Multiple Log analytic workspace and rules


Good morning:


I am a newbie to Azure Sentinel.

Our env has set up multiple subscriptions and Log Analytics workspaces for different productions.

I would like to trigger some rules (from template) in Log Analytics workspaces to monitor all our productions. Should I set up rules in every Log Analytics workspace or only one of them? To view all incidents in one workbook, should I forward the logs from different resources (different subscriptions) to one special Log Analytics workspace?


3 Replies

@cklonger You would need to trigger the rules in each workspace as the rules can only work in one workspace for the most part.   You can then use Azure Lighthouse to view the incidents from all your workspaces in one view.  Take a look at this page to get you started:


https://docs.microsoft.com/en-us/azure/lighthouse/how-to/manage-sentinel-workspaces

@cklonger : @Gary Bushey's answer is the best practice. However:

- It is recommended, by Sentinel and by Log Analytics, to keep all logs in a centralized workspace.

- You can run a rule across workspaces using cross-workspace queries, however you will have to modify the built-in rules and some features such as investigation are limited with such rules.
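As an added illustration of the cross-workspace approach described in the reply above (an example query, not code from the thread or from a Sentinel template): the common "many failed Windows logons for one account" detection, rewritten so that a single analytics rule in a central workspace reads SecurityEvent from two other workspaces. The workspace names ws-prod-a and ws-prod-b, the threshold of 10 and the one-hour lookback are placeholder assumptions.

```kql
// Added example, not from the original thread.
// Assumptions: workspaces named ws-prod-a and ws-prod-b exist, both ingest
// SecurityEvent, and the identity running the query has read access to both.
let threshold = 10;
let lookback = 1h;
// One leg per remote workspace. workspace() also accepts the workspace ID
// or the full Azure resource ID instead of the display name.
let FailedLogonsA = workspace("ws-prod-a").SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625                 // An account failed to log on
    | extend SourceWorkspace = "ws-prod-a"; // keep track of where it came from
let FailedLogonsB = workspace("ws-prod-b").SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625
    | extend SourceWorkspace = "ws-prod-b";
// isfuzzy=true lets the rule keep running if one workspace has no
// SecurityEvent table yet (for example, the agent is not deployed there).
union isfuzzy=true FailedLogonsA, FailedLogonsB
| summarize FailureCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Workspaces = make_set(SourceWorkspace),
            Computers = make_set(Computer)
  by TargetUserName, TargetDomainName
| where FailureCount > threshold
| extend Account = strcat(TargetDomainName, @"\", TargetUserName)
| project FirstSeen, LastSeen, Account, FailureCount, Workspaces, Computers
```

The TimeGenerated filter is there so the query also makes sense when pasted into the Logs blade; inside an analytics rule the rule's own lookback period does the same job. Entity mapping (Account, Host) is configured in the rule wizard, and, as noted above, the investigation graph only follows entities that live in the rule's own workspace, which is the limitation to weigh against the convenience of one rule for all workspaces.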

@Ofer_Shezaf Correct.  I should have specified to use multiple workspaces when using different regions (taking into account the egress charges vs complexity of having multiple environments).  Thanks for pointing that out.


Here is a link to a best practices posting (although some of the information is out of date)


https://techcommunity.microsoft.com/t5/azure-sentinel/best-practices-for-designing-an-azure-sentinel...