SOLVED

Single pane of glass for multiple log analytics workspaces?

%3CLINGO-SUB%20id%3D%22lingo-sub-1147577%22%20slang%3D%22en-US%22%3ESingle%20pane%20of%20glass%20for%20multiple%20log%20analytics%20workspaces%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1147577%22%20slang%3D%22en-US%22%3E%3CP%3EWe%E2%80%99re%20wanting%20to%20onboard%20more%20of%20our%20stuff%20to%20Sentinel.%26nbsp%3B%20At%20the%20moment%20we%20have%20a%20hub%2Fspoke%20model%20as%20illustrated%20below%2C%20with%20(at%20least)%201%20Log%20Analytics%20workspace%20in%20each%20spoke%20%E2%80%93%20some%20dev%20teams%20have%20deployed%20their%20own%20workspaces%20for%20their%20apps.%26nbsp%3B%20The%20blue%20shaded%20shapes%20in%20the%20diagram%20below%20illustrate%20where%20workspaces%20currently%20exist%2C%20with%20the%20grey%20shaded%20shapes%20using%20the%20workspace%20in%20the%20parent%20subscription.%26nbsp%3B%20I%E2%80%99m%20aware%20that%20best%20practice%20is%20to%20have%20as%20few%20workspaces%20as%20possible%20where%20Sentinel%20is%20concerned.%26nbsp%3B%20Is%20there%20a%20way%20of%20having%20all%20LA%20Workspace%20content%20roll%20up%20into%20a%20single%20one%20for%20Sentinel%20usage%3F%26nbsp%3B%20I%20know%20this%20will%20incur%20additional%20data%20retention%20costs%20but%20ideally%20we%20want%20to%20give%20our%20SecOps%20guys%20a%20single%20pane%20of%20glass%2C%20rather%20than%20having%20to%20flit%20from%20instance%20to%20instance.%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F168567i49D07695D67D0F69%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_0.png%22%20title%3D%22clipboard_image_0.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1148075%22%20slang%3D%22en-US%22%3ERe%3A%20Single%20pane%20of%20glass%20for%20multiple%20log%20analytics%20workspaces%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1148075%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F172128%22%20target%3D%22_blank%22%3E%40Richard%20Davies%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20the%20data%20needs%20to%20reside%20in%20the%20original%20workspace%20(maybe%20for%20compliance%20reasons%20or%20to%20reduce%20egress)%20then%20maybe%20you%20can%20visualize%20the%20workspaces%20with%20an%20Azure%20Workbook.%26nbsp%3B%20If%20it%20can%20be%20moved%20centrally%2C%20moving%20to%20a%20single%20workspace%20model%20(%20or%20two%20to%20allow%20for%20a%20test%2Fdev%20one%20of%20course)%20then%20that%20would%20help%20.%26nbsp%3B%20Or%20as%20you%20say%20you%20can%20dual-home%20Windows%20data%20(at%20a%20cost).%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20also%20attach%20a%20Playbook%20to%20all%20incidents%20and%20therefore%20get%20a%20Teams%2C%20Email%20or%20ITSM%20message%20(or%20others)%20when%20you%20have%20an%20incident%20-%20regardless%20of%20the%20workspace%2C%20your%20central%20team%20can%20react%20to%20those.%3CBR%20%2F%3E%3CBR%20%2F%3EExample%20Workbook%20(showing%20%3CSTRONG%3ESecurityAlert%3C%2FSTRONG%3E%20data)%2C%20essentially%20these%20can%20show%20cross-workspace%20queries%20or%20with%20Azure%20Lighthouse%20cross%20AAD%20workspaces.%26nbsp%3B%20This%20shows%20two%20workspaces%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F168597iD43F7A1EE0D64920%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_0.png%22%20title%3D%22clipboard_image_0.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F168598i174676F86E519975%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_1.png%22%20title%3D%22clipboard_image_1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3ECode%20sample%20(which%20the%20above%20are%20based%20on)%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%3ESecurityAlert%0A%7C%20summarize%20count()%20by%20AlertName%2C%20ProductName%2C%20AlertSeverity%2C%20%5B%22Workspace%22%5D%20%3D%20TenantId%0A%7C%20order%20by%20Workspace%20asc%2C%20count_%20desc%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fms.portal.azure.com%23%4072f988bf-86f1-41af-91ab-2d7cd011db47%2Fblade%2FMicrosoft_Azure_Monitoring_Logs%2FDemoLogsBlade%2FresourceId%2F%252FDemo%2Fsource%2FLogsBlade.AnalyticsShareLinkToQuery%2Fq%2FH4sIAAAAAAAAAwtOTS4tyiypdMxJLSrh5apRKC7NzU0syqxKVUjOL80r0dBUSKpUAMv6Jeam6igEFOWnlCZDOWDx4NSyVJAROgrRSuH5RdnFBYnJqUqxCrYKIal5iXklnikgc%25252FOLUlKLQGbBlSgkFifrQGyJV0hJLU4GADeuc36MAAAA%2Ftimespan%2FP1D%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EGo%20to%20Log%20Analytics%20and%20run%20query%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1148864%22%20slang%3D%22en-US%22%3ERe%3A%20Single%20pane%20of%20glass%20for%20multiple%20log%20analytics%20workspaces%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1148864%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F172128%22%20target%3D%22_blank%22%3E%40Richard%20Davies%3C%2FA%3E%26nbsp%3BHave%20you%20looked%20at%20Using%20Grafana%3F%26nbsp%3B%20Sentinel%20dashboards%2Fworkbooks%20are%20not%20the%20best.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1346490%22%20slang%3D%22en-US%22%3ERe%3A%20Single%20pane%20of%20glass%20for%20multiple%20log%20analytics%20workspaces%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1346490%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3E.%3C%2FP%3E%3CP%3EWe're%20planning%20a%20rework%20of%20our%20subscription%20structure%2C%20such%20that%20we%20have%20a%20single%20workspace%20now%2C%20rather%20than%20one%20(or%20more)%20in%20each%20subscription%20and%20will%20use%20the%20appropriate%20RBAC%20control.%26nbsp%3B%20It's%20going%20to%20be%20annoying%20to%20have%20to%20leave%20data%20in%20the%20existing%20workspaces%20to%20age%20and%20expire%20rather%20than%20to%20be%20able%20to%20munge%20it%20all%20into%20a%20single%20workspace%20but%20needs%20must...%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

