Azure Security Centre and Sentinel sharing LAW

Regular Visitor

I have a question and am hoping someone can clarify something for me. We are working on a project deploying Azure Security Centre and Azure Defender (leveraging Qualys scanning engine) for vulnerability scanning capability, and consolidate the logs and metrics to a centralised Log Analytics Workspace. We also have a Sentinel project using its own Log Analytics Workspace. Am i correct in saying that when we deploy the LAW agents and Qualys agent it should be pointing to the same central log analytics that Sentinel uses? Or should it be using another Log Analytics Workspace and then use the connector to Sentinel? The Sentinel Project is looking for clarification why we should be using the Sentinel LAW instead of our own.

1 Reply
Technically you can have a LAW for ASC and one for Azure Sentinel (and use the connector), but most people combine the two workspaces into one shared resource. Advise is to have as few large workspaces as possible (start at one, and only add others as exceptions). Also remember Azure Sentinel cant use a "default-" workspace, that ASC can setup, so you need a named LAW. The data not to have in Azure Sentinel is operational data (data with low or no security value) especially Perf data, Perf if mid-high volume probably should be in its own LAW.