Microsoft Security | Microsoft Sentinel
A cloud-native SIEM solution that provides intelligent security analytics and threat detection across systems
Forward Alerts from a Secondary Sentinel to a Primary Sentinel Workspace Using Logic Apps
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 10%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMR%3C/text%3E%3C/svg%3E)
Madhan R
0
Reputation points
HI,
I am exploring the feasibility of forwarding Microsoft Sentinel alerts from a Secondary sentinel Workspace to a Primary Sentinel Workspace. There are two Sentinels for two LAWs and now we want to forward the alerts in One sentinel (secondary) to another (primary), so that we can monitor from that workspace itself.
I would like guidance on the following:
Best approach to forward alerts between two Sentinel workspaces
Whether using Logic Apps + Log Analytics Data Collector API is the recommended method
Required permissions and configuration for the managed identity or service principal
Any limitations or considerations when forwarding cross-workspace Sentinel alerts
Sample Logic App workflows or REST API examples (if available)
If anyone has implemented a similar cross-workspace Sentinel alert forwarding setup, your inputs or references to documentation would be greatly appreciated.
Thanks in advance!
Microsoft Security | Microsoft Sentinel
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 92%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Sridevi Machavarapu 7,610 Reputation points Microsoft External Staff Moderator2025-12-04T05:41:14.9033333+00:00 Hey Madhan R! It sounds like you’re trying to set up a way to forward Microsoft Sentinel alerts from a secondary Log Analytics Workspace (LAW) to a primary Sentinel Workspace. Here’s some guidance to help you out:
Best Approach to Forward Alerts
Using Azure Logic Apps combined with the Log Analytics Data Collector API is indeed one of the recommended methods for forwarding alerts between Sentinel workspaces. Logic Apps allows you to automate workflows and can easily handle the transformation and forwarding of alerts.
Required Permissions & Configuration
- Managed Identity or Service Principal: Ensure that the Logic App has the necessary permissions to access both workspaces. You may need to assign the required role such as Log Analytics Contributor or Microsoft Sentinel Contributor to your Managed Identity or Service Principal in both the secondary and primary workspaces.
- Permissions: Users need to have a Global Administrator or Security Administrator role in their tenant to perform these actions.
Limitations & Considerations
- Alerts generated in the secondary workspace don’t automatically carry over to the primary workspace. You'll need to build your Logic App to handle that transfer.
- Make sure to monitor your Logic App run status to catch any errors in the forwarding process.
- Be aware that some data connectors can only operate in one workspace, so ensure that your connectors in both workspaces are set up correctly without unnecessary duplication.
Sample Logic App Workflows or API Examples
Microsoft provides some examples and documentation on how to create Logic Apps that work with Sentinel:
- Tutorial on creating Playbooks with Logic Apps: Use playbooks with automation rules in Microsoft Sentinel.
- Microsoft Sentinel connector reference: Azure Sentinel connector.
Follow-Up Questions
To give you more tailored advice, here are a few questions:
- What type of alerts are you trying to forward (e.g., security alerts, incident alerts)?
- Do you have existing Logic Apps configured for other purposes in your Azure environment?
- Are there any specific requirements or constraints related to the data being forwarded (e.g., format, size)?
- Have you already set up Managed Identities or Service Principals for your Logic Apps?
I hope this helps you get started with your alert forwarding setup! If you have any more specific questions or need further details, feel free to ask. Good luck!
References
- Multiple Microsoft Sentinel workspaces in the Defender portal
- Monitor run status, review trigger history, and set up alerts for Azure Logic Apps
- Set up monitoring alerts
Feel free to check out these links for more information!
Note: This content was drafted with the help of an AI system.
-
Madhan R 0 Reputation points
2025-12-04T05:49:27.0866667+00:00 "Alerts generated in the secondary workspace don’t automatically carry over to the primary workspace. You'll need to build your Logic App to handle that transfer"
Can you give me a detailed workflow for the logic app to this fuctionality?? @Sridevi Machavarapu
-
Sridevi Machavarapu 7,610 Reputation points Microsoft External Staff Moderator
2025-12-04T06:13:03.16+00:00 Hi Madhan R,
You can forward incidents from the secondary workspace using a Sentinel playbook (Logic App).
Create a Logic App (Consumption) and add the trigger “When a response to an Azure Sentinel incident is triggered”, pointing it to the secondary workspace. Add Get incident, Get incident alerts (and optionally Get incident entities) actions. Use a Compose step to build a JSON payload with key fields like incident number, title, severity, status, timestamps, and alerts.
Then use Azure Log Analytics Data Collector – Send Data with the primary workspace ID and key, and a custom log name such as
ForwardedSentinelIncidents. This createsForwardedSentinelIncidents_CLin the primary workspace.In the secondary workspace, create an Automation rule with:
- When incident is created
- Run playbook → select this Logic App
If you also want Sentinel incidents in the primary workspace, create a Scheduled analytics rule on
ForwardedSentinelIncidents_CL, enable Create incidents, and map the custom fields.
Sign in to comment
Sign in to answer