

This configuration may result in cost savings if it helps you reach a commitment tier, which provides a discount to your ingestion charges.

If access to the security data should be limited to a particular team, you can use table-level RBAC to block particular users from tables with security data, or limit users to accessing the workspace using resource-context.

See Azure Monitor Logs pricing details. Combining your data from Azure Monitor and Microsoft Sentinel in the same workspace gives you better visibility across all of your data, allowing you to easily combine both in queries and workbooks. This scenario typically results in higher costs for operational data in a workspace without Microsoft Sentinel.
This approach may also help to optimize costs since when Microsoft Sentinel is enabled in a workspace, all data in that workspace is subject to Microsoft Sentinel pricing even if it's operational data collected by Azure Monitor. A workspace with Microsoft Sentinel gets three months of free data retention instead of 31 days. The decision whether to combine your operational data from Azure Monitor in the same workspace as security data from Microsoft Sentinel or separate each into their own workspace depends on your security requirements and the potential cost implications for your environment. Creating dedicated workspaces for Azure Monitor and Microsoft Sentinel will allow you to segregate ownership of data between operational and security teams. Legacy virtual machine agents have limitations on the number of workspaces they can connect to. Configure access to the workspace and to different tables and data from different resources. You need a separate workspace if you require different retention settings for different resources that send data to the same tables. Commitment tiers allow you to reduce your ingestion cost by committing to a minimum amount of daily data in a single workspace. You can set different retention settings for each table in a workspace. For example, you might create workspaces by subsidiaries or affiliated companies. By placing workspaces in separate subscriptions, they can be billed to different parties. You might choose to create separate workspaces to define data ownership. You might have regulatory or compliance requirements to store data in specific locations. Several data sources can only send monitoring data to a workspace in the same Azure tenant. Each workspace resides in a particular Azure region. If you have multiple Azure tenants, you'll usually create a workspace in each one. You may also have cost implications to each strategy.
Combining them gives you better visibility across all your data, while your security standards might require separating them so that your security team has a dedicated workspace. You may choose to combine operational data from Azure Monitor in the same workspace as security data from Microsoft Sentinel or separate each into their own workspace. The sections that follow describe the criteria. The following table presents criteria to consider when you design your workspace architecture. Consider your requirements and priorities to determine which design will be most effective for your environment. Evaluate each of the criteria independently. Consolidating into a single workspace might allow you to reduce charges even more with a commitment tier. For example, you might be able to reduce egress charges by creating a separate workspace in each Azure region. But some of the criteria might be in conflict. As you identify criteria to create more workspaces, your design should use the fewest number that will match your requirements. Designing a workspace configuration includes evaluation of multiple criteria. Multiple services and data sources can send data to the same workspace. There are no performance limitations from the amount of data in your workspace. Your design should always start with a single workspace to reduce the complexity of managing multiple workspaces and in querying data from them. If you use only one of these services, you can ignore the other in your evaluation. Most of the decision criteria apply to both services. This article discusses Azure Monitor and Microsoft Sentinel because many customers need to consider both in their design.
