Merge pull request #288658 from cwatson-cat/10-17-24-workspaces-az

Jill Grant · web-flow · commit eaaf0ef61d63 · 2024-10-17T16:13:14.000-06:00
Sentinel workspaces articles - upd for Defender
diff --git a/articles/sentinel/extend-sentinel-across-workspaces-tenants.md b/articles/sentinel/extend-sentinel-across-workspaces-tenants.md
@@ -3,9 +3,9 @@ title: Extend Microsoft Sentinel across workspaces and tenants
 description: How to use Microsoft Sentinel to query and analyze data across workspaces and tenants.
 author: yelevin
 ms.topic: how-to
-ms.date: 06/28/2023
+ms.date: 10/17/2024
 ms.author: yelevin
-
+appliesto: Microsoft Sentinel in the Azure portal
 
 #Customer intent: As a security analyst, I want to query data across multiple workspaces and tenants so that I can centralize incident management and enhance threat detection capabilities.
 
@@ -15,6 +15,8 @@ ms.author: yelevin
 
 When you onboard Microsoft Sentinel, your first step is to select your Log Analytics workspace. While you can get the full benefit of the Microsoft Sentinel experience with a single workspace, in some cases, you might want to extend your workspace to query and analyze your data across workspaces and tenants. For more information, see [Design a Log Analytics workspace architecture](/azure/azure-monitor/logs/workspace-design) and [Prepare for multiple workspaces and tenants in Microsoft Sentinel](prepare-multiple-workspaces.md).
 
+If you onboard Microsoft Sentinel to the Microsoft Defender portal, see [Microsoft Defender multitenant management](/defender-xdr/mto-overview).
+
 ## Manage incidents on multiple workspaces
 
 Microsoft Sentinel supports a [multiple workspace incident view](./multiple-workspace-view.md) where you can centrally manage and monitor incidents across multiple workspaces. The centralized incident view lets you manage incidents directly or drill down transparently to the incident details in the context of the originating workspace.
diff --git a/articles/sentinel/multiple-workspace-view.md b/articles/sentinel/multiple-workspace-view.md
@@ -3,9 +3,9 @@ title: Work with Microsoft Sentinel incidents in many workspaces at once | Micro
 description: How to view incidents in multiple workspaces concurrently in Microsoft Sentinel.
 author: yelevin
 ms.topic: conceptual
-ms.date: 01/11/2022
+ms.date: 10/17/2024
 ms.author: yelevin
-
+appliesto: Microsoft Sentinel in the Azure portal
 
 #Customer intent: As a security analyst, I want to manage and investigate incidents across multiple workspaces and tenants so that I can maintain comprehensive visibility and control over my organization's security posture.
 
@@ -17,15 +17,17 @@ ms.author: yelevin
 
 [!INCLUDE [reference-to-feature-availability](includes/reference-to-feature-availability.md)]
 
+If you onboard Microsoft Sentinel to the Microsoft Defender portal, see [Microsoft Defender multitenant management](/defender-xdr/mto-overview).
+
 ## Entering multiple workspace view
 
-When you open Microsoft Sentinel, you are presented with a list of all the workspaces to which you have access rights, across all selected tenants and subscriptions. To the left of each workspace name is a checkbox. Selecting the name of a single workspace will bring you into that workspace. To choose multiple workspaces, select all the corresponding checkboxes, and then select the **View incidents** button at the top of the page.
+When you open Microsoft Sentinel, you're presented with a list of all the workspaces to which you have access rights, across all selected tenants and subscriptions. Selecting the name of a single workspace brings you into that workspace. To choose multiple workspaces, select all the corresponding checkboxes, and then select the **View incidents** button at the top of the page.
 
 > [!IMPORTANT]
 > Multiple Workspace View now supports a maximum of 100 concurrently displayed workspaces.
 >
 
-Note that in the list of workspaces, you can see the directory, subscription, location, and resource group associated with each workspace. The directory corresponds to the tenant.
+In the list of workspaces, you can see the directory, subscription, location, and resource group associated with each workspace. The directory corresponds to the tenant.
 
 :::image type="content" source="./media/multiple-workspace-view/workspaces.png" alt-text="Screenshot of selecting multiple workspaces.":::
 
@@ -38,11 +40,11 @@ Multiple workspace view is currently available only for incidents. This page loo
 
 - The counters at the top of the page - *Open incidents*, *New incidents*, *Active incidents*, etc. - show the numbers for all of the selected workspaces collectively.
 
-- You'll see incidents from all of the selected workspaces and directories (tenants) in a single unified list. You can filter the list by workspace and directory, in addition to the filters from the regular **Incidents** screen.
+- You see incidents from all of the selected workspaces and directories (tenants) in a single unified list. You can filter the list by workspace and directory, in addition to the filters from the regular **Incidents** screen.
 
-- You'll need to have read and write permissions on all the workspaces from which you've selected incidents. If you have only read permissions on some workspaces, you'll see warning messages if you select incidents in those workspaces. You won't be able to modify those incidents or any others you've selected together with those (even if you do have permissions for the others).
+- You need to have read and write permissions on all the workspaces from which you've selected incidents. If you have only read permissions on some workspaces, you see warning messages if you select incidents in those workspaces. You aren't able to modify those incidents or any others you've selected together with those (even if you do have permissions for the others).
 
-- If you choose a single incident and click **View full details** or **Actions** > **Investigate**, you will from then on be in the data context of that incident's workspace and no others.
+- If you choose a single incident and select **View full details** or **Actions** > **Investigate**, you'll from then on be in the data context of that incident's workspace and no others.
 
 ## Next steps
 
diff --git a/articles/sentinel/use-multiple-workspaces.md b/articles/sentinel/use-multiple-workspaces.md
@@ -3,9 +3,9 @@ title: Set up multiple workspaces and tenants in Microsoft Sentinel
 description: If you've defined that your environment needs multiple workspaces, you now set up your multiple workspace architecture in Microsoft Sentinel.
 author: cwatson-cat
 ms.topic: how-to
-ms.date: 07/05/2023
+ms.date: 10/17/2024
 ms.author: cwatson
-
+appliesto: Microsoft Sentinel in the Azure portal and the Microsoft Defender portal
 
 #Customer intent: As a security architect, I want to use Microsoft Sentinel across multiple workspaces so that I can efficiently monitor and analyze security data across my entire organization.
 
@@ -19,10 +19,17 @@ In this article, you learn how to set up Microsoft Sentinel to extend across mul
 
 ## Options for using multiple workspaces
 
-If you've determined and set up your environment to extend across workspaces, you can: 
+After you set up your environment to extend across workspaces, you can: 
+
+- **Manage and monitor your cross-workspace architecture**: Query and analyze your data across workspaces and tenants. 
+  - To work in the Azure portal, see [Extend Microsoft Sentinel across workspaces and tenants](extend-sentinel-across-workspaces-tenants.md).
+  - If your organization onboards Microsoft Sentinel to the Microsoft Defender portal, see [Microsoft Defender multitenant management](/defender-xdr/mto-overview).
+
+For Microsoft Sentinel in the Azure portal, you can:
+
+- **Manage multiple workspaces with workspace manager**: Centrally manage multiple workspaces within one or more Azure tenants. For more information, see [Centrally manage multiple Microsoft Sentinel workspaces with workspace manager](workspace-manager.md).
 
-- [Manage and monitor cross-workspace architecture](extend-sentinel-across-workspaces-tenants.md): Query and analyze your data across workspaces and tenants.
-- [Manage multiple workspaces with workspace manager](workspace-manager.md): Centrally manage multiple workspaces within one or more Azure tenants.
+Only one Microsoft Sentinel workspace per tenant is currently supported in the unified security operations platform. For more information, see [Microsoft Defender multitenant management](/defender-xdr/mto-overview).
 
 ## Next steps
 
diff --git a/articles/sentinel/workspace-manager.md b/articles/sentinel/workspace-manager.md
@@ -4,8 +4,9 @@ description: Learn how to centrally manage multiple Microsoft Sentinel workspace
 author: austinmccollum
 ms.author: austinmc
 ms.topic: how-to
-ms.date: 04/24/2023
+ms.date: 10/17/2024
 ms.custom: template-how-to
+appliesto: Microsoft Sentinel in the Azure portal
 
 
 #Customer intent: As a Managed Security Services Provider (MSSP) or global enterprise, I want to centrally manage multiple security workspaces so that I can efficiently operate at scale across one or more Azure tenants.
@@ -27,6 +28,7 @@ Here are the active content types supported with workspace manager:
 > Support for workspace manager is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
 >
 
+If you onboard Microsoft Sentinel to the Microsoft Defender portal, see [Microsoft Defender multitenant management](/defender-xdr/mto-overview).
 
 ## Prerequisites
 
