Microsoft Sentinel workspace design


Hello everyone, 

The Microsoft Sentinel sample workspace designs listed here do not fit my requirements.


Could anyone please suggest a Sentinel workspace design for an organization with the following requirements:

  1. Single Azure tenant
  2. 20 departments/affiliates/ownership
  3. Split billing /chargeback among different departments/affiliates/ownership
  4. Segregate data or define boundaries based on departments/affiliates/ownership
  5. Single SOC team
  6. Different operational teams (departments/affiliates/ownership)

A general conceptual design will be useful!


Thank you very much


1 Reply
best response confirmed by Emutahar505 (Copper Contributor)
Sounds like you would need a different Sentinel instance per department (possibly each one in its own subscription to make billing easier). Your SOC team would have to have Lighthouse set up to each of these instances in order to be able to see the incidents and respond to them.

It would be very difficult to give you a good design just using this forum. You would probably be better off working with a consultant to give you a thorough design.