SOLVED

Send to Sentinel logs from many Log Analytics


Hello dear colleagues, we have several Log Analytics workspaces (13) and one Azure Sentinel. Is it possible to send logs from our 13 Log Analytics workspaces to one Azure Sentinel workspace? Is it possible?


Solution

@Artem_Rozhko An Azure Sentinel instance can only work against 1 Log Analytics workspace. You have a few options here. 1) Have all the resources send their logs to a single Log Analytics workspace and have Azure Sentinel use that (probably the best solution if feasible). 2) Use something like an Event Hub and have the other 12 workspaces send their data into the 1 that Azure Sentinel uses (not recommended). 3) Create an Azure Sentinel instance for each Log Analytics workspace and then use Azure Lighthouse to provide an overall picture of all the incidents that occur. Basically treating your environment like an MSSP (2nd best option but easiest to implement). Just remember that if you do associate a Log Analytics workspace with Azure Sentinel there is an additional ingestion cost added.

Wow, thanks Gary for this ultimate answer! I suppose we will use the first option.

@Gary Bushey this is very helpful, thank you. However, I'm interested in knowing why option 2 is not recommended. What are the drawbacks of this approach?

@Hairy_Zeus The main reason is cost. You are needlessly duplicating data and you will need to pay the ingestion charges for both workspaces, and this includes any of the free data (like O365 logs and Azure audit logs). It will not be free when being sent to the second workspace.
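Before picking between option 1 (consolidate) and option 2 (duplicate), it helps to size the billable ingestion of every source workspace from one place. The KQL below is an added example, not code from the thread or from Microsoft; it assumes the caller has read access to the listed workspaces (which is what the Lighthouse option delegates), and the workspace names `ws-prod-01`, `ws-prod-02` and the `30d` window are placeholders.

```kql
// Added example: aggregate billable ingestion across several Log Analytics
// workspaces via the cross-workspace union. The Usage table records volume
// in MBytes per data type and flags whether it was billable.
// Workspace names below are placeholders for the 13 real ones.
let lookback = 30d;
union isfuzzy=true
    (workspace("ws-prod-01").Usage | extend SourceWorkspace = "ws-prod-01"),
    (workspace("ws-prod-02").Usage | extend SourceWorkspace = "ws-prod-02")
| where TimeGenerated > ago(lookback)
| where IsBillable == true
| summarize
    TotalGB = round(sum(Quantity) / 1024.0, 2),   // Quantity is in MBytes
    AvgDailyGB = round(sum(Quantity) / 1024.0 / 30, 2)
    by SourceWorkspace, DataType
| order by SourceWorkspace asc, TotalGB desc
// Under option 1 the sum of TotalGB is roughly what the single workspace
// would ingest; under option 2 that same volume is paid for a second time
// in the Sentinel workspace, which is the cost drawback described above.
```

Data types that are free in the source workspace show up with `IsBillable == false` and are excluded here, so compare this result against the second workspace's own Usage table after a pilot to see what becomes billable once forwarded.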