Azure Sentinel MSP - Non-Scheduled Alert Queries

Question

What is the best approach to take to pull alerts/incidents from non-scheduled rule queries, such as Azure AD Identity Protection) into the MSSP Tenant?

Should it be done by using cross-workspace queries to create a custom query that pulls in events from the SecurityAlert table with the rule frequency being near real-time to mimic the events coming in from particular connectors? Or is there an easier, built-in method?

javier-soriano · Answer

HI Leo, why do you need to bring alerts/incidents from the customer tenant to the MSSP tenant?Just trying to understand before I answer

leo_szalk · Answer

Hi Javier,Looking to stay aligned with best practices and protect intellectual property for some custom content.Based on this:https://docs.microsoft.com/en-us/azure/sentinel/mssp-protect-intellectual-property

javier-soriano · Answer

Yes, but protecting intellectual property only makes sense for scheduled rules, For non-scheduled rules, there's really no IP to protect, right?

The best practices is to ONLY use cross-ws analytics rules when there's a need to protect IP.

Regards

leo_szalk · Answer

Right, right. Sorry should have clarified a bit more.Was mainly looking for a way to centralize all of the alerts in single console for our SOC, without them having to jump back and forth between the consoles to see the non-scheduled rules. But as I was thinking about it, I totally forgot about the Cross Workspace incidents page.Appreciate the input 🙂Cheers

javier-soriano · Answer

No problem. Also, if you at some point have to go over the 10 workspaces limit that we support in the cross-ws incident view, you can always use this workbook as the central management pane: https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/SentinelCentral.json

Forum Discussion

Azure Sentinel MSP - Non-Scheduled Alert Queries

5 Replies

Resources