What’s New: Cross Workspace Incident View in Public Preview!

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

This installment is part of a broader series to keep you up to date with the latest features in Azure Sentinel. The installments will be bite-sized to enable you to easily digest the new content.

 

To take full advantage of Azure Sentinel’s capabilities, Microsoft recommends using a single-workspace environment. However, there are some use cases that require having several workspaces, in some cases – for example, that of a Managed Security Service Provider (MSSP) and its customers – across multiple tenants. If you are an MSSP who's managing multiple customers or a customer with multiple workspaces, you are most likely facing a challenge managing security across all these environments. To help alleviate the challenge and provide a centralized pane, we are delighted to announce that the Cross Workspace Incident View is now in public preview.

 

This feature is designed to provide a single pane view of incidents across several workspaces in one incidents page and provides the ability to investigate them as if you were connected to the original environment. 

 

How to use?

 

  1. From the portal, navigate to Azure Sentinel 
  2. From the workspace selector pageyou can now select several workspaces and click the Multiple Sentinel Incidents 

 

CrossWS.gif

 

Note: Multiple Workspace View currently supports a maximum of 10 concurrently displayed workspaces 

 

You will then be navigated to a new pane that will provide you a centralized place to consume incidents across several workspaces. 

 

CrossWS2.gif

 

  • The counters at the top of the page - Open incidents, New incidents, In progress, etc. - show the numbers for all of the selected workspaces collectively.

 

  • You'll see incidents from all of the selected workspaces and directories (tenants) in a single unified list. You can filter the list by workspace and directory, in addition to the filters from the regular Incidents screen.

 

  • You'll need to have read and write permissions on all the workspaces from which you've selected incidents. If you have only read permissions on some workspaces, you'll see warning messages if you select incidents in those workspaces. You won't be able to modify those incidents or any others you've selected together with those (even if you do have permissions for the others).

 

  • If you choose a single incident and click View full details or Investigate, you will from then on be in the data context of that incident's workspace and no others.

 

Get started today!

 

We encourage you to use the new Cross Workspace Incident View feature to obtain a single pane view of incidents across several workspaces.

 

For additional information, please refer to the  Cross Workspace Incidents View public documentation.

Try it out, and let us know what you think!

 

REMEMBER: these articles are REPUBLISHED. Your best bet to get a reply is to follow the link at the top of the post to the ORIGINAL post! BUT you're more than welcome to start discussions here:

This site uses Akismet to reduce spam. Learn how your comment data is processed.