Default log analytics workspace for Security Center? RRS feed

  • Question

  • I am confused. I have 3 log analytics workspaces. In first workspace "A" I have Automatic Updates with 3 VMs. In second "B" I have 10 VMs and in third "C" I have nothing.

    Now I want to create custom Microsoft Antimalware alert rule for all these VMs. But in Security Center I need to choose workspace in custom alert rule and here is my problem. I can choose only third workspace "C". What now? Should I move all VMs from rest 2 workspaces "A" "B" and move them to this third "C" and then create rule after VMs will be connected to "C" workspace?

    And one more thing I don´t understand. When I check third workspace "C" that security center offers me, there is no data from security alerts. But when I look to second workspace "B" I can see security alerts data which ones security center show me. So this is even more confusing for me and I don´t understand how security center and workspace communicate? Or is there some default workspace for security center? If yes why in custom alert rules offer me different workspace than security alerts data are stored in?

    Wednesday, February 27, 2019 1:03 PM

All replies

  • can you please check if workspace C is associated with your Azure Subscription ? Also, you must need read permissions to access the workspace.  
    Saturday, March 2, 2019 12:12 AM
  • All workspaces mentioned are associated with my subscription. I have Owner permission on every workspace inherited from subscription.
    Thursday, March 7, 2019 9:08 AM