sharukh222000
Copper Contributor
Nov 20, 2022

Workspace and Sentinel how it will work

Dear All,


I have my company servers and workspaces located in 3 regions, i.e. US, Europe and India, and data is flowing from those specific locations to the respective workspace; for example, US data will go to the US workspace.

We wanted to continue the same, but the issue is that we now want to have our security team set up, and we are planning to have it in India only, so we ran Sentinel on top of the India workspace. Now the question is how to monitor the US and Europe workspaces?

Kindly let me know the answer from the following perspectives:

1) The cost-efficient way?

2) The best practice in these scenarios?

3) Can we use Azure Lighthouse?


  • samikroy
    Brass Contributor
    1. If data compliance agrees, target the logs to a single workspace.
    a. This will help you to query in a single workspace.
    b. In case of high data ingestion, you will be able to leverage commitment tiers.
    3. Lighthouse is used in case of multi-tenancy, which does not seem to be the use case here.
    This brings up another question: what data sources are being ingested?
    Heartbeat - Free
    SecurityEvent - Will be billed the same as of now.
    Hope this helps.
  • sharukh222000
    Copper Contributor
    Didn't get it.

    Let's make it simple.

    If we have 2 workspaces in two separate regions, 1 in the US and another in India:

    Sentinel is running on the India workspace only, but in future I want to monitor the US site also.
    What's the best practice?
    Do I need 2 Sentinels?
    • samikroy
      Brass Contributor
      Assess (data compliance / any other requirements) whether the log sources from another location (US) can point to the initial location (India).
      Else, you have to have 2 different Sentinel instances and use cross-workspace queries to join for your use cases.
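
The cross-workspace query approach mentioned in the last reply, as an added example that is not part of the original thread: a KQL query run from the India workspace that unions `SecurityEvent` from the regional workspaces without moving the data. The workspace names and the threshold are placeholders chosen for illustration.

```kusto
// Run from the India workspace (the local SecurityEvent table needs no qualifier).
// "la-us-placeholder" and "la-eu-placeholder" are placeholder workspace names;
// the analyst needs read access to each referenced workspace.
union
    SecurityEvent,
    workspace("la-us-placeholder").SecurityEvent,
    workspace("la-eu-placeholder").SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4625                      // failed Windows logon
// TenantId holds the ID of the workspace each row was ingested into,
// so results can be attributed to a region.
| summarize FailedLogons = count(), Hosts = dcount(Computer) by Account, TenantId
| where FailedLogons >= 20                   // threshold is an assumption, tune per environment
| order by FailedLogons desc
```

Each workspace keeps billing for its own ingestion; the query only reads the remote tables at run time.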
