Sentinel across multiple environments

We are currently planning a new Azure presence. Each of our environments is distinct (Prod/Pre-Prod/Non-Prod) within different subscriptions, with each having its own Log Analytics workspace. When looking at how we do SIEM with Sentinel, we have discovered the one-to-one relationship between Sentinel and the LAW.

Operating three instances of Sentinel within our environments seems like it won't provide value - I'm thinking about lateral movement, and the ability to detect someone gathering information in lesser environments to use against Prod.

I see that the only way in which Sentinel can use multiple workspaces is to use Lighthouse. Is this a valid solution in our use case? Will it provide the ability to correlate across multiple LAW/Sentinel instances? Or is this a sledgehammer to crack a nut - i.e. is there an easier and better way in which to operate?

2 Replies
Azure Lighthouse is needed if the workspaces are in different tenants. If the three workspaces are within the same tenant/AAD, you can view Incidents across all three from the UI.
See Module 3: https://techcommunity.microsoft.com/t5/azure-sentinel/become-an-azure-sentinel-ninja-the-complete-le...
and https://docs.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants#cross-work...
Thanks - I hadn't spotted that. Great!
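
The cross-environment correlation raised in the question can also be written as a single cross-workspace log query using the `workspace()` function. This is an added example, not part of the original thread: the workspace names `law-prod`, `law-preprod` and `law-nonprod` are placeholders, and it assumes each subscription's activity log is sent to the `AzureActivity` table of its own workspace.

```kql
// Added example: flag source IPs that were first active in a lower
// environment and later appear in Prod activity logs.
// Workspace names are placeholders (assumptions); substitute your own.
let lookback = 7d;
// Activity seen in the two lower environments, tagged by environment.
let lowerEnv =
    union
        (workspace("law-preprod").AzureActivity | extend Env = "preprod"),
        (workspace("law-nonprod").AzureActivity | extend Env = "nonprod")
    | where TimeGenerated > ago(lookback)
    | where isnotempty(CallerIpAddress)
    | summarize LowerFirstSeen  = min(TimeGenerated),
                LowerOperations = dcount(OperationNameValue),
                LowerEnvs       = make_set(Env),
                LowerCallers    = make_set(Caller)
        by CallerIpAddress;
// Activity in Prod from the same source IPs.
workspace("law-prod").AzureActivity
| where TimeGenerated > ago(lookback)
| where isnotempty(CallerIpAddress)
| summarize ProdFirstSeen  = min(TimeGenerated),
            ProdOperations = dcount(OperationNameValue),
            ProdCallers    = make_set(Caller)
    by CallerIpAddress
| join kind=inner lowerEnv on CallerIpAddress
// Keep only IPs whose first Prod activity came after their first
// lower-environment activity.
| where ProdFirstSeen > LowerFirstSeen
| project CallerIpAddress, LowerEnvs, LowerCallers, LowerFirstSeen,
          LowerOperations, ProdCallers, ProdFirstSeen, ProdOperations
| order by ProdFirstSeen desc
```

Administrators who legitimately work in every environment will match as well, so filter on known callers or address ranges before alerting on the result. The account running the query needs read access to all three workspaces.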