User Profile

ThinkSync

Brass Contributor

Joined 7 years ago

24 Posts12 Likes

View All Badges

User Widgets

Recent Discussions

Cross Workspace Query
Hi all, As a part of our Sentinel on-boarding project, we're in the process of centralising LA workspaces. The Sentinel LA workspace permission is set to"Use resource or workspace permissions", however the cross workspace query below fails with a permission error: workspace("<LA-Workspace-Name>").Heartbeat |whereComputercontains"<ServerName>" Does anyone know if the KQL can be tweaked to avoid delegating read permissions to the LA workspace? Hoping we can do something similar to user using the "logs" option from the VM. Many thanks, Matt
Sep 09, 2020 Place Microsoft Sentinel
851Views
0likes
0Comments

Groups

Recent Blog Articles

No content to show