AdamJones
Feb 06, 2021, Copper Contributor
Azure Sentinel Multi tenant/MSSP Playbooks
Hi, Just to add some background before I ask the question. We have about 8 customers that we have deployed a CSP Subscription and put Sentinel on. We have then used Lighthouse to grant us acc...
Thijs Lecomte
Feb 11, 2021, Bronze Contributor
You need to check out Lighthouse. It provides easy access to the resources of your customers.
It integrates with Azure Sentinel really well.
Luizao_f
Jul 30, 2021, Brass Contributor
Good evening, Thijs Lecomte
I have a scenario that maybe you can help me with.
I'm managing some clients with MSSP service and we're validating the integration via lighthouse.
The point we reached is that we don't want to create a rule for every customer, but rather a single rule that is useful for all customers.
To be more detailed: I manage X clients with Sentinel environments, and in each of those clients I have the 'Linux Authentication Failures' rule, which follows identical KQL query logic. What I want to know is whether there is any way to avoid creating the rule in every Sentinel environment for every customer. That is, if I need to create a 'Windows authentication failure' rule, I would not need to create it in each client.
How could I do this with the resources that Lighthouse offers me?
Would the solution be to create a rule in my Sentinel tenant and use the "union" command for each customer? If so, wouldn't that bring a lot of performance cost to the query if there are many customers? Is there another, better way?
I will be grateful for the response.
Thijs Lecomte
Jan 25, 2022, Bronze Contributor
Totally missed this one, apologies...
I would recommend looking into Sentinel as code and pushing the rules to the environments through DevOps:
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/deploying-and-managing-microsoft-sentinel-as-code/ba-p/1131928
Julian
Jan 25, 2022, Brass Contributor
You would typically have one rule per customer, either in your MSSP tenant or per customer workspace. As described in the playbook, if you make rules querying across customer workspaces it can be difficult to know which customer/environment the alerts come from. And it's not really scalable.
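The approach the two replies converge on (one copy of the rule per customer workspace, pushed from a single definition kept in source control) looks like the following. This is an added example, not code from the thread, from Microsoft or from the linked blog post. It assumes the Az.Accounts and Az.SecurityInsights modules, that the signed-in MSSP identity holds a Lighthouse-delegated Sentinel Contributor role on each customer subscription, and that the customer inventory, subscription IDs, resource group and workspace names, rule GUID and KQL are all hypothetical placeholders. Parameter names follow Az.SecurityInsights 3.x (`-Kind Scheduled`, `-RuleId`); check `Get-Help New-AzSentinelAlertRule` if your installed version differs.

```powershell
#Requires -Modules Az.Accounts, Az.SecurityInsights
# Added example (not from the thread): deploy one scheduled analytics rule to every
# delegated customer workspace, so the rule is authored once and rolled out N times.

# Customer inventory reached through Azure Lighthouse delegation. Constructed values.
$customers = @(
    [pscustomobject]@{ Name = 'customer-a'; SubscriptionId = '11111111-1111-1111-1111-111111111111'; ResourceGroup = 'rg-sentinel-a'; Workspace = 'law-sentinel-a' }
    [pscustomobject]@{ Name = 'customer-b'; SubscriptionId = '22222222-2222-2222-2222-222222222222'; ResourceGroup = 'rg-sentinel-b'; Workspace = 'law-sentinel-b' }
)

# The rule definition lives here (or in a repo this script reads). A fixed GUID per rule
# makes re-runs idempotent: the same RuleId is updated rather than duplicated.
$rule = [pscustomobject]@{
    RuleId      = '3f1a9c2e-7b4d-4e2a-9c0b-5d6e7f8a9b0c'   # hypothetical; choose one GUID per rule
    DisplayName = 'Linux Authentication Failures'
    Severity    = 'Medium'
    Frequency   = New-TimeSpan -Hours 1                    # how often the rule runs
    Period      = New-TimeSpan -Hours 1                    # how far back each run looks
    Threshold   = 0                                        # alert on any row; KQL applies the real threshold
    Query       = @'
Syslog
| where Facility in ("auth", "authpriv")
| where SyslogMessage has "Failed password"
| extend SourceIp = extract(@"from (\d{1,3}(?:\.\d{1,3}){3})", 1, SyslogMessage)
| summarize FailureCount = count(), Hosts = make_set(Computer) by SourceIp, bin(TimeGenerated, 1h)
| where FailureCount >= 20
'@
}

foreach ($c in $customers) {
    Write-Host "[$($c.Name)] selecting delegated subscription $($c.SubscriptionId)"
    # Lighthouse-delegated subscriptions show up in the MSSP identity's context list.
    Set-AzContext -SubscriptionId $c.SubscriptionId | Out-Null

    # Identical rule body for every customer; only the target workspace changes.
    $common = @{
        ResourceGroupName = $c.ResourceGroup
        WorkspaceName     = $c.Workspace
        RuleId            = $rule.RuleId
        Kind              = 'Scheduled'
        DisplayName       = $rule.DisplayName
        Query             = $rule.Query
        QueryFrequency    = $rule.Frequency
        QueryPeriod       = $rule.Period
        Severity          = $rule.Severity
        TriggerOperator   = 'GreaterThan'
        TriggerThreshold  = $rule.Threshold
        Enabled           = $true
    }

    $existing = Get-AzSentinelAlertRule -ResourceGroupName $c.ResourceGroup -WorkspaceName $c.Workspace `
                                        -RuleId $rule.RuleId -ErrorAction SilentlyContinue
    if ($existing) {
        Update-AzSentinelAlertRule @common | Out-Null
        Write-Host "[$($c.Name)] updated '$($rule.DisplayName)'"
    } else {
        New-AzSentinelAlertRule @common | Out-Null
        Write-Host "[$($c.Name)] created '$($rule.DisplayName)'"
    }
}
```

Because each copy of the rule runs inside the customer's own workspace, every incident it raises already belongs to that customer, which sidesteps the attribution problem Julian describes. If you do experiment with the single cross-workspace rule Luizao asks about, `union withsource=SourceWorkspace workspace("law-sentinel-a").Syslog, workspace("law-sentinel-b").Syslog` tags each row with the workspace it came from, but the query then has to scan every customer on every run and is subject to Sentinel's cross-workspace rule limits, so the per-workspace deployment above is the one that scales.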