Due to a specific business requirement where different teams will be monitoring different alerts, we are thinking that the best solution would be to have 2 workspaces and 2 sentinels in the same tenant. Some of the alerts will need to be taken from the same logs.
Our question is, can these two sentinels share the same logs, or do the connectors need to be enabled separately, which would double the costs?
If the Alerts are different (or you don't mind naming them or just selecting them), then you could use an Automation rule to assign them to either Group. Both would be able to see each other's data and Alerts, but they would be assigned to each Team/Group, by the rule.
e.g. I assigned 3 rules for this group.
Note: you need to set up a group for each (I just used "unassigned" as an example). Your other choice is double ingestion like you say, but this does provide separation.