Workspace and Sentinel how it will work

Copper Contributor

Dear All,

I have my company server and worspace located in 3 regions i.e US, Europe and India and data is flowing from those specific locations to the respective workspace for example US data will go to US workspace.


We wanted to continue the same but the issue is we wanted now to have our security team setup and we are planning to have it in India only so we ran sentinel on top of India workspace now the question is how to monitor the US and europe workspace?


Kindly let me know the answer from the following prespective


1) The cost effiecnent way?

2) The best practice in these scenario's?

3) Can we use azure lighthouse?


3 Replies
1. If data compliance aggress, target the logs to a single workspace.
a. This will help you to query in a single workspace.
b. In case of a high data ingestion, you will be able to leverage commitment tiers.
3. Lighthouse is used in case of multi-tenancy which does not seem to be use case here.
This brings up another question what data sources being ingested
Heartbeat - Free
SecuityEvent - Will be billing same as of now.
Hope this helps.
Didnt get it.

Lets make it simple

If we have 2 workspace in two separate region 1 in us and another in india

Sentinel running on india workspace only but in future i want to monitor us site also
Whats best practice?
Do i need 2 sentinel?
Assess (Data compliance/ Any other requirements) if we the log sources from another location (US) can point to initial location (India)
Else, you have to have 2 different Sentinel Instance and use cross workspace queries to join for your use cases