Forum Discussion
a8ree
Apr 15, 2021
Copper Contributor
Sentinel across multiple environments
We are currently planning a new Azure presence. Each of our environments is distinct (Prod/Pre-Prod/Non-Prod) within different subscriptions, with each having its own Log Analytics Workspace. When looking at how we do SIEM with Sentinel, we have discovered the one-to-one relationship between Sentinel and the LAW.
Operating three instances of Sentinel within our environments seems like it won't provide value - I'm thinking about lateral movement, and the ability to detect someone gathering information in lesser environments to use against Prod.
I see that the only way in which Sentinel can use multiple workspaces is to use Lighthouse. Is this a valid solution in our use case? Will it provide the ability to correlate across multiple LAW/Sentinel instances? Or is this a sledgehammer to crack a nut - i.e. is there an easier and better way in which to operate?
- CliveWatson
Microsoft
Azure Lighthouse is needed if the workspaces are in different tenants. If the three workspaces are within the same tenant/AAD, you can view Incidents across all three from the UI.
See Module 3: https://techcommunity.microsoft.com/t5/azure-sentinel/become-an-azure-sentinel-ninja-the-complete-level-400-training/ba-p/1246310
and https://docs.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants#cross-workspace-monitoring
- a8ree
Copper Contributor
Thanks - I hadn't spotted that. Great!
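
One way to correlate across the three workspaces in a single query, using the `workspace()` function with `union` (an added example, not part of the original thread). It flags caller IPs with repeated failed control-plane operations in the lower environments that then show up in Prod. The workspace names `law-nonprod`, `law-preprod` and `law-prod`, the threshold and the time windows are assumptions, as is each subscription's Activity Log being sent to its own workspace.

```kusto
// Added example: workspace names below are hypothetical placeholders.
// Assumes the AzureActivity table is populated in every workspace.
let lookback = 7d;          // how far back to search (assumed value)
let followWindow = 24h;     // how soon Prod activity must follow (assumed value)
let minFailures = 5;        // failure count that counts as probing (assumed value)
// Step 1: failed operations in the lower environments, grouped by caller IP.
let lowerEnvFailures =
    union withsource = SourceWorkspace
        workspace("law-nonprod").AzureActivity,
        workspace("law-preprod").AzureActivity
    | where TimeGenerated > ago(lookback)
    | where ActivityStatusValue == "Failure"
    | where isnotempty(CallerIpAddress)
    | summarize FirstFailure = min(TimeGenerated),
                FailureCount = count(),
                LowerEnvWorkspaces = make_set(SourceWorkspace)
        by CallerIpAddress
    | where FailureCount >= minFailures;
// Step 2: Prod activity from the same IP within followWindow of the first failure.
workspace("law-prod").AzureActivity
| where TimeGenerated > ago(lookback)
| where isnotempty(CallerIpAddress)
| join kind = inner (lowerEnvFailures) on CallerIpAddress
| where TimeGenerated >= FirstFailure
    and TimeGenerated <= FirstFailure + followWindow
| summarize FirstProdActivity = min(TimeGenerated),
            ProdOperationCount = count(),
            ProdOperations = make_set(OperationNameValue, 20),
            LowerEnvWorkspaces = take_any(LowerEnvWorkspaces)
    by CallerIpAddress, Caller, FirstFailure, FailureCount
| order by FailureCount desc
```

The account running the query needs read access to all three workspaces, otherwise the `workspace()` references fail.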