LAW Architecture for Security Center


There are two options for setting up the LAWs for Security Center. By default, when onboarding a subscription to Security Center, a separate LAW is created for each subscription. Microsoft also allows you to define your own (central) LAW.
Which option should be considered when you want both security logs and monitoring/performance logs? What is the difference? Can I give a Log Analytics agent two different destinations (one for ASC security logs and one for Azure Monitor logs)?

1 Reply
Hi Sebastian,
Although there is no one-size-fits-all advice in this case (every org is different, with different requirements, policies and limitations, e.g. GDPR, when it comes to data collection and storage), there are some considerations you would need to take into account when deciding your strategy for ASC logs:
https://docs.microsoft.com/en-us/azure/security-center/faq-data-collection-agents
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection
Most companies we work with end up using as few workspaces as possible in order to make it easier to query and correlate data. Please also keep in mind that you can enable Azure Sentinel (if you decide to use it as your SIEM solution) on the default workspace ASC creates. Let me know if you have any further questions.
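As an added example (not part of the thread above, and not Microsoft's own tooling), the following Azure CLI script shows the second option the question describes: binding a subscription's Security Center data collection to one central Log Analytics workspace rather than the per-subscription default. It assumes the `az` CLI is installed and logged in; the subscription ID, resource group and workspace name are placeholders, and with the default `DRY_RUN=1` it only prints the commands it would run.

```shell
#!/usr/bin/env bash
# Added example: point a subscription's Security Center (ASC) data collection
# at a central Log Analytics workspace instead of the per-subscription default.
# Assumptions: `az` is installed and logged in; subscription ID, resource group
# and workspace name are placeholders. DRY_RUN=1 (default) prints the commands,
# DRY_RUN=0 executes them.
set -euo pipefail

# Build the ARM resource ID of a Log Analytics workspace from its parts.
workspace_id() {
  local sub="$1" rg="$2" name="$3"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.OperationalInsights/workspaces/%s' \
    "$sub" "$rg" "$name"
}

# Run a command, or print it when DRY_RUN is not 0. No eval: the argv is passed through as-is.
run_cmd() {
  if [ "${DRY_RUN:-1}" = "0" ]; then
    "$@"
  else
    printf '%s ' "$@"
    printf '\n'
  fi
}

# Apply the two settings that make ASC send agent data from every VM in the
# subscription to the given workspace.
configure_asc_workspace() {
  local sub="$1" ws_id="$2"
  # ASC stores the workspace binding as a "workspace setting" named "default".
  run_cmd az security workspace-setting create \
    --subscription "$sub" --name default --target-workspace "$ws_id"
  # Auto-provisioning installs the Log Analytics agent on VMs and points it at that workspace.
  run_cmd az security auto-provisioning-setting update \
    --subscription "$sub" --name default --auto-provision On
}

# Example invocation with constructed placeholder values (not a real tenant).
SUB_ID="00000000-0000-0000-0000-000000000000"
WS_ID="$(workspace_id "$SUB_ID" "rg-security-logging" "law-central")"
configure_asc_workspace "$SUB_ID" "$WS_ID"
```

Run it with `DRY_RUN=0` once the placeholders are replaced; the workspace setting can also be reviewed with `az security workspace-setting list`. On the agent-side part of the question: the Log Analytics agent for Windows can be multi-homed to several workspaces, whereas the Linux agent reports to a single workspace, which is one more reason teams converge on the small number of workspaces the reply above recommends.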