SC-200 · Chapter 37 of 101 · Objective 2.1

Sentinel Workspace Design Considerations

This chapter covers the critical design decisions for deploying Microsoft Sentinel workspaces, including region selection, pricing tiers, retention, and data replication. For the SC-200 exam, approximately 10-15% of questions touch on workspace design and configuration. Mastering these concepts is essential for passing the exam and for real-world security operations, as a poorly designed workspace can lead to high costs, data loss, or compliance failures.

25 min read
Intermediate
Updated May 31, 2026

Workspace Design Like City Planning

Designing a Microsoft Sentinel workspace is like planning a city's infrastructure. The Log Analytics workspace is the city's central government building, where all records (logs) are stored and processed. Each region (Azure region) is like a city district, and you must decide where to build the government building based on where citizens (users and data) live. If you place it far away, data takes longer to arrive (latency) and costs more to transport (data transfer fees). The workspace's pricing tier is like the city budget: Pay-as-you-go is like paying per citizen service, while Commitment Tiers are like bulk purchasing services at a discount if you know the population will be high. Retention settings are like how long you keep old records in the archive before shredding them. Data replication (RA-GRS) is like having a backup government building in another district in case the primary is destroyed. Just as a city planner must consider population density, growth projections, and budget, a Sentinel architect must evaluate log ingestion volume, compliance requirements, and cost to choose the right region, pricing tier, and retention period. A poorly planned city leads to traffic jams and high costs; a poorly planned workspace leads to high latency, data loss, or budget overruns.

How It Actually Works

Overview of Microsoft Sentinel Workspace Design

Microsoft Sentinel is built on top of a Log Analytics workspace. Every Sentinel instance is tied to exactly one Log Analytics workspace, and that workspace defines the geographic region, pricing tier, data retention, and access control for all security data. Designing the workspace correctly from the start is crucial because many settings cannot be changed after creation, or changing them requires migrating data to a new workspace.

Why Workspace Design Matters

Cost: Ingestion costs are based on the pricing tier (Pay-as-you-go vs. Commitment Tiers) and the volume of data. Data transfer out of a region incurs additional egress charges.

Performance: The workspace region affects data ingestion latency. Logs generated in a different region than the workspace must traverse the Azure backbone, adding 5-15 ms latency.

Compliance: Data residency requirements may mandate that logs remain within a specific geographic boundary (e.g., EU, US). The workspace region determines where data is stored at rest.

Retention: The default retention is 30 days for interactive queries and up to 2 years for archived logs. Longer retention increases storage costs.

Replication: Azure offers Locally Redundant Storage (LRS) and Geo-Redundant Storage (RA-GRS) for disaster recovery. RA-GRS replicates data to a paired region but may conflict with data residency requirements.

Key Design Decisions

#### 1. Workspace Region

The workspace region is selected at creation and cannot be changed. Choose a region that:

Is close to the majority of your data sources to minimize latency.

Meets data residency compliance requirements. For example, if your organization must keep data within the EU, select a region in Europe.

Supports all required features. Some features like User and Entity Behavior Analytics (UEBA) may not be available in all regions.

Exam Tip: The exam often tests that you cannot move a workspace to a different region. You must create a new workspace and migrate data, which involves downtime and data re-ingestion.

#### 2. Pricing Tier

Sentinel pricing is based on the Log Analytics workspace pricing tier:

Pay-as-you-go: You pay per GB of data ingested. No upfront commitment. Suitable for small or unpredictable volumes.

Commitment Tiers: You commit to a minimum daily volume (100 GB/day, 200 GB/day, 500 GB/day, etc.) and receive a discount (up to 50% for the highest tier). Overages are billed at the Pay-as-you-go rate.

Free Trial: First 31 days free (up to 10 GB/day per workspace). After the trial, you must choose a tier.

Important: The commitment tier is applied to the workspace, not per data source. You can change the tier up to twice per billing month. Overages are billed at the Pay-as-you-go rate, so if you consistently exceed your commitment, you may want to move to a higher tier.

Exam Trap: Candidates often think that Commitment Tiers require a fixed monthly payment regardless of usage. In reality, you pay for the committed amount even if you ingest less, but you get a discount compared to Pay-as-you-go for the same volume. If you ingest more, you pay only for the excess.
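To make the billing rules above concrete, here is an added Python example (not part of the course material or of any Microsoft tool) that compares Pay-as-you-go with each Commitment Tier for a given daily volume and computes the break-even point at which a tier starts paying for itself. The per-GB rate and the discount table are constructed placeholders; only the roughly 30% at 200 GB/day and 50% at the highest tier are figures from this chapter.

```python
# Added example, not course or Microsoft code: Pay-as-you-go vs Commitment Tier
# under the billing rules stated above (the committed volume is always paid for;
# volume above the commitment is billed at the Pay-as-you-go rate).
from dataclasses import dataclass
from typing import Optional

PAYG_RATE_PER_GB = 1.0  # constructed unit price (real prices vary by region)

# Constructed discount table keyed by committed GB/day. The chapter gives only
# "~30% at 200 GB/day" and "50% for the highest tier"; 100 and 500 are filled in
# as plausible intermediate values for illustration.
COMMITMENT_DISCOUNTS = {100: 0.25, 200: 0.30, 500: 0.40, 1000: 0.50}


@dataclass(frozen=True)
class Recommendation:
    tier_gb: Optional[int]   # None means Pay-as-you-go is cheapest
    monthly_cost: float
    payg_cost: float


def payg_cost(daily_gb: float, days: int = 31) -> float:
    """Pay-as-you-go: every ingested GB at list price, no minimum."""
    return daily_gb * PAYG_RATE_PER_GB * days


def commitment_cost(daily_gb: float, tier_gb: int, days: int = 31) -> float:
    """Commitment Tier: the committed GB/day is billed at the discounted rate
    whether or not it is used; anything above it is billed at the PAYG rate."""
    discount = COMMITMENT_DISCOUNTS[tier_gb]
    committed_per_day = tier_gb * PAYG_RATE_PER_GB * (1 - discount)
    overage_per_day = max(0.0, daily_gb - tier_gb) * PAYG_RATE_PER_GB
    return (committed_per_day + overage_per_day) * days


def break_even_gb(tier_gb: int) -> float:
    """Daily volume at which a tier starts beating Pay-as-you-go.
    Committing to T GB at discount d costs T*(1-d) per day regardless of use,
    so it wins once actual ingestion exceeds T*(1-d) GB/day."""
    return tier_gb * (1 - COMMITMENT_DISCOUNTS[tier_gb])


def recommend(daily_gb: float, days: int = 31) -> Recommendation:
    """Cheapest option for a stable daily volume, scanning every tier."""
    payg = payg_cost(daily_gb, days)
    best_tier, best_cost = None, payg
    for tier in sorted(COMMITMENT_DISCOUNTS):
        cost = commitment_cost(daily_gb, tier, days)
        if cost < best_cost:
            best_tier, best_cost = tier, cost
    return Recommendation(best_tier, best_cost, payg)


def saving_pct(rec: Recommendation) -> float:
    """Percentage saved against Pay-as-you-go (0.0 when PAYG was chosen)."""
    if rec.payg_cost == 0:
        return 0.0
    return 100.0 * (rec.payg_cost - rec.monthly_cost) / rec.payg_cost


if __name__ == "__main__":
    # Constructed volumes: a small unpredictable source, the chapter's 200 GB/day
    # example, and a 1.2 TB/day spike like the one in Enterprise Scenario 2.
    for gb in (50, 200, 1200):
        rec = recommend(gb)
        label = "Pay-as-you-go" if rec.tier_gb is None else f"{rec.tier_gb} GB/day tier"
        print(f"{gb:5} GB/day -> {label}: {rec.monthly_cost:.0f} ({saving_pct(rec):.0f}% saved)")
```

Note that at 1200 GB/day the 1000 GB tier still wins even though 200 GB/day is billed as overage, which is exactly the situation the bank in Scenario 2 monitors with budget alerts.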

#### 3. Data Retention and Archiving

Interactive retention: Default is 30 days. You can increase up to 2 years (730 days) for additional cost. This is the period during which data is available for real-time queries.

Long-term retention: After the interactive period, data can be moved to an archive (cold storage) for up to 7 years total. Archive queries are slower and charged per query.

Total retention: The sum of interactive + archive retention cannot exceed 7 years (2556 days).

Configuration: Retention is set at the workspace level but can be overridden for specific tables (e.g., SecurityEvent, CommonSecurityLog) via the Azure portal or using the Set-AzOperationalInsightsTable PowerShell cmdlet.

Exam Value: Know the default interactive retention (30 days) and the maximum total retention (7 years). Also know that archiving is cost-effective for compliance but slower for queries.

#### 4. Data Replication

Azure Log Analytics workspaces use Azure Storage for data persistence. You can choose between:

LRS (Locally Redundant Storage): Data is replicated three times within the same datacenter. Protects against disk failures but not datacenter outages.

RA-GRS (Read-Access Geo-Redundant Storage): Data is replicated to a paired region (e.g., East US to West US). Provides read access to the replica if the primary region fails. Note: RA-GRS may violate data residency requirements because data is stored in two regions.

Default: RA-GRS is the default for new workspaces. You can change to LRS at creation or later via the Azure portal.

Exam Note: Do not assume the replication type is locked once the workspace exists. You can change from RA-GRS to LRS and vice versa, but the change may take 24-48 hours to propagate. The exam may test that RA-GRS is the default and that it supports failover scenarios.

#### 5. Access Control

Workspace-level RBAC: Assign roles like Sentinel Reader, Sentinel Responder, or Sentinel Contributor at the workspace scope.

Table-level RBAC: Restrict access to specific tables (e.g., only security analysts can query SecurityEvent).

Resource-level RBAC: If you use resource-context access, users can see alerts and incidents related to resources they own, even if they don't have workspace-level permissions.

Exam Focus: Understand the difference between workspace-context and resource-context RBAC. Resource-context is recommended for organizations with many teams managing their own resources.

Interaction with Other Azure Services

Azure Policy: Can enforce workspace configuration (e.g., require specific region, retention, or replication type).

Azure Blueprints: Can deploy a complete Sentinel environment with pre-configured workspaces.

Azure Monitor: Sentinel uses the same Log Analytics workspace as Azure Monitor. Sharing a workspace between monitoring and security can reduce costs but may complicate RBAC.

Configuration and Verification Commands

To view workspace properties using Azure CLI:

```bash
az monitor log-analytics workspace show --resource-group MyResourceGroup --workspace-name MyWorkspace
```

To set retention for a specific table using PowerShell:

```powershell
Set-AzOperationalInsightsTable -ResourceGroupName MyResourceGroup -WorkspaceName MyWorkspace -TableName SecurityEvent -RetentionInDays 90
```

To change pricing tier:

```bash
az monitor log-analytics workspace update --resource-group MyResourceGroup --workspace-name MyWorkspace --sku CapacityReservation --capacity-reservation-level 100
```

(Note: CapacityReservation is the Commitment Tier. The level is in GB/day.)

Walk-Through

1. Assess Data Sources and Volume

Begin by inventorying all data sources that will send logs to Sentinel: Azure resources, on-premises servers, cloud applications (Office 365, AWS, GCP), and third-party security tools. Estimate the daily ingestion volume in GB per data source. For example, a typical Windows Event Log source might generate 1-5 GB/day per server. Use tools like Azure Monitor’s data volume estimates or third-party calculators. This assessment determines the required pricing tier (Pay-as-you-go vs. Commitment) and helps forecast costs. Also identify data residency requirements: some sources may be subject to GDPR, HIPAA, or other regulations that mandate data stay in a specific geographic region. The workspace region must accommodate the most restrictive requirement.

2. Select Workspace Region

Based on the assessment, choose an Azure region that is close to the majority of data sources to minimize latency and egress costs. For example, if most servers are in the US East, select East US. If compliance requires data to stay in the EU, choose West Europe or North Europe. Verify that all required Sentinel features (e.g., UEBA, Fusion, threat intelligence) are available in that region. Note that you cannot change the region later, so this decision is permanent. If multi-region is needed, you may deploy multiple workspaces and use cross-workspace queries or Azure Lighthouse for centralized management. However, this adds complexity and cost.

3. Choose Pricing Tier and Retention

With the estimated daily volume, decide whether Pay-as-you-go or a Commitment Tier is more cost-effective. If the volume is stable and above 100 GB/day, a Commitment Tier usually saves money. For example, at 200 GB/day, the Commitment Tier for 200 GB gives a ~30% discount over Pay-as-you-go. Set interactive retention to 90 days (common for security operations) or longer if required by compliance. Archive retention can extend total retention to 7 years. Use the Azure portal or CLI to configure. Remember that retention can be changed later, but decreasing retention will delete data permanently. Also consider enabling long-term retention for compliance tables like SecurityEvent.

4. Configure Data Replication and Access

Decide on data replication: LRS for cost savings and data residency compliance (data stays in one datacenter), or RA-GRS for disaster recovery (data replicated to paired region). The default is RA-GRS. If you choose LRS, ensure that your organization accepts the risk of data loss during a regional outage. Next, set up access control: create custom roles or use built-in Sentinel roles. For teams that manage their own resources, enable resource-context RBAC. This allows users to see incidents related to their resources without needing workspace-level permissions. Configure table-level RBAC if certain tables (e.g., Heartbeat) should be restricted. Test access with a sample user.

5. Deploy and Validate

Create the workspace in the Azure portal, specifying the region, pricing tier, retention, and replication type. After creation, connect data sources: enable connectors for Azure services (Azure Activity, Azure AD, etc.), install the Log Analytics agent on Windows/Linux servers, and configure third-party connectors via API or Syslog. Use the Sentinel Overview page to check data ingestion rates. Validate that logs are appearing in the workspace by running a simple KQL query, such as `SecurityEvent | take 10`. Monitor costs in Azure Cost Management + Billing. If actual volume exceeds estimates, adjust the Commitment Tier or switch to Pay-as-you-go. Document the workspace configuration for compliance audits.

What This Looks Like on the Job

Enterprise Scenario 1: Global Retail Chain with GDPR Compliance

A multinational retailer with headquarters in Germany and data centers in the EU, US, and Asia needs to deploy Sentinel for security monitoring. GDPR requires that personal data of EU citizens remain within the EU. The architect decides to create two workspaces: one in West Europe for EU data, and one in East US for US and Asia data. The EU workspace uses LRS to ensure data never leaves the EU region. The US workspace uses RA-GRS for disaster recovery. Each workspace has a Commitment Tier of 200 GB/day based on estimated logs from Azure resources, Office 365, and on-premises servers. Retention is set to 90 days interactive and 2 years archive for EU, and 60 days interactive for US to balance cost and compliance. Cross-workspace queries are used for global threat hunting, but each workspace's data remains isolated. The challenge is managing separate RBAC policies for each region and ensuring that incident response teams have access to the right workspace. The team uses Azure Lighthouse to allow global SOC analysts to query both workspaces from a single pane of glass.

Enterprise Scenario 2: Financial Services Firm with High Volume

A large bank ingests 1 TB of security logs per day from its on-premises servers, cloud workloads, and network appliances. The architect chooses a single workspace in the same region as the primary data center (East US) to minimize latency. Due to the high volume, they select the Commitment Tier at 1000 GB/day, which provides a 50% discount compared to Pay-as-you-go. Interactive retention is set to 30 days (default) because the bank uses a SIEM solution for long-term storage and only needs Sentinel for real-time detection. However, they configure archive retention for 5 years on specific tables (e.g., SecurityEvent, CommonSecurityLog) to meet regulatory requirements. Data replication is RA-GRS to ensure business continuity. The bank uses table-level RBAC to restrict access to sensitive financial transaction logs to a subset of analysts. A common problem is that the ingestion volume occasionally spikes to 1.2 TB/day, causing overage charges. The architect sets up budget alerts to notify when daily volume exceeds 1.1 TB, allowing the team to investigate the spike or adjust the Commitment Tier.

Common Misconfigurations

Choosing the wrong region: An organization with all data in Europe creates a workspace in US East, causing high latency and egress costs. Data residency compliance is violated.

Overpaying for Pay-as-you-go: A company with stable 300 GB/day uses Pay-as-you-go instead of a Commitment Tier, paying 30% more.

Setting retention too low: A healthcare organization sets retention to 30 days, violating HIPAA requirements for 6-year retention. They must then migrate to a new workspace with longer retention.

Using RA-GRS for EU data: A company with GDPR requirements uses RA-GRS, which replicates data to a paired region outside the EU, violating data residency.
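The walk-through steps and the misconfigurations listed above can be expressed as a pre-deployment check. The following Python is an added example, not code from the course or from Microsoft: the region-to-geography map, the sample workspace and the requirements dictionary are constructed; the keys location, retentionInDays and sku are assumed to follow the shape of `az monitor log-analytics workspace show` output; archiveRetentionDays and replication are invented keys for this check.

```python
# Added example, not course or Microsoft code: a pre-deployment check that
# applies the chapter's design rules to a proposed workspace definition.
import json
from typing import Dict, List

# Constructed subset of Azure regions grouped by geography (illustrative only).
REGION_GEOGRAPHY = {
    "westeurope": "EU", "northeurope": "EU",
    "eastus": "US", "eastus2": "US", "westus": "US",
}
INTERACTIVE_MAX_DAYS = 730   # 2 years, chapter figure
TOTAL_MAX_DAYS = 2556        # 7 years, chapter figure
COMMITMENT_MIN_GB = 100      # smallest Commitment Tier, chapter figure
PAYG_SKU = "PerGB2018"       # SKU name Azure uses for Pay-as-you-go
COMMIT_SKU = "CapacityReservation"


def check_design(workspace: Dict, requirements: Dict) -> List[str]:
    """Return findings for a proposed workspace; an empty list means it passes.
    workspace: location, retentionInDays, sku (CLI field names, assumed) plus the
    invented keys archiveRetentionDays and replication. requirements (invented):
    data_residency, data_sources_geography, min_retention_days, daily_gb, volume_stable."""
    findings: List[str] = []
    region = workspace["location"].lower()
    geo = REGION_GEOGRAPHY.get(region)
    residency = requirements.get("data_residency")
    sources_geo = requirements.get("data_sources_geography")

    # 1. Region: residency is a hard constraint; distance from sources costs latency and egress.
    if residency and geo != residency:
        findings.append(f"region '{region}' is outside the required geography {residency}")
    if sources_geo and geo != sources_geo:
        findings.append(f"region '{region}' is remote from data sources in {sources_geo}; "
                        "expect ingestion latency and egress charges")

    # 2. Replication: RA-GRS copies data to the paired region, which can leave the geography.
    if residency and workspace.get("replication") == "RA-GRS":
        findings.append(f"RA-GRS replicates to a paired region; use LRS to keep data inside {residency}")

    # 3. Retention: the interactive cap, the total cap, then the compliance minimum.
    interactive = workspace["retentionInDays"]
    total = interactive + workspace.get("archiveRetentionDays", 0)
    if interactive > INTERACTIVE_MAX_DAYS:
        findings.append(f"interactive retention {interactive} days exceeds the {INTERACTIVE_MAX_DAYS}-day maximum")
    if total > TOTAL_MAX_DAYS:
        findings.append(f"total retention {total} days exceeds the {TOTAL_MAX_DAYS}-day maximum")
    required = requirements.get("min_retention_days", 0)
    if total < required:
        findings.append(f"total retention {total} days is below the {required} days required by compliance")

    # 4. Pricing tier: a stable volume at or above 100 GB/day belongs on a Commitment Tier,
    #    and a commitment below the real volume bills the excess at the Pay-as-you-go rate.
    sku = workspace["sku"]
    daily = requirements.get("daily_gb", 0)
    if sku["name"] == PAYG_SKU and requirements.get("volume_stable") and daily >= COMMITMENT_MIN_GB:
        findings.append(f"stable {daily} GB/day on Pay-as-you-go; a Commitment Tier would be cheaper")
    if sku["name"] == COMMIT_SKU and daily > sku.get("capacityReservationLevel", 0):
        findings.append(f"{daily} GB/day exceeds the {sku['capacityReservationLevel']} GB/day "
                        "commitment; the excess is billed at the Pay-as-you-go rate")
    return findings


# Constructed sample: an EU organisation's logs landing in a US workspace, combining the
# "wrong region", "RA-GRS for EU data", "retention too low" and "overpaying for
# Pay-as-you-go" misconfigurations above. JSON shape follows the CLI output (assumed).
SAMPLE_WORKSPACE_JSON = """{
  "location": "eastus",
  "retentionInDays": 30,
  "archiveRetentionDays": 0,
  "replication": "RA-GRS",
  "sku": {"name": "PerGB2018"}
}"""
SAMPLE_REQUIREMENTS = {
    "data_residency": "EU", "data_sources_geography": "EU",
    "min_retention_days": 6 * 365, "daily_gb": 300, "volume_stable": True,
}


def run_sample() -> List[str]:
    """Run the check on the constructed sample; returns five findings."""
    return check_design(json.loads(SAMPLE_WORKSPACE_JSON), SAMPLE_REQUIREMENTS)
```

Calling `run_sample()` on the constructed sample reports all five problems; a West Europe workspace on LRS with 90 days interactive plus 2100 days archive and a 500 GB/day commitment passes with no findings.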

How SC-200 Actually Tests This

What SC-200 Tests on Workspace Design

The SC-200 exam (Objective 2.1: Design a Log Analytics workspace) focuses on the ability to make design decisions based on requirements. You are typically given a scenario with constraints (cost, compliance, latency) and asked to choose the correct configuration. Key areas:

Region selection: Given data sources in multiple geographies, choose a region that minimizes latency and meets data residency. Remember: you cannot change region after creation.

Pricing tier: Know the difference between Pay-as-you-go and Commitment Tiers. Commitment Tiers require a minimum daily volume and provide discounts. Overages are billed at Pay-as-you-go rate.

Retention: Default interactive retention is 30 days. Maximum total retention (interactive + archive) is 7 years. Archive is cheaper but slower to query.

Replication: RA-GRS is default. LRS keeps data in a single region. RA-GRS may violate data residency.

RBAC: Resource-context vs. workspace-context. Resource-context is recommended for decentralized teams.

Common Wrong Answers and Traps

1. Trap: Choosing a workspace region based on the location of the SOC team, not the data sources. Many candidates think the workspace should be near the analysts for low query latency. However, the primary latency concern is ingestion, not query. Analysts can query from anywhere with acceptable latency. Choose the region near data sources.

2. Trap: Thinking Commitment Tiers are a fixed monthly cost regardless of usage. Candidates may believe you pay the same even if you use less. Actually, you pay for the committed amount even if you ingest less, but you get a discount. If you use more, you pay extra for overages.

3. Trap: Assuming you can change the workspace region later. The exam tests that this is not possible. You must create a new workspace and migrate data.

4. Trap: Confusing retention with archiving. Some candidates think archive retention is the same as interactive retention. Archive is read-only and slower; interactive supports real-time queries.

Specific Numbers and Terms to Memorize

Default interactive retention: 30 days

Maximum total retention: 7 years (2556 days)

Commitment Tier minimum: 100 GB/day

Free trial: 31 days, 10 GB/day

Replication options: LRS and RA-GRS (RA-GRS is default)

RBAC types: workspace-context, resource-context, table-level

Edge Cases

If a workspace is deleted, data is retained for 7 days (soft delete) before permanent deletion.

You can have multiple workspaces, but each Sentinel instance is tied to one workspace.

Cross-workspace queries are possible but incur egress costs if workspaces are in different regions.

Some data sources (e.g., Azure AD) are regional and may not support all regions.

Key Takeaways

Workspace region is fixed at creation; choose based on data source location and compliance.

Default interactive retention is 30 days; maximum total retention is 7 years.

Commitment Tiers require a minimum daily volume and offer discounts; overages are Pay-as-you-go.

RA-GRS is the default replication; LRS keeps data in a single region.

Resource-context RBAC restricts users to their own resources; workspace-context grants full access.

You cannot change workspace region after creation; migration requires a new workspace.

Free trial: 31 days, up to 10 GB/day per workspace.

Table-level RBAC can restrict access to specific tables (e.g., SecurityEvent).

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Pay-as-you-go Pricing

No commitment; pay per GB ingested.

Best for small or unpredictable volumes.

No discount; full list price per GB.

No minimum volume required.

Can change to Commitment Tier at any time.

Commitment Tier Pricing

Commit to a minimum daily volume (100 GB/day or more).

Best for stable, high volumes (e.g., >100 GB/day).

Discount up to 50% compared to Pay-as-you-go.

Overage billed at Pay-as-you-go rate.

Can change tier up to twice per billing month.

LRS (Locally Redundant Storage)

Data replicated three times within a single datacenter.

Protects against disk failures, not datacenter outages.

Lower cost than RA-GRS.

Data stays within the selected region.

No read access to replica during normal operation.

RA-GRS (Read-Access Geo-Redundant Storage)

Data replicated to a paired region (e.g., East US to West US).

Provides read access to replica if primary region fails.

Higher cost due to geo-replication.

Data may leave the primary region, affecting compliance.

Default replication option for new workspaces.

Workspace-Context RBAC

Users need Sentinel roles at the workspace level.

Grants access to all data in the workspace.

Simpler for centralized SOC teams.

Does not restrict based on resource ownership.

Requires workspace-level permissions.

Resource-Context RBAC

Users see only alerts/incidents for resources they own.

Recommended for decentralized teams.

No workspace-level role required; uses Azure RBAC at resource level.

Reduces risk of data over-exposure.

More complex to set up initially.

Watch Out for These

Mistake

You can change the workspace region after creation by updating the location.

Correct

The workspace region is fixed at creation. You cannot change it. To use a different region, you must create a new workspace and migrate data.

Mistake

Commitment Tiers require a fixed monthly payment even if you ingest less than the committed amount.

Correct

You pay for the committed amount regardless of actual ingestion, but you get a discount compared to Pay-as-you-go. If you ingest more, you pay only for the excess at the Pay-as-you-go rate.

Mistake

RA-GRS is the only replication option and cannot be changed.

Correct

You can choose either LRS or RA-GRS at creation, and you can change between them later (though it may take 24-48 hours to propagate). RA-GRS is the default.

Mistake

Data retention includes both interactive and archive, but you cannot delete data before the retention period ends.

Correct

You can delete data manually at any time using the Purge feature (with appropriate permissions). Retention settings only define how long data is kept automatically.

Mistake

Resource-context RBAC gives users full access to all data in the workspace.

Correct

Resource-context RBAC restricts users to see only alerts and incidents related to resources they own. They cannot query other tables or see data from other resources.


Frequently Asked Questions

Can I change the region of my Microsoft Sentinel workspace after creation?

No, you cannot change the region of a Log Analytics workspace after creation. The region is fixed at the time of creation and cannot be modified. If you need a different region, you must create a new workspace in the desired region and migrate your data. This involves reconnecting data sources and may result in temporary data gaps. Therefore, it is critical to choose the correct region during initial deployment.

What is the difference between Pay-as-you-go and Commitment Tiers for Sentinel pricing?

Pay-as-you-go charges per GB of data ingested without any upfront commitment. It is ideal for small or variable volumes. Commitment Tiers require you to commit to a minimum daily ingestion volume (e.g., 100 GB/day) and offer a discounted rate (up to 50% off) compared to Pay-as-you-go. If you ingest less than the committed amount, you still pay for the committed volume. If you ingest more, the excess is billed at the Pay-as-you-go rate. You can change the tier up to twice per billing month.

How long does Microsoft Sentinel retain data by default, and what are the retention options?

By default, Microsoft Sentinel retains data for 30 days in interactive storage (fast query). You can increase interactive retention up to 2 years (730 days) for an additional cost. After the interactive period, you can move data to long-term archive storage for up to 7 years total (interactive + archive). Archive queries are slower and incur separate query charges. The maximum total retention is 7 years (2556 days).

What is the difference between LRS and RA-GRS for Sentinel workspace storage?

LRS (Locally Redundant Storage) replicates data three times within the same datacenter, protecting against disk failures but not datacenter outages. RA-GRS (Read-Access Geo-Redundant Storage) replicates data to a paired region in the same geography, providing read access to the replica if the primary region fails. RA-GRS is the default and offers better disaster recovery but may violate data residency requirements because data is stored in two regions. LRS is cheaper and keeps data within a single region.

When should I use resource-context RBAC vs. workspace-context RBAC in Sentinel?

Use resource-context RBAC when you have multiple teams that manage their own Azure resources and should only see security incidents related to their resources. This approach leverages existing Azure RBAC at the resource level and does not require granting workspace-level permissions. Use workspace-context RBAC when you have a centralized SOC team that needs visibility into all data in the workspace. Resource-context is recommended for decentralized environments to reduce the risk of data over-exposure.

Can I have multiple Microsoft Sentinel workspaces in the same subscription?

Yes, you can have multiple Microsoft Sentinel workspaces in the same subscription. Each workspace is independent and can be in different regions, have different pricing tiers, and serve different compliance requirements. However, each Sentinel instance is tied to a single workspace, so you cannot have a single Sentinel deployment span multiple workspaces. You can use cross-workspace queries to query multiple workspaces, but this may incur additional costs and complexity.

What happens if I delete a Microsoft Sentinel workspace?

When you delete a Log Analytics workspace that contains Sentinel, the workspace enters a soft-delete state for 7 days. During this period, the data is retained and can be recovered by restoring the workspace. After 7 days, the workspace and its data are permanently deleted. You can also perform a hard delete (purge) immediately using the Purge feature, which permanently removes the data. Ensure you have exported any necessary data before deletion.
