Based on this from @Yuri Diogenes what we're trying to do is understand the best way of implmenting Log Analytics to support both functions in the best way possible & ensuring we don't limit the functionality of either - https://techcommunity.microsoft.com/t5/Security-Identity/Integrating-Azure-Security-Center-with-Azur...
With Regards to Azure Sentinel & ASC:
- We know they are two different products for two different areas of focus – no probs
What we are doing is getting this working for another customer as well... - IF ASC has it's own Workspace then ALL ASC content/logs goes here and ONLY the Alerts (not the full logs) will be forwarded to Sentinel
- I think we can all agree this is not ideal - Sentinel will be missing the full context of the ASC feed...?
- The reason for clarifying this is that there almost seems to be some form of "Automated" control that means as you enable a Workspace for ASC that it seems to "break" any existing workspace from Seintinel and enforce it's own connection... It certainly seems to be an area that's not very clear?
Should we be considering any of the following:
- Do we potentially look at Multi-homing the agents?
https://docs.microsoft.com/en-us/azure/security-center/security-center-planning-and-operations-guide... - What is the best practices way of approaching this?
https://docs.microsoft.com/en-us/azure/security-center/security-center-faq#how-can-i-use-my-existing...
- Use existing Log Analytics...?
https://docs.microsoft.com/en-us/azure/security-center/security-center-faq#should-i-opt-out-of-the-a... - Quote:
If you want to avoid creation of multiple workspaces per subscription and you have your own custom workspace within the subscription, then you have two options:
- You can opt out of automatic provisioning. After migration, set the default workspace settings as described in How can I use my existing Log Analytics workspace?
- Or, you can allow the migration to complete, the Microsoft Monitoring Agent to be installed on the VMs, and the VMs connected to the created workspace. Then, select your own custom workspace by setting the default workspace setting with opting in to reconfiguring the already installed agents. For more information, see How can I use my existing Log Analytics workspace?
I hope this makes sense?
My own take would be to use a single workspace. Not being an ASC expert, I might be missing some advantage to the multiple workspaces, however multi-homing to dual workspaces incurs additional cost. So I would not multi-home unless there is a clear need.
Note that you don't have to opt out of automatic provisioning. The quoted text is somewhat misleading in this respect. You actually set the workspace used for automatic provisioning to an existing rather than automatically created one. The screenshot clarifies that ("automatic provisioning" is on, and"use another workspace" is selected)
