I'm working with a production tenant that includes a centralized log analytics workspace using Sentinel for security and Defender for Cloud. We use Data Collection Rules (DCRs) and Sentinel connectors to gather logs from all our resources. I also have a small test tenant with only a few virtual machines, and I'm wondering how to effectively secure this test environment. Specifically, how can I get logs from this test tenant into my production workspace? I was advised about using Azure Lighthouse and Multi-Tenant Operations (MTO), but that seems complicated and more suited for managed service providers. Are there any simpler suggestions?
3 Answers
Just for laughs, but have you considered using actual stakes and ropes for the tent? But seriously, maybe focus on a different method to secure your test tenant rather than complicating things with your primary logs.
If you're only testing, mixing your production logs with test data might not be the best idea. Instead, consider replicating your security setup within the test tenant itself. It keeps things simpler and avoids cluttering your production logs with test data. If you want to compare data from both, a separate Sentinel setup for testing could be beneficial. You can use multi-workspace views to analyze incidents across tenants.
Using Azure Lighthouse might be overkill for just a test tenant, but you can definitely employ the underlying tech to transfer logs effectively. This way, you ensure that your test logs are managed without complicating your production environment.

Absolutely! Keeping your test logs separate lets you easily identify issues without sifting through production data.
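The "multi-workspace views" suggested in the answer above boil down to cross-workspace KQL queries. The following is an added example, not part of any answer or of Microsoft's documentation, showing how incidents from a separate test-tenant Sentinel workspace and the production workspace can be compared in one query without shipping the test logs into production. The workspace names `prod-sentinel-workspace` and `test-sentinel-workspace` are placeholders; substitute your own workspace names or resource IDs.

```kql
// Added example (not from the original thread): compare Sentinel incidents
// across a production workspace and a separate test-tenant workspace.
// Workspace names are placeholders.
union isfuzzy=true
    (workspace("prod-sentinel-workspace").SecurityIncident
        | extend Source = "prod"),
    (workspace("test-sentinel-workspace").SecurityIncident
        | extend Source = "test")
| where TimeGenerated > ago(7d)
// SecurityIncident stores one row per incident update; keep the latest state
| summarize arg_max(TimeGenerated, *) by IncidentNumber, Source
| summarize Incidents = count() by Source, Severity, Status
| order by Source asc, Severity asc
```

The identity running the query needs read access to both workspaces; when they sit in different tenants, that access is normally delegated through Azure Lighthouse, which is the "underlying tech" the other answer refers to. `isfuzzy=true` keeps the query running if one workspace is unreachable or lacks the table, so a broken test tenant does not take the production view down with it.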