appreciate the support.
Thanks
Fahad.
- For #1 you have to add a Workspace to Sentinel for it to see it, if you don't do that you wont be able to use the Incident View.
Data Connectors and Analytic rules are configured 'per workspace'. You have to navigate in Sentinel to the workspace you need to configure to add or amend a connector or analytic.
