Dec 03 2020 - last edited on Jan 04 2022
I am a newbie to Azure Sentinel.
Our env has set up multiple subscriptions and Log Analytics workspaces for different productions.
I would like to trigger some rules (from template) in Log Analytics workspaces to monitor all our productions. Should I set up rules in every Log Analytics workspace or only one of them? To view all incidents in one workbook, should I forward the logs from different resources (different subscriptions) to one special Log Analytics workspace?
Dec 04 2020 05:25 AM
@cklonger You would need to trigger the rules in each workspace as the rules can only work in one workspace for the most part. You can then use Azure Lighthouse to view the incidents from all your workspaces in one view. Take a look at this page to get you started:
Dec 06 2020 05:57 AM
- It is recommended, by Sentinel and by Log Analytics, to keep all logs in a centralized workspace.
- You can run a rule across workspaces using cross-workspace queries, however you will have to modify the built-in rules and some features such as investigation are limited with such rules.
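As an added illustration of the cross-workspace approach described in the reply above (example query, not from any of the posts or from Microsoft's rule templates): a template-style failed-logon detection rewritten with workspace() and union so one analytics rule covers several workspaces. The workspace names prod-eu-law and prod-us-law and the threshold are placeholders you would replace with your own.

```kql
// Added example: one detection query spanning two Log Analytics workspaces.
// Workspace names are assumed placeholders; replace with your own.
// isfuzzy=true keeps the union working if SecurityEvent is absent from one workspace.
let lookback = 1h;
let threshold = 10;   // constructed value, tune for your environment
union isfuzzy=true
    (workspace("prod-eu-law").SecurityEvent | extend SourceWorkspace = "prod-eu-law"),
    (workspace("prod-us-law").SecurityEvent | extend SourceWorkspace = "prod-us-law")
| where TimeGenerated > ago(lookback)
| where EventID == 4625                       // failed logon
| summarize FailedCount = count(),
            StartTime = min(TimeGenerated),
            EndTime = max(TimeGenerated)
    by SourceWorkspace, Computer, TargetUserName, IpAddress
| where FailedCount >= threshold
| order by FailedCount desc
```

Carrying SourceWorkspace through the summarize is what lets an incident raised by this rule show which workspace the activity came from, which the stock template does not need because it only ever sees one workspace.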
Dec 07 2020 04:44 AM
@Ofer_Shezaf Correct. I should have specified to use multiple workspaces when using different regions (taking into account the egress charges vs complexity of having multiple environments). Thanks for pointing that out.
Here is a link to a best practices posting (although some of the information is out of date)