Sentinel POC- Architecture and Recommendations For MSSPs (Part 6)

 





To read part 1, please click here
To read part 2, please click here
To read part 3, please click here
To read part 4, please click here
To read part 5, please click here




Cross-Workspace

Since artifacts can exist in both the MSSP and the customer workspaces, it is easier to keep the ones containing intellectual property in the MSSP workspace only. The following options show how they can then be used to access customers' data:
  • Multiple workspace incident view- This view becomes available as soon as the customers delegate access using Azure Lighthouse, or when there are multiple workspaces within the same tenant.

  • Cross workspace querying- Multiple workspaces can be queried through the Logs blade using the workspace() expression together with the union operator.

  • Cross workspace analytic rules- Partners can create analytic rules whose query includes up to 20 workspaces. Most analytic rules run in the customer's workspace; this option is for the cases where a cross workspace analytic rule is genuinely needed.

  • Cross workspace workbooks- Several Content hub solutions include workbooks that can query data across workspaces, and partners can also create their own. For example, the Incident Overview workbook and the Microsoft Sentinel Cost workbook let partners view this data across their customers' workspaces, as long as they have access.

  • Cross workspace hunting- This works the same way as querying through the Logs blade; partners can also save those queries as hunting queries to run later.
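As an added example (not from the original post), here is a cross-workspace hunting query of the kind the querying and hunting bullets describe: it unions the SecurityEvent table from two customer workspaces referenced with workspace(), tags every row with its source workspace, and summarizes failed logons (event 4625) per account so an analyst can compare activity across customers in one result set. The workspace names and the threshold are placeholders chosen for the example.

```kql
// Added example: cross-workspace failed-logon summary for a partner SOC.
// "contoso-sentinel-ws" and "fabrikam-sentinel-ws" are placeholder workspace names;
// the partner needs Log Analytics Reader (or equivalent) on each via Azure Lighthouse.
let customerA = workspace("contoso-sentinel-ws").SecurityEvent
    | extend SourceWorkspace = "contoso-sentinel-ws";
let customerB = workspace("fabrikam-sentinel-ws").SecurityEvent
    | extend SourceWorkspace = "fabrikam-sentinel-ws";
// isfuzzy=true lets the union still run if one workspace lacks the table yet
union isfuzzy=true customerA, customerB
| where TimeGenerated > ago(1d)
| where EventID == 4625                        // Windows failed logon
| summarize FailedLogons = count(),
            DistinctSourceIPs = dcount(IpAddress),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by SourceWorkspace, TargetAccount = tolower(TargetUserName)
| where FailedLogons >= 20                     // placeholder threshold; tune per customer
| order by SourceWorkspace asc, FailedLogons desc
```

The same query can be saved from the Hunting blade so it can be re-run later, and the SourceWorkspace column keeps each customer's results attributable when the output is reviewed in the MSSP workspace.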

Other Resources

A list of links is available to help partners that are ramping up with Microsoft Sentinel: https://aka.ms/SentinelLinks. This list is constantly updated and includes all sorts of information, including links to the various Ninja trainings and additional links on more advanced subjects such as UEBA, Fusion, SOAR automation, etc.






