Forum Discussion
Single pane of glass for multiple log analytics workspaces?
- Feb 03, 2020
If the data needs to reside in the original workspace (maybe for compliance reasons or to reduce egress) then maybe you can visualize the workspaces with an Azure Workbook. If it can be moved centrally, then moving to a single workspace model (or two, to allow for a test/dev one of course) would help. Or, as you say, you can dual-home Windows data (at a cost).
You can also attach a Playbook to all incidents and therefore get a Teams, Email or ITSM message (or others) when you have an incident - regardless of the workspace, your central team can react to those.
Example Workbook (showing SecurityAlert data); essentially these can show cross-workspace queries or, with Azure Lighthouse, cross-AAD workspaces. This shows two workspaces.
Code sample (which the above are based on):
SecurityAlert
| summarize count() by AlertName, ProductName, AlertSeverity, ["Workspace"] = TenantId
| order by Workspace asc, count_ desc
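The same summary written as an explicit cross-workspace query with the `workspace()` function, as an added example that is not part of the original reply. The two workspace names are constructed placeholders, and the 7-day window and the de-duplication on SystemAlertId are assumptions.

```kusto
// Constructed placeholders: replace both workspace names with your own
// (workspace() also accepts a workspace ID or an Azure resource ID).
union isfuzzy=true                      // tolerate a workspace where the table is missing
    workspace("contoso-prod-law").SecurityAlert,
    workspace("contoso-dev-law").SecurityAlert
| where TimeGenerated > ago(7d)         // assumed reporting window
// Keep only the latest record per alert and workspace so that alert
// updates are not counted more than once.
| summarize arg_max(TimeGenerated, *) by SystemAlertId, TenantId
| summarize AlertCount = count() by AlertName, ProductName, AlertSeverity, ["Workspace"] = TenantId
| order by Workspace asc, AlertCount desc
```

The account running the query needs read access to every workspace it references, whether it runs from the Logs blade or from a Workbook.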
Richard Davies Have you looked at using Grafana? Sentinel dashboards/workbooks are not the best.