Forum Discussion

Richard Davies
Feb 03, 2020
Solved

Single pane of glass for multiple log analytics workspaces?

We’re wanting to onboard more of our stuff to Sentinel.  At the moment we have a hub/spoke model as illustrated below, with (at least) 1 Log Analytics workspace in each spoke – some dev teams have de...
  • CliveWatson
    Feb 03, 2020

    Richard Davies


    If the data needs to reside in the original workspace (maybe for compliance reasons or to reduce egress) then maybe you can visualize the workspaces with an Azure Workbook. If it can be moved centrally, moving to a single workspace model (or two to allow for a test/dev one, of course) then that would help. Or, as you say, you can dual-home Windows data (at a cost).

    You can also attach a Playbook to all incidents and therefore get a Teams, Email or ITSM message (or others) when you have an incident - regardless of the workspace, your central team can react to those.

    Example Workbook (showing SecurityAlert data). Essentially these can show cross-workspace queries or, with Azure Lighthouse, cross-AAD workspaces. This shows two workspaces:

    [Workbook screenshots: two workspaces]


    Code sample (which the above are based on)

    SecurityAlert
    | summarize count() by AlertName, ProductName, AlertSeverity, ["Workspace"] = TenantId
    | order by Workspace asc, count_ desc

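The query in the reply above summarizes whichever workspace it is run in and labels rows with the workspace's TenantId (a GUID). The cross-workspace variant that the Workbook relies on is not shown on the page, so here is an added example (my own, not CliveWatson's or the Workbook's code) that unions SecurityAlert from two spoke workspaces and labels each row with a readable workspace name. The workspace names "spoke-a-law" and "spoke-b-law" and the 7-day lookback are placeholders; the identity running the query is assumed to have read access to both workspaces.

```kusto
// Added example, not from the original thread.
// Assumptions: "spoke-a-law" and "spoke-b-law" are placeholder workspace names;
// the caller has Log Analytics Reader on both; SecurityAlert exists in at least one.
let lookback = 7d;
// isfuzzy=true keeps the query running if one workspace lacks the SecurityAlert
// table (e.g. a spoke that has not yet been onboarded to Sentinel).
union isfuzzy=true
    (workspace("spoke-a-law").SecurityAlert | extend Workspace = "spoke-a-law"),
    (workspace("spoke-b-law").SecurityAlert | extend Workspace = "spoke-b-law")
| where TimeGenerated > ago(lookback)
// One row per workspace / alert type / severity, with the most recent sighting,
// so the central team can see which spoke is generating which alerts.
| summarize AlertCount = count(), LastSeen = max(TimeGenerated)
    by Workspace, AlertName, ProductName, AlertSeverity
| order by Workspace asc, AlertCount desc
```

The workspace() function accepts a workspace name, qualified name, workspace ID, or full Azure resource ID, so the placeholders can be swapped for whichever form is unambiguous in your tenant. A single cross-workspace query is limited to 100 workspaces, and the data still stays in its spoke; only the query results cross the boundary, which is the point of this approach when compliance or egress cost rules out moving the logs centrally.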