Cross-workspace queries are the lifeblood of any Microsoft Sentinel customer managing multiple workspaces, or of partners managing multiple customers.
Cross-workspace queries can follow a few different formats:
Using just the workspace names: workspace("bionicslab").Update | count
Using the fully qualified names: workspace('sixmillion/dollarman/bionicslab').Update | count
Or using the workspace ID: workspace("b459b4u5-912x-46d5-9cb1-p43069212nb4").Update | count
While all of these options are intended to be just fine, you may find (hint: you will find) that using the workspace ID provides better performance than using the workspace names or the fully qualified names.
You can, of course, locate the Workspace ID in the Overview pane of the Log Analytics workspace.
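You can also use the following KQL query in Azure Resource Graph Explorer to locate the Workspace IDs in bulk. Note that the retentionInDays filter limits the results to workspaces with 90-day retention; remove that line to list every workspace.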
resources
| where type == "microsoft.operationalinsights/workspaces"
| where properties['retentionInDays'] == "90"
| project properties['customerId']
Thanks go to LucyIsOpal on Twitter, who read this post and supplied the query.
https://twitter.com/LucyIsOpal/status/1648249592612364288?s=20
Original query location: https://github.com/QueenSquishy/acid/blob/main/Queries/Sentinel/WorkspaceID_for_Sentinel_lookup
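To move existing queries over to the faster ID form, the added example below (not code from this post or from the original query's author) rewrites workspace() references given by name or by fully qualified name into workspace ID references. It assumes you have built a name-to-ID map yourself, for instance by also projecting the workspace name in the Resource Graph query, and that each name maps to a single ID; the function name, map and sample IDs are hypothetical.

```python
import re

# Matches workspace("...") or workspace('...') and captures the identifier.
WORKSPACE_REF = re.compile(r"""\bworkspace\(\s*(["'])(?P<ident>[^"']+)\1\s*\)""")
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def rewrite_to_ids(query, name_to_id):
    """Return (rewritten_query, unresolved_identifiers).

    name_to_id maps workspace name -> workspace ID (customerId).
    Name lookups are case-insensitive.
    """
    lookup = {name.lower(): wid for name, wid in name_to_id.items()}
    unresolved = []

    def replace(match):
        ident = match.group("ident").strip()
        if GUID.match(ident):
            return match.group(0)  # already in workspace ID form
        # In 'subscription/resourcegroup/name' the workspace name is the last segment.
        name = ident.rstrip("/").split("/")[-1].lower()
        wid = lookup.get(name)
        if wid is None:
            unresolved.append(ident)
            return match.group(0)  # leave unknown references untouched
        return f'workspace("{wid}")'

    return WORKSPACE_REF.sub(replace, query), unresolved


# Constructed sample data: the ID is a placeholder, not a real workspace.
SAMPLE_MAP = {"bionicslab": "11111111-2222-3333-4444-555555555555"}
SAMPLE_QUERY = (
    'union workspace("bionicslab").Update, '
    "workspace('sixmillion/dollarman/bionicslab').Update, "
    'workspace("otherlab").Update | count'
)

if __name__ == "__main__":
    rewritten, missing = rewrite_to_ids(SAMPLE_QUERY, SAMPLE_MAP)
    print(rewritten)
    print("unresolved:", missing)
```

Anything returned in the unresolved list is left unchanged in the query, so review those references by hand before deploying the rewritten rule.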