Azure Sentinel MSP - Non-Scheduled Alert Queries


What is the best approach to take to pull alerts/incidents from non-scheduled rule queries, such as Azure AD Identity Protection, into the MSSP Tenant?

Should it be done by using cross-workspace queries to create a custom query that pulls in events from the SecurityAlert table with the rule frequency being near real-time to mimic the events coming in from particular connectors? Or is there an easier, built-in method?
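The cross-workspace query sketched in the question, written out as an added example (not code from the thread). Workspace names are placeholders, and the ProductName filter assumes that alerts raised by Sentinel's own scheduled rules carry ProductName "Azure Sentinel", so excluding them leaves only the connector-generated alerts.

```kql
// Added example, not from the original thread.
// Near-real-time cross-workspace pull of connector-generated alerts
// (Identity Protection, Defender, ...) from customer workspaces.
// Run as an analytics rule every 5-10 minutes with a matching lookback.
let lookback = 10m;
union isfuzzy=true
    workspace("customer-a-workspace").SecurityAlert,   // placeholder workspace name
    workspace("customer-b-workspace").SecurityAlert    // placeholder workspace name
| where TimeGenerated > ago(lookback)
// Assumption: scheduled analytics rules produce ProductName == "Azure Sentinel";
// those are already covered by cross-workspace rules, so drop them here.
| where ProductName != "Azure Sentinel"
// An alert can be updated after creation; keep only the latest version.
| summarize arg_max(TimeGenerated, *) by SystemAlertId
// TenantId holds the source workspace id, which keeps the customer identifiable.
| project TimeGenerated, SourceWorkspace = TenantId, ProductName, ProviderName,
          AlertName, AlertSeverity, Status, CompromisedEntity, Description, Entities
```

Keep the lookback slightly longer than the rule frequency so alerts are not missed when a run is delayed; the arg_max step prevents the overlap from producing duplicates.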

Hi Leo, why do you need to bring alerts/incidents from the customer tenant to the MSSP tenant?

Just trying to understand before I answer.
Hi Javier,

Looking to stay aligned with best practices and protect intellectual property for some custom content.

Based on this:
https://docs.microsoft.com/en-us/azure/sentinel/mssp-protect-intellectual-property
Yes, but protecting intellectual property only makes sense for scheduled rules. For non-scheduled rules, there's really no IP to protect, right?

The best practice is to ONLY use cross-ws analytics rules when there's a need to protect IP.

Regards
Right, right. Sorry, I should have clarified a bit more.

Was mainly looking for a way to centralize all of the alerts in single console for our SOC, without them having to jump back and forth between the consoles to see the non-scheduled rules. But as I was thinking about it, I totally forgot about the Cross Workspace incidents page.

Appreciate the input :)

Cheers
No problem. Also, if you at some point have to go over the 10 workspaces limit that we support in the cross-ws incident view, you can always use this workbook as the central management pane: https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/SentinelCentral.json