Azure Sentinel News

What’s New: Cross-workspace Analytics Rules

by Azure Sentinel News Editor
November 26, 2020
in SOC

This installment is part of a broader series to keep you up to date with the latest features in Azure Sentinel. The installments will be bite-sized to enable you to easily digest the new content.

Today we are announcing a new feature in Azure Sentinel that enhances our multi-workspace and multi-tenant capabilities.

As you might know, there are certain occasions where your Azure Sentinel environment is spread across multiple workspaces. There are various reasons for this, like data ownership requirements or multi-tenant/multi-geography setups. For a full explanation of use cases and alternatives, refer to Extend Sentinel across workspaces/tenants.

In these cases, there is normally a need for a central place from which the whole environment can be overseen. This can be, for example, a global SOC or, in the case of an MSSP, a multi-customer console. This central place can also be used to replicate configuration (analytics rules, workbooks, playbooks, …) and to manage all your workspaces from a single point, ideally using DevOps processes and tooling. The following diagram describes this setup:

Up to now, customers and partners were able to do many things across workspaces, like hunting, workbooks and incident management.


Today we are happy to present the ability to create analytics rules that inspect data stored across multiple workspaces.

With this new feature you can now create, in your central SOC workspace, an analytics rule that spans other workspaces, as shown in this picture:

This can also be used in a multi-tenant setup (using Azure Lighthouse), as shown here:

There are some things you need to consider when using this feature:

  • Both the source and target workspaces need to have the Sentinel solution installed on them.
  • You can include a maximum of 10 workspaces in each detection.
  • Incidents and alerts raised by a cross-workspace analytics rule are only created in the workspace where the rule was defined; they do not show up in the "remote" workspaces.

Handling Entities

One of the great things about this feature is that alerts and incidents created by a cross-workspace analytics rule also contain all the related entities, even when those entities come from a workspace other than the one where the rule and incident were triggered.

This allows analysts, for example, to analyze data from all workspaces related to an alert or incident.

Some other features, such as the full visual investigation graph and UEBA, are not yet fully functional in the cross-workspace scenario. These will come in the future.

When to use cross-workspace Analytics Rules

There are mainly two scenarios where customers and partners can benefit from this new feature:

  • When the analytics rule needs to consider data stored in multiple workspaces.
  • To protect the intellectual property embodied in an analytics rule (the MSSP scenario described later in this article).

There are other scenarios where customers and partners should not use cross-workspace rules:

  • When the same rule applies to multiple individual workspaces, but the data should not be evaluated together. As explained above, some Sentinel features will not fully function in a cross-workspace scenario, and in addition it would be harder to discern which workspace an alert is coming from.

Creating a cross-workspace Analytic Rule

Creating a cross-workspace rule is very easy: the only thing that changes compared to a regular rule is the query itself. In order to span multiple workspaces, you use the workspace() function together with the union operator, adding tables from other workspaces as needed (remember the limit is 10 workspaces per rule). For example, a query to find EventID 4625 (failed logon) in two workspaces would look like this (EventID is an integer column in SecurityEvent, so compare it against a number rather than a string):

workspace('<workspace-A>').SecurityEvent
| union workspace('<workspace-B>').SecurityEvent
| where EventID == 4625

Remember that you can also leverage KQL functions to create aliases that make it easier to work with multiple workspaces. For example, you could save a function named wsAB_SecurityEvent that contains:

workspace('<workspace-A>').SecurityEvent
| union workspace('<workspace-B>').SecurityEvent

After defining this function, you can simply use it in your analytics rules like this:

wsAB_SecurityEvent
| where EventID == 4625
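The snippets above show the mechanics only. The query below is an added example (not code from the original post or from Microsoft) of what a complete cross-workspace scheduled rule query might look like: it tags every row with the workspace it came from before the union, so that the alert raised in the central workspace still tells the analyst where the failed logons were observed (the "which workspace is this alert from" problem mentioned earlier), and then counts failed logons per account and source workspace in 10-minute bins. The workspace names contoso-ws-a and contoso-ws-b, the threshold of 20, and the column choices are assumptions for illustration.

```kql
// Added example, not from the original post.
// Cross-workspace scheduled analytics rule: burst of failed logons per account.
// Assumed workspace names and threshold; adjust to your environment.
let FailedLogonThreshold = 20;
// Tag each branch with its origin BEFORE the union, otherwise the source is lost.
let wsA = workspace('contoso-ws-a').SecurityEvent
    | extend SourceWorkspace = 'contoso-ws-a';
let wsB = workspace('contoso-ws-b').SecurityEvent
    | extend SourceWorkspace = 'contoso-ws-b';
union wsA, wsB
// EventID is an int column; 4625 = "An account failed to log on".
| where EventID == 4625
| summarize FailedCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            TargetHosts = make_set(Computer, 20),
            SourceIPs = make_set(IpAddress, 20)
    by Account, SourceWorkspace, bin(TimeGenerated, 10m)
| where FailedCount >= FailedLogonThreshold
| project TimeGenerated, SourceWorkspace, Account, FailedCount,
          FirstSeen, LastSeen, TargetHosts, SourceIPs
```

When you paste this into a scheduled rule, let the rule's query period and frequency control the time window rather than adding your own ago() filter, map Account to the Account entity, and surface SourceWorkspace and FailedCount as custom details or in the alert description so the triage analyst sees them without opening the query. Keep the union to at most 10 workspaces, which is the limit noted above.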

MSSP considerations

This new feature has special relevance for MSSPs as they normally manage multiple Sentinel environments spread across multiple organizations and tenants.

One of the reasons to use this feature is, for example, when the MSSP needs to hide the contents of the query from the end customer. In that case, the MSSP can create the query in its own tenant and Sentinel workspace but point it at the customer workspace. See more information about protecting MSSPs' intellectual property in this blog post.

The recommended approach for this scenario is to create analytics rules that only contain workspaces from a single customer (see diagram below). Mixing customer workspaces into a single analytics rule can lead to confusion and poor manageability.

The analytics rules in this case contain a KQL query that does not even need the union operator; they can be as simple as this:

workspace('customerA_workspace').SecurityEvent
| where EventID == 4625

Get started today!

We encourage you to leverage this new feature that enhances our cross-workspace capabilities and offers more flexibility in the way you organize your SOC.

Try it out, and let us know what you think!

Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-cross-workspace-analytics-rules/ba-p/1664211
