You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/sentinel/workspace-manager.md
+22-22Lines changed: 22 additions & 22 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -10,7 +10,7 @@ ms.custom: template-how-to
10
10
11
11
# Centrally manage multiple Microsoft Sentinel workspaces with Workspace Manager
12
12
13
-
Learn how to centrally manage multiple Microsoft Sentinel workspaces within one or more Azure tenants with Workspace Manager. This article takes you through provisioning and usage of Workspace Manager to help you gain operational efficiency and operate at scale whether you're a global enterprise or a Managed Security Services Provider (MSSP).
13
+
Learn how to centrally manage multiple Microsoft Sentinel workspaces within one or more Azure tenants with Workspace Manager. This article takes you through provisioning and usage of Workspace Manager. Whether you're a global enterprise or a Managed Security Services Provider (MSSP), Workspace Manager helps you gain operational efficiency and operate at scale.
14
14
15
15
Here are the active content types supported with Workspace Manager:
16
16
- Analytics rules
@@ -22,27 +22,27 @@ Here are the active content types supported with Workspace Manager:
22
22
## Prerequisites
23
23
24
24
- A central Microsoft Sentinel Workspace and at least one member Microsoft Sentinel Workspace to be managed.
25
-
- The Microsoft Sentinel Contributor role assignment is required on the central workspace (ie. where Workspace Manager is enabled on), and on the member workspace(s) the user needs to manage. Learn more about roles in Microsoft Sentinel.
26
-
-If you are managing workspaces across multiple Azure AD tenants, you will need to enable Azure Lighthouse.
25
+
- The Microsoft Sentinel Contributor role assignment is required on the central workspace (where Workspace Manager is enabled on), and on the member workspace(s) the user needs to manage. Learn more about roles in Microsoft Sentinel.
26
+
-Enable Azure Lighthouse if you're' managing workspaces across multiple Azure AD tenants.
27
27
28
28
29
29
## Considerations
30
-
The central workspace will be the environment where you consolidate content items and configurations to be published at scale to multiple member workspaces. You can create a new Microsoft Sentinel workspace or utilize an existing Microsoft Sentinel workspace to serve as the central workspace.
30
+
Configure a central workspace to be the environment where you consolidate content items and configurations to be published at scale to member workspaces. Create a new Microsoft Sentinel workspace or utilize an existing one to serve as the central workspace.
31
31
32
32
Depending on your scenario, consider these architectures:
33
-
- Direct-link: This is the simplest setup, where all member workspaces are controlled by only one central workspace
34
-
- Co-Management: This supports scenarios where a member workspace needs to be managed by more than one central workspace (eg. workspaces simultaneously managed by an in-house SOC team and an MSSP)
35
-
- N-Tier: This supports complex scenarios where a central workspace controls another central workspace (eg. a conglomerate that manages multiple subsidiaries, where each subsidiary also manages multiple workspaces)
33
+
-**Direct-link**is the least complex setup. Control all member workspaces with only one central workspace.
34
+
-**Co-Management**supports scenarios where more than one central workspace needs to manage a member workspace. For example, workspaces simultaneously managed by an in-house SOC team and an MSSP.
35
+
-**N-Tier**supports complex scenarios where a central workspace controls another central workspace. For example, a conglomerate that manages multiple subsidiaries, where each subsidiary also manages multiple workspaces.
36
36
37
37
:::image type="content" source="media/workspace-manager/architectures.png" alt-text="A diagram showing various architecture choices for workspace manager in Microsoft Sentinel.":::
38
38
39
39
## Enable Workspace Manager on the central workspace
40
-
Once you have decided which Microsoft Sentinel workspace should be the Workspace Manager, this needs to be explicitly enabled.
40
+
Enable the central workspace once you have decided which Microsoft Sentinel workspace should be the Workspace Manager.
41
41
42
42
1. Navigate to the **Settings** blade in the Parent workspace, and toggle "On" the Workspace Manager configuration setting.
43
43
:::image type="content" source="media/workspace-manager/enable-workspace-manager.png" alt-text="A screenshot showing the Workspace manager configuration settings with the workspace parent toggle button highlighted.":::
44
44
45
-
1. Once enabled, you will notice a new blade **Workspace manager (preview)**appear on the left menu under **Configuration**.
45
+
1. Once enabled, a new blade **Workspace manager (preview)**appears on the left menu under **Configuration**.
46
46
:::image type="content" source="media/workspace-manager/enable-workspace-manager-enabled.png" alt-text="A screenshot showing the Workspace manager configuration settings with the new workspace manager menu section highlighted.":::
47
47
48
48
## Onboard member workspaces
@@ -51,7 +51,7 @@ Member workspaces are the set of workspaces that will be managed by Workspace Ma
51
51
:::image type="content" source="media/workspace-manager/add-workspace.png" alt-text="Screenshot shows the add workspace menu.":::
52
52
1. Select the member workspace(s) you would like to onboard to Workspace Manager.
53
53
:::image type="content" source="media/workspace-manager/add-workspace-select.png" alt-text="Screenshot shows the add workspace selection menu.":::
54
-
1. Once successfully onboarded, you will notice the **Members** count increase and your member workspaces will be reflected in the **Workspaces** tab.
