Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
When you onboard Microsoft Sentinel, your first step is to select your Log Analytics workspace. While you can get the full benefit of the Microsoft Sentinel experience with a single workspace, in some cases, you might want to extend your workspace to query and analyze your data across workspaces and tenants. For more information, see Design a Log Analytics workspace architecture and Prepare for multiple workspaces and tenants in Microsoft Sentinel.
If you onboard Microsoft Sentinel to the Microsoft Defender portal, see:
- Multiple Microsoft Sentinel workspaces in the Defender portal
- Microsoft Defender multitenant management
Manage incidents on multiple workspaces
In the Azure and Defender portals, the incidents view allows you to centrally manage and monitor incidents across multiple workspaces or filter the view by workspace. Manage incidents directly or drill down transparently to the incident details in the context of the originating workspace.
If you're working in the Azure portal, see multiple workspace incident view. For the Defender portal, see Multiple Microsoft Sentinel workspaces in the Defender portal.
Query multiple workspaces
Query multiple workspaces to search and correlate data from multiple workspaces in a single query.
- Use the - workspace( )expression, with the workspace identifier as the argument, to refer to a table in a different workspace. Use explicit identifier formats to ensure best performance. For more information, see Identifier formats for cross workspace queries.
- Use the union operator alongside the - workspace( )expression to apply a query across tables in multiple workspaces.
- Use saved functions to simplify cross-workspace queries. For example, you can shorten a long reference to the SecurityEvent table in Customer A's workspace by saving the expression: - workspace("/subscriptions/<customerA_subscriptionId>/resourcegroups/<resourceGroupName>/providers/microsoft.OperationalInsights/workspaces/<workspaceName>").SecurityEvent- as a function called - SecurityEventCustomerA. You can then query Customer A's SecurityEvent table with this function:- SecurityEventCustomerA | where ....
- A function can also simplify a commonly used union. For example, you can save the following expression as a function called - unionSecurityEvent:- union workspace("/subscriptions/<subscriptionId>/resourcegroups/<resourceGroupName>/providers/microsoft.OperationalInsights/workspaces/<workspaceName1>").SecurityEvent, workspace("/subscriptions/<subscriptionId>/resourcegroups/<resourceGroupName>/providers/microsoft.OperationalInsights/workspaces/<workspaceName2>").SecurityEvent- Then, write a query across both workspaces by beginning with - unionSecurityEvent | where ....
Cross-workspace queries for Log Analytics data remain subject to Log Analytics considerations.
Include cross-workspace queries in scheduled analytics rules
You can include cross-workspace queries in scheduled analytics rules. You can use cross-workspace analytics rules in a central SOC, and across tenants (using Azure Lighthouse), suitable for MSSPs. This use is subject to the following limitations:
- You can include up to 20 workspaces in a single query. However, for good performance, we recommend including no more than 5.
- You must deploy Microsoft Sentinel on every workspace referenced in the query.
- Alerts generated by a cross-workspace analytics rule, and the incidents created from them, exist only in the workspace where the rule was defined. The alerts won't be displayed in any of the other workspaces referenced in the query.
- A cross-workspace analytics rule, like any analytics rule, will continue running even if the user who created the rule loses access to workspaces referenced in the rule's query. The only exception to this is in the case of workspaces in different subscriptions and/or tenants than the analytics rule.
Alerts and incidents created by cross-workspace analytics rules contain all the related entities, including those from all the referenced workspaces and the "home" workspace (where the rule was defined). This way, analysts get a full picture of alerts and incidents.
Note
Querying multiple workspaces in the same query might affect performance, and therefore is recommended only when the logic requires this functionality.
Use cross-workspace workbooks
Workbooks provide dashboards and apps to Microsoft Sentinel. When working with multiple workspaces, workbooks provide monitoring and actions across workspaces.
Workbooks can provide cross-workspace queries in one of three methods, suitable for different levels of end-user expertise:
| Method | Description | When should I use? | 
|---|---|---|
| Write cross-workspace queries | The workbook creator can write cross-workspace queries (described above) in the workbook. | I want the workbook creator to create a workspace structure that is transparent to the user. | 
| Add a workspace selector to the workbook | The workbook creator can implement a workspace selector as part of the workbook. | I want to allow the user to control the workspaces shown by the workbook, with an easy-to-use dropdown box. | 
| Edit the workbook interactively | An advanced user modifying an existing workbook can edit the queries in it, selecting the target workspaces using the workspace selector in the editor. | I want to allow a power user to easily modify existing workbooks to work with multiple workspaces. | 
Hunt across multiple workspaces
Microsoft Sentinel provides preloaded query samples designed to get you started and get you familiar with the tables and the query language. Microsoft security researchers constantly add new built-in queries and fine-tune existing queries. You can use these queries to look for new detections and identify signs of intrusion that your security tools might have missed.
Cross-workspace hunting capabilities enable your threat hunters to create new hunting queries, or adapt existing ones, to cover multiple workspaces, by using the union operator and the workspace() expression as shown above.
Manage multiple workspaces using automation
To configure and manage multiple Log Analytics workspaces enabled for Microsoft Sentinel, you need to automate the use of the Microsoft Sentinel management API.
- Learn how to automate the deployment of Microsoft Sentinel resources, including alert rules, hunting queries, workbooks, and playbooks.
- Learn how to deploy custom content from your repository. This resource provides a consolidated methodology for managing Microsoft Sentinel as code and for deploying and configuring resources from a private Azure DevOps or GitHub repository.
Manage workspaces across tenants
In many scenarios, the different Log Analytics workspaces enabled for Microsoft Sentinels can be located in different Microsoft Entra tenants. You can use Azure Lighthouse to extend all cross-workspace activities across tenant boundaries, allowing users in your managing tenant to work on workspaces across all tenants.
Once Azure Lighthouse is onboarded, use the directory + subscription selector on the Azure portal to select all the subscriptions containing workspaces you want to manage, in order to ensure that they'll all be available in the different workspace selectors in the portal.
When using Azure Lighthouse, it's recommended to create a group for each Microsoft Sentinel role and delegate permissions from each tenant to those groups.
If you're using the Defender portal, multitenant management for Microsoft Defender XDR and Microsoft Sentinel provides your security operation teams with a single, unified view of all the tenants you manage. For more information, see Microsoft Defender multitenant management.
Related content
For Microsoft Sentinel in the Azure portal, see:
- Manage multiple tenants in Microsoft Sentinel as an MSSP by using Azure Lighthouse
- Work with incidents in many workspaces at once in the Azure portal
For Microsoft Sentinel in the Defender portal, see: