Defender for Cloud - MSSP Usability

%3CLINGO-SUB%20id%3D%22lingo-sub-3009197%22%20slang%3D%22en-US%22%3EDefender%20for%20Cloud%20-%20MSSP%20Usability%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3009197%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECurrently%20looking%20at%20the%20complete%20XDR%20remit%20from%20the%20view%20point%20of%20an%20MSSP.%26nbsp%3B%20For%20the%20various%20portal%20access%20we%20are%20using%20connected%20organisations.%3C%2FP%3E%3CP%3EWhen%20we%20come%20to%20Defender%20for%20Cloud%2C%20how%20do%20we%20as%20an%20MSSP%20with%20no%20direct%20access%20to%20a%20customer's%20tenant%20(using%20lighthouse%20for%20Sentinel%20access)%20manage%20that%20for%20them%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETim%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

Hi,

 

Currently looking at the complete XDR remit from the view point of an MSSP.  For the various portal access we are using connected organisations.

When we come to Defender for Cloud, how do we as an MSSP with no direct access to a customer's tenant (using lighthouse for Sentinel access) manage that for them?

 

Regards,

 

Tim

1 Reply
You might be able to use Log Analytics data export, to push the data round.

https://docs.microsoft.com/en-us/azure/azure-monitor/logs/logs-data-export?tabs=portal

Or manually change the workspace ID and keys to match Log Analytics workspaces that you own across all subscriptions, but Lighthouse is definitely the supported way.