Forum Discussion

Jeff Walzer's avatar
Jeff Walzer
Iron Contributor
Mar 02, 2020
Solved

Sentinel across multi-region/workspaces

We have resource deployed in two regions, East US and Central US. We are using Central US as as zone pair to East US and with that was wondering if I need to create a log analytics workspace for the ...
  • Rod_Trent's avatar
    Rod_Trent
    Mar 02, 2020

    Jeff Walzer No need to pair them. You can have multiple workspaces and query across them using a single Azure Sentinel console. Here's an example...

     

    union Update, workspace("otherworkspacename").Update, workspace("otherworkspaceID").Update
    | where TimeGenerated >= ago(1h)
    | where UpdateState == "Needed"
    | summarize dcount(Computer) by Classification

     

    You can even save a query like this as a Function so you can just use the Function alias to use it.

     

    Question is...why do you think you might need multiple Sentinel workspaces? Best practice is to use a single workspace if possible.

     

    Reasons why you might want to use multiple workspaces:

    • Use of multiple Azure tenants
    • For compliance and sovereignty reasons
    • To reduce networking costs across regions

     

    Reasons to avoid multiple workspaces:

    • Separate billing
    • Fine grained retention settings
    • Fine grained access control
    • Legacy architecture

     

Rod_Trent's avatar
Rod_Trent
Icon for Microsoft rankMicrosoft
Mar 02, 2020

Jeff Walzer No need to pair them. You can have multiple workspaces and query across them using a single Azure Sentinel console. Here's an example...

 

union Update, workspace("otherworkspacename").Update, workspace("otherworkspaceID").Update
| where TimeGenerated >= ago(1h)
| where UpdateState == "Needed"
| summarize dcount(Computer) by Classification

 

You can even save a query like this as a Function so you can just use the Function alias to use it.

 

Question is...why do you think you might need multiple Sentinel workspaces? Best practice is to use a single workspace if possible.

 

Reasons why you might want to use multiple workspaces:

  • Use of multiple Azure tenants
  • For compliance and sovereignty reasons
  • To reduce networking costs across regions

 

Reasons to avoid multiple workspaces:

  • Separate billing
  • Fine grained retention settings
  • Fine grained access control
  • Legacy architecture

 

Jeff Walzer's avatar
Jeff Walzer
Iron Contributor
Mar 03, 2020

Rod_Trent- thx for the reply and information.

 

The reason I thought I would need multiple workspaces is because we have resources in different regions. Is it possible to have resources is one region forward metrics/events via the diagnostic and log analytics agent to another region (in my case resources in the Central region forwarding metrics/events to the East region)?

 

Thx

    • Jeff Walzer's avatar
      Jeff Walzer
      Iron Contributor
      Mar 03, 2020

      Thijs Lecomte- TYVM for the link - greatly appreciated

  • Rod_Trent's avatar
    Rod_Trent
    Icon for Microsoft rankMicrosoft
    Mar 03, 2020

    Jeff Walzer Yes, absolutely. Azure Sentinel becomes the single pane of glass for your entire infrastructure.