Forum Discussion
Jeff Walzer
Mar 02, 2020
Iron Contributor
Sentinel across multi-region/workspaces
We have resources deployed in two regions, East US and Central US. We are using Central US as a zone pair to East US and with that was wondering if I need to create a log analytics workspace for the ...
- Mar 02, 2020
Jeff Walzer No need to pair them. You can have multiple workspaces and query across them using a single Azure Sentinel console. Here's an example...
union Update, workspace("otherworkspacename").Update, workspace("otherworkspaceID").Update
| where TimeGenerated >= ago(1h)
| where UpdateState == "Needed"
| summarize dcount(Computer) by Classification
You can even save a query like this as a Function so you can just use the Function alias to use it.
Question is...why do you think you might need multiple Sentinel workspaces? Best practice is to use a single workspace if possible.
Reasons why you might want to use multiple workspaces:
- Use of multiple Azure tenants
- For compliance and sovereignty reasons
- To reduce networking costs across regions
Reasons to avoid multiple workspaces:
- Separate billing
- Fine-grained retention settings
- Fine-grained access control
- Legacy architecture
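An added example, not part of the original thread: a variant of the cross-workspace query above that keeps a per-workspace breakdown, so a single result set still shows which workspace each count came from. The workspace name is the placeholder from the reply; `TenantId` is the standard Log Analytics column holding the workspace ID.

```kusto
// Added example (not from the thread). "otherworkspacename" is a placeholder;
// substitute the name or ID of your second workspace.
let lookback = 1h;
union isfuzzy=true            // keep running if the Update table is absent in one workspace
    Update,
    workspace("otherworkspacename").Update
| where TimeGenerated >= ago(lookback)
| where UpdateState == "Needed"
// TenantId carries the ID of the workspace each record was ingested into
| summarize Computers = dcount(Computer) by Classification, WorkspaceId = TenantId
| order by WorkspaceId asc, Computers desc
```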
Jeff Walzer
Mar 03, 2020
Iron Contributor
Rod_Trent - thx for the reply and information.
The reason I thought I would need multiple workspaces is because we have resources in different regions. Is it possible to have resources in one region forward metrics/events via the diagnostic and log analytics agent to another region (in my case resources in the Central region forwarding metrics/events to the East region)?
Thx
Rod_Trent
Microsoft
Mar 03, 2020
Jeff Walzer Yes, absolutely. Azure Sentinel becomes the single pane of glass for your entire infrastructure.