Azure Sentinel Instances per Subscription

Copper Contributor

Hello all, 


This will be my first post here! 


At present we have implemented 5 instances of Azure Sentinel per the 5 subscriptions of our 1 Azure Tenancy. After doing some research it seems that we may have mis-configured this from what we where reading at the time. As you can imagine managing 5 separate instances can be a bit of a headache!


It seems like the ''best practice'' is to have 1 central Azure Sentinel instance and all Subscriptions will feed into this single location under one tenancy? I am currently looking for some guidance and any supporting documentation to show that this is the way it should be configured so we are able to make the necessary amendments and reduce down to 1 instance. I strongly believe this is the best way to go to reduce the level of noise and additional work we have currently. 



3 Replies

@E_Black1994 Yep, you've hit on the right method. In those situations where it is possible, you should always attempt to utilize one single Log Analytics workspace for Azure Sentinel. This it makes it easier to manage from a number of angles including eliminating separate billing, enabling fine grained retention settings, and fine grained access control. 


Multiple workspaces should be considered in cases where you have multiple Azure tenants, where data needs to be stored in specific regions due to compliance and sovereignty, a few others.

Brilliant, glad to hear that i'm onto the right solution, is there any written documentation to enforce this method? Thanks for coming back to me.

Also would it wise to use only the Log Analytics workspace attached to Azure Sentinel exclusively for Sentinel or can you pump other logs from other Azure resources into the same space and it not matter? I'd assume it would be better to keep them purely aligned to Sentinel to assist with billing etc?
Best practice is to only send Sentinel-related data into the Log Analytics workspace. Otherwise, you are paying Sentinel costs for data you're not using for security purposes.