Microsoft has announced public previews for its Unified SecOps Platform, introducing two key features:
- Multi-Workspace for Multi-Tenant – Read more here
- Multi-Workspace for Single Tenant – Read more here
These enhancements allow security teams to manage multiple workspaces across different tenants or within a single tenant, improving scalability and operational efficiency.
You Should Know:
1. Managing Multi-Tenant Security with Microsoft Sentinel
Microsoft Sentinel supports multi-tenant security operations through Lighthouse delegation. Below are key commands to configure cross-tenant access:
# Connect to Azure (requires admin permissions)
Connect-AzAccount
# Assign Sentinel roles to a remote tenant
New-AzRoleAssignment -ObjectId <SecurityGroupObjectId> -RoleDefinitionName "Security Reader" -Scope "/subscriptions/<TargetSubscriptionId>"
For Linux-based log analysis in Sentinel, use Log Analytics KQL queries:
SecurityEvent
| where EventID == 4625 // Failed logons
| summarize FailedAttempts = count() by Account
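The query above, extended to the multi-workspace setup this post is about, as an added example that is not from the original post: it unions SecurityEvent across two workspaces (the names ws-tenant-a and ws-tenant-b, the 10-minute window and the threshold of 10 are assumed placeholders) and reports only sources that cross the failed-logon threshold inside one window.

```kql
// Added example (not from the original post): cross-workspace failed-logon detection.
// Assumptions: workspace names ws-tenant-a / ws-tenant-b, window and threshold are
// placeholders to tune for your environment.
let threshold = 10;
let window = 10m;
union isfuzzy=true
    workspace("ws-tenant-a").SecurityEvent,
    workspace("ws-tenant-b").SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4625                         // Failed logon
| summarize FailedAttempts = count(),
            TargetAccounts = make_set(Account, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by IpAddress, Computer, Window = bin(TimeGenerated, window)
| where FailedAttempts >= threshold
// Many distinct accounts from one source suggests a spray; one account hammered suggests brute force
| extend Pattern = iff(array_length(TargetAccounts) > 5, "password spray", "brute force")
| project Window, Computer, IpAddress, FailedAttempts, TargetAccounts, FirstSeen, LastSeen, Pattern
| order by FailedAttempts desc
```

With Lighthouse delegation in place, the workspace() references can point at workspaces in delegated tenants by resource ID instead of by name.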
2. Automating Multi-Workspace Deployment
Deploy Sentinel workspaces across tenants using Azure Bicep/ARM templates:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json",
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces",
      "apiVersion": "