Disaster Recovery Design for Microsoft Sentinel


I would like to know if there is a recommended design for disaster recovery of Sentinel SIEM, like placing another Log Analytics workspace in a paired region, then pointing the DR servers to report to this LAW.


In case I need a live DR, do I have to replicate the Log Analytics workspace to the other paired region, and what is the best method to do this replication?


2 Replies


Remember that the underlying storage and platform are highly available, and more so in Azure Regions with Availability Zones. Microsoft did have a preview a while back (two years???) to look at allowing a customer to perform a failover from one region/workspace to another, but it was paused.

If you want VMs and an Active/Active capability you can multi-home to two workspaces at once, however that will double your costs (so maybe only protect critical VMs that way?).
Note, not all resources allow this capability, but VMs with AMA (Windows and Linux) do allow multi-homing, or just Windows with the MMA deployed.

Thanks for the feedback Clive!