How to add multiple workspaces to Azure Sentinel

FahadAhmed · ‎Feb 16 2022

Hi there,

Currently we have Azure Sentinel running on workspace "abc" within subscription "123". Now we would like to add another workspace "efg" that is within subscription "456" to the already running sentinel instance connected to workspace "abc".

Can any one guide me if this is even possible? if yes, how to add an additional workspace in existing sentinel instance in a different subscription?

any help will be appreciated.

Thanks

Fahad.

Clive_Watson · ‎Feb 16 2022

Just create "efg" then add it to Sentinel. Providing the subscriptions are in the same tenant (Directory) you are ok, if they are not you will need Azure Lighthouse.

FahadAhmed · ‎Feb 16 2022

so subscriptions are in the same tenant. When you are saying "Just create "efg" then add it to Sentinel." are you referring to add this workspace to a new Azure Sentinel instance or the existing Sentinel instance that already has "abc" workspace connected? if "efg" will need to be connected then please guide how? since I am new here n dont see anything that can point of how to add an existing workspace to an existing sentinel instance that is already connected to another workspace.

Clive_Watson · ‎Feb 16 2022

@FahadAhmed

From Sentinel the UI --> +Create --> you then get an option to "create New Workspace" or Add an existing one - just select a Workspace then press [add]

Sergei2435 · ‎Feb 16 2022

@Clive_Watson

Clive, I think Fahad was asking if it's possible to map one Sentinel instance to multiple workspaces.

@FahadAhmed Please let me know if I'm wrong, Fahad.

If we follow your suggestion Clive, we will have multiple Sentinels: one for each log analytics workspace. That seems right to me. It is not possible to connect multiple workspaces to a single Sentinel instance, isn't it?

Thanks

FahadAhmed · ‎Feb 16 2022

Indeed, you cannot map one sentinel instance to multiple workspaces, so multiple workspaces means multiple sentinel instances.

While you have the ability to run multi-workspace queries against multiple sentinel instances in one go, you will still need manage settings and so forth separately for each sentinel instance.

Clive_Watson · ‎Feb 16 2022

Sorry if I wasn't clear...yes one Workspace per Sentinel instance.

FahadAhmed · ‎Feb 16 2022

@Sergei2435 yeah that was exactly my questions.

FahadAhmed · ‎Feb 16 2022

Thanks Jonhed , Clive_watson and Sergei. Appreciate your support and clarifications.

FahadAhmed · ‎Feb 16 2022

Indeed, you cannot map one sentinel instance to multiple workspaces, so multiple workspaces means multiple sentinel instances.

While you have the ability to run multi-workspace queries against multiple sentinel instances in one go, you will still need manage settings and so forth separately for each sentinel instance.

View solution in original post

How to add multiple workspaces to Azure Sentinel

How to add multiple workspaces to Azure Sentinel

Re: How to add multiple workspaces to Azure Sentinel

Re: How to add multiple workspaces to Azure Sentinel

Re: How to add multiple workspaces to Azure Sentinel

Re: How to add multiple workspaces to Azure Sentinel

Re: How to add multiple workspaces to Azure Sentinel

Re: How to add multiple workspaces to Azure Sentinel

Re: How to add multiple workspaces to Azure Sentinel

Re: How to add multiple workspaces to Azure Sentinel

Re: How to add multiple workspaces to Azure Sentinel

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

How to add multiple workspaces to Azure Sentinel