In case of an MSSP, many if not all of the above requirements apply, making multiple workspaces, across tenants, the best practice. The MSSP can use Azure Lighthouse to extend Microsoft Sentinel cross-workspace capabilities across tenants.

## Microsoft Sentinel multiple workspace architecture

As implied by the requirements above, there are cases where a single SOC needs to centrally manage and monitor multiple Microsoft Sentinel workspaces, potentially across Azure Active Directory (Azure AD) tenants:

- A global SOC serving multiple subsidiaries, each having its own local SOC.
- A SOC monitoring multiple Azure AD tenants within an organization.

To address these cases, Microsoft Sentinel offers multiple-workspace capabilities that enable central monitoring, configuration, and management, providing a single pane of glass across everything covered by the SOC. This diagram shows an example architecture for such use cases.

This model offers significant advantages over a fully centralized model in which all data is copied to a single workspace:

- Flexible role assignment to the global and local SOCs, or to the MSSP and its customers.
- Fewer challenges regarding data ownership, data privacy and regulatory compliance.
- Easy onboarding and offboarding of new subsidiaries or customers.

In the following sections, we'll explain how to operate this model, and particularly how to:

- Centrally monitor multiple workspaces, potentially across tenants, providing the SOC with a single pane of glass.
- Centrally configure and manage multiple workspaces, potentially across tenants, using automation.

## Cross-workspace monitoring

### Manage incidents on multiple workspaces

Microsoft Sentinel supports a multiple-workspace incident view where you can centrally manage and monitor incidents across multiple workspaces. The centralized incident view lets you manage incidents directly or drill down transparently to the incident details in the context of the originating workspace.

### Cross-workspace querying

You can query multiple workspaces, allowing you to search and correlate data from multiple workspaces in a single query:

- Use the workspace() expression to refer to a table in a different workspace.
- Use the union operator alongside the workspace() expression to apply a query across tables in multiple workspaces.
- Use saved functions to simplify cross-workspace queries.
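The three techniques above (workspace(), union across workspaces, and a saved function) put together in KQL, as an added example that is not part of the original page or of Microsoft's documentation. The workspace names (contoso-central-ws, contoso-subsidiary-ws, fabrikam-tenant-ws), the EventID hunted for, and the saved-function name SecurityEvent_AllWorkspaces are assumptions for illustration; each numbered snippet is a separate query to paste into Log Analytics or Microsoft Sentinel.

```kql
// Added example, not from the original page. Workspace names and the saved-function
// name are hypothetical. Each numbered section is an independent query.

// 1. workspace() refers to a table that lives in another workspace. The argument can be
//    the workspace name, its workspace ID (GUID) or its full Azure resource ID.
workspace("contoso-subsidiary-ws").SecurityEvent
| where TimeGenerated > ago(1h)
| project TimeGenerated, Computer, EventID, Account
| take 10

// 2. union + workspace() applies one query across the same table in several workspaces,
//    including a workspace delegated from another tenant through Azure Lighthouse.
//    isfuzzy=true keeps the query running if one workspace does not have the table yet
//    (for example a subsidiary whose Windows Security Events connector is not onboarded).
//    TenantId holds the workspace ID of the row's origin, so results stay attributable.
union isfuzzy=true
    workspace("contoso-central-ws").SecurityEvent,
    workspace("contoso-subsidiary-ws").SecurityEvent,
    workspace("fabrikam-tenant-ws").SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4625                       // failed logons
| summarize Failures = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Account, SourceWorkspaceId = TenantId
| where Failures >= 20
| order by Failures desc

// 3. Save the union in (2) as a function named SecurityEvent_AllWorkspaces (Logs > Save >
//    Save as function). Analysts, workbooks and analytics rules then reference one alias,
//    and onboarding or offboarding a workspace means editing the function, not every query.
SecurityEvent_AllWorkspaces
| where EventID == 4625
| summarize Failures = count() by Account, SourceWorkspaceId
| order by Failures desc
```

The querying identity needs read permission on every workspace referenced (for a workspace in another tenant, that permission comes from the Azure Lighthouse delegation); a workspace the identity cannot read fails the query rather than silently returning nothing, so check the delegated roles before wiring a union like this into an analytics rule.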