Multiple Log analytic workspace and rules

Question

Good morning:&nbsp;I am a newbie of Azure Sentinel.Our env has setup multiple subscriptions and&nbsp;Log analytic workspaces for different productions.&nbsp;I would like to trigger some rules (from template) in Log analytic workspaces to monitor all our productions. Should I setup rules in every&nbsp;Log analytic workspace or only one of them ? To view all incidents in one workbook, should I forward the logs from different resources (different subscriptions) to one special&nbsp;Log analytic workspaces?&nbsp;

garybushey · Answer

cklonger&nbsp;You would need to trigger the rules in each workspace as the rules can only work in one workspace for the most part.&nbsp; &nbsp;You can then use Azure Lighthouse to view the incidents from all your workspaces in one view.&nbsp; Take a look at this page to get you started:&nbsp;https://docs.microsoft.com/en-us/azure/lighthouse/how-to/manage-sentinel-workspaces

ofer_shezaf · Answer

cklonger&nbsp;:&nbsp;GaryBushey's answer is the best practice. However:
- It is recommended, by Sentinel and by Log Analytics, to keep all logs in a centralized worksapce.
- You can run a rule across worksapces using cross-workspace queries, however you will have to modify the built in rules and some features such as investigation are limited with such rules.&nbsp;

garybushey · Answer

Ofer_Shezaf&nbsp;Correct.&nbsp; I should have specified to use multiple workspaces when using different regions (taking into account the egress charges vs complexity of having multiple environments).&nbsp; Thanks for pointing that out.&nbsp;Here is a link to a best practices posting (although some of the information is out of date)&nbsp;https://techcommunity.microsoft.com/t5/azure-sentinel/best-practices-for-designing-an-azure-sentinel-or-azure-security/ba-p/832574

Forum Discussion

Multiple Log analytic workspace and rules

Share

Resources