If you ingest over 1 TB per day into your Microsoft Sentinel workspace, and/or run multiple Microsoft Sentinel workspaces in your Azure enrollment, you may want to consider migrating to a dedicated cluster, a recent addition to the deployment options for Microsoft Sentinel.
NOTE: Although this blog refers to a “dedicated cluster for Microsoft Sentinel”, the dedicated cluster being referred to is for Log Analytics, the underlying data store for Microsoft Sentinel. You may find that linked official documents refer to Azure Monitor; Log Analytics is part of the wider Azure Monitor platform.
A dedicated cluster in Microsoft Sentinel does exactly what it says: you are given dedicated hardware in an Azure data center to run your Microsoft Sentinel instance. This enables several scenarios:
Additionally, multiple Microsoft Sentinel workspaces can be added to a dedicated cluster. There are several advantages to using a dedicated cluster from a Sentinel perspective:
There are some considerations and limitations for using dedicated clusters:
The maximum number of clusters per region and subscription is 2.
The maximum number of workspaces linked to a single cluster is 1000.
You can link a workspace to your cluster and later unlink it, but link operations on a particular workspace are limited to 2 in any 30-day period, so plan link and unlink steps carefully.
Moving a cluster to another resource group or subscription isn't supported at the time of writing.
Linking a workspace to a cluster fails if that workspace is already linked to another cluster; unlink it first.
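To show how the considerations above play out in practice, here is an added example (not from the original post or from Microsoft's documentation) that creates a dedicated cluster and links workspaces to it with the Az PowerShell module. The resource group, cluster name, region and workspace names are placeholders; the script also assumes the workspaces live in the same resource group as the cluster, and that the `cluster` linked-service object exposes a `WriteAccessResourceId` property, which is what the Az.OperationalInsights cmdlets use to express the link. Because a workspace is allowed only 2 link operations per 30 days and a link attempt fails if the workspace is already attached to another cluster, the script inspects the existing link before it spends one of those operations.

```powershell
# Added example, not the post's own code. Provisions a Log Analytics dedicated cluster
# and links Sentinel workspaces to it. All names below are assumed placeholders.
#Requires -Modules Az.Accounts, Az.OperationalInsights

$ResourceGroup = 'rg-sentinel-prod'                          # assumed
$ClusterName   = 'la-cluster-sentinel'                       # assumed
$Location      = 'westeurope'                                # assumed
$Workspaces    = @('sentinel-ws-emea', 'sentinel-ws-apac')   # assumed, same resource group

Connect-AzAccount | Out-Null

# 1. Create the cluster. SkuCapacity is the commitment tier in GB/day; 1000 matches the
#    ~1 TB/day ingestion level at which a dedicated cluster becomes worth considering.
New-AzOperationalInsightsCluster -ResourceGroupName $ResourceGroup -ClusterName $ClusterName `
    -Location $Location -SkuCapacity 1000 | Out-Null

# 2. Wait for provisioning to finish; a link request against a cluster that is still
#    provisioning fails and would still count as a link operation attempt.
do {
    Start-Sleep -Seconds 300
    $cluster = Get-AzOperationalInsightsCluster -ResourceGroupName $ResourceGroup -ClusterName $ClusterName
    Write-Host "Cluster provisioning state: $($cluster.ProvisioningState)"
} while ($cluster.ProvisioningState -notin @('Succeeded', 'Failed'))
if ($cluster.ProvisioningState -ne 'Succeeded') { throw "Cluster $ClusterName failed to provision" }

# Build the cluster's ARM resource ID explicitly rather than relying on a property name.
$subscriptionId = (Get-AzContext).Subscription.Id
$clusterId = "/subscriptions/$subscriptionId/resourceGroups/$ResourceGroup" +
             "/providers/Microsoft.OperationalInsights/clusters/$ClusterName"

# 3. Link each workspace. The link is a linked service named 'cluster' whose
#    WriteAccessResourceId points at the cluster. Check the current state first:
#    only 2 link operations per workspace are allowed in 30 days, and linking fails
#    outright if the workspace is already attached to a different cluster.
foreach ($ws in $Workspaces) {
    $existing = $null
    try {
        $existing = Get-AzOperationalInsightsLinkedService -ResourceGroupName $ResourceGroup `
            -WorkspaceName $ws -LinkedServiceName 'cluster' -ErrorAction Stop
    } catch { $existing = $null }   # no 'cluster' linked service means the workspace is unlinked

    if ($existing) {
        if ($existing.WriteAccessResourceId -eq $clusterId) {
            Write-Host "$ws is already linked to $ClusterName; nothing to do"
        } else {
            # Unlinking (Remove-AzOperationalInsightsLinkedService ... -LinkedServiceName cluster)
            # is itself one of the 2 permitted operations, so this is left as a manual decision.
            Write-Warning "$ws is linked to another cluster ($($existing.WriteAccessResourceId)); unlink it before relinking"
        }
        continue
    }

    Set-AzOperationalInsightsLinkedService -ResourceGroupName $ResourceGroup -WorkspaceName $ws `
        -LinkedServiceName 'cluster' -WriteAccessResourceId $clusterId | Out-Null
    Write-Host "Link requested: $ws -> $ClusterName"
}
```

The loop deliberately warns rather than auto-unlinking a workspace that is attached to a different cluster: an unlink plus a relink uses both of the workspace's link operations for the next 30 days, so that step should be a conscious decision rather than a side effect of a script run.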
The great news is that you can retrospectively migrate to a dedicated cluster, so if this feature looks like it would be useful to your organization, you can find more information and migration steps here.
With thanks to @Ofer_Shezaf, @Javier Soriano and @Meir Mendelovich for their input into this blog post.