Merge pull request #177707 from JnHs/jh-lh-sentinelupdates

expand topic

Author: Court72

articles/lighthouse/how-to/manage-sentinel-workspaces.md

@@ -1,7 +1,7 @@
 ---
 title: Manage Azure Sentinel workspaces at scale
 description: Azure Lighthouse helps you effectively manage Azure Sentinel across delegated customer resources.
-ms.date: 08/16/2021
+ms.date: 11/05/2021
 ms.topic: how-to
 ---
 
@@ -16,11 +16,14 @@ This topic provides an overview of how to use [Azure Sentinel](../../sentinel/ov
 > [!TIP]
 > Though we refer to service providers and customers in this topic, this guidance also applies to [enterprises using Azure Lighthouse to manage multiple tenants](../concepts/enterprise.md).
 
+> [!NOTE]
+> You can manage delegated resources that are located in different [regions](../../availability-zones/az-overview.md#regions). However, delegation of subscriptions across a [national cloud](../../active-directory/develop/authentication-national-cloud.md) and the Azure public cloud, or across two separate national clouds, isn't supported.
+
 ## Architectural considerations
 
 For a managed security service provider (MSSP) who wants to build a Security-as-a-service offering using Azure Sentinel, a single security operations center (SOC) may be needed to centrally monitor, manage, and configure multiple Azure Sentinel workspaces deployed within individual customer tenants. Similarly, enterprises with multiple Azure AD tenants may want to centrally manage multiple Azure Sentinel workspaces deployed across their tenants.
 
-This centralized model of deployment has the following advantages:
+This model of deployment has the following advantages:
 
 - Ownership of data remains with each managed tenant.
 - Supports requirements to store data within geographical boundaries.
@@ -30,12 +33,13 @@ This centralized model of deployment has the following advantages:
 - Data from all data sources and data connectors that are integrated with Azure Sentinel (such as Azure AD Activity Logs, Office 365 logs, or Microsoft Threat Protection alerts) will remain within each customer tenant.
 - Reduces network latency.
 - Easy to add or remove new subsidiaries or customers.
-
-> [!NOTE]
-> You can manage delegated resources that are located in different [regions](../../availability-zones/az-overview.md#regions). However, delegation of subscriptions across a [national cloud](../../active-directory/develop/authentication-national-cloud.md) and the Azure public cloud, or across two separate national clouds, isn't supported.
+- Able to use a multi-workspace view when working through Azure Lighthouse.
+- To protect your intellectual property, you can use playbooks and workbooks to work across tenants without sharing code directly with customers. Only analytic and hunting rules will need to be saved directly in each customer's tenant.
 
 > [!IMPORTANT]
-> If all workspaces are created in customer tenants, the Microsoft.SecurityInsights & Microsoft.OperationalInsights resource provider must also be [registered](../../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider) on a subscription in the managing tenant.
+> If all workspaces are created in customer tenants, the Microsoft.SecurityInsights & Microsoft.OperationalInsights resource providers must also be [registered](../../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider) on a subscription in the managing tenant.
+
+An alternate deployment model is to create one Azure Sentinel workspace in the managing tenant. In this model, Azure Lighthouse enables log collection from data sources across managed tenants. However, there are some data sources that can't be connected across tenants, such as Microsoft Defender. Because of this limitation, this model is not suitable for many service provider scenarios.
 
 ## Granular Azure role-based access control (Azure RBAC)
 
@@ -66,7 +70,7 @@ If you are managing Azure Sentinel resources for multiple customers, you can vie
 
 [Azure Monitor Workbooks in Azure Sentinel](../../sentinel/overview.md#workbooks) help you visualize and monitor data from your connected data sources to gain insights. You can use the built-in workbook templates in Azure Sentinel, or create custom workbooks for your scenarios.
 
-You can deploy workbooks in your managing tenant and create at-scale dashboards to monitor and query data across customer tenants. For more information, see [Cross-workspace monitoring](../../sentinel/extend-sentinel-across-workspaces-tenants.md#using-cross-workspace-workbooks). 
+You can deploy workbooks in your managing tenant and create at-scale dashboards to monitor and query data across customer tenants. For more information, see [Cross-workspace monitoring](../../sentinel/extend-sentinel-across-workspaces-tenants.md#using-cross-workspace-workbooks).
 
 You can also deploy workbooks directly in an individual tenant that you manage for scenarios specific to that customer.
 
@@ -86,6 +90,12 @@ You can enable the [Microsoft Cloud App Security (MCAS) connector](../../sentine
 
 After setting up Office 365 data connectors, you can use cross-tenant Azure Sentinel capabilities such as viewing and analyzing the data in workbooks, using queries to create custom alerts, and configuring playbooks to respond to threats.
 
+## Protect intellectual property
+
+When working with customers, you may want to protect the intellectual property you've developed in Azure Sentinel, such as Azure Sentinel analytics rules, hunting queries, playbooks, and workbooks. There are different methods you can use to ensure that customers don't have complete access to the code used in these resources.
+
+For more information, see [Protecting MSSP intellectual property in Azure Sentinel](../../sentinel/mssp-protect-intellectual-property.md).
+
 ## Next steps
 
 - Learn about [Azure Sentinel](../../sentinel/overview.md).