Oct 01 2021 01:32 AM
Oct 01 2021 05:05 AMSolution
@Artem_Rozhko An Azure Sentinel instance can only work against 1 Log Analytics workspace. You have a few options here. 1) Have all the resources send their logs to a single Log Analytics workspace and have Azure Sentinel use that. (probably the best solution if feasible) 2) Use something like an Event Hub and have the other 12 workspaces send their data into the 1 that Azure Sentinel uses (not recommended) 3) Create an Azure Sentinel instance for each Log Analytic workspace and then use Azure Lighthouse to provide an overall picture of all the incidents that occur. Basically treating your environment like a MSSP (2nd best option but easiest to implement). Just remember that if you do associate a Log Analytics workspace with Azure Sentinel there is an additional ingestion cost added.
Oct 01 2021 09:21 AM
Oct 18 2021 04:26 AM - last edited on Nov 08 2023 10:31 PM by wishy
@Hairy_Zeus The main reason is cost. You are needlessly duplicating data and you will need to pay the ingestion charges for both workspaces and this includes any of the free data (like O365 logs and Azure audit logs). It will not be free when being sent to the second workspace