Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Sentinel across multiple environments

Copper Contributor

We are currently planning a new Azure presence. Each of our environments is distinct (Prod/Pre-Prod/Non-Prod) within different subscriptions with each having its own Log Analytic Workspace. When looking at how we do SIEM with Sentinel we have discovered the one-to-one relationship between Sentinel and the LAW.


Operating three instances of Sentinel within our environments seems like it won't provide value - I'm thinking about lateral movement, and the ability to detect someone gathering information in lesser environments to use against Prod.


I see that the only way in which Sentinel can use multiple workspaces is to use Lighthouse. Is this a valid solution in our use case? Will it provide the ability to correlate across multiple LAW/Sentinel instances. Or is this a sledgehammer to crack a nut - i.e. is there an easier and better way in which to operate.



2 Replies
Azure Lighthouse is needed if the workspaces are in different tenants, if the three workspaces are within the same tenant/AAD you can view Incidents across all three from the UI.
See Module 3:
Thanks - I hadn't spotted that. Great!