Sample Log Analytics workspace designs for Microsoft Sentinel (2024)

This article describes suggested Log Analytics workspace designs for organizations with the following sample requirements:

  • Multiple tenants and regions, with European Data Sovereignty requirements
  • Single tenant with multiple clouds
  • Multiple tenants, with multiple regions and centralized security

For more information, see Design a Log Analytics workspace architecture.

This article is part of the Deployment guide for Microsoft Sentinel.

Sample 1: Multiple tenants and regions

The Contoso Corporation is a multinational business with headquarters in London. Contoso has offices around the world, with important hubs in New York City and Tokyo. Recently, Contoso has migrated their productivity suite to Office 365, with many workloads migrated to Azure.

Contoso tenants

Due to an acquisition several years ago, Contoso has two Microsoft Entra tenants: contoso.onmicrosoft.com and wingtip.onmicrosoft.com. Each tenant has its own Office 365 instance and multiple Azure subscriptions, as shown in the following image:

[Image: Contoso's two Microsoft Entra tenants, each with its own Office 365 instance and Azure subscriptions]

Contoso compliance and regional deployment

Contoso currently has Azure resources hosted in three different regions: US East, EU North, and West Japan, and has a strict requirement to keep all data generated in Europe within European regions.

Both of Contoso's Microsoft Entra tenants have resources in all three regions: US East, EU North, and West Japan.

Contoso resource types and collection requirements

Contoso needs to collect events from the following data sources:

  • Office 365
  • Microsoft Entra sign-in and audit logs
  • Azure Activity
  • Windows Security Events, from both on-premises and Azure VM sources
  • Syslog, from both on-premises and Azure VM sources
  • CEF, from multiple on-premises networking devices, such as Palo Alto, Cisco ASA, and Cisco Meraki
  • Multiple Azure PaaS resources, such as Azure Firewall, AKS, Key Vault, Azure Storage, and Azure SQL
  • Cisco Umbrella

Azure VMs are mostly located in the EU North region, with only a few in US East and West Japan. Contoso uses Microsoft Defender for servers on all their Azure VMs.

Contoso expects to ingest around 300 GB/day from all of their data sources.

Contoso access requirements

Contoso's Azure environment already has a single Log Analytics workspace, used by the Operations team to monitor the infrastructure. This workspace is located in the Contoso Microsoft Entra tenant, in the EU North region, and collects logs from Azure VMs in all regions. It currently ingests around 50 GB/day.

The Contoso Operations team needs to have access to all the logs that they currently have in the workspace, which include several data types not needed by the SOC, such as Perf, InsightsMetrics, ContainerLog, and more. The Operations team must not have access to the new logs that are collected in Microsoft Sentinel.

Contoso's solution

Contoso's solution includes the following considerations:

  • Contoso already has an existing workspace, and they'd like to explore enabling Microsoft Sentinel in that same workspace.
  • Contoso has regulatory requirements, so we need at least one Log Analytics workspace enabled for Microsoft Sentinel in Europe.
  • Most of Contoso's VMs are in the EU North region, where they already have a workspace. Therefore, in this case, bandwidth costs aren't a concern.
  • Contoso has two different Microsoft Entra tenants and collects from tenant-level data sources, like Office 365 and Microsoft Entra sign-in and audit logs, so at least one workspace per tenant is needed.
  • Contoso does need to collect non-SOC data, although there isn't any overlap between SOC and non-SOC data. Also, SOC data accounts for approximately 250 GB/day, so separate workspaces are the more cost-efficient choice.
  • Contoso has a single SOC team that will be using Microsoft Sentinel, so no extra separation is needed.
  • All members of Contoso's SOC team will have access to all the data, so no extra separation is needed.

The resulting workspace design for Contoso is illustrated in the following image:

[Image: Contoso workspace design]

The suggested solution includes:

  • A separate Log Analytics workspace for the Contoso Operations team. This workspace only contains data that's not needed by Contoso's SOC team, such as the Perf, InsightsMetrics, or ContainerLog tables.
  • Two Log Analytics workspaces enabled for Microsoft Sentinel, one in each Microsoft Entra tenant, to ingest data from Office 365, Azure Activity, Microsoft Entra ID, and all Azure PaaS services.
  • All other data, coming from on-premises data sources, can be routed to one of the two workspaces.

Sample 2: Single tenant with multiple clouds

Fabrikam is an organization with headquarters in New York City and offices all around the United States. Fabrikam is starting their cloud journey, and still needs to deploy their first Azure landing zone and migrate their first workloads. Fabrikam already has some workloads on AWS, which they intend to monitor using Microsoft Sentinel.

Fabrikam tenancy requirements

Fabrikam has a single Microsoft Entra tenant.

Fabrikam compliance and regional deployment

Fabrikam has no compliance requirements. Fabrikam has resources in several Azure regions located in the US, but bandwidth costs across regions aren't a major concern.

Fabrikam resource types and collection requirements

Fabrikam needs to collect events from the following data sources:

  • Microsoft Entra sign-in and audit logs
  • Azure Activity
  • Security Events, from both on-premises and Azure VM sources
  • Windows Events, from both on-premises and Azure VM sources
  • Performance data, from both on-premises and Azure VM sources
  • AWS CloudTrail
  • AKS audit and performance logs

Fabrikam access requirements

The Fabrikam Operations team needs to access:

  • Security events and Windows events, from both on-premises and Azure VM sources
  • Performance data, from both on-premises and Azure VM sources
  • AKS performance (Container Insights) and audit logs
  • All Azure Activity data

The Fabrikam SOC team needs to access:

  • Microsoft Entra sign-in and audit logs
  • All Azure Activity data
  • Security events, from both on-premises and Azure VM sources
  • AWS CloudTrail logs
  • AKS audit logs
  • The full Microsoft Sentinel portal

Fabrikam's solution

Fabrikam's solution includes the following considerations:

  • Fabrikam has no existing workspace, so a new workspace is needed in any case.

  • Fabrikam has no regulatory requirements that require them to keep data separate.

  • Fabrikam has a single-tenant environment, so separate workspaces per tenant aren't needed.

  • However, Fabrikam will need separate workspaces for their SOC and Operations teams.

    The Fabrikam Operations team needs to collect performance data from both VMs and AKS. Since AKS log collection is configured through diagnostic settings, Fabrikam can select which log categories are sent to which workspace. Fabrikam can choose to send AKS audit logs to the Log Analytics workspace enabled for Microsoft Sentinel, and all AKS logs to a separate workspace where Microsoft Sentinel isn't enabled. In the workspace where Microsoft Sentinel isn't enabled, Fabrikam enables the Container Insights solution.

    For Windows VMs, Fabrikam can use the Azure Monitoring Agent (AMA) to split the logs, sending security events to the workspace enabled for Microsoft Sentinel, and performance data and Windows events to the workspace without Microsoft Sentinel.

    Fabrikam chooses to consider their overlapping data, such as security events and Azure activity events, as SOC data only, and sends this data to the workspace with Microsoft Sentinel.

  • Fabrikam needs to control access for overlapping data, including security events and Azure activity events, but there's no row-level requirement. Since security events and Azure activity events aren't custom logs, Fabrikam can use table-level RBAC to grant access to these two tables for the Operations team.
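The AMA and diagnostic-settings split described above, written out as an added Bicep example (not code from the Microsoft article): one data collection rule sends Security events to the Sentinel workspace and Windows events plus performance counters to the Operations workspace, and two diagnostic settings on the AKS cluster send only the audit log to the SOC workspace and every category to the Operations workspace. The workspace resource IDs, cluster name, rule names and counter list are assumptions.

```bicep
// Added example (not from the Microsoft article): routes Fabrikam's VM and AKS
// telemetry to two workspaces. Workspace IDs, cluster and rule names are assumptions.
param location string = 'eastus'
param socWorkspaceId string   // workspace enabled for Microsoft Sentinel
param opsWorkspaceId string   // Operations workspace, Sentinel not enabled
param aksClusterName string
// AMA data collection rule: Security events -> SOC; Windows events + Perf -> Ops.
resource vmSplitDcr 'Microsoft.Insights/dataCollectionRules@2022-06-01' = {
  name: 'dcr-fabrikam-vm-split'
  location: location
  kind: 'Windows'
  properties: {
    dataSources: {
      windowsEventLogs: [
        {
          // Audit Success and Audit Failure records from the Security channel
          name: 'securityEvents'
          streams: [ 'Microsoft-SecurityEvent' ]
          xPathQueries: [ 'Security!*[System[(band(Keywords,13510798882111488))]]' ]
        }
        {
          // Critical, Error and Warning from the Application and System channels
          name: 'windowsEvents'
          streams: [ 'Microsoft-Event' ]
          xPathQueries: [
            'Application!*[System[(Level=1 or Level=2 or Level=3)]]'
            'System!*[System[(Level=1 or Level=2 or Level=3)]]'
          ]
        }
      ]
      performanceCounters: [
        {
          name: 'perfCounters'
          streams: [ 'Microsoft-Perf' ]
          samplingFrequencyInSeconds: 60
          counterSpecifiers: [ '\\Processor(_Total)\\% Processor Time', '\\Memory\\Available Bytes' ]
        }
      ]
    }
    destinations: {
      logAnalytics: [
        { name: 'soc', workspaceResourceId: socWorkspaceId }
        { name: 'ops', workspaceResourceId: opsWorkspaceId }
      ]
    }
    // The stream-to-destination mapping is what actually splits the data
    dataFlows: [
      { streams: [ 'Microsoft-SecurityEvent' ], destinations: [ 'soc' ] }
      { streams: [ 'Microsoft-Event', 'Microsoft-Perf' ], destinations: [ 'ops' ] }
    ]
  }
}
// AKS diagnostic settings: only the audit log goes to SOC; all categories go to Ops.
resource aks 'Microsoft.ContainerService/managedClusters@2023-08-01' existing = { name: aksClusterName }
resource aksAuditToSoc 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'aks-audit-to-soc'
  scope: aks
  properties: { workspaceId: socWorkspaceId, logs: [ { category: 'kube-audit', enabled: true } ] }
}
resource aksAllToOps 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'aks-all-to-ops'
  scope: aks
  properties: { workspaceId: opsWorkspaceId, logs: [ { categoryGroup: 'allLogs', enabled: true } ] }
}
```

The rule still has to be associated with each VM (a data collection rule association), which is what makes AMA on that machine apply it.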

The resulting workspace design for Fabrikam is illustrated in the following image, including only key log sources for the sake of design simplicity:

[Image: Fabrikam workspace design, showing only key log sources]

The suggested solution includes:

  • Two separate workspaces in the US region: one for the SOC team with Microsoft Sentinel enabled, and another for the Operations team, without Microsoft Sentinel.
  • The Azure Monitoring Agent (AMA), used to determine which logs are sent to each workspace from Azure and on-premises VMs.
  • Diagnostic settings, used to determine which logs are sent to each workspace from Azure resources such as AKS.
  • Overlapping data being sent to the Log Analytics workspace enabled for Microsoft Sentinel, with table-level RBAC to grant access to the Operations team as needed.

Sample 3: Multiple tenants and regions and centralized security

Adventure Works is a multinational company with headquarters in Tokyo. Adventure Works has 10 different sub-entities, based in different countries/regions around the world.

Adventure Works is a Microsoft 365 E5 customer, and already has workloads in Azure.

Adventure Works tenancy requirements

Adventure Works has three different Microsoft Entra tenants, one for each of the continents where they have sub-entities: Asia, Europe, and Africa. The different sub-entities' countries/regions have their identities in the tenant of the continent they belong to. For example, Japanese users are in the Asia tenant, German users are in the Europe tenant and Egyptian users are in the Africa tenant.

Adventure Works compliance and regional requirements

Adventure Works currently uses three Azure regions, each aligned with the continent in which the sub-entities reside. Adventure Works doesn't have strict compliance requirements.

Adventure Works resource types and collection requirements

Adventure Works needs to collect the following data sources for each sub-entity:

  • Microsoft Entra sign-in and audit logs
  • Office 365 logs
  • Microsoft Defender XDR for Endpoint raw logs
  • Azure Activity
  • Microsoft Defender for Cloud
  • Azure PaaS resources, such as from Azure Firewall, Azure Storage, Azure SQL, and Azure WAF
  • Security and Windows events from Azure VMs
  • CEF logs from on-premises network devices

Azure VMs are scattered across the three continents, but bandwidth costs aren't a concern.

Adventure Works access requirements

Adventure Works has a single, centralized SOC team that oversees security operations for all the different sub-entities.

Adventure Works also has three independent SOC teams, one for each of the continents. Each continent's SOC team should be able to access only the data generated within its region, without seeing data from other continents. For example, the Asia SOC team should only access data from Azure resources deployed in Asia, Microsoft Entra sign-ins from the Asia tenant, and Defender for Endpoint logs from the Asia tenant.

Each continent's SOC team needs to access the full Microsoft Sentinel portal experience.

Adventure Works’ Operations team runs independently, and has its own workspaces without Microsoft Sentinel.

Adventure Works solution

The Adventure Works solution includes the following considerations:

  • Adventure Works' Operations team already has its own workspaces, so there's no need to create a new one.

  • Adventure Works has no regulatory requirements that require them to keep data separate.

  • Adventure Works has three Microsoft Entra tenants, and needs to collect tenant-level data sources, such as Office 365 logs. Therefore, Adventure Works should create at least one Log Analytics workspace enabled for Microsoft Sentinel in each tenant.

  • While all the data considered in this design is used by Adventure Works' SOC teams, the data still needs to be segregated by ownership, because each continent's SOC team may access only the data relevant to that team. Each SOC team also needs access to the full Microsoft Sentinel portal. Adventure Works doesn't need to control data access by table.

The resulting workspace design for Adventure Works is illustrated in the following image, including only key log sources for the sake of design simplicity:

[Image: Adventure Works workspace design, showing only key log sources]

The suggested solution includes:

  • A separate Log Analytics workspace enabled for Microsoft Sentinel for each Microsoft Entra tenant. Each workspace collects data related to its tenant for all data sources.
  • Each continent's SOC team has access only to the workspace in its own tenant, ensuring that only logs generated within the tenant boundary are accessible by each SOC team.
  • The central SOC team can operate from a separate Microsoft Entra tenant, using Azure Lighthouse to access each of the different Microsoft Sentinel environments. If the central SOC team has no separate tenant of its own, it can operate from one of the three tenants and still use Azure Lighthouse to access the workspaces in the other tenants.
  • The central SOC team can also create another workspace if it needs to store artifacts that remain hidden from the continent SOC teams, or if it wants to ingest other data that isn't relevant to the continent SOC teams.
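The Azure Lighthouse delegation described above, as an added Bicep example (not from the Microsoft article): it delegates only the resource group that holds one continent's Sentinel workspace to the central SOC tenant, rather than the whole subscription, so the central team gets the workspace and nothing else in that tenant. The tenant ID, the group object ID in the managing tenant and the role definition ID are assumed parameters.

```bicep
// Added example (not from the Microsoft article). Deploy into the resource group
// that contains a continent's Sentinel-enabled workspace; all IDs are assumptions.
targetScope = 'resourceGroup'

param centralSocTenantId string        // managing tenant: the central SOC team's tenant
param centralSocGroupObjectId string   // Microsoft Entra group in the managing tenant
param roleDefinitionId string          // built-in role GUID, e.g. Microsoft Sentinel Contributor
param continentName string = 'asia'

var definitionName = 'Central SOC access to ${continentName} Sentinel workspace'

resource delegation 'Microsoft.ManagedServices/registrationDefinitions@2019-09-01' = {
  // Registration definition and assignment names must be GUIDs
  name: guid(definitionName, centralSocTenantId)
  properties: {
    registrationDefinitionName: definitionName
    description: 'Least-privilege delegation: scoped to the workspace resource group only'
    managedByTenantId: centralSocTenantId
    authorizations: [
      {
        principalId: centralSocGroupObjectId
        principalIdDisplayName: 'Central SOC analysts'
        roleDefinitionId: roleDefinitionId
      }
    ]
  }
}

// The assignment is what actually onboards this resource group to the managing tenant
resource assignment 'Microsoft.ManagedServices/registrationAssignments@2019-09-01' = {
  name: guid(delegation.id)
  properties: {
    registrationDefinitionId: delegation.id
  }
}
```

Deploy it once per continent tenant; the continent SOC team's own access is unaffected because Lighthouse only adds the managing tenant's principals, it never removes local assignments.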

Next steps

In this article, you reviewed a set of suggested workspace designs for organizations.

Prepare for multiple workspaces
