Sending logs from one tenant to a different tenant Sentinel instance


Team,

I have a scenario where logs from one tenant need to be forwarded to another tenant's LA workspace (Sentinel). I know we have Azure Lighthouse, which can be used, but the customer requirement is to forward all the logs from one tenant to another tenant.

What possible options do we have? Cost is not a factor for the customer. I can think of one option, which is to use the LA Data Export and send the events to the Event Hubs of that tenant. But how can the Sentinel instance of a different tenant consume those logs from the Event Hubs?

Any other approaches to cater to the requirements are also helpful.


@pavankemi While you can send the data from one tenant to another, keep in mind that a lot of the data will not be useful, as you will lose a lot of the reference data (for instance, user GUIDs), and the vast majority of the data will need to be put into custom tables, as you cannot add your own data to Azure Sentinel's tables.

With that being said, once the data is in an Event Hub, you can write a Logic App to process the data and write it to the Logic App in the new tenant. Connect to Azure Event Hubs - Azure Logic Apps | Microsoft Docs. There is an Azure Monitor Send Data connector to write to a Log Analytics Workspace.

Thanks Gary for the quick response. What approach can we follow so that we can forward the data without losing any reference data?

3rd-party SIEM solutions use Event Hubs to get the data from Azure. We are trying to perform a similar exercise, but in this case we are sending to Sentinel. What changes between 3rd-party SIEM solutions and Sentinel?

@pavankemi I doubt 3rd-party SIEMs would do any better unless they download the information from Azure AD as well (for my example). I think the biggest issue will be writing/modifying all the queries to look at the new tables.

Hi Gary. I was looking at the Azure Monitor Send Data connector in Logic Apps, but there is no such action listed under Azure Monitor. Am I doing something wrong?

@pavankemi That would be because I told you the wrong connector name. Sorry. It is actually the "Azure Log Analytics Data Collector" connector that you want to use.

@pavankemi:

- I would use Azure Functions and not Logic Apps, as Logic Apps cost may become prohibitive.

- It is not a simple project. We have customers doing that, but there is an inherent effort both in the custom connectors and in modifying queries to work with it. Also, with custom connectors, free sources are no longer free.

To try to best help: why do you need to move all data to a central tenant?
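The pipeline the replies above converge on (Log Analytics data export to an Event Hub in Tenant 1, a function that reads the hub and posts the rows to the Log Analytics HTTP Data Collector API of the Tenant 2 workspace, where they land in a custom _CL table) is shown below as an added example in Python, in the shape of the core of an Azure Function. It is not code from any of the posters or from Microsoft. Assumptions, labelled in the comments: the Event Hub message body is a JSON object with a top-level `records` array (the shape Azure Monitor diagnostic settings use; check your export's actual payload), the workspace ID and primary key of the Tenant 2 workspace are available to the function (in practice from Key Vault, never in app settings in clear), and the sign-in record in the sample message is constructed. The only thing Tenant 1 needs from Tenant 2 is that workspace ID and key, which is why this route works without Lighthouse; the cost is that the key is a bearer secret for writing into the central SIEM, so rotate it and scope the function's identity accordingly.

```python
"""Event Hub -> Log Analytics HTTP Data Collector API forwarder (added example)."""
import base64
import datetime
import hashlib
import hmac
import json
import re
import urllib.request

API_VERSION = "2016-04-01"
RESOURCE = "/api/logs"
MAX_POST_BYTES = 30 * 1024 * 1024  # documented per-request limit of the API


def build_signature(workspace_id: str, shared_key: str, rfc1123_date: str,
                    content_length: int) -> str:
    """Authorization header value for the Data Collector API.

    The string-to-sign is fixed by the API: method, body length, content type,
    the x-ms-date header and the resource path, newline separated, then
    HMAC-SHA256 with the base64-decoded workspace key.
    """
    string_to_sign = (
        f"POST\n{content_length}\napplication/json\n"
        f"x-ms-date:{rfc1123_date}\n{RESOURCE}"
    )
    key = base64.b64decode(shared_key)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def unwrap_export_batch(message_body: str) -> list:
    """Extract the rows from one Event Hub message.

    Assumption: the export wraps rows in a top-level "records" array. A message
    that does not match is rejected rather than guessed at, so a payload change
    shows up as an error instead of silently dropped rows.
    """
    payload = json.loads(message_body)
    records = payload.get("records") if isinstance(payload, dict) else None
    if not isinstance(records, list):
        raise ValueError("unexpected export payload: no 'records' array")
    return records


def destination_log_type(source_table: str) -> str:
    """Log-Type header value; the service appends _CL to make the table name.

    Only letters, digits and underscores are accepted, the first character
    must be a letter, and the name is capped at 100 characters.
    """
    cleaned = re.sub(r"[^A-Za-z0-9_]", "_", source_table)
    if not cleaned or not cleaned[0].isalpha():
        raise ValueError(f"cannot derive a Log-Type from {source_table!r}")
    return cleaned[:100]


def build_post(workspace_id: str, shared_key: str, records: list,
               log_type: str, now: datetime.datetime = None) -> tuple:
    """Return (url, headers, body) for one Data Collector API request."""
    body = json.dumps(records).encode("utf-8")
    if len(body) > MAX_POST_BYTES:
        raise ValueError("batch exceeds the 30 MB per-post limit; split it")
    if now is None:
        now = datetime.datetime.now(datetime.timezone.utc)
    rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key,
                                         rfc1123_date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
        # keep the original event time instead of the ingestion time
        "time-generated-field": "TimeGenerated",
    }
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           f"{RESOURCE}?api-version={API_VERSION}")
    return url, headers, body


def forward(workspace_id: str, shared_key: str, message_body: str,
            source_table: str) -> int:
    """One Event Hub message in, one authenticated POST out; returns HTTP status."""
    records = unwrap_export_batch(message_body)
    url, headers, body = build_post(workspace_id, shared_key, records,
                                    destination_log_type(source_table))
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


# Constructed sample message, shaped like one exported SigninLogs row.
SAMPLE_MESSAGE = json.dumps({"records": [{
    "TimeGenerated": "2021-03-01T10:00:00Z",
    "UserPrincipalName": "alice@contoso.example",
    "ResultType": "0",
}]})

if __name__ == "__main__":
    # Placeholder workspace ID and a base64 dummy key (assumptions, not real values).
    url, headers, body = build_post("00000000-0000-0000-0000-000000000000",
                                    "c2VjcmV0a2V5c2VjcmV0a2V5c2VjcmV0a2V5c2VjcmV0a2V5",
                                    unwrap_export_batch(SAMPLE_MESSAGE),
                                    destination_log_type("SigninLogs"))
    print(url, headers["Log-Type"], headers["Authorization"][:20] + "...")
```

The rows land in `SigninLogs_CL` with their original column names plus the type suffixes the API adds (`UserPrincipalName_s`, `ResultType_s`), which is the "rewrite every query to point at the new tables" cost the replies warn about; the `time-generated-field` header at least keeps the timestamps honest for correlation.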

@Ofer_Shezaf
Thank you for the response. The customer has multiple tenants which are owned by the customer, but one tenant is being managed by the vendor. The customer needs the logs from the vendor-managed tenant sent to their tenant to monitor centrally. In short, the customer has a few contractual obligations with the vendor and cannot deploy Lighthouse, and wanted to go with log forwarding from Tenant 1 to Tenant 2.

@pavankemi:

First, it would be a large effort just to not use Lighthouse. However, any future support for cross-tenant collection will also use Lighthouse (though reverse Lighthouse). So the contractual issues will have to be resolved.

Thank you Ofer for the information