Cross workspace incident and events/investigation links
Chris Smith
21
Reputation points
We have multiple analytics that are running against other workspaces without issue, configured as documented here: https://learn.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants. However, when an incident occurs, the investigation, events, and entities links all redirect to queries that don't honor the workspace expression and instead are trying to look in the "primary" workspace.
Is this something that can be changed to make it easier to investigate when an incident is raised?
Sign in to answer