Cross workspace incident and events/investigation links

Chris Smith 21 Reputation points
2021-02-16T13:35:55.207+00:00

We have multiple analytics that are running against other workspaces without issue, configured as documented here: https://learn.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants. However, when an incident occurs, the investigation, events, and entities links all redirect to queries that don't honor the workspace expression and instead are trying to look in the "primary" workspace.

Is this something that can be changed to make it easier to investigate when an incident is raised?

Microsoft Sentinel