Feb 03 2020 03:25 AM
We’re wanting to onboard more of our stuff to Sentinel. At the moment we have a hub/spoke model as illustrated below, with (at least) 1 Log Analytics workspace in each spoke – some dev teams have deployed their own workspaces for their apps. The blue shaded shapes in the diagram below illustrate where workspaces currently exist, with the grey shaded shapes using the workspace in the parent subscription. I’m aware that best practice is to have as few workspaces as possible where Sentinel is concerned. Is there a way of having all LA Workspace content roll up into a single one for Sentinel usage? I know this will incur additional data retention costs but ideally we want to give our SecOps guys a single pane of glass, rather than having to flit from instance to instance.
Feb 03 2020 07:58 AM
Solution
If the data needs to reside in the original workspace (maybe for compliance reasons or to reduce egress) then maybe you can visualize the workspaces with an Azure Workbook. If it can be moved centrally, moving to a single workspace model (or two to allow for a test/dev one of course) then that would help. Or as you say you can dual-home Windows data (at a cost).
You can also attach a Playbook to all incidents and therefore get a Teams, Email or ITSM message (or others) when you have an incident - regardless of the workspace, your central team can react to those.
Example Workbook (showing SecurityAlert data); essentially these can show cross-workspace queries or, with Azure Lighthouse, cross-AAD workspaces. This shows two workspaces.
Code sample (which the above are based on)
SecurityAlert | summarize count() by AlertName, ProductName, AlertSeverity, ["Workspace"] = TenantId | order by Workspace asc, count_ desc
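A cross-workspace form of the query above, added here as an illustration rather than taken from the original answer: it unions the SecurityAlert table from a hub and a spoke workspace with the KQL workspace() function so one query (or one Workbook tile) covers both. The workspace names are placeholders for your own hub/spoke workspace names or resource IDs.

```kql
// Added example: cross-workspace version of the SecurityAlert summary.
// "workspace-hub" and "workspace-spoke-a" are placeholder workspace names;
// replace them with your own workspace names or full resource IDs.
// isfuzzy=true keeps the query running if one workspace has no SecurityAlert table yet.
union isfuzzy=true
    workspace("workspace-hub").SecurityAlert,
    workspace("workspace-spoke-a").SecurityAlert
| where TimeGenerated > ago(7d)
| summarize count() by AlertName, ProductName, AlertSeverity, ["Workspace"] = TenantId
| order by Workspace asc, count_ desc
```

TenantId here is the workspace ID of the workspace each alert came from, so the Workspace column tells the SecOps team which spoke raised it without leaving the central view.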
Feb 03 2020 12:50 PM
@Richard Davies Have you looked at Using Grafana? Sentinel dashboards/workbooks are not the best.
Apr 29 2020 01:01 AM
Thanks @Clive Watson.
We're planning a rework of our subscription structure, such that we have a single workspace now, rather than one (or more) in each subscription and will use the appropriate RBAC control. It's going to be annoying to have to leave data in the existing workspaces to age and expire rather than to be able to munge it all into a single workspace but needs must...