You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/sentinel/extend-sentinel-across-workspaces-tenants.md
+3-2Lines changed: 3 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -86,10 +86,10 @@ You can then write a query across both workspaces by beginning with `unionSecuri
86
86
<!-- Bookmark added for backward compatibility with old heading -->
87
87
You can now include cross-workspace queries in scheduled analytics rules. You can use cross-workspace analytics rules in a central SOC, and across tenants (using Azure Lighthouse), suitable for MSSPs. This use is subject to the following limitations:
88
88
89
-
- You can include **up to 20 workspaces** in a single query. However, for good performance, we recommend keeping it under 5.
89
+
- You can include **up to 20 workspaces** in a single query. However, for good performance, we recommend including no more than 5.
90
90
-- You must deploy Microsoft Sentinel **on every workspace** referenced in the query.
91
91
- Alerts generated by a cross-workspace analytics rule, and the incidents created from them, exist **only in the workspace where the rule was defined**. The alerts won't be displayed in any of the other workspaces referenced in the query.
92
-
- A cross-workspace analytics rule will continue running even if the user who created the rule loses access to workspaces referenced in the rule's query.
92
+
- A cross-workspace analytics rule, like any analytics rule, will continue running even if the user who created the rule loses access to workspaces referenced in the rule's query.
93
93
94
94
Alerts and incidents created by cross-workspace analytics rules contain all the related entities, including those from all the referenced workspaces and the "home" workspace (where the rule was defined). This way, analysts get a full picture of alerts and incidents.
95
95
@@ -137,3 +137,4 @@ In this article, you learned how Microsoft Sentinel's capabilities can be extend
137
137
- Learn how to [work with multiple tenants](./multiple-tenants-service-providers.md) in Microsoft Sentinel, using Azure Lighthouse.
138
138
- Learn how to [view and manage incidents in multiple workspaces](./multiple-workspace-view.md) seamlessly.
0 commit comments