Forum Discussion
Azure Sentinel Multi tenant/MSSP Playbooks
AdamJones. We are new to Sentinel and would like to implement the MSSP shared resources model. I would like to know how authentication for a shared resources model can be implemented.
For example, I have my customers A, B and C, and the subscriptions are being managed by the customers. As an MSSP we want to provide a shared resources service model. The question here is: as the subscriptions are being managed by the customer, how can our resources authenticate to the Azure Sentinel of these customers? If this is a dedicated resource, no doubt we will allocate the resources, split them into L1, L2 and L3 groups and provide the RBAC Azure Sentinel access. But when it comes to the shared resource model there can be a pool of "N" resources who may monitor the console, as these are not dedicated resources but are shared, so how can we plan the authentication of these resources?
It integrates with Azure Sentinel really well.
- Luizao_f (Jul 30, 2021, Brass Contributor): Good night, Thijs Lecomte
I have a scenario that maybe you can help me with.
I'm managing some clients with MSSP service and we're validating the integration via lighthouse.
The point we made is that we don't want to create a rule for every customer, but rather one rule that is useful for all customers.
Being more detailed, I manage X clients with Sentinel environments, and in both clients I have the 'Linux Authentication Failures' rule, which follows the identical KQL query logic. What I want to know is whether there's any way I don't need to create a rule in every Sentinel environment for every customer. That is, if I need to create a 'Windows authentication failure' rule, I wouldn't need to create it on each client.
How could I do this through the resources that lighthouse offers me?
Would the solution be to create a rule in my Sentinel tenant and use the "union" command for each customer? If so, wouldn't that bring a lot of performance cost in the query if there are many customers? Is there another, better way?
I will be grateful for the response.
- Thijs Lecomte (Jan 25, 2022, Bronze Contributor): Totally missed this one, apologies...
I would recommend looking into Sentinel as code and pushing the rules to the environments through DevOps:
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/deploying-and-managing-microsoft-sentinel-as-code/ba-p/1131928
- Julian (Jan 25, 2022, Brass Contributor): You would typically have one rule per customer, either in your MSSP tenant or per customer workspace. As described in the playbook, if you make rules querying across customer workspaces it can be difficult to know which customer/environment the alerts come from. And it's not really scalable.
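An added example of the cross-workspace approach Luizao_f asks about, written for this thread rather than taken from any of the posts or from Microsoft's playbook; the workspace names and IDs are placeholders, and the Syslog matching is one reasonable reading of 'Linux Authentication Failures', not the exact rule in the customer workspaces:

```kql
// Added example (not from any poster in this thread): one scheduled rule in the
// MSSP workspace that unions the same 'Linux authentication failures' logic across
// delegated customer workspaces. Workspace names and IDs below are placeholders.
let WorkspaceToCustomer = datatable(WorkspaceId: string, Customer: string) [
    "11111111-1111-1111-1111-111111111111", "Customer A",
    "22222222-2222-2222-2222-222222222222", "Customer B",
    "33333333-3333-3333-3333-333333333333", "Customer C"
];
// isfuzzy=true lets the rule keep running if one workspace has no Syslog table yet.
union isfuzzy=true
    workspace("customer-a-workspace").Syslog,
    workspace("customer-b-workspace").Syslog,
    workspace("customer-c-workspace").Syslog
| where TimeGenerated > ago(1h)
| where Facility in ("auth", "authpriv")
| where SyslogMessage has "authentication failure"
| extend SourceIP = extract(@"rhost=([^\s]+)", 1, SyslogMessage)
| where isnotempty(SourceIP)
| summarize Failures = count(), Hosts = make_set(Computer, 10),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by TenantId, SourceIP
| where Failures >= 20
// TenantId in every Log Analytics table is the workspace ID, so joining on it
// addresses Julian's caveat: the incident carries the customer it came from.
| join kind=leftouter WorkspaceToCustomer on $left.TenantId == $right.WorkspaceId
| project Customer, TenantId, SourceIP, Failures, Hosts, FirstSeen, LastSeen
```

Every workspace added to the union is scanned on each run and Sentinel caps how many workspaces one rule may query, so past a handful of customers the Sentinel-as-code deployment Thijs links above scales better than growing this union.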
- pavankemi (Feb 11, 2021, Brass Contributor): Hi, Lighthouse will help me out if I provide the list of resource names in the ARM template. My question here is, as a shared resource, I might have 20 resources who will monitor Azure Sentinel for various customers as part of the shared service. One resource might be providing service to multiple customers. Now I cannot ask the customer to create these 20 resources in their Azure AD. So what would be the workaround for this?
- Javier-Soriano (Feb 11, 2021, Microsoft)
pavankemi, please watch this webinar as a first step: Azure Sentinel webinar: MSSP and Distributed Organization Support - YouTube
Let us know if you have further questions after watching.
- mperrotta (Feb 17, 2021, Brass Contributor)
Javier-Soriano, we are trying to do something similar to AdamJones. We have Lighthouse set up to manage our clients' workspaces and have some Playbooks we would like to be consistent across our workspaces, such as being able to send email alerts from an incident.
We have noticed that we can attach playbooks that are created under other organizations, but we cannot attach any playbooks that are within the MSSP tenant; they just don't appear in the list. We do have the subscription selected, so that should not be the issue.
The only explanation I can think of is that we have to onboard ourselves into Lighthouse, if that is even possible.
Any insight here would be helpful.
Thanks,
Mike