Apr 15 2021 03:49 AM
We are currently planning a new Azure presence. Each of our environments is distinct (Prod/Pre-Prod/Non-Prod) within different subscriptions with each having its own Log Analytics Workspace. When looking at how we do SIEM with Sentinel we have discovered the one-to-one relationship between Sentinel and the LAW.
Operating three instances of Sentinel within our environments seems like it won't provide value - I'm thinking about lateral movement, and the ability to detect someone gathering information in lesser environments to use against Prod.
I see that the only way in which Sentinel can use multiple workspaces is to use Lighthouse. Is this a valid solution in our use case? Will it provide the ability to correlate across multiple LAW/Sentinel instances? Or is this a sledgehammer to crack a nut, i.e. is there an easier and better way in which to operate?
Apr 15 2021 03:58 AM
Apr 15 2021 06:37 AM