Forum Discussion
leo_szalk
Jun 14, 2021 - Copper Contributor
Azure Sentinel MSP - Non-Scheduled Alert Queries
What is the best approach to take to pull alerts/incidents from non-scheduled rule queries (such as Azure AD Identity Protection) into the MSSP tenant? Should it be done by using cross-workspace q...
Javier-Soriano
Microsoft
Jun 15, 2021
Hi Leo, why do you need to bring alerts/incidents from the customer tenant to the MSSP tenant?
Just trying to understand before I answer.
leo_szalk
Jun 15, 2021 - Copper Contributor
Hi Javier,
Looking to stay aligned with best practices and protect intellectual property for some custom content.
Based on this:
https://docs.microsoft.com/en-us/azure/sentinel/mssp-protect-intellectual-property
Javier-Soriano
Jun 15, 2021 - Microsoft
Yes, but protecting intellectual property only makes sense for scheduled rules. For non-scheduled rules, there's really no IP to protect, right?
The best practice is to ONLY use cross-ws analytics rules when there's a need to protect IP.
Regards
leo_szalk
Jun 15, 2021 - Copper Contributor
Right, right. Sorry, I should have clarified a bit more.
Was mainly looking for a way to centralize all of the alerts in single console for our SOC, without them having to jump back and forth between the consoles to see the non-scheduled rules. But as I was thinking about it, I totally forgot about the Cross Workspace incidents page.
Appreciate the input 🙂
Cheers
Javier-Soriano
Jun 15, 2021 - Microsoft
No problem. Also, if you at some point have to go over the 10 workspaces limit that we support in the cross-ws incident view, you can always use this workbook as the central management pane: https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/SentinelCentral.json
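For reference, this is the cross-workspace query approach the original question asks about, written as an added example that is not part of this thread or of the linked workbook. The workspace names are placeholders, and the ProductName filter value is an assumption about how Azure AD Identity Protection alerts land in the SecurityAlert table.

```kql
// Added example (not from the thread). Runs from the MSSP workspace and
// unions the SecurityAlert table of several customer workspaces (via Lighthouse
// delegation) so alerts from non-scheduled sources can be reviewed in one place.
// "customer-a-ws" / "customer-b-ws" are placeholder workspace names.
// isfuzzy=true keeps the query running if one workspace lacks the table.
union isfuzzy=true
    (workspace("customer-a-ws").SecurityAlert | extend SourceWorkspace = "customer-a-ws"),
    (workspace("customer-b-ws").SecurityAlert | extend SourceWorkspace = "customer-b-ws")
| where TimeGenerated > ago(1d)
// Assumed product name under which Identity Protection alerts are ingested;
// verify against your own data with: SecurityAlert | distinct ProductName
| where ProductName == "Azure Active Directory Identity Protection"
| summarize AlertCount = count(), LastSeen = max(TimeGenerated)
    by SourceWorkspace, AlertName, AlertSeverity
| order by LastSeen desc
```

Each additional customer workspace is one more line in the union; this is a read-only view for the SOC, not an analytics rule, so it does not create incidents in the MSSP workspace.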