Apr 20 2021 06:12 AM
Hello all,
This will be my first post here!
At present we have implemented 5 instances of Azure Sentinel per the 5 subscriptions of our 1 Azure Tenancy. After doing some research it seems that we may have misconfigured this from what we were reading at the time. As you can imagine managing 5 separate instances can be a bit of a headache!
It seems like the "best practice" is to have 1 central Azure Sentinel instance and all Subscriptions will feed into this single location under one tenancy? I am currently looking for some guidance and any supporting documentation to show that this is the way it should be configured so we are able to make the necessary amendments and reduce down to 1 instance. I strongly believe this is the best way to go to reduce the level of noise and additional work we have currently.
Cheers
Apr 20 2021 07:14 AM
@E_Black1994 Yep, you've hit on the right method. In those situations where it is possible, you should always attempt to utilize one single Log Analytics workspace for Azure Sentinel. This makes it easier to manage from a number of angles, including eliminating separate billing, enabling fine-grained retention settings, and fine-grained access control.
Multiple workspaces should be considered in cases where you have multiple Azure tenants, where data needs to be stored in specific regions due to compliance and sovereignty, and a few others.
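Before consolidating, it helps to have an inventory of every workspace that currently has Sentinel enabled, grouped by tenant and region, since those are exactly the two factors the reply above names as reasons to keep workspaces separate. The script below is an added example, not code from either poster or from Microsoft. It assumes the Az PowerShell module and an existing Connect-AzAccount session, and it relies on the fact that onboarding a workspace to Sentinel creates a solution resource named SecurityInsights(<workspaceName>) of type Microsoft.OperationsManagement/solutions in the workspace's resource group. The function name and the TenantId parameter are this example's own.

```powershell
# Added example (not from the thread): inventory every Sentinel-enabled
# Log Analytics workspace across all enabled subscriptions in one tenant.
# Requires the Az module and an active Connect-AzAccount session.

function Get-SentinelWorkspaceInventory {
    [CmdletBinding()]
    param(
        # Assumption: scope to a single tenant; defaults to the current context's tenant.
        [string]$TenantId = (Get-AzContext).Tenant.Id
    )

    $subs = Get-AzSubscription -TenantId $TenantId | Where-Object { $_.State -eq 'Enabled' }

    foreach ($sub in $subs) {
        Set-AzContext -SubscriptionId $sub.Id -TenantId $TenantId | Out-Null

        # Sentinel onboarding is visible as a "SecurityInsights(<workspace>)" solution.
        $solutions = Get-AzResource -ResourceType 'Microsoft.OperationsManagement/solutions' |
            Where-Object { $_.Name -like 'SecurityInsights(*' }

        foreach ($sol in $solutions) {
            # "SecurityInsights(" is 17 characters; drop it and the closing ")".
            $wsName = $sol.Name.Substring(17).TrimEnd(')')

            $ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $sol.ResourceGroupName `
                                                    -Name $wsName -ErrorAction SilentlyContinue

            [pscustomobject]@{
                Subscription  = $sub.Name
                ResourceGroup = $sol.ResourceGroupName
                Workspace     = $wsName
                Location      = $ws.Location
                RetentionDays = $ws.retentionInDays
                Sku           = $ws.Sku
            }
        }
    }
}

$inventory = Get-SentinelWorkspaceInventory
$inventory | Format-Table -AutoSize

# One tenant and one region for every row means neither of the reasons given
# above for keeping multiple workspaces applies, and consolidation is on the table.
$inventory | Group-Object Location | Select-Object Name, Count
```

The per-row retention and SKU values are worth keeping from this output: when the five workspaces are merged into one, the surviving workspace needs a retention setting that satisfies the strictest of the five, and any per-subscription access control that was implicit in having separate workspaces has to be re-expressed as table-level or resource-context RBAC on the single workspace.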