Cross Workspace Query

%3CLINGO-SUB%20id%3D%22lingo-sub-1648057%22%20slang%3D%22en-US%22%3ECross%20Workspace%20Query%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1648057%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20all%2C%3C%2FP%3E%3CP%3EAs%20a%20part%20of%20our%20Sentinel%20on-boarding%20project%2C%20we're%20in%20the%20process%20of%20centralising%20LA%20workspaces.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20Sentinel%20LA%20workspace%20permission%20is%20set%20to%26nbsp%3B%22%3CSPAN%3EUse%20resource%20or%20workspace%20permissions%22%2C%20however%20the%20cross%20workspace%20query%20below%20fails%20with%20a%20permission%20error%3A%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CP%3E%3CSPAN%3Eworkspace(%22%3CLA-WORKSPACE-NAME%3E%22).Heartbeat%26nbsp%3B%3C%2FLA-WORKSPACE-NAME%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%7C%26nbsp%3Bwhere%26nbsp%3BComputer%26nbsp%3Bcontains%26nbsp%3B%22%3CSERVERNAME%3E%22%3C%2FSERVERNAME%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20anyone%20know%20if%20the%20KQL%20can%20be%20tweaked%20to%20avoid%20delegating%20read%20permissions%20to%20the%20LA%20workspace%3F%20Hoping%20we%20can%20do%20something%20similar%20to%20user%20using%20the%20%22logs%22%20option%20from%20the%20VM.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMany%20thanks%2C%3C%2FP%3E%3CP%3EMatt%3C%2FP%3E%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

Hi all,

As a part of our Sentinel on-boarding project, we're in the process of centralising LA workspaces.

 

The Sentinel LA workspace permission is set to "Use resource or workspace permissions", however the cross workspace query below fails with a permission error:

 

workspace("<LA-Workspace-Name>").Heartbeat 

| where Computer contains "<ServerName>"

 

Does anyone know if the KQL can be tweaked to avoid delegating read permissions to the LA workspace? Hoping we can do something similar to user using the "logs" option from the VM.

 

Many thanks,

Matt

 

 

0 Replies