Forum Discussion
kostralian
Feb 03, 2022 (Copper Contributor)
Forwarding Sentinel incidents to other Sentinel
Hi
Say I have multiple tenants and they have their Sentinels up and running and if I want them to forward the incidents from their Sentinels to my Sentinel to view all the incidents more easily rather than visiting each one of them, how this can be achieved?
Thanks
- GaryBushey (Bronze Contributor)
kostralian, the easiest way would be to use Azure Lighthouse so that you can see all the incidents in one location. All the information would still stay in their own environment. See "Manage Microsoft Sentinel workspaces at scale - Azure Lighthouse | Microsoft Docs".
If that does not work for you, there are a couple of options, and none of them are that great. Keep in mind that if you do move the data from one MS Sentinel instance to another: 1) you will have to pay the ingestion charges for putting the data into the new instance, even if it was free in the other instance; 2) you will not be able to put the data into the same tables, only custom tables. This means you will have to modify all your rules to look at multiple tables.
If you do need to do this, I would also consider seeing if you can just send all the data directly into one MS Sentinel instance. That would save you a lot of headaches.
If that is not possible, you can use the Log Analytics data export feature (see "Log Analytics workspace data export in Azure Monitor (preview) - Azure Monitor | Microsoft Docs"), and then you will need another program, probably a Logic App, to read the data from wherever that put it and put it into your Sentinel instance.
Another option would be to write a Logic App that will read all the new data in the tables you care about and write them into the other MS Sentinel instance.
Neither option is all that great so I would highly recommend pursuing the Azure Lighthouse route if at all possible.
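As an added example (not from this thread or from Microsoft), here is the "another program" step from the answer above written in Python instead of a Logic App: pick the incidents modified since a watermark out of exported SecurityIncident rows, tag them with the source workspace, and build the signed request the Log Analytics HTTP Data Collector API expects for writing into a custom table (the records land in a table named `<Log-Type>_CL`, which is the custom-table limitation the answer mentions). The workspace id, shared key, log type and incident rows are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample rows, shaped like a few columns of Sentinel's SecurityIncident table.
SAMPLE_INCIDENTS = [
    {"IncidentNumber": 101, "Title": "Suspicious sign-in", "Severity": "High",
     "Status": "New", "LastModifiedTime": "2022-02-01T10:00:00Z"},
    {"IncidentNumber": 102, "Title": "Malware detected", "Severity": "Medium",
     "Status": "Active", "LastModifiedTime": "2022-02-02T08:30:00Z"},
    {"IncidentNumber": 100, "Title": "Old incident", "Severity": "Low",
     "Status": "Closed", "LastModifiedTime": "2022-01-20T12:00:00Z"},
]

def select_new_incidents(rows, watermark, source_workspace):
    """Keep only rows modified after the watermark (so reruns do not re-send old
    incidents) and tag each with its origin, since all tenants share one custom table."""
    out = []
    for r in rows:
        if r["LastModifiedTime"] > watermark:  # ISO-8601 'Z' timestamps sort lexically
            rec = dict(r)
            rec["SourceWorkspace"] = source_workspace
            out.append(rec)
    return out

def string_to_sign(content_length, rfc1123_date):
    # Canonical string the Data Collector API signs for a JSON POST to /api/logs
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n/api/logs"

def build_request(workspace_id, shared_key_b64, log_type, records, rfc1123_date):
    """Return URL, headers and body for one Data Collector API call to the destination
    workspace. rfc1123_date is the current UTC time, e.g. 'Thu, 03 Feb 2022 10:00:00 GMT'."""
    body = json.dumps(records)
    sts = string_to_sign(len(body.encode("utf-8")), rfc1123_date)
    key = base64.b64decode(shared_key_b64)  # workspace primary/secondary key is base64
    sig = base64.b64encode(hmac.new(key, sts.encode("utf-8"), hashlib.sha256).digest()).decode()
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"SharedKey {workspace_id}:{sig}",
        "Log-Type": log_type,                        # table becomes <log_type>_CL
        "x-ms-date": rfc1123_date,
        "time-generated-field": "LastModifiedTime",  # keep the source timestamp
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, headers, body
```

The Data Collector API is the legacy ingestion path; Microsoft now points new integrations at the Logs Ingestion API with a data collection rule, but the watermarking and source-tagging logic carries over unchanged.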