SOLVED

Sentinel across multi-region/workspaces

Iron Contributor

We have resource deployed in two regions, East US and Central US. We are using Central US as as zone pair to East US and with that was wondering if I need to create a log analytics workspace for the resources in Central US, and if so, how do I configure/associate Sentinel to both workspaces?

 

Thx  

5 Replies
best response confirmed by Jeff Walzer (Iron Contributor)
Solution

@Jeff Walzer No need to pair them. You can have multiple workspaces and query across them using a single Azure Sentinel console. Here's an example...

 

union Update, workspace("otherworkspacename").Update, workspace("otherworkspaceID").Update
| where TimeGenerated >= ago(1h)
| where UpdateState == "Needed"
| summarize dcount(Computer) by Classification

 

You can even save a query like this as a Function so you can just use the Function alias to use it.

 

Question is...why do you think you might need multiple Sentinel workspaces? Best practice is to use a single workspace if possible.

 

Reasons why you might want to use multiple workspaces:

  • Use of multiple Azure tenants
  • For compliance and sovereignty reasons
  • To reduce networking costs across regions

 

Reasons to avoid multiple workspaces:

  • Separate billing
  • Fine grained retention settings
  • Fine grained access control
  • Legacy architecture

 

@Rod_Trent- thx for the reply and information.

 

The reason I thought I would need multiple workspaces is because we have resources in different regions. Is it possible to have resources is one region forward metrics/events via the diagnostic and log analytics agent to another region (in my case resources in the Central region forwarding metrics/events to the East region)?

 

Thx

@Jeff Walzer Yes, absolutely. Azure Sentinel becomes the single pane of glass for your entire infrastructure.

This webinar might interest you also: https://youtu.be/_mm3GNwPBHU

Around 58m they talk about multiple workspaces and your use case

@Thijs Lecomte- TYVM for the link - greatly appreciated

1 best response

Accepted Solutions
best response confirmed by Jeff Walzer (Iron Contributor)
Solution

@Jeff Walzer No need to pair them. You can have multiple workspaces and query across them using a single Azure Sentinel console. Here's an example...

 

union Update, workspace("otherworkspacename").Update, workspace("otherworkspaceID").Update
| where TimeGenerated >= ago(1h)
| where UpdateState == "Needed"
| summarize dcount(Computer) by Classification

 

You can even save a query like this as a Function so you can just use the Function alias to use it.

 

Question is...why do you think you might need multiple Sentinel workspaces? Best practice is to use a single workspace if possible.

 

Reasons why you might want to use multiple workspaces:

  • Use of multiple Azure tenants
  • For compliance and sovereignty reasons
  • To reduce networking costs across regions

 

Reasons to avoid multiple workspaces:

  • Separate billing
  • Fine grained retention settings
  • Fine grained access control
  • Legacy architecture

 

View solution in original post