Cross Workspace Queries - Possible in a central Sentinel instance you use Lighthouse to access?


Hi all,

Example scenario is that an MSSP accesses a client's Microsoft Sentinel instance via Azure Lighthouse for management, however, this customer also has let's say 3 further regions which will have Microsoft Sentinel deployed into them & they're not feeding into the main instance due to networking costs.

How would they gain the relevant permissions (Log Analytics Reader / Contributor) to create cross workspace queries against the additional 3 Sentinel instances for said client from the main instance they currently manage? Would an Azure Lighthouse connection between the core tenant of the MSSP and the additional Sentinel instances, with just the required role, allow them to then action cross workspace queries within the client's central instance they already have access within?

Thanks,

1 Reply
Personally I'd treat all 3 extra instances as standalone and manage them in the same way you do the first Sentinel (I'm no fan of cross workspace apart from reporting, certainly not for Analytics). It would really depend on the MSSP and what they require / and support.