AtulSathe-6145 asked, kobulloc-MSFT answered

Advice on creating Log Analytics Workspace

Hi Team,
Project: Currently working on a project to build a Security Compliance dashboard for 5 Data Centers under the Azure Sentinel service.
Current Design:
No. of Data Centers = 5
No. of Log Analytics Workspaces = 5 (1 for each data center's resources)
No. of Sentinel Workspaces = 1
Each data center has approx. 200+ assets to be onboarded to its respective Azure Log Analytics workspace for monitoring.
Data center users should be able to access only the data for the data centers assigned to them.


Problem Statement:
Can this solution be further optimized by collecting the asset logs from all 5 data centers into a single Log Analytics workspace?
Would it still satisfy the requirement of data center-level access?
Is there any mechanism in Sentinel to capture the currently logged-in user on Azure?

azure-sentinel

1 Answer

kobulloc-MSFT answered

Hello, @AtulSathe-6145!

I reached out internally to some security and Azure Sentinel contacts to give you a better answer to your questions:

Can this solution be further optimized by collecting the asset logs from all 5 data centers into a single Log Analytics workspace?
Yes. You can have 1 central Sentinel/Log Analytics workspace and have all assets reporting to it.

Would it still satisfy the requirement of data center-level access?
Yes. You can use resource-centric RBAC. See Manage access to Azure Sentinel data by resource | Microsoft Docs. Basically, you would grant a person access to the resources of 1 data center (likely the resources in one subscription or resource group). Then, when they query the workspace, they could see only the logs for resources they have access to. This applies to all the logs for that resource. In Sentinel, things like incidents would not support that, as they are not resource-specific.

Is there any mechanism in Sentinel to capture the currently logged-in user on Azure?
No. The only login information is in the Azure sign-in logs, but there are also Log Analytics audit logs which show which queries are being run and by whom. You could get close to seeing who is logged in by looking at their queries, but that doesn't mean they are specifically logged into Azure Sentinel.
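The query audit approach mentioned in the answer can be put to work with a KQL query over the workspace's own LAQueryLogs table; this is an added example, not part of the answer above, and it assumes query auditing has been enabled on the workspace via a diagnostic setting (the table is empty otherwise). The table extraction uses a simple regex heuristic on the query text.

```kql
// Added example: summarize who has queried the central workspace in the last 7 days,
// from which client application, and which tables they touched.
// Assumes LAQueryLogs collection is enabled (Diagnostic settings -> Audit) on the workspace.
LAQueryLogs
| where TimeGenerated > ago(7d)
| where ResponseCode == 200                               // keep successful queries only
| extend QueriedTable = extract(@"^\s*(\w+)", 1, QueryText) // heuristic: first table name in the query
| summarize
    Queries    = count(),
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated),
    ClientApps = make_set(RequestClientApp),
    Tables     = make_set(QueriedTable),
    RowsReturned = sum(ResponseRowCount)
  by AADEmail
| order by LastSeen desc
```

Reviewing the Tables column per user is a quick way to confirm that resource-context RBAC is limiting each data center's users to the logs they are entitled to see.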
