Forum Discussion
Multiple Log analytic workspace and rules
cklonger You would need to trigger the rules in each workspace as the rules can only work in one workspace for the most part. You can then use Azure Lighthouse to view the incidents from all your workspaces in one view. Take a look at this page to get you started:
https://docs.microsoft.com/en-us/azure/lighthouse/how-to/manage-sentinel-workspaces
cklonger: GaryBushey's answer is the best practice. However:
- It is recommended, by Sentinel and by Log Analytics, to keep all logs in a centralized workspace.
- You can run a rule across workspaces using cross-workspace queries, however you will have to modify the built-in rules and some features such as investigation are limited with such rules.
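To make the cross-workspace option concrete, here is an added example (not code from the thread or from Microsoft) of a single detection query that reads the same table from two workspaces using the KQL `workspace()` function. The workspace names are placeholders, the 4625 failed-logon event and the threshold are assumptions chosen for illustration, and `TenantId` is used to show which workspace each result came from.

```kql
// Added example, not part of the original thread. Workspace names are placeholders.
// One query over the SecurityEvent table of two Log Analytics workspaces.
union isfuzzy=true
    workspace("<workspace-a>").SecurityEvent,
    workspace("<workspace-b>").SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4625                      // Windows failed logon (assumed example event)
| summarize FailedLogons = count(),
            Sources = make_set(Computer)
          by Account, TenantId               // TenantId = the workspace the rows came from
| where FailedLogons > 20                    // illustrative threshold, tune per environment
```

To use this in a scheduled analytics rule you would replace the query of a built-in rule (which is scoped to its own workspace) with a cross-workspace query of this shape; as noted above, investigation features are limited for rules written this way, and `isfuzzy=true` keeps the query running if one of the workspaces does not yet contain the table.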
GaryBushey, Dec 07, 2020, Bronze Contributor
Ofer_Shezaf Correct. I should have specified to use multiple workspaces when using different regions (taking into account the egress charges vs complexity of having multiple environments). Thanks for pointing that out.
Here is a link to a best practices posting (although some of the information is out of date)