Cross workspace incident and events/investigation links

Chris Smith 21 Reputation points

We have multiple analytics that are running against other workspaces without issue, configured as documented here: However, when an incident occurs, the investigation, events, and entities links all redirect to queries that don't honor the workspace expression and instead are trying to look in the "primary" workspace.

Is this something that can be changed to make it easier to investigate when an incident is raised?

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
866 questions
{count} votes