Feb 05 2021 05:51 PM
Just to add some background before I ask the question.
We have about 8 customers that we have deployed a CSP Subscription and put Sentinel on. We have then used Lighthouse to grant us access. This has been working great and no real problems as we can centrally run queries, see incidents and hunt etc.
We are currently having to create multiple copies of the same playbook for each customer and put it on their CSP subscription because we simply cannot get it to run when it exists on our "Master" subscription. How do we go about creating a single playbook that will work no matter the customer/subscription? I assume this is possible, and before we start adding any more customers we thought we would check.
For example we have a Playbook that isolates a host using Defender ATP. Works great when deployed direct to the customer's subscription and it executes without issue.
Feb 07 2021 11:40 PM
I work at an MSSP as well, using Sentinel to protect our customers.
You can assign Playbooks that live in our own tenant to alerts in a customer's tenant. You just need to make sure that your users have Logic App Contributor on the Logic Apps in your own tenant. This way, when they go to Sentinel from a customer, they should see your own Logic Apps.
You need to watch out for Authentication, however. If you want to use one master image, you need to create a multi-tenant app registration which has permissions to isolate devices in the tenants of all your customers.
Does this answer your questions?
Feb 11 2021 12:18 AM
@AdamJones. We are new to Sentinel and would like to implement the MSSP shared resources model. I would like to know how authentication can be implemented in a shared resources model.
For example, I have my customers A, B and C, and the subscriptions are being managed by the customers. As an MSSP we want to provide a shared resources service model. The question here is: as the subscriptions are being managed by the customer, how can our resources authenticate to the Azure Sentinel of these customers? If this is a dedicated resource, no doubt we will allocate the resources, split them into L1, L2 and L3 groups and provide the RBAC Azure Sentinel access. But when it comes to the shared resource model, there can be a pool of "N" resources who may monitor the console, as these are not dedicated resources but are shared, so how can we plan the authentication of the resources?
@pavankemi please watch this webinar as a first step: Azure Sentinel webinar: MSSP and Distributed Organization Support - YouTube
Let us know if you have further questions after watching.
Feb 17 2021 07:59 AM
@Javier Soriano We are trying to do something similar as @AdamJones. We have Lighthouse setup to manage our clients workspaces and have some Playbooks we would like consistent across our workspaces, such as being able to send email alerts from an incident.
We have noticed that we can attach playbooks that are created under other organizations, but we cannot attach any playbooks that are within the MSSP tenant; they just don't appear in the list. We do have the subscription selected, so that should not be the issue.
The only explanation I can think of is that we have to onboard ourselves into Lighthouse, if that is even possible.
Any insight here would be helpful.
Feb 17 2021 12:55 PM
@mperrotta you should be able to select a playbook in the MSSP tenant as an automatic response to an analytics rule created in the customer tenant. If you don't see those playbooks, it could be because you're lacking permissions to see the resource group where the playbooks are located or because you don't have a Logic App role granted in the MSSP tenant (or both!)
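The two conditions named in the replies above (a Logic App role in the MSSP tenant, plus visibility of the resource group holding the playbooks) can be checked and, where missing, granted from the MSSP tenant with Az PowerShell. The script below is an added example and not code from any participant in this thread; the resource group name, group name, tenant and subscription ids are placeholder assumptions, and it must be run against the MSSP tenant, not a customer tenant. Note that granting the role only makes the playbooks visible and selectable; the playbook's own connections still need their own identity, which is what the multi-tenant app registration mentioned earlier is for.

```powershell
# Added example (not from the thread): verify, and if missing grant, the role that
# lets MSSP analysts see and attach playbooks hosted in the MSSP tenant.
# Assumptions (placeholders): playbooks live in resource group "rg-sentinel-playbooks"
# in the MSSP subscription, and analysts belong to the Azure AD group "SOC-Analysts".

# Sign in to the MSSP tenant and select the MSSP subscription that hosts the playbooks
Connect-AzAccount -Tenant '<mssp-tenant-id>' | Out-Null
Set-AzContext -Subscription '<mssp-subscription-id>' | Out-Null

$rgName    = 'rg-sentinel-playbooks'   # assumed resource group holding the Logic Apps
$groupName = 'SOC-Analysts'            # assumed analyst group in the MSSP tenant
$roleName  = 'Logic App Contributor'   # role the reply above says the users need

$group = Get-AzADGroup -DisplayName $groupName
if (-not $group) { throw "Group '$groupName' not found in the MSSP tenant" }

# Scope the assignment to the playbook resource group rather than the whole subscription
$scope = "/subscriptions/$((Get-AzContext).Subscription.Id)/resourceGroups/$rgName"

# Check 1: does the group already hold a Logic App role on that resource group?
$existing = Get-AzRoleAssignment -ObjectId $group.Id -Scope $scope |
    Where-Object { $_.RoleDefinitionName -in @('Logic App Contributor', 'Logic App Operator') }

if ($existing) {
    Write-Host "OK: '$groupName' already has $($existing.RoleDefinitionName -join ', ') on $scope"
} else {
    # Grant the role at resource-group scope; this also gives read access to the
    # resource group itself, which is the second cause of "playbooks don't appear".
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName -Scope $scope | Out-Null
    Write-Host "Granted '$roleName' to '$groupName' on $scope"
}

# Check 2: list the playbooks in that resource group so the names can be compared
# with what an analyst sees when opening Sentinel from a customer's workspace.
Get-AzLogicApp -ResourceGroupName $rgName | Select-Object Name, State
```

If analysts only need to select and run existing playbooks rather than edit them, swap `Logic App Contributor` for the built-in `Logic App Operator` role in `$roleName`; the check already accepts either.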