We’re wanting to onboard more of our stuff to Sentinel.  At the moment we have a hub/spoke model as illustrated below, with (at least) 1 Log Analytics workspace in each spoke – some dev teams have deployed their own workspaces for their apps.  The blue shaded shapes in the diagram below illustrate where workspaces currently exist, with the grey shaded shapes using the workspace in the parent subscription.  I’m aware that best practice is to have as few workspaces as possible where Sentinel is concerned.  Is there a way of having all LA Workspace content roll up into a single one for Sentinel usage?  I know this will incur additional data retention costs but ideally we want to give our SecOps guys a single pane of glass, rather than having to flit from instance to instance.

clipboard_image_0.png

3 Replies
Highlighted
Best Response confirmed by Richard Davies (New Contributor)
Solution

@Richard Davies 

 

If the data needs to reside in the original workspace (maybe for compliance reasons or to reduce egress) then maybe you can visualize the workspaces with an Azure Workbook.  If it can be moved centrally, moving to a single workspace model ( or two to allow for a test/dev one of course) then that would help .  Or as you say you can dual-home Windows data (at a cost). 

You can also attach a Playbook to all incidents and therefore get a Teams, Email or ITSM message (or others) when you have an incident - regardless of the workspace, your central team can react to those.

Example Workbook (showing SecurityAlert data), essentially these can show cross-workspace queries or with Azure Lighthouse cross AAD workspaces.  This shows two workspaces

 

clipboard_image_0.png

 

clipboard_image_1.png



Code sample (which the above are based on)

SecurityAlert
| summarize count() by AlertName, ProductName, AlertSeverity, ["Workspace"] = TenantId
| order by Workspace asc, count_ desc

 

Go to Log Analytics and run query

Highlighted

@Richard Davies Have you looked at Using Grafana?  Sentinel dashboards/workbooks are not the best.

Highlighted

Thanks @Clive Watson.

We're planning a rework of our subscription structure, such that we have a single workspace now, rather than one (or more) in each subscription and will use the appropriate RBAC control.  It's going to be annoying to have to leave data in the existing workspaces to age and expire rather than to be able to munge it all into a single workspace but needs must...