Blog Post

Microsoft Sentinel Blog
2 MIN READ

What's New: Cross Workspace Incident View in Public Preview!

Cristhofer Munoz's avatar
May 11, 2020

This installment is part of a broader series to keep you up to date with the latest features in Azure Sentinel. The installments will be bite-sized to enable you to easily digest the new content.

 

To take full advantage of Azure Sentinel’s capabilities, Microsoft recommends using a single-workspace environment. However, there are some use cases that require having several workspaces, in some cases – for example, that of a Managed Security Service Provider (MSSP) and its customers – across multiple tenants. If you are an MSSP who's managing multiple customers or a customer with multiple workspaces, you are most likely facing a challenge managing security across all these environments. To help alleviate the challenge and provide a centralized pane, we are delighted to announce that the Cross Workspace Incident View is now in public preview.

 

This feature is designed to provide a single pane view of incidents across several workspaces in one incidents page and provides the ability to investigate them as if you were connected to the original environment. 

 

How to use?

 

  1. From the portal, navigate to Azure Sentinel 
  2. From the workspace selector pageyou can now select several workspaces and click the Multiple Sentinel Incidents 

 

 

Note: Multiple Workspace View currently supports a maximum of 10 concurrently displayed workspaces 

 

You will then be navigated to a new pane that will provide you a centralized place to consume incidents across several workspaces. 

 

 

  • The counters at the top of the page - Open incidents, New incidents, In progress, etc. - show the numbers for all of the selected workspaces collectively.

 

  • You'll see incidents from all of the selected workspaces and directories (tenants) in a single unified list. You can filter the list by workspace and directory, in addition to the filters from the regular Incidents screen.

 

  • You'll need to have read and write permissions on all the workspaces from which you've selected incidents. If you have only read permissions on some workspaces, you'll see warning messages if you select incidents in those workspaces. You won't be able to modify those incidents or any others you've selected together with those (even if you do have permissions for the others).

 

  • If you choose a single incident and click View full details or Investigate, you will from then on be in the data context of that incident's workspace and no others.

 

Get started today!

 

We encourage you to use the new Cross Workspace Incident View feature to obtain a single pane view of incidents across several workspaces.

 

For additional information, please refer to the  Cross Workspace Incidents View public documentation.

Try it out, and let us know what you think!

 

Updated Jul 05, 2020
Version 5.0
  • Dennis de Roo's avatar
    Dennis de Roo
    Copper Contributor

    Dev_ChoudharyIt's not necessary to have your own workspace as MSSP. However you need to have access to those workspaces from your customers.

  • Great news, I really love it , especially due to COVID-19 we are facing situation where more people need our help and in past it was like switch from this account to other account or switch profile.

  • Dev_Choudhary's avatar
    Dev_Choudhary
    Brass Contributor

    Does MSSP also need to have their own workspace ? or without having any workspace they will be able to manage their customer workspace?