After several months working with partners and customers around Microsoft Sentinel, there has been a very frequent ask about multi-tenant and multi-workspace management. Obviously, as a partner, you would like to see a consolidated view of your customers environments, instead of having to deal with many different dashboards. The same happens if you have to manage a Sentinel environment that consists of multiple workspaces. How do I get an aggregated view of all my data that is spread across workspaces and/or tenants?
In this post we are going to explain how you can create multi-workspace (or multi-tenant) workbooks so you have the ability to have a single pane of glass for all your workspaces whether they are within the same tenant or not.
Onboarding your customers into Azure Lighthouse
This step only applies if you have a multi-tenant environment, whether this is because of your organization complexity or because you are an MSSP managing multiple customers. We are not going to cover how to onboard a new customer into Lighthouse, but you can readherehow to do that. You can also refer tothis other articlepublished in the Sentinel blog about the Sentinel-Lighthouse integration.
Once your other tenants (or customers) have been onboarded, you will have visibility over all the workspaces across tenants and can now perform queries across them.
Microsoft Sentinel Workbooks
As you probably know, Sentinel already offers a fantastic way to visualize the date in your workspace: Workbooks. These provide a flexible canvas for data analysis and the creation of rich visual reports within the Azure portal.
There are many workbooks that come out of the box when you install Sentinel, but they were created to work with data coming from a single Log Analytics workspace, so we will need to modify them to adapt to our multi-tenant or multi-workspace scenario.
Modifying the workbook
Let’s grab one of the existing workbooks, for example Azure AD Sign-in logs. If you still haven’t saved the template, you will have to click theSavebutton as shown here (you will be asked to choose a location for the saved workbook):
Now that it has been saved, click onView saved workbook. Now you’re seeing the workbook and can start editing clicking theEditbutton on the top left:
Now we are going to add a new parameter that will server as our workspace (or customer) selector. Click onEditunder the first row with the pill shaped drop downs as shown here:
Click onAdd Parameterand fill out the different fields as follows:
As you can see, we are creating a new parameter calledWorkspacethat will be of typeResource picker(a list of Azure resources to pick from). The way to populate this list, is via anAzure Resource Graph Query. This is what we specify in theGet data fromsection. The key here is the query itself:
resources | where type =~ 'Microsoft.operationsmanagement/solutions' | where name contains 'SecurityInsights' | project id = tostring(properties.workspaceResourceId)
This query returns a list of workspace IDs where theSecurityInsights(Sentinel) solution is installed, so we only see workspaces that are Sentinel enabled. Although the returned values are IDs, we see them with friendly names in the portal thanks to an automatic renderer built into Resource Graph .
Scrolling down in the sameEdit Parameterwindow, you will also find a section calledInclude in the drop down. CheckAllso we are shown with all available workspaces with Sentinel solution installed.
After having created the parameter we have to modify each single query or visualization in the workbook to use our newly created parameter instead of a hardcoded workspace. We will continue with our example and edit the first visualization in the workbook, the one organized in tiles for the different sign-in results (Success, Failed, Pending user action, etc.). Just clickEditin its bottom right side. You will be presented with the query itself and some other options. Click at the top where it saysQuery (change):
And then click on the Log Analytics workspace dropdown and select our previously created parameter (Workspace).
Repeat the last steps for all the visualizations in your workbook that use Log Analytics queries and you’re done! You will now be able to select one or more workspaces in your workspace dropdown at the top:
Whenever you update the workspace selection, you will see that all the different visualizations automatically update to reflect your workspace selection, whether they are in the same tenant or coming from different tenants .