
Azure Sentinel

Multi-tenancy and
MSSP support
https://aka.ms/SentinelNinjaTraining
Azure: tenants, subscriptions, workspaces, etc.

The Sentinel workspace

Multi-workspace best practices

MSSP specific: IP Protection, Billing


Azure Basics
Regions and geos

• Any Azure region supporting Log Analytics (LA), with some exceptions, can be used
• Most, but not all, data at rest stays in region
• Some data may go to EU West (EU) or US East (elsewhere)
The Workspace


Multi-Workspace best practices

Requirement                          Multiple workspaces?
Sovereignty & regulatory compliance  Yes
Data ownership                       Yes
Multiple Azure tenants               Yes
Granular data access control         Try using resource RBAC or table-level RBAC first
Granular retention settings          Try using table-level retention settings or automate data deletion first
Split billing                        Try using reporting and cross-charging first
Legacy architecture                  Re-architect workspaces


[Diagram: three Customer / Subsidiary tenants side by side, each with its own workspace]

Advantages:
• Flexible global/MSSP and subsidiary/customer role management
• No data ownership & data privacy challenges
• Minimize network latency & charges
• Easy onboarding and offboarding

But how do you do the following?

• Central monitoring
• Central deployment and configuration
• IP protection
Implementing Azure Sentinel across multiple workspaces
#1: Consolidate workspaces

#2: Work across workspaces

#3: Automate deployment and configuration across workspaces

#4: Use Azure Lighthouse to extend to workspaces across tenants

#5: (optional) Integrate with a ticketing system


#1: Consolidate workspaces
• Agent multi-homing
• Other Azure sources
• Learn how to change the ASC (Azure Security Center) default workspace to a central workspace
#1c: Use resource RBAC

                SOC team                                      Non-SOC team
Permissions     To the workspace                              To specific resources
Data access     All the data in the workspace                 Only data for resources the team is authorized to access
Experience      Azure Sentinel experience (possibly limited   Query ("Logs") and Workbooks only
                by the functional permissions the user has)
• Azure Arc
• Set the Resource ID in the API call
• Per-table retention setting
#2: Use Azure Sentinel across workspaces
Queries can span multiple workspaces:

workspace('contoso/contosoretail/contosoretail-it').SecurityEvent
| union workspace('contosoretail-nl').SecurityEvent, workspace(…) …
| where …

The union can be saved as a function (here named cwsSecurityEvent) and queried like a table:

cwsSecurityEvent | where …
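A complete cross-workspace query built on the pattern above, added here as an example (it is not code from the original deck). The workspace paths are constructed placeholders in the deck's naming style; the function name cwsSecurityEvent is the alias the slide mentions, and the assumption is that it has been saved as a Log Analytics function wrapping the union:

```kql
// Added example, not from the original deck. Workspace paths are constructed placeholders.
// Step 1: the body to save as the function cwsSecurityEvent (Logs > Save > Save as function).
// isfuzzy=true keeps the query running even if one workspace has no SecurityEvent table yet.
union isfuzzy=true
    workspace('contoso/contosoretail/contosoretail-it').SecurityEvent,
    workspace('contosoretail-nl').SecurityEvent
// TenantId on each row is the workspace ID, which tells the analyst where the event came from
| extend SourceWorkspace = TenantId

// Step 2: once saved, the alias is queried like any table, here for a burst of
// failed logons (EventID 4625) per account and workspace in the last hour.
cwsSecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4625
| summarize FailedLogons = count() by SourceWorkspace, Account, bin(TimeGenerated, 5m)
| where FailedLogons > 10
| order by FailedLogons desc
```

Keeping the workspace list inside the saved function means analytics rules and workbooks reference one name, so onboarding or offboarding a customer workspace is a change to the function body rather than to every query that uses it.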
#3: Automate multi-workspace deployment and configuration
#3a: Automate deployment and management
Use the API, ARM templates or PowerShell to deploy Azure Sentinel across workspaces.
#3b: Operationalize Azure Sentinel using CI/CD

[Diagram: content kept in GitHub or Azure DevOps flows through Azure Pipelines and is deployed to multiple Azure Sentinel workspaces]
#4: Use Lighthouse to cross tenant boundaries
#4: Implement Azure Lighthouse
#5: Integrate with your ticketing systems
Intellectual Property protection for MSSPs
CSP (Cloud Solution Provider):
• Traditional reselling
• Partner pays for the subscription and invoices the customer
• A customer with an EA (Enterprise Agreement) may prefer using the EA contract

DPOR/CPOR (Digital/Claiming Partner of Record):
• Spiffs
• Partners can qualify for competencies and incentives
• Complementary to charging for your service
