8: Workspaces and Architecture Flashcards
(15 cards)
What is a Log Analytics workspace in Sentinel?
It’s the underlying data store where Sentinel collects, stores, and queries log data.
Can Sentinel use more than one workspace?
Each Sentinel instance is tied to one workspace, but organizations can deploy multiple workspaces as needed.
What is a multi-workspace environment?
An architecture where different teams, regions, or enclaves each have their own Sentinel-connected workspace.
Why would someone use multiple workspaces?
For data sovereignty, separation of duties, performance, or compliance with enclave-specific rules.
What is Azure Lighthouse?
Azure delegated resource management: a managing tenant's users and service principals are granted Azure RBAC on resources (including Sentinel workspaces) that other tenants have delegated to it, so customer or internal tenants can be managed and monitored from a single pane of glass without guest accounts in each tenant.
Can Sentinel support multiple tenants?
Yes. With Azure Lighthouse, a managing tenant can query, investigate and automate against workspaces delegated from other tenants; alternatively, data can be forwarded from other tenants into a central workspace through an ingestion pipeline (for example the Logs Ingestion API).
What is the benefit of linking multiple workspaces?
It enables centralized visibility while preserving data boundaries and delegated ownership.
What’s the downside of multiple workspaces?
Harder to correlate data across them (cross-workspace queries are slower, and a Sentinel analytics rule can query at most 20 workspaces), and content such as analytics rules, workbooks, watchlists and automation must be deployed and kept consistent in every workspace.
What’s a hybrid architecture in Sentinel?
An environment where Sentinel ingests data from both cloud-native and on-prem systems.
What is a “spoke and hub” model in Sentinel?
A common hub-and-spoke design where separate workspaces (spokes) ingest and retain data locally, while a central workspace (hub) provides unified visibility through cross-workspace queries and rules.
Can I see all incidents across workspaces in one place?
Yes. The Sentinel Incidents page has a multiple-workspace view that lists and lets you triage incidents from several workspaces in the same subscription or tenant at once; to include workspaces in other tenants, those workspaces must be delegated through Azure Lighthouse. A cross-workspace KQL query over the SecurityIncident table gives the same view for reporting.
Can automation run across workspaces?
Yes, but it requires configuration: the playbook's managed identity must hold a role such as Microsoft Sentinel Responder on every workspace it updates, and Sentinel itself must be granted Microsoft Sentinel Automation Contributor on the resource group that holds the playbook so it is allowed to trigger it.
Can I search logs across multiple workspaces at once?
Yes, using cross-workspace KQL queries: reference another workspace's table with the workspace() function (by name, workspace ID or full resource ID) and combine results with union. Workspace names are not guaranteed unique across subscriptions, so prefer the ID or resource ID in saved queries and rules.
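An added example (not part of the original flashcards) of a cross-workspace hunting query: it unions SigninLogs from three spoke workspaces and SecurityIncident from the same spokes, then flags accounts with failed sign-ins in more than one workspace. The workspace names spoke-emea, spoke-amer and spoke-apac are placeholders; the only assumption is that those workspaces exist and that the querying identity has read access to each of them.

```kql
// Added example: hunt across several spoke workspaces from a hub workspace.
// Workspace names below are placeholders; in saved queries and analytics
// rules use the workspace ID or full resource ID, since names can collide.
let lookback = 1d;
let failedSignins =
    union isfuzzy=true          // isfuzzy lets the query run even if a table is missing in one spoke
        workspace("spoke-emea").SigninLogs,
        workspace("spoke-amer").SigninLogs,
        workspace("spoke-apac").SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"   // "0" is a successful sign-in
    // TenantId in Log Analytics tables is the workspace ID of the row's origin
    | summarize FailedCount = count(),
                Workspaces = make_set(TenantId),
                IPs = make_set(IPAddress, 20)
        by UserPrincipalName
    | where array_length(Workspaces) > 1 and FailedCount > 20;
// Incidents already open for those accounts in any spoke, so analysts avoid duplicates
let openIncidents =
    union isfuzzy=true
        workspace("spoke-emea").SecurityIncident,
        workspace("spoke-amer").SecurityIncident,
        workspace("spoke-apac").SecurityIncident
    | where TimeGenerated > ago(lookback) and Status != "Closed"
    | summarize arg_max(TimeGenerated, Status, Severity, Title) by IncidentNumber, TenantId;
failedSignins
| join kind=leftouter (
      openIncidents
      | summarize OpenIncidentCount = count() by TenantId
      | extend Workspaces = pack_array(TenantId)
  ) on $left.Workspaces == $right.Workspaces
| project UserPrincipalName, FailedCount, Workspaces, IPs, OpenIncidentCount
| order by FailedCount desc
```

Run it from the hub workspace's Logs blade or as a scheduled analytics rule; if converted to a rule, keep the total number of referenced workspaces at or below the 20-workspace limit for cross-workspace analytics rules.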
Can I ingest the same data into multiple workspaces?
Technically yes, but it increases cost and complexity—typically avoided unless necessary.
Is there a best practice for organizing workspaces?
Use one per mission set, enclave, or security boundary—balance isolation and manageability.