Jun 30 2022 08:36 AM - edited Jun 30 2022 08:48 AM
All,
When you have Defender for Cloud and Sentinel... do you still use 2 Log Analytics workspaces, or do you reconfigure the Defender for Cloud Log Analytics workspace to ingest the Defender for Cloud events into the Sentinel workspace also?
best regards
Arjan
Jun 30 2022 02:01 PM
Sep 26 2022 07:58 PM
Sep 26 2022 11:27 PM
Solution
@Arjan Veen, van, one Log Analytics is good enough, so you can forward the ASC (Azure Security Center/Defender) alerts to Sentinel.
Refer to the picture below, from one of the Microsoft sources, where it shows one Log Analytics is good enough for both Azure and on-prem.
Sep 27 2022 12:57 AM
Sep 27 2022 12:18 PM
Oct 15 2022 05:48 AM
Oct 18 2022 08:58 AM
@Arjan Veen, van, it depends ;). Don't assume you can share a common LAW. There are many factors to consider, such as ingestion of more than 100 GB/day, access control to the LAW, data sovereignty/geographic requirements, etc. There is a decent decision tree at "Design your Microsoft Sentinel workspace architecture | Microsoft Learn".