54
+
1. Once successfully onboarded, the **Members** count increases and your member workspaces are reflected in the **Workspaces** tab.
55
55
:::image type="content" source="media/workspace-manager/add-workspace-selected.png" alt-text="Screenshot shows the added workspaces and the Members count incremented to 2.":::
56
56
57
57
## Create a Group
@@ -66,40 +66,40 @@ Groups allow you to organize workspaces together based on business groups, verti
66
66
1. In the **Create or update group** wizard, define a **Name** for the Group and optionally provide a Description as well.
67
67
:::image type="content" source="media/workspace-manager/add-group-name.png" alt-text="Screenshot shows the group create or update configuration page.":::
68
68
1. In the **Select workspaces** tab, click **Add** and select the member workspaces that you would like to add to the Group.
69
-
1. In the **Select content** tab you will have 2 ways to add content items.
69
+
1. In the **Select content** tab, you will have 2 ways to add content items.
70
70
- Method 1: **Snapshot of all content** currently deployed in the central workspace. This point-in-time snapshot selects only active content, not templates.
71
71
- Method 2: **Custom select** which content items should be added.
72
72
:::image type="content" source="media/workspace-manager/add-group-content.png" alt-text="Screenshot shows the group content selection.":::
73
-
1. Once successfully created, you will notice the **Group count increase** and your Group will be reflected in the **Groups tab**.
73
+
1. Once successfully created, the **Group count**increases and your Groups are reflected in the **Groups tab**.
74
74
75
75
## Publish the Group definition
76
-
At this point, the content items selected have not been published to the member workspace(s) yet.
76
+
At this point, the content items selected haven't been published to the member workspace(s) yet.
77
77
78
-
1.To do so, click**Publish content** in the right flyout.
78
+
1.Click**Publish content** in the right flyout.
79
79
:::image type="content" source="media/workspace-manager/publish-group.png" alt-text="Screenshot shows the group publish window.":::
80
80
Alternatively, to bulk Publish multiple Groups, multi-select the desired Groups and click on Publish.
81
81
:::image type="content" source="media/workspace-manager/publish-groups.png" alt-text="Screenshot shows the multi-select group publishing window.":::
82
-
1. The **Last publish status** column will update to reflect **In progress**.
82
+
1. The **Last publish status** column updates to reflect **In progress**.
83
83
:::image type="content" source="media/workspace-manager/publish-groups-inprogress.png" alt-text="Screenshot shows the multi group publishing progress column.":::
84
-
1. If successful, the **Last publish status**will update to reflect **Succeeded**. The selected content items now exist in the member workspaces.
84
+
1. If successful, the **Last publish status**updates to reflect **Succeeded**. The selected content items now exist in the member workspaces.
85
85
:::image type="content" source="media/workspace-manager/publish-groups-success.png" alt-text="Screenshot shows the last published column with entries that succeeded.":::
86
-
If unsuccessful, the **Last publish status**will update to reflect **Failed**.
86
+
If unsuccessful, the **Last publish status**updates to reflect **Failed**.
87
87
88
88
89
89
### Troubleshooting
90
-
To facilitate troubleshooting, you can click into the Failed hyperlink, this will open a Job failure details window. A status will be displayed for each content item and target workspace pair.
90
+
To facilitate troubleshooting, click the **Failed** hyperlink, to open the Job failure details window. A status for each content item and target workspace pair is displayed.
91
91
:::image type="content" source="media/workspace-manager/publish-groups-job-details.png" alt-text="Screenshot shows the job details of a group publishing failure event.":::
92
92
93
93
Common reasons for failure include:
94
94
- Content items referenced in the Group definition no longer exist at the time of Publish (have been deleted).
95
-
- Permissions have changed at the time of Publish (the user is no longer a Microsoft Sentinel Contributor or does not have sufficient permissions on the member workspace anymore).
95
+
- Permissions have changed at the time of Publish. For example, the user is no longer a Microsoft Sentinel Contributor or doesn't have sufficient permissions on the member workspace anymore.
96
96
- A member workspace has been deleted.
97
97
98
98
### Known limitations
99
99
- Playbooks attributed or attached to Analytics and Automation rules are not currently supported.
100
-
- Workbooks stored in bring-your-own-storage are not currently supported.
101
-
- Workspace Manager only manages content items published from the central workspace. It does not manage content created locally from member workspace(s).
102
-
- Currently, deleting content residing in member workspace(s) centrally via Workspace Manager is not supported.
100
+
- Workbooks stored in bring-your-own-storage aren't currently supported.
101
+
- Workspace Manager only manages content items published from the central workspace. It doesn't manage content created locally from member workspace(s).
102
+
- Currently, deleting content residing in member workspace(s) centrally via Workspace Manager isn't supported.
0 commit comments