A SOC team uses Microsoft Sentinel with multiple workspaces distributed across different regions. They need to create a single analytics rule that can query data from multiple workspaces to detect cross-tenant attacks. What is the recommended approach?
The KQL workspace() function allows a single analytics rule to query tables from multiple Log Analytics workspaces, enabling cross-workspace detection.
Why this answer
The recommended approach is to use cross-workspace queries in a single analytics rule with the workspace() function. This allows the rule to query data from multiple Sentinel workspaces in different regions without duplicating rules or ingesting data centrally. The workspace() function enables a single KQL query to reference tables from up to 100 workspaces, making it ideal for detecting cross-tenant attacks across distributed environments.
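Here is what such a cross-workspace query inside one analytics rule can look like. This is an added example, not code from the original page; the workspace names it references are assumed placeholders, and the SigninLogs columns are the standard Microsoft Entra ID sign-in table schema. It flags an account that has successfully signed in from more than one region, as seen across several workspaces, within the lookback window.

```kql
// Added example (not from the original page). Correlates sign-in events from
// several Log Analytics workspaces in one rule query using workspace().
// "sentinel-eastus" and "sentinel-westeurope" are assumed placeholder names;
// replace them with your own workspace names, qualified names or resource IDs.
let lookback = 1h;
union isfuzzy=true
    // the workspace the rule itself runs in
    (SigninLogs | extend SourceWorkspace = "local"),
    // remote workspaces referenced with workspace()
    (workspace("sentinel-eastus").SigninLogs | extend SourceWorkspace = "sentinel-eastus"),
    (workspace("sentinel-westeurope").SigninLogs | extend SourceWorkspace = "sentinel-westeurope")
| where TimeGenerated > ago(lookback)
| where ResultType == "0"                      // successful sign-ins only
| summarize
    Workspaces = make_set(SourceWorkspace),
    Locations  = make_set(Location),
    IPs        = make_set(IPAddress),
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated)
    by UserPrincipalName
// one identity active in more than one workspace and more than one location
| where array_length(Workspaces) > 1 and array_length(Locations) > 1
| project UserPrincipalName, Workspaces, Locations, IPs, FirstSeen, LastSeen
```

The identity that executes the rule must have read access to every workspace named in workspace(); across tenants that is exactly the access Azure Lighthouse delegates, which is why Lighthouse complements the workspace() function rather than replacing it. `isfuzzy=true` keeps the rule running if one referenced workspace is temporarily unreachable instead of failing the whole query.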
Exam trap
The trap here is that candidates may think Azure Lighthouse alone solves the problem, but it only provides management plane access; the actual query logic still requires the workspace() function to combine data in a single rule.
How to eliminate wrong answers
Option A is wrong because creating separate analytics rules for each workspace would require managing multiple rules, increasing complexity and failing to correlate events across workspaces in a single detection. Option C is wrong because creating a union workspace that ingests data from all workspaces would require duplicating data ingestion, increasing costs and latency, and is not a native Sentinel feature for cross-workspace queries. Option D is wrong because Azure Lighthouse provides cross-tenant management capabilities but does not allow a single analytics rule to query multiple workspaces; rules must still be created per workspace or use cross-workspace queries.