Setting up Sentinel to get logs from multiple regions

Jeff Fazio 36 Reputation points
2022-01-05T20:38:13.077+00:00

I am looking into setting up Sentinel to be able to get logs from multiple regions for PCI requirements. I see where you set up the first Log Analytics workspace, but do you have to set up a workspace in each region, and if so, is there a way to add all the workspaces to a single instance of Sentinel?

So if I initially set up Sentinel in East US but I will also need logs from resources in Canada, the UK and Asia Pacific, is there a way to add those workspaces, or is that even the best way to do it?

Thanks


Accepted answer
  1. George Moise 2,361 Reputation points Microsoft Employee
    2022-01-07T10:07:27.223+00:00

    Hi again Jeff,

    In your Azure Portal, after you search for Microsoft Sentinel, you will end up in a window like the one below, where you will see all the Sentinel Enabled Log Analytics Workspaces.
    You are able to see here the ones in your Tenant on which your account has at least Reader permissions.

    In this view, you have the checkboxes that you can use to select multiple workspaces and then you can click on View incidents to see all the incidents from the selected Sentinel Workspaces in the same Incident View.

    [Screenshot: the Microsoft Sentinel page in the Azure portal listing the Sentinel-enabled Log Analytics workspaces]

    I hope it helps,
    George

    P.S. Please don't forget to accept the answers :)


6 additional answers

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2022-01-05T21:44:06.057+00:00

    Yes, a workspace is tied to a specific region, so if the data needs to be kept in different Azure geographies, it must be split into separate workspaces. But you can associate multiple workspaces with a single Sentinel instance. For best practices about designing your setup, see Design your Microsoft Sentinel Workspace Architecture.

    You can also view incidents in multiple workspaces at once through the Multiple Workspace View.

    Note that Azure does not yet support sending or migrating logs from one workspace to another.

    Let me know if this helps.


  2. Andrew Blumhardt 10,051 Reputation points Microsoft Employee
    2022-01-05T22:40:11.19+00:00

    Agreed. Global users often have geo-regional Sentinel instances\workspaces. The best practice is to have as few as possible. Data sovereignty usually dictates separating data by large geo regions.

    One correction. You cannot have multiple workspaces under a single Sentinel instance. Each Sentinel workspace has a separate Sentinel portal. Pivoting between these portals in the same tenant is very easy (or spanning multiple tenants using Lighthouse). There are workbooks and incident views that make it easier to visualize multiple Sentinel instances in a single view. KQL supports cross-workspace queries, making it possible to visualize or monitor across multiple workspaces. Analytic rules can be imported and exported in the portal, making it easy to manage rules from a designated master instance.

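As an added illustration of the cross-workspace KQL mentioned above (example code, not from anyone in this thread): a single query, run from any one Sentinel workspace, that correlates failed Entra ID sign-ins across four regional workspaces. The workspace names are assumed placeholders.

```kql
// Added example, not from the thread. Runs from one Sentinel workspace and
// reads SigninLogs from four regional workspaces (names are placeholders).
union isfuzzy=true                                // tolerate a workspace that has no SigninLogs yet
    (workspace("sentinel-eastus").SigninLogs        | extend SourceWorkspace = "eastus"),
    (workspace("sentinel-canadacentral").SigninLogs | extend SourceWorkspace = "canadacentral"),
    (workspace("sentinel-uksouth").SigninLogs       | extend SourceWorkspace = "uksouth"),
    (workspace("sentinel-australiaeast").SigninLogs | extend SourceWorkspace = "australiaeast")
| where TimeGenerated > ago(1h)
| where ResultType != "0"                         // "0" is a successful sign-in in SigninLogs
| summarize Failures = count(),
            Regions  = make_set(SourceWorkspace),
            SourceIPs = make_set(IPAddress, 10)
    by UserPrincipalName
| where array_length(Regions) > 1 and Failures >= 10   // same account failing in more than one region
| order by Failures desc
```

The same pattern works in a scheduled analytics rule in the designated master workspace, so one rule can watch all regions without moving any data between workspaces.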

  3. George Moise 2,361 Reputation points Microsoft Employee
    2022-01-06T10:24:08.917+00:00

    Hi Jeff,
    On top of the previous answers (yes, the recommendation is to have 1 Sentinel Workspace for each Region), just be aware that you can also visualize the Incidents from all Sentinel Workspaces using the Multi Workspace Incident View available for up to 10 Sentinel Workspaces at once:
    Work with incidents in many workspaces at once

    BR,
    George


  4. Jeff Fazio 36 Reputation points
    2022-01-06T13:53:08.557+00:00

    Thank you all for the information. It's very helpful.

