Advice on creating Log Analytics Workspace

Atul Sathe 1 Reputation point
2021-09-23T14:09:13.15+00:00

Hi Team,

Project: Currently working on a project to build a Security Compliance dashboard for 5 Data Centers under the Azure Sentinel Service.

Current Design:
No. of Data Centers = 5
No. of Log Analytics Workspaces = 5 (1 for each data center's resources)
No. of Sentinel Workspaces = 1
Each data center has approx. 200+ assets to be onboarded onto the respective Azure Log Analytics workspace for monitoring.
Data center users should be able to access the data only for the respective data centers assigned to them.

Problem Statement:
Can this solution be further optimized by restricting the collection of asset logs from all 5 data centers to a single Log Analytics workspace?
Would it still satisfy the requirement of data-center-level access?
Is there any mechanism in Sentinel to capture the currently logged-in user on Azure?

1 answer

kobulloc-MSFT (Microsoft Employee)
2021-09-29T15:28:57.537+00:00

Hello, @Atul Sathe!

I reached out internally to some security and Azure Sentinel contacts to give you a better answer to your questions:

Can this solution be further optimized by restricting the collection of asset logs from all 5 data centers to a single Log Analytics workspace?
Yes. You can have 1 central Sentinel/Log Analytics workspace and have all assets reporting to it.

Would it still satisfy the requirement of data-center-level access?
Yes. You can use resource-centric RBAC. See Manage access to Azure Sentinel data by resource | Microsoft Learn. Basically, you would grant a person for a data center access to the resources of that 1 data center (likely the resources in one subscription or resource group). Then, when they query the workspace, they could see only the logs for the resources they have access to. This applies to all the logs for that resource. In Sentinel, things like incidents would not support that, as they are not resource specific.

Is there any mechanism in Sentinel to capture the currently logged-in user on Azure?
No. The only login information is in the Azure sign-in logs, but there are also audit logs which show which queries are being run and by whom. You could get close to seeing who is logged in by looking at their queries, but that doesn't mean they are specifically logged into Azure Sentinel.

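As an added example (not part of the answer above, and not Microsoft's reference code), the following KQL shows how the "who ran which queries" audit trail the answer mentions can be read from the workspace's own LAQueryLogs table. It assumes the workspace's Audit diagnostic setting is enabled and sent to the workspace, so that LAQueryLogs is populated; the 7-day window and the column selection are choices made here, not anything the answer specifies.

```kql
// Added example: query audit trail for a Log Analytics workspace.
// Assumes the workspace's "Audit" diagnostic setting is enabled so LAQueryLogs exists.

// 1. Individual queries in the last 7 days: who ran them, from which client,
//    what was run, and which workspaces/resources the query was scoped to.
//    RequestContext is where the resource-scoped (resource-centric RBAC) context shows up.
LAQueryLogs
| where TimeGenerated > ago(7d)
| where ResponseCode == 200        // keep successful queries; failures carry other codes
| project TimeGenerated,
          AADEmail,                 // identity that issued the query
          RequestClientApp,         // e.g. portal, API client, Sentinel feature
          RequestTarget,            // the workspace or resource the request was sent to
          RequestContext,           // workspaces/resources the query was scoped to
          ResponseRowCount,         // how much data the query returned
          QueryText
| order by TimeGenerated desc

// 2. Daily activity per identity: a quick view of who is actively using the
//    workspace, which is the closest thing to "who is logged in" that the
//    query audit logs can give.
LAQueryLogs
| where TimeGenerated > ago(7d)
| summarize Queries = count(),
            FailedQueries = countif(ResponseCode != 200),
            RowsReturned = sum(ResponseRowCount),
            Clients = make_set(RequestClientApp)
          by AADEmail, Day = bin(TimeGenerated, 1d)
| order by Day desc, Queries desc
```

Each query is run separately in the Logs blade (select it before running). The first one is the useful view for the data-center-access question: because users under resource-centric RBAC query in the context of the resources they were granted, the RequestContext column records which resources a given person's queries could reach, which is worth reviewing alongside the role assignments themselves.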