Azure-related events in separate Log Analytics workspaces
Hi all,
I have a question about collecting Azure-related events (Entra ID, Office 365, Microsoft Defender, etc.) in separate Log Analytics workspaces.
Architecture:
– One Azure tenant
– Four subscriptions
– Log analytics workspace in every subscription
– Microsoft Sentinel enabled on every Log analytics workspace
My question is: what is the best practice or the best way to collect specific Entra ID events (e.g., events related to accounts used by the finance department) in a specific Log Analytics Workspace (LAW) dedicated to the finance department? Also, how can I collect other events for Office 365 and Microsoft Defender (related to the finance department) and store them in the LAW dedicated to the finance department?
I want to store those events in the default tables for Entra ID, Office 365, and Defender within the LAW. I do not want to store the filtered data in custom tables within the LAWs.