Hi @nathanmitten,
Thanks for reaching out. If your subscriptions are currently using Security Center's managed workspaces (default workspaces) and you'd like to change them to report to a workspace of your own, you can reconfigure your existing VMs to report to this new workspace programmatically by using REST API:
HTTP Method: POST
Request Body:
/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}
Reconfiguration of the agents may take up to 12 hours.
Alternatively you can see the same in the ASC Portal experience: Pricing & Settings -> Select subscription -> Data collection -> switch from default workspaces to a workspace of your own. You'll then see the following confirmation dialog (Of course this method is applicable only in case you want to alter a few subscriptions and not dozens)
We plan to add this to our API documentation in the near future as this specific functionality is missing from it, along with adding this to our PowerShell snippet.
If your VMs currently report to your own workspace (whether the Microsoft Monitoring agent was provisioned manually on your VMs or with ASC's automatic provisioning), you'll have to reconfigure the Microsoft Monitoring agent to the new workspace manually. ASC can't do this automatically for you since it did not necessarily provision the agent and the actual reporting to the (user) workspace may have served needs besides ASC - thus this can't be done automatically.
Reconfiguration in this case can be done in multiple ways, but this depend on how the Microsoft Monitoring Agent was installed (as an Azure Extension or as a Direct Agent installation) and on the OS. Please consult the relevant docs in such a case to find your appropriate scenario: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/log-analytics-agent
Please reach out if you have any further questions or required clarifications.
Thanks,
Yoav Francis,
Senior Product Manager, Azure Security Center