Forum Discussion
Sending logs from one tenant to a different tenant Sentinel instance
pavankemi While you can send the data from one tenant to another, keep in mind that a lot of the data will not be useful as you will lose a lot of the reference data (for instance, user GUIDs) and the vast majority of the data will need to be put into custom tables as you cannot add your own data to Azure Sentinel's tables.
With that being said, once the data is in an Event Hub, you can write a Logic App to process the data and write it to the Logic App in the new tenant. Connect to Azure Event Hubs - Azure Logic Apps | Microsoft Docs. There is an Azure Monitor Send Data connector to write to a Log Analytics Workspace.
- GaryBushey, Mar 05, 2021, Bronze Contributor
pavankemi That would be because I told you the wrong connector name. Sorry. It is actually the "Azure Log Analytics Data Collector" connector that you want to use.
- Ofer_Shezaf, Mar 08, 2021, Microsoft
- I would use Azure functions and not Logic Apps, as Logic Apps cost may become prohibitive.
- It is not a simple project. We have customers doing that, but there is an inherent effort both in the custom connectors and modifying queries to work with it. Also, with custom connectors free sources are no longer free.
To try to best help: why do you need to move all data to a central tenant?
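As an added illustration (not code from any poster in this thread), this Python example shows the core of a forwarding function of the kind discussed above: it unwraps an Event Hub message, tags each record with its source tenant, and builds the signed request for the Log Analytics HTTP Data Collector API. The workspace ID, tenant ID, key, table name and sample records are constructed placeholders, and the `{"records": [...]}` envelope and `time` field are assumptions about the exported log format.

```python
import base64, hashlib, hmac, json, re
from email.utils import formatdate

API_PATH = "/api/logs"
# Constructed sample values (not real identifiers or secrets).
DEMO_WORKSPACE = "00000000-0000-0000-0000-000000000000"
DEMO_TENANT = "11111111-1111-1111-1111-111111111111"
DEMO_KEY = base64.b64encode(b"constructed-demo-key").decode()
SAMPLE_MESSAGE = json.dumps({"records": [
    {"time": "2021-03-08T10:00:00Z", "category": "SignInLogs", "userId": "guid-a"},
    {"time": "2021-03-08T10:00:05Z", "category": "SignInLogs", "userId": "guid-b"},
]}).encode()

def flatten_event_hub_message(message, source_tenant_id):
    """Unwrap the {"records": [...]} envelope and tag each event with its origin tenant."""
    doc = json.loads(message)  # assumed to be a JSON object
    records = doc.get("records", [doc])
    # GUIDs cannot be resolved in the receiving tenant, so keep the origin explicit.
    return [{**r, "SourceTenantId": source_tenant_id} for r in records]

def build_request(workspace_id, shared_key_b64, log_type, records, rfc1123_date=None):
    """Return (url, headers, body) for one signed Data Collector API POST."""
    if not re.fullmatch(r"[A-Za-z0-9_]{1,100}", log_type):
        raise ValueError("Log-Type allows only letters, digits and underscore")
    date = rfc1123_date or formatdate(usegmt=True)
    body = json.dumps(records).encode("utf-8")
    # The signature covers verb, body length, content type, date header and path.
    to_sign = f"POST\n{len(body)}\napplication/json\nx-ms-date:{date}\n{API_PATH}"
    mac = hmac.new(base64.b64decode(shared_key_b64), to_sign.encode("utf-8"), hashlib.sha256)
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"SharedKey {workspace_id}:{base64.b64encode(mac.digest()).decode()}",
        "Log-Type": log_type,            # lands in the custom table <log_type>_CL
        "x-ms-date": date,
        "time-generated-field": "time",  # assumes records carry a "time" field
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{API_PATH}?api-version=2016-04-01"
    return url, headers, body

if __name__ == "__main__":
    recs = flatten_event_hub_message(SAMPLE_MESSAGE, DEMO_TENANT)
    url, headers, _ = build_request(DEMO_WORKSPACE, DEMO_KEY, "VendorTenantSignIn", recs)
    print(url, headers["Log-Type"], len(recs))
```

The shared key grants write access to the whole destination workspace, so the forwarding function in the source tenant should read it from a secret store rather than from code or plain application settings.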
- pavankemi, Mar 09, 2021, Brass Contributor
Ofer_Shezaf Thank you for the response. The customer has multiple tenants which are owned by the customer, but one tenant is being managed by the vendor. The customer needs logs from the vendor-managed tenant sent to their tenant to centrally monitor. In short, the customer has a few contractual obligations with the vendor and cannot deploy Lighthouse, and wanted to go with log forwarding from Tenant 1 to Tenant 2.