Commit faccdc9

Merge pull request #231348 from yelevin/docs-editor/extend-sentinel-across-workspa-1679320204
Update extend-sentinel-across-workspaces-tenants.md
2 parents 292d27e + 7ee0c38 commit faccdc9

1 file changed

+7
-4
lines changed

articles/sentinel/extend-sentinel-across-workspaces-tenants.md

Lines changed: 7 additions & 4 deletions
@@ -84,12 +84,13 @@ You can then write a query across both workspaces by beginning with `unionSecuri
8484

8585
#### Cross-workspace analytics rules<a name="scheduled-alerts"></a>
8686
<!-- Bookmark added for backward compatibility with old heading -->
87-
You can now include cross-workspace queries in scheduled analytics rules. You can use cross-workspace analytics rules in a central SOC, and across tenants (using Azure Lighthouse), suitable for MSSPs. Note these limitations:
87+
You can now include cross-workspace queries in scheduled analytics rules. You can use cross-workspace analytics rules in a central SOC, and across tenants (using Azure Lighthouse), suitable for MSSPs. This use is subject to the following limitations:
8888

89-
- You can include **up to 20 workspaces** in a single query. For good performance though, we recommend keeping it under 5.
90-
- You must deploy Microsoft Sentinel **on every workspace** referenced in the query.
89+
- You can include **up to 20 workspaces** in a single query. However, for good performance, we recommend including no more than 5.
90+
- - You must deploy Microsoft Sentinel **on every workspace** referenced in the query.
9191
- Alerts generated by a cross-workspace analytics rule, and the incidents created from them, exist **only in the workspace where the rule was defined**. The alerts won't be displayed in any of the other workspaces referenced in the query.
92-
92+
- A cross-workspace analytics rule, like any analytics rule, will continue running even if the user who created the rule loses access to workspaces referenced in the rule's query.
93+
9394
Alerts and incidents created by cross-workspace analytics rules contain all the related entities, including those from all the referenced workspaces and the "home" workspace (where the rule was defined). This way, analysts get a full picture of alerts and incidents.
9495

9596
> [!NOTE]
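Review bot: The added line 90 begins with a doubled list marker (`- - You must deploy Microsoft Sentinel **on every workspace** referenced in the query.`), which Markdown renders as a nested item inside an otherwise empty bullet instead of as the second limitation; it should start with a single `- ` like the line it replaces. Separately, the new bullet at line 92 states that a rule keeps running after its creator loses access to the referenced workspaces, which matters for central SOC and MSSP setups; consider adding a sentence on what readers should do with such rules when a user's access is revoked, since the bullet as written only describes the behaviour.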
@@ -135,3 +136,5 @@ In this article, you learned how Microsoft Sentinel's capabilities can be extend
135136

136137
- Learn how to [work with multiple tenants](./multiple-tenants-service-providers.md) in Microsoft Sentinel, using Azure Lighthouse.
137138
- Learn how to [view and manage incidents in multiple workspaces](./multiple-workspace-view.md) seamlessly.
139+
140+

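Review bot: Lines 139 and 140 add two empty lines at the end of the file and nothing else in this hunk; drop them so the commit carries only the wording changes to the limitations list.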