cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

LAW Architecture for Security Center

msmotto21
Copper Contributor

‎Aug 24 2021 04:09 AM - last edited on ‎Nov 29 2021 11:54 AM by

‎Aug 24 2021 04:09 AM - last edited on ‎Nov 29 2021 11:54 AM by

LAW Architecture for Security Center

There are two options how to set up the LAWs for the Security Center. By default, when onboarding the subscription in the Security Center, a separate LAW is created for each subscription. Microsoft also allows you to define your own (central) LAW.
Which option should be considered considering to have security logs and monitoring/performance logs? What is the difference? Can I give a Log Analytic Agent two different destinations (one for ASC Security Logs and one for Azure Monitor Logs)?

2,735 Views
0 Likes
1 Reply
Reply
1 Reply
Stanislav Belov

‎Aug 25 2021 01:00 PM

‎Aug 25 2021 01:00 PM

Re: LAW Architecture for Security Center

Hi Sebastian,
Although there is no one-size-fit-all advice in this case (every org is different with different requirements, policies and limitations, e.g. GDPR, when it comes to data collection and storage), there are some considerations you would need to take into account when deciding their strategy for ASC logs:
https://docs.microsoft.com/en-us/azure/security-center/faq-data-collection-agents
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection
Most companies we work with end up using as few workspaces as possible in order to be able to easier query and correlate data. Please also keep in mind, you can enable Azure Sentinel (if you decided to use it as your SIEM solution) on the default workspace ASC creates. Let me know if you have any further questions.
1 Like
Reply