Forum Discussion
Sending logs from one tenant to a different tenant Sentinel instance
pavankemi While you can send the data from one tenant to another, keep in mind that a lot of the data will not be useful as you will lose a lot of the reference data (for instance, user GUIDs), and the vast majority of the data will need to be put into custom tables as you cannot add your own data to Azure Sentinel's tables.
With that being said, once the data is in an Event Hub, you can write a Logic App to process the data and write it to the Logic App in the new tenant. Connect to Azure Event Hubs - Azure Logic Apps | Microsoft Docs. There is an Azure Monitor Send Data connector to write to a Log Analytics Workspace.
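As an added illustration of the pipeline described in the reply above (Event Hub message in, Azure Monitor custom table out), here is a small Python script that does the two steps a Logic App would do: reshape the Event Hub envelope into rows for a custom table, and build the signed request for the Log Analytics HTTP Data Collector API, which is what the Azure Monitor Send Data connector submits to. This is example code written for this thread, not the reply author's code or a Microsoft sample. The workspace ID, shared key, tenant IDs, table name and the sample sign-in record are all constructed placeholders. It also addresses the reference-data caveat in the reply: every row carries the originating tenant's ID and a label, so a user GUID in the destination workspace can still be traced back to the tenant where it resolves.

```python
import base64
import datetime
import hashlib
import hmac
import json

# Placeholder destination-workspace values (hypothetical, not from the thread).
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"placeholder-primary-key-bytes").decode()
LOG_TYPE = "CrossTenantSignIn"        # custom table; shows up as CrossTenantSignIn_CL
SOURCE_TENANT_LABEL = "contoso-prod"  # constructed label for the sending tenant

# Constructed sample of the envelope that diagnostic settings write to an Event Hub.
SAMPLE_MESSAGE = json.dumps({
    "records": [{
        "time": "2021-03-04T10:15:00Z",
        "tenantId": "11111111-1111-1111-1111-111111111111",
        "category": "SignInLogs",
        "resultType": "0",
        "properties": {
            "userId": "22222222-2222-2222-2222-222222222222",
            "appDisplayName": "Example App",
        },
    }]
}).encode()


def flatten(obj, prefix=""):
    """Flatten nested JSON into single-level keys joined with '_', so each
    field becomes its own column in the custom table."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, name + "_"))
        else:
            out[name] = value
    return out


def transform_records(message_bytes, source_label):
    """Turn one Event Hub message into rows for the custom table, keeping the
    originating tenant ID and a human-readable label on every row so GUIDs
    can still be resolved against the right tenant later."""
    envelope = json.loads(message_bytes)
    rows = []
    for record in envelope.get("records", []):
        row = flatten(record)
        row["SourceTenantId"] = record.get("tenantId", "")
        row["SourceTenantLabel"] = source_label
        row["TimeGenerated"] = record.get("time", "")
        rows.append(row)
    return rows


def string_to_sign(content_length, rfc1123_date, method="POST",
                   content_type="application/json", resource="/api/logs"):
    """Canonical string the Data Collector API expects to be HMAC-signed."""
    return f"{method}\n{content_length}\n{content_type}\nx-ms-date:{rfc1123_date}\n{resource}"


def build_authorization(workspace_id, shared_key_b64, content_length, rfc1123_date):
    """SharedKey header: base64(HMAC-SHA256(decoded key, string_to_sign))."""
    key = base64.b64decode(shared_key_b64)
    message = string_to_sign(content_length, rfc1123_date).encode("utf-8")
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(rows, log_type=LOG_TYPE, workspace_id=WORKSPACE_ID,
                  shared_key_b64=SHARED_KEY, rfc1123_date=None):
    """Return (url, headers, body) for a POST to the workspace's ingestion endpoint."""
    body = json.dumps(rows).encode("utf-8")
    if rfc1123_date is None:
        now = datetime.datetime.now(datetime.timezone.utc)
        rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_authorization(workspace_id, shared_key_b64, len(body), rfc1123_date),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
        "time-generated-field": "TimeGenerated",  # use the event's own timestamp, not ingest time
    }
    return url, headers, body


if __name__ == "__main__":
    rows = transform_records(SAMPLE_MESSAGE, SOURCE_TENANT_LABEL)
    url, headers, body = build_request(rows)
    print(url)
    print(headers["Log-Type"], headers["x-ms-date"])
    print(body.decode())
    # To actually send: urllib.request.urlopen(urllib.request.Request(url, data=body, headers=headers, method="POST"))
```

In a real deployment the message bytes would come from the Event Hub consumer (the azure-eventhub SDK or the Logic App trigger) rather than the inline sample, and the shared key would come from Key Vault. Because the rows land in a custom table, existing analytic rules written against the built-in SigninLogs table will not see them; the SourceTenantId column is what lets a rewritten query scope results to one tenant.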
Thanks Gary for the quick response. What approach can we follow so that we can forward the data without losing any reference data?
3rd party SIEM solutions use Event Hubs to get the data from Azure. We are trying to perform a similar exercise, but in this case we are sending to Sentinel. What changes between 3rd party SIEM solutions and Sentinel?
GaryBushey, Mar 04, 2021, Bronze Contributor
pavankemi I doubt 3rd party SIEMs would do any better unless they download the information from Azure AD as well (for my example). I think the biggest issue will be writing/modifying all the queries to look at the new tables.