articles/sentinel/sample-workspace-designs.md
Lines changed: 0 additions & 23 deletions
@@ -215,29 +215,6 @@ The suggested solution includes:
215
215
- The central SOC team can still operate from a separate Microsoft Entra tenant, using Azure Lighthouse to access each of the different Microsoft Sentinel environments. If there's no other tenant, the central SOC team can still use Azure Lighthouse to access the remote workspaces.
216
216
- The central SOC team can also create another workspace if it needs to store artifacts that remain hidden from the continent SOC teams, or if it wants to ingest other data that isn't relevant to the continent SOC teams.
217
217
218
-
## Combining your SOC and non-SOC data
219
-
220
-
We generally recommend that customers keep a separate workspace for their non-SOC data so that non-SOC data isn't subject to Microsoft Sentinel costs. However, this recommendation for separate workspaces for non-SOC data comes from a purely cost-based perspective, and there are other key design factors to examine when determining whether to use a single or multiple workspaces. To avoid double ingestion costs, consider collecting overlapped data on a single workspace only with table-level Azure RBAC.
221
-
222
-
For example, consider an organization that has security logs ingesting at 50 GB/day, operations logs ingesting at 50 GB/day, and a workspace in the East US region.
223
-
224
-
The following table compares workspace options with and without separate workspaces.
225
-
226
-
> [!NOTE]
227
-
> Costs and terms listed in the following table are fake, and used for illustrative purposes only. For up-to-date cost information, see the Microsoft Sentinel pricing calculator.
228
-
>
229
-
230
-
|Workspace architecture |Description |
231
-
|---------|---------|
232
-
|The SOC team has its own workspace, with Microsoft Sentinel enabled. <br><br>The Ops team has its own workspace, without Microsoft Sentinel enabled. |**SOC team**:<br>Microsoft Sentinel cost for 50 GB/day is $6,500 per month.<br>First three months of retention are free.<br><br>Ops team:<br>- Cost of Log Analytics at 50 GB/day is around $3,500 per month.<br>- First 31 days of retention are free.<br><br>The total cost for both equals $10,000 per month. |
233
-
|Both SOC and Ops teams share the same workspace with Microsoft Sentinel enabled. | By combining both logs, ingestion will be 100 GB / day, qualifying for eligibility for Commitment Tier (50% for Sentinel and 15% for LA). <br><br> |
234
-
235
-
In this example, you'd have a cost savings of $1,000 per month by combining both workspaces, and the Ops team will also enjoy 3 months of free retention instead of only 31 days.
236
-
237
-
This example is relevant only when both SOC and non-SOC data each have an ingestion size of >=50 GB/day and <100 GB/day.
238
-
239
-
For more information, see [Operational and security data](/azure/azure-monitor/logs/workspace-design#operational-and-security-data).
240
-
241
218
## Next steps
242
219
243
220
In this article, you reviewed a set of suggested workspace designs for organizations.
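Review bot: The deletion of the "Combining your SOC and non-SOC data" section (old lines 218-240) also removes the sentence "To avoid double ingestion costs, consider collecting overlapped data on a single workspace only with table-level Azure RBAC" and the link to /azure/azure-monitor/logs/workspace-design#operational-and-security-data, and nothing in the hunk replaces either. If the section is being dropped because its cost example is incomplete (the shared-workspace row gives no monthly total, yet the following paragraph claims a $1,000 saving), consider keeping a one-sentence pointer to the Azure Monitor workspace design article just above "## Next steps", so readers still reach the guidance on combining operational and security data and on restricting access per table in a shared workspace. Please also check for inbound links to the removed heading's anchor before merging.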