Azure Sentinel with ASC and existing workspace


Hello There,

Currently we have 2 workspaces created linked to ASC. One workspace for Production VMs and another for Non-Production VM.

We are planning to deploy Sentinel and have a few questions.

1) To avoid "multi-homing", should we consolidate both workspaces into one and use a single workspace for ASC, Azure monitoring and Sentinel?

2) For best practice, should we create a new workspace for Sentinel and use connectors to send events from ASC, Azure Monitor, etc.?

We want to simplify the solution, avoid too many workspaces and reduce cost.

3) The current workspace has data consumption of about 15-18 GB per day including all kinds of logs. So when we calculate the cost for Sentinel, how do we estimate data?

Regards

Avi

2 Replies

@avirat20 When you say "workspace" I am going to assume you mean a Log Analytics (LA) workspace.

1) It really depends on whether you are using (or plan to use) the Non-production information in Azure Sentinel. Otherwise, you are just paying for data you are not using. Azure Sentinel is always going to be a compromise of having all the data you will need versus paying for data you won't ever use. "SolarGate" has changed the way a lot of people think about non-prod data so it may be that you will use the data now when in the past you probably wouldn't have.

Also take into account where the data is located. Are your prod and non-prod in the same Azure region? If not, there are egress charges that need to be considered. You can also take a look at using Azure Lighthouse with Azure Sentinel to view different Azure Sentinel instances at one time.

2) I typically say to let the Azure Security products do what they are good at and then just send the alerts from ASC to Azure Monitor. One analogy I like is that Azure Sentinel is a backstop to catch everything that the other Azure security products miss (although this may not make sense to non-Americans. Think of it as the netting in the football goal so the ball stops if all the other players and the goalie miss it.) However, if you need the data for an investigation, you won't have it (hopefully this will change in the future).

3) Use the Azure pricing calculator, add Azure Sentinel to it, select your region, and plug in your consumption rate to get the most accurate pricing estimate.

@avirat20 

To the specific question about ASC and Azure Sentinel: you should use the same workspace. ASC itself does not use the workspace, and the value stems from Sentinel features.

What you may want to do is split non-security data to a separate workspace for cost reasons. This would imply dual homing.
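Both replies leave the asker with a measurement problem: question 3 needs a per-day ingestion figure to plug into the pricing calculator, and the second reply's suggestion to move non-security data to its own workspace needs to know how much of the 15-18 GB/day is non-security. The query below is an added example, not from either reply or from Microsoft's documentation. It reads the workspace's own Usage table (Quantity is reported in MB, IsBillable excludes tables that Log Analytics does not charge for) and averages billable volume per table over a 30-day window. The list of tables it treats as "security" is an assumption for illustration; adjust it to the tables your Sentinel connectors actually populate.

```kql
// Added example: estimate average billable GB/day per table from the Usage
// table, then roll it up into "security" vs "other" to size a possible
// workspace split. Not from the original thread; adjust to your environment.
let days = 30;
// Assumption: tables typically ingested for ASC/Sentinel use. Edit this list to
// match the connectors enabled in your own workspace.
let securityTables = dynamic([
    "SecurityEvent", "SecurityAlert", "SecurityIncident", "SecurityRecommendation",
    "CommonSecurityLog", "Syslog", "SigninLogs", "AuditLogs", "AzureActivity",
    "OfficeActivity", "WindowsFirewall", "ProtectionStatus", "DnsEvents"
]);
// Per-table average daily billable ingestion over the lookback window.
let perTable = Usage
    | where TimeGenerated > ago(days * 1d)
    | where IsBillable == true
    | summarize TotalMB = sum(Quantity) by DataType
    | extend AvgGBPerDay = round(TotalMB / 1024.0 / days, 2)
    | extend Category = iff(DataType in (securityTables), "security", "other")
    | project DataType, Category, AvgGBPerDay
    | order by AvgGBPerDay desc;
// Roll-up: how much would stay in the Sentinel workspace vs move elsewhere.
perTable
| summarize GBPerDay = round(sum(AvgGBPerDay), 2), Tables = make_set(DataType) by Category
| order by GBPerDay desc
```

Run it in the Logs blade of the existing workspace. The final two lines produce the security/other split; replace them with just `perTable` to see the ranked per-table breakdown, which is the number to enter as the daily consumption rate in the Azure pricing calculator as the first reply describes. Because the query sums billable MB rather than record counts, it matches what the workspace is actually charged for, and running it separately on the prod and non-prod workspaces shows how much each would add to a consolidated one.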