Apr 26 2024 06:17 AM
Hi all,
Example scenario is that an MSSP accesses a client's Microsoft Sentinel instance via Azure Lighthouse for management; however, this customer also has, let's say, 3 further regions which will have Microsoft Sentinel deployed into them, and they're not feeding into the main instance due to networking costs.
How would they gain the relevant permissions (Log Analytics Reader / Contributor) to create cross-workspace queries against the additional 3 Sentinel instances for said client from the main instance they currently manage? Would an Azure Lighthouse connection between the core tenant of the MSSP and the additional Sentinel instances, with just the required role, allow them to then action cross-workspace queries within the client's central instance they already have access within?
Thanks,
Apr 27 2024 01:35 AM