cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Azure Sentinel Instances per Subscription

E_Black1994
Copper Contributor

‎Apr 20 2021 06:12 AM

‎Apr 20 2021 06:12 AM

Azure Sentinel Instances per Subscription

Hello all, 

 

This will be my first post here! 

 

At present we have implemented 5 instances of Azure Sentinel per the 5 subscriptions of our 1 Azure Tenancy. After doing some research it seems that we may have mis-configured this from what we where reading at the time. As you can imagine managing 5 separate instances can be a bit of a headache!

 

It seems like the ''best practice'' is to have 1 central Azure Sentinel instance and all Subscriptions will feed into this single location under one tenancy? I am currently looking for some guidance and any supporting documentation to show that this is the way it should be configured so we are able to make the necessary amendments and reduce down to 1 instance. I strongly believe this is the best way to go to reduce the level of noise and additional work we have currently. 

 

Cheers 

4,100 Views
0 Likes
3 Replies
Reply
3 Replies
Rod_Trent

‎Apr 20 2021 07:14 AM

‎Apr 20 2021 07:14 AM

Re: Azure Sentinel Instances per Subscription

@E_Black1994 Yep, you've hit on the right method. In those situations where it is possible, you should always attempt to utilize one single Log Analytics workspace for Azure Sentinel. This it makes it easier to manage from a number of angles including eliminating separate billing, enabling fine grained retention settings, and fine grained access control. 

 

Multiple workspaces should be considered in cases where you have multiple Azure tenants, where data needs to be stored in specific regions due to compliance and sovereignty, a few others.

0 Likes
Reply
E_Black1994

‎Apr 20 2021 08:05 AM

‎Apr 20 2021 08:05 AM

Re: Azure Sentinel Instances per Subscription

@Rod_Trent
Brilliant, glad to hear that i'm onto the right solution, is there any written documentation to enforce this method? Thanks for coming back to me.

Also would it wise to use only the Log Analytics workspace attached to Azure Sentinel exclusively for Sentinel or can you pump other logs from other Azure resources into the same space and it not matter? I'd assume it would be better to keep them purely aligned to Sentinel to assist with billing etc?
0 Likes
Reply
Rod_Trent

‎Apr 20 2021 08:12 AM

‎Apr 20 2021 08:12 AM

Re: Azure Sentinel Instances per Subscription

Best practice is to only send Sentinel-related data into the Log Analytics workspace. Otherwise, you are paying Sentinel costs for data you're not using for security purposes.
0 Likes
Reply