Blog Post

Microsoft Sentinel Blog
4 MIN READ

What’s New: Cross-workspace Analytics Rules

Javier-Soriano's avatar
Javier-Soriano
Icon for Microsoft rankMicrosoft
Sep 14, 2020

(Updated Feb 9th 2021)

 

This installment is part of a broader series to keep you up to date with the latest features in Azure Sentinel. The installments will be bite-sized to enable you to easily digest the new content.

 

Today we are announcing a new feature in Azure Sentinel that enhances our multi-workspace and multi-tenant capabilities.

 

As you might know, there are certain occasions where your Azure Sentinel environment is spread across multiple workspaces. There are various reasons for this, like data ownership requirements or multi-tenant/multi-geography setups. For a full explanation of use cases and alternatives, refer to Extend Sentinel across workspaces/tenants.

 

In these cases, there’s normally the need to have a central place where we can oversee the whole environment. This can be for example a global SOC or in the case of an MSSP, a multi-customer console. This central place can be also used to replicate configuration (analytics rules, workbooks, playbooks,…) and manage all your workspace from a single point, ideally using DevOps processes and tooling. The following diagram describes this setup:

 

 

Up to now, customers and partners were able to do many things across workspaces, like hunting, workbooks and incident management.


Today we are happy to present the ability to create Analytics Rules that inspect data stored across multiple workspaces! :smile:

 

With this new feature you can now create in your Central SOC, an analytics rule that spans across other workspaces, like shown in this picture:

 

 

This can also be used in a multi-tenant setup (using Azure Lighthouse) like shown here:

 

 

There are some things you need to consider when using this feature:

 

  • Both the source and target workspaces need to have the Sentinel solution installed on them.

 

  • You can include a maximum of 20 workspaces in each detection.

 

  • Incidents and alerts raised by a cross-workspace analytics rule, will only be created in the workspace where the rule was defined (they will not show up in the “remote” workspaces)

 

Handling Entities

One of the great things about this feature, is that alerts and incidents created as part of a cross-workspace analytics rule, will also contain all the related entities, even if those entities are not from the workspace where the rule and incident where triggered. 

 

This, for example, will allow analysts to analyze data from all workspaces related to an alert/incident.  

Some other features are still not fully functional in the cross-workspace scenario, like full visual investigation or UEBA. These will come in the future.

 

When to use cross-workspace Analytics Rules

There are mainly two scenarios where customer and partners can benefit from this new feature:

 

  • When the analytics rule needs to consider data stored in multiple workspaces.

 

  • To protect the Intellectual Property created as part of an analytics rule (MSSP scenario described later in this article)

There are other scenarios where customers and partners should not use cross-workspace rules:

 

  • When the same rule applies to multiple individual workspaces, but data should not be considered together. As explained above, some Sentinel features will not fully function in a cross-workspace scenario and in addition it would make it more difficult to discern which workspace is the alert coming from.

 

Creating a cross-workspace Analytic Rule

Creating a cross-workspace rule is very easy…the only thing that changes compared to a regular rule is the query itself. In order to span multiple workspaces, you need to include the workspace and union KQL statements, adding tables from other workspaces as needed (remember the limit is 10). For example, a query to find EventID 4625 in two workspaces, would look like this:

 

 

 

 

 

 

workspace('<workspace-A>').SecurityEvent

| union workspace('<workspace-B>').SecurityEvent

| where EventID == '4625'

 

 

 

 

 

 

Remember that you can also leverage KQL functions to create aliases, that make it easier for you to use multiple workspaces. For example, you could create a function named wsAB_SecurityEvent that contains:

 

 

 

 

 

 

workspace('<workspace-A>').SecurityEvent

| union workspace('<workspace-B>').SecurityEvent

 

 

 

 

 

 

After defining this function, you can just use it in your analytics rules like this:

 

 

 

 

 

 

wsAB_SecurityEvent

| where EventID == '4625'

 

 

 

 

 

MSSP considerations

This new feature has special relevance for MSSPs as they normally manage multiple Sentinel environments spread across multiple organizations and tenants.

 

One of the reasons to use this feature is for example when the MSSP needs to hide the contents of the query from the end customer. In that case, the MSSP can create the query in its own tenant and Sentinel workspace but point at the customer workspace. See more information about protecting MSSPs intellectual property in this blog post.

 

The recommended approach for this scenario is to create analytics rules that only contain workspaces from a single customer (see diagram below). Mixing customer workspaces into a single analytics rule can lead to confusion and poor manageability.

 

 

The analytics rules in this case would contain a KQL query that doesn’t need the union statement, they would be as simple as this:

 

 

 

 

 

 

workspace('customerA_workspace').SecurityEvent
| where EventID == '4625'

 

 

 

 

 

Get started today!

 

We encourage you to leverage this new feature that enhances our cross-workspace capabilities and offers more flexibility in the way you organize your SOC.

 

Try it out, and let us know what you think!

Updated Feb 09, 2021
Version 5.0
what's new

16 Comments

Show More
  • gregoval's avatar
    gregoval
    Copper Contributor
    Sep 24, 2020

    Hello.

    In an MSSP environment with many customers on-boarded to a central MSSP Tenant (using Lighthouse), instead of having different rules for every customer (your picture under MSSP considerations) in the central Tenant, maybe it would be better we have a single cross-workspace analytic rule for all the on-boarded customers in the central Tenant and in some point have the ability to "aggregate" the name of the customer or the customer's workspace name in the produced alert? As far i have seen and despite the fact that the query is cross-workspace, the produced alert includes only the workspace name where the analytic rule was created.

     

    I am thinking about a scenario where a SOC has already developed 50 use cases (analytic rules) in a central MSSP Tenant for one customer and in the near future 10 additional customers will be on-boarded to that Tenant through Lighthouse. So the SOC will need 50X10=500 different analytic rules in order to query all the customers' workspaces through a single Tenant

     

    Regards,

  • ElYusubov's avatar
    ElYusubov
    MVP
    Sep 16, 2020

    Thank you Javier-Soriano  for delivering this important feature!
    Is there any new features that will be annonced suring Microsoft Ignite next week?

  • Javier-Soriano's avatar
    Javier-Soriano
    Icon for Microsoft rankMicrosoft
    Sep 16, 2020

    Good catch Mark-Resnik . The limit is 10 right now. Remember that you don't want to create a rule that is spanning more than 1 customer. That would make management very complex. 

     

    Regards

  • Mark-Resnik's avatar
    Mark-Resnik
    Copper Contributor
    Sep 16, 2020

    Thanks good article, and a long awaited feature.  In one place it says "You can include a maximum of 10 workspaces in each detection."    And in another section it says "(remember the limit is 15)".   Which is it?    And is that a temporary limit that is likely to be increased soon?  A typical MSSP wouldn't want to be capped at 10-15 customers..

     

    Thanks!