Make Microsoft Sentinel do the hard work
By leveraging the newly released Sentinel Workspace Manager
Overview
Workspace Manager is an exciting new tool from Microsoft that lets engineering teams manage and deploy their content to multiple Sentinel instances. Anyone who works for an MSSP will know that deploying content manually, one workspace at a time, is a massive task. With this new tool you can automate the deployment of content such as analytics rules, automation rules (excluding playbooks), parsers, saved searches, functions, workbooks, and hunting and livestream queries with ease.
Approaches to Architect Workspace Manager
There are many different ways you can architect the deployment of Workspace Manager across your environment; below are a couple of examples of the different approaches:
(Source: https://learn.microsoft.com/en-us/azure/sentinel/workspace-manager)
When configuring Workspace Manager you will always need the overall "parent" Sentinel workspace(s), which contain all of the content that will be deployed to your "child" Sentinel workspaces. The parent workspace can also act as a final testing ground to check whether any of your content, such as analytics rules, triggers too many false positives before it is deployed to customers' workspaces.
Using Workspace Manager
Within Workspace Manager you need to add the child workspaces you would like to deploy content to; for an MSSP, this means adding a workspace every time a new customer's workspace is linked up through Lighthouse.
Once the workspaces are added you can move over to the "groups" section, which is where you configure what content is pushed to which child workspace. This could be split up into one group for analytics rules, one group for workbooks, one group for automation rules, and so on. Or you could split the groups down further, for example multiple groups for analytics rules, one per log source. For MSSPs this means that if you onboard a customer with an IIS log source, you can simply add the new customer's workspace to the IIS analytics rules group and the rules for that log source will deploy into their workspace.
Once groups have been defined and workspaces have been added, you can "publish" the content to the child workspaces. The content is deployed in a state that mirrors the parent workspace: if a rule is disabled in the parent workspace, it will be disabled in the child workspace.
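The add-workspaces, define-groups, publish flow described above, modelled as an added Python example. This is not code from the post or from Microsoft, and it does not call the Workspace Manager API; it models the grouping logic so the consequences of a group design can be checked before anything is published: every child gets exactly the content of the groups it belongs to, enabled/disabled state mirrors the parent, an item referenced by a group but missing from the parent is flagged, and an item reaching one child through two groups is flagged. All content names, group names and workspace ids are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ContentItem:
    """A piece of content as it exists in the parent workspace."""
    name: str
    kind: str        # "AnalyticsRule", "Workbook", "AutomationRule", ...
    log_source: str  # log source the item covers, "" if not tied to one
    enabled: bool    # enabled/disabled state in the parent; children mirror it


@dataclass
class Group:
    """A content group: which parent items go to which child workspaces."""
    name: str
    content: frozenset  # names of parent content items assigned to the group
    members: frozenset  # child workspace ids that belong to the group


def plan_publish(parent, groups):
    """Resolve groups into the desired state of every child workspace.

    Returns (plan, warnings). plan maps child workspace -> {item name: ContentItem},
    each item carrying the parent's enabled/disabled state (the mirror rule).
    Warnings cover items a group references that are not in the parent, and
    items that reach one child through more than one group.
    """
    plan = {}
    via = {}  # (workspace, item) -> names of the groups that deliver it
    warnings = []
    for g in groups:
        for item_name in sorted(g.content):
            if item_name not in parent:
                warnings.append(f"group {g.name}: '{item_name}' does not exist in the parent workspace")
                continue
            for ws in sorted(g.members):
                plan.setdefault(ws, {})[item_name] = parent[item_name]
                via.setdefault((ws, item_name), []).append(g.name)
    for (ws, item_name), names in sorted(via.items()):
        if len(names) > 1:
            warnings.append(f"{ws}: '{item_name}' is assigned through several groups {sorted(names)}")
    return plan, warnings


def diff_child(desired, current):
    """Compare the planned state of one child with what it holds now.

    current maps item name -> enabled flag as observed in the child.
    create    = assigned items the child lacks
    update    = assigned items whose enabled state drifted from the parent
    unmanaged = items in the child that no group assigns (left alone here)
    """
    create = sorted(n for n in desired if n not in current)
    update = sorted(n for n, item in desired.items() if n in current and current[n] != item.enabled)
    unmanaged = sorted(n for n in current if n not in desired)
    return {"create": create, "update": update, "unmanaged": unmanaged}


def add_member(groups, group_name, workspace):
    """Onboard a child workspace into a group (e.g. a new customer that sends IIS logs)."""
    for g in groups:
        if g.name == group_name:
            g.members = g.members | {workspace}
            return g
    raise KeyError(group_name)


# Constructed sample data: a parent with four content items and three groups.
# "Retired rule" is deliberately absent from the parent to show the warning.
PARENT = {
    "IIS - Excessive 5xx": ContentItem("IIS - Excessive 5xx", "AnalyticsRule", "IIS", True),
    "IIS - Suspicious request path": ContentItem("IIS - Suspicious request path", "AnalyticsRule", "IIS", False),
    "Okta - Impossible travel": ContentItem("Okta - Impossible travel", "AnalyticsRule", "Okta", True),
    "SOC Overview": ContentItem("SOC Overview", "Workbook", "", True),
}
GROUPS = [
    Group("analytics-iis", frozenset({"IIS - Excessive 5xx", "IIS - Suspicious request path"}), frozenset({"cust-a"})),
    Group("analytics-okta", frozenset({"Okta - Impossible travel", "Retired rule"}), frozenset({"cust-a"})),
    Group("workbooks-all", frozenset({"SOC Overview"}), frozenset({"cust-a", "cust-b"})),
]

if __name__ == "__main__":
    add_member(GROUPS, "analytics-iis", "cust-b")  # new IIS customer onboarded
    plan, warnings = plan_publish(PARENT, GROUPS)
    for ws, items in sorted(plan.items()):
        print(ws, {n: ("enabled" if i.enabled else "disabled") for n, i in sorted(items.items())})
    for w in warnings:
        print("WARN", w)
    # cust-b already holds the workbook, a rule someone enabled by hand, and a local rule
    print(diff_child(plan["cust-b"], {"SOC Overview": True, "IIS - Suspicious request path": True, "Local tuning rule": True}))
```

Running it shows cust-b picking up both IIS rules once it is added to the IIS group, the parent-disabled rule staying disabled in the plan, the missing "Retired rule" being reported, and the diff for cust-b listing the hand-enabled rule as an update because its state no longer mirrors the parent. Mapping this onto Workspace Manager itself, the members are the added child workspaces, the groups are the groups section, and the plan is what a publish would apply.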
Final Thoughts
This has to be one of the features I have looked forward to the most for a while, bringing automation into the one platform. There were tools that could be used to automate this before, such as CI/CD pipelines and Terraform. However, this makes the deployment of content for MSSPs as simple as possible, which I am all for.
Let me know your thoughts!