Forum Discussion
cklonger
Dec 04, 2020 Copper Contributor
Multiple Log analytic workspace and rules
Good morning: I am a newbie to Azure Sentinel. Our env has set up multiple subscriptions and Log Analytics workspaces for different productions. I would like to trigger some rules (from template...
Ofer_Shezaf
Microsoft
cklonger : GaryBushey's answer is the best practice. However:
- It is recommended, by Sentinel and by Log Analytics, to keep all logs in a centralized workspace.
- You can run a rule across workspaces using cross-workspace queries, however you will have to modify the built-in rules and some features such as investigation are limited with such rules.
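As an added illustration that is not part of the original post, here is what modifying a rule query for cross-workspace use can look like. It is a constructed failed-logon detection, not one of the built-in templates; the workspace names `contoso-prod-weu` and `contoso-prod-eus`, the lookback and the threshold are assumptions.

```kql
// Constructed example: a single-workspace failed-logon rule rewritten
// to read SecurityEvent from the local workspace plus two others.
// Workspace names below are placeholders; replace them with your own.
let lookback = 1h;
let threshold = 10;
union
    (SecurityEvent
        | extend SourceWorkspace = "local"),
    (workspace("contoso-prod-weu").SecurityEvent
        | extend SourceWorkspace = "contoso-prod-weu"),
    (workspace("contoso-prod-eus").SecurityEvent
        | extend SourceWorkspace = "contoso-prod-eus")
| where TimeGenerated > ago(lookback)
| where EventID == 4625                      // failed logon
| summarize
    FailedLogons = count(),
    Workspaces   = make_set(SourceWorkspace), // which workspaces saw the activity
    Computers    = make_set(Computer, 20)
    by TargetAccount, IpAddress
| where FailedLogons >= threshold
```

Tagging each leg with `SourceWorkspace` keeps the origin of every event visible in the alert, which helps when the same account or address shows up in more than one workspace.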
GaryBushey
Dec 07, 2020 Bronze Contributor
Ofer_Shezaf Correct. I should have specified to use multiple workspaces when using different regions (taking into account the egress charges vs complexity of having multiple environments). Thanks for pointing that out.
Here is a link to a best practices posting (although some of the information is out of date)