Disaster Recovery Design for Microsoft Sentinel


I would like to know if there is a recommended design for disaster recovery of Sentinel SIEM, like placing another Log Analytics workspace in a paired region and then pointing the DR servers to report to this LAW.


If I need a live DR, do I have to replicate the Log Analytics workspace to the other paired region, and what is the best method to do this replication?


4 Replies


Remember that the underlying storage and platform is highly available, and more so in Azure Regions with Availability Zones. Microsoft did have a preview a while back (two years???) to look at allowing a customer to perform a failover from one region/workspace to another, but it was paused.

If you want VMs and an Active/Active capability you can multi-home to two workspaces at once, however that will double your costs (so maybe only protect critical VMs that way?).
Note, not all resources allow this capability, but VMs with AMA (Windows and Linux) do allow multi-homing, as does Windows with the MMA deployed.
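As an added example (not code from the thread or from Microsoft), the AMA multi-homing described above can be expressed as a single data collection rule whose data flow fans out to two Log Analytics destinations; the workspace resource IDs and the XPath filter are constructed placeholders, and the helper checks that every flow really reaches both workspaces.

```python
import json

# Constructed placeholders (not from the thread): the primary workspace and the
# DR workspace in the paired region. Each destination ingests independently,
# which is why multi-homing roughly doubles the billed volume.
PRIMARY_WS = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
              "rg-siem-primary/providers/Microsoft.OperationalInsights/workspaces/law-sentinel-primary")
SECONDARY_WS = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                "rg-siem-dr/providers/Microsoft.OperationalInsights/workspaces/law-sentinel-dr")


def build_multihome_dcr(location, primary_ws, secondary_ws, xpath_queries):
    """Return a DCR body that sends Windows Security events to both workspaces."""
    return {
        "location": location,
        "properties": {
            "dataSources": {
                "windowsEventLogs": [{
                    "name": "securityEvents",
                    "streams": ["Microsoft-SecurityEvent"],
                    "xPathQueries": xpath_queries,
                }]
            },
            "destinations": {
                "logAnalytics": [
                    {"name": "primary", "workspaceResourceId": primary_ws},
                    {"name": "secondary", "workspaceResourceId": secondary_ws},
                ]
            },
            # One flow, two destinations: the agent delivers each event to both.
            "dataFlows": [{
                "streams": ["Microsoft-SecurityEvent"],
                "destinations": ["primary", "secondary"],
            }],
        },
    }


def workspaces_reached_by_every_flow(dcr):
    """Workspace IDs that every data flow delivers to; the DR copy is only as
    good as the intersection, so a flow missing the secondary shows up here."""
    props = dcr["properties"]
    name_to_ws = {d["name"]: d["workspaceResourceId"]
                  for d in props["destinations"]["logAnalytics"]}
    reached = None
    for flow in props["dataFlows"]:
        ws = {name_to_ws[n] for n in flow["destinations"] if n in name_to_ws}
        reached = ws if reached is None else reached & ws
    return reached or set()


def to_arm_json(dcr):
    """Serialise the rule body for deployment with the tooling of your choice."""
    return json.dumps(dcr, indent=2)
```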

Thanks for the feedback Clive!
Can you explain more about the preview that Microsoft had for allowing a customer to perform a failover from one region/workspace to another? Why was it paused?
How can I determine which resources allow for multi-homing with VMs, and which ones do not?
Can you elaborate on the costs associated with multi-homing to two workspaces at once, and provide some guidance on how to determine which VMs to protect in this way?
Sorry, that's a question you'd have to ask Microsoft - I suspect (and it's a guess) that the Availability Zone feature meets the minimum required for most.

Costs to multi-home are roughly double anything you ingest. So if you ingest 1GB today, it will be 2GB across two workspaces. This is only a rough estimate as other licences and workspace Tiering could affect the overall cost.
You'll know your VMs the best - I'd start with the most critical ones. You'd also need to know exactly why the data needs to be available to justify the cost and complexity, e.g. what's the business need or risk you are mitigating if the data isn't near instantly available in a secondary workspace (this will help justify the costs).