Separate out Activity Logs

darksaber 1 Reputation point
2021-10-22T17:38:27.253+00:00

Good Afternoon!
We are trying to determine if there is a way to stream activity logs to two separate event hubs at the resource level instead of at the subscription level.
Further information:
We have a single subscription that has resources that are based in the US and Canada. We have two separate Sentinel instances running, one in the US and another in Canada. We need to send the respective countries' logs to that specific Sentinel instance without that data traversing the other country. This can be done for diagnostic logging, but we are unsure how to do this for activity logs, if it is even possible.

Right now the option we are looking at is splitting to two separate subscriptions, but that will obviously be a lot of time and work.

Any ideas would be appreciated.


1 answer

  1. Alistair Ross 7,101 Reputation points Microsoft Employee
    2021-11-11T13:03:11.517+00:00

    Activity Logs are platform logs that provide insights to subscription-level events. These cannot be "split" by resource, only filtered. To achieve what you are suggesting you would need to either split your resources across multiple subscriptions or use a custom solution to query the data and ingest into Sentinel.

    However! It's key to point out that an attacker doesn't care that your resources are split across different geographies, and separating the data into multiple workspaces will make it harder for you to perform detailed investigations across your entire enterprise. Consider keeping the data together and using automation rules to assign the incidents to the relevant geographical team instead, because alerts from services such as Defender for Endpoint and Azure Active Directory are region-agnostic with regard to logging.

    Alistair

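As an added example (not code from the thread, from the asker, or from Microsoft), one shape the "custom solution to query the data" in the answer could take: a router that reads Activity Log records in the Event Hub export envelope and partitions them per Sentinel region using a resource-group-to-region map, which is an assumption here (in practice it would be built from tags or Resource Graph). It also shows the caveat behind the answer: subscription-scoped events such as ServiceHealth carry no resource-group affinity, so they cannot be attributed to a country and are sent to every region, while records from unmapped resource groups are parked for review rather than silently dropped.

```python
import json
from collections import defaultdict

# Constructed Activity Log batch in the Event Hub export envelope ({"records": [...]});
# subscription id and resource names are placeholders, not values from the thread.
SUB = "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000"
SAMPLE_BATCH = json.dumps({"records": [
    {"time": "2021-10-22T17:00:00Z", "category": "Administrative",
     "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE",
     "resourceId": SUB + "/RESOURCEGROUPS/RG-US-PROD/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/WEB01"},
    {"time": "2021-10-22T17:01:00Z", "category": "Administrative",
     "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
     "resourceId": SUB + "/RESOURCEGROUPS/RG-CA-PROD/PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/CADATA01"},
    # ServiceHealth is scoped to the subscription itself: no resource group, no country.
    {"time": "2021-10-22T17:02:00Z", "category": "ServiceHealth",
     "operationName": "MICROSOFT.SERVICEHEALTH/INCIDENT/ACTION", "resourceId": SUB},
    # A resource group nobody has classified yet.
    {"time": "2021-10-22T17:03:00Z", "category": "Administrative",
     "operationName": "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE",
     "resourceId": SUB + "/RESOURCEGROUPS/RG-SANDBOX/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG1"},
]})

# Assumed mapping of resource group -> Sentinel region (hypothetical; derive from tags in practice).
RG_REGION = {"RG-US-PROD": "us", "RG-CA-PROD": "ca"}


def resource_group_of(resource_id):
    """Return the resource group segment of an ARM resource id, or None when the id
    is subscription-scoped. Case is normalised because the exporter upper-cases ids."""
    parts = resource_id.upper().strip("/").split("/")
    for i, part in enumerate(parts[:-1]):
        if part == "RESOURCEGROUPS":
            return parts[i + 1]
    return None


def route_batch(batch_json, rg_region, regions=("us", "ca")):
    """Partition one Event Hub batch into per-region record lists.
    Subscription-scoped records fan out to every region (they belong to no country);
    records from unmapped resource groups land in 'unrouted' for a human to classify."""
    routed = defaultdict(list)
    for rec in json.loads(batch_json)["records"]:
        rg = resource_group_of(rec.get("resourceId", ""))
        if rg is None:
            for region in regions:
                routed[region].append(rec)
        elif rg in rg_region:
            routed[rg_region[rg]].append(rec)
        else:
            routed["unrouted"].append(rec)
    return dict(routed)
```

The size of the `unrouted` bucket over time is a useful operational metric: it measures how much of the subscription's activity the mapping cannot place, which is the residual risk the answer's "filter, not split" point describes.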