This installment is part of a broader series to keep you up to date with the latest features in Azure Sentinel. The installments will be bite-sized to enable you to easily digest the new content.
To take full advantage of Azure Sentinel’s capabilities, Microsoft recommends using a single-workspace environment. However, some use cases require several workspaces, in some cases – for example, that of a Managed Security Service Provider (MSSP) and its customers – across multiple tenants. If you are an MSSP managing multiple customers, or a customer with multiple workspaces, you are most likely facing a challenge managing security across all these environments. To help alleviate the challenge and provide a centralized pane, we are delighted to announce that the Cross Workspace Incident View is now in public preview.
This feature provides a single-pane view of incidents across several workspaces on one incidents page and lets you investigate them as if you were connected to the original environment.
How to use it
- From the portal, navigate to Azure Sentinel.
- From the workspace selector page, you can now select several workspaces and click “Multiple Sentinel Incidents”.
Note: Multiple Workspace View currently supports a maximum of 10 concurrently displayed workspaces.
You will then be taken to a new pane that provides a centralized place to consume incidents across several workspaces.
- The counters at the top of the page – Open incidents, New incidents, In progress, etc. – show the numbers for all of the selected workspaces collectively.
- You’ll see incidents from all of the selected workspaces and directories (tenants) in a single unified list. You can filter the list by workspace and directory, in addition to the filters from the regular Incidents screen.
- You’ll need to have read and write permissions on all the workspaces from which you’ve selected incidents. If you have only read permissions on some workspaces, you’ll see warning messages if you select incidents in those workspaces. You won’t be able to modify those incidents or any others you’ve selected together with those (even if you do have permissions for the others).
- If you choose a single incident and click View full details or Investigate, you will from then on be in the data context of that incident’s workspace and no others.