Jeff Walzer
Iron Contributor
Mar 02, 2020
Solved

Sentinel across multi-region/workspaces

We have resources deployed in two regions, East US and Central US. We are using Central US as a zone pair to East US and with that was wondering if I need to create a log analytics workspace for the resources in Central US, and if so, how do I configure/associate Sentinel to both workspaces?

 

Thx  

  • Jeff Walzer No need to pair them. You can have multiple workspaces and query across them using a single Azure Sentinel console. Here's an example...

     

    union Update, workspace("otherworkspacename").Update, workspace("otherworkspaceID").Update
    | where TimeGenerated >= ago(1h)
    | where UpdateState == "Needed"
    | summarize dcount(Computer) by Classification

     

    You can even save a query like this as a Function so you can just use the Function alias to use it.

     

    Question is...why do you think you might need multiple Sentinel workspaces? Best practice is to use a single workspace if possible.

     

    Reasons why you might want to use multiple workspaces:

    • Use of multiple Azure tenants
    • For compliance and sovereignty reasons
    • To reduce networking costs across regions

     

    Reasons to avoid multiple workspaces:

    • Separate billing
    • Fine-grained retention settings
    • Fine-grained access control
    • Legacy architecture
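
The saved-function idea from the reply above, as an added example that is not part of the original thread. The alias `AllWorkspaceUpdates` and the column name `SourceWorkspaceId` are hypothetical, and the workspace names are the placeholders from the reply; the function is declared inline with `let` so the block runs as a single query.

```kusto
// Hypothetical alias. Saving the body between the braces as a Log Analytics
// function gives the same alias without the let statement.
let AllWorkspaceUpdates = () {
    // isfuzzy=true lets the union continue when a leg's table does not exist,
    // for example a workspace where the Update table was never created.
    union isfuzzy=true
        Update,
        workspace("otherworkspacename").Update,
        workspace("otherworkspaceID").Update
    // In Log Analytics tables, TenantId holds the ID of the workspace that
    // stored the record, so it shows which workspace each row came from.
    | extend SourceWorkspaceId = TenantId
};
// Same filter as the reply's query, now split per workspace.
AllWorkspaceUpdates()
| where TimeGenerated >= ago(1h)
| where UpdateState == "Needed"
| summarize Computers = dcount(Computer) by SourceWorkspaceId, Classification
| order by SourceWorkspaceId asc, Classification asc
```

Splitting the count by workspace shows whether one region has stopped reporting, which a single combined `dcount` would hide.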

     

5 Replies


    • Jeff Walzer
      Iron Contributor

      Rod_Trent- thx for the reply and information.

       

      The reason I thought I would need multiple workspaces is because we have resources in different regions. Is it possible to have resources in one region forward metrics/events via the diagnostic and log analytics agent to another region (in my case resources in the Central region forwarding metrics/events to the East region)?

       

      Thx
