💻 Centralise, scale, and streamline your cybersecurity operations like never before with Microsoft Sentinel's workspace manager. 💻
🔥🔥🔥JUST ANNOUNCED!!!!🔥🔥🔥
💻 Centralise, scale, and streamline your cybersecurity operations like never before with Microsoft Sentinel's workspace manager. 💻
This article takes you through provisioning and usage of workspace manager. Whether you're a global enterprise or a Managed Security Services Provider (MSSP), workspace manager helps you operate at scale efficiently.
📃Key Features:
✔️Workspace manager is packed with powerful features designed to help you operate your security management at scale. With the ability to support active content types such as analytics rules, automation rules (excluding Playbooks), parsers, saved searches, functions, hunting, livestream queries, and workbooks, you can manage all your workspaces with unparalleled ease.
📃Prerequisites:
✔️To get started with workspace manager, you'll need at least two Microsoft Sentinel workspaces: one central workspace to manage from and at least one other workspace to be managed.
✔️Additionally, the Microsoft Sentinel Contributor role assignment is required for the central workspace and the member workspace(s) that the contributor needs to manage.
📃Cross-Tenant Management: Enable Azure Lighthouse to effortlessly manage Microsoft Sentinel workspaces at scale.
📃Workspace manager accommodates different scenarios by offering various architectures:
1️⃣ Direct-link: The simplest setup for controlling all member workspaces with one central workspace.
2️⃣ Co-Management: For situations requiring more than one central workspace to manage a member workspace (e.g., workspaces managed by both an in-house SOC team and an MSSP).
3️⃣ N-Tier: Ideal for complex scenarios involving multiple levels of control (e.g., a conglomerate managing multiple subsidiaries, where each subsidiary also manages multiple workspaces).
📃Enabling Workspace Manager:
✔️Choose which Microsoft Sentinel workspace should serve as the workspace manager and enable the central workspace by navigating to the Settings blade in the parent workspace. Toggle "On" the workspace manager configuration setting, and a new blade, Workspace manager (preview), will appear on the left menu under Configuration.
📃Limitations and Considerations:
✔️Playbooks attributed or attached to analytics and automation rules aren't currently supported.
✔️Workbooks stored in bring-your-own-storage aren't currently supported.
✔️Workspace manager only manages content items published from the central workspace. It doesn't manage content created locally from member workspace(s).
✔️Currently, deleting content residing in member workspace(s) centrally via workspace manager isn't supported.
Want to learn more?
Blog: Manage multiple Microsoft Sentinel workspaces with workspace manager | Microsoft Learn