Azure Sentinel MSP - Non-Scheduled Alert Queries

What is the best approach to take to pull alerts/incidents from non-scheduled rule queries, such as Azure AD Identity Protection, into the MSSP tenant?

Should it be done by using cross-workspace queries to create a custom query that pulls in events from the SecurityAlert table with the rule frequency being near real-time to mimic the events coming in from particular connectors? Or is there an easier, built-in method?
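For readers weighing the first option, the following is an added example of the kind of cross-workspace query the question describes; it is not code from the thread or from Microsoft. It assumes two customer workspaces with the placeholder names "customer-a-law" and "customer-b-law", and it treats "IPC" as the ProviderName that Azure AD Identity Protection alerts carry in the SecurityAlert table, which should be confirmed against real data before relying on it.

```kusto
// Added example (not from the original thread): a query a scheduled analytics
// rule in the MSSP workspace could run to surface connector-generated alerts
// (here Azure AD Identity Protection) that live in customer workspaces.
// "customer-a-law" and "customer-b-law" are placeholder workspace names.
let lookback = 10m;   // must cover the rule frequency plus ingestion delay
let customerAlerts = union isfuzzy=true
    workspace("customer-a-law").SecurityAlert,
    workspace("customer-b-law").SecurityAlert;
customerAlerts
| where TimeGenerated > ago(lookback)
// Assumption: Identity Protection alerts arrive with ProviderName "IPC".
// Adjust or widen this filter (e.g. by ProductName) after checking your data.
| where ProviderName == "IPC"
// SecurityAlert can hold several rows per alert as its status changes;
// keep only the latest row for each alert so the rule does not fire twice.
| summarize arg_max(TimeGenerated, *) by SystemAlertId
// TenantId is the source workspace ID, which tells the SOC which customer
// the alert belongs to once it is surfaced in the MSSP tenant.
| project TimeGenerated, TenantId, AlertName, AlertSeverity, ProviderName,
          CompromisedEntity, Description, SystemAlertId
```

The lookback has to be at least as long as the rule's run frequency, or alerts that land between two runs are silently skipped; the deduplication by SystemAlertId keeps a delayed status update from re-raising an alert the SOC has already seen.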

Hi Leo, why do you need to bring alerts/incidents from the customer tenant to the MSSP tenant?

Just trying to understand before I answer.

Hi Javier,

Looking to stay aligned with best practices and protect intellectual property for some custom content.

Based on this:
https://docs.microsoft.com/en-us/azure/sentinel/mssp-protect-intellectual-property

Yes, but protecting intellectual property only makes sense for scheduled rules. For non-scheduled rules, there's really no IP to protect, right?

The best practice is to ONLY use cross-ws analytics rules when there's a need to protect IP.

Regards

Right, right. Sorry, I should have clarified a bit more.

Was mainly looking for a way to centralize all of the alerts in a single console for our SOC, without them having to jump back and forth between the consoles to see the non-scheduled rules. But as I was thinking about it, I totally forgot about the Cross Workspace incidents page.

Appreciate the input :)

Cheers

No problem. Also, if you at some point have to go over the 10-workspace limit that we support in the cross-ws incident view, you can always use this workbook as the central management pane: https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/SentinelCentral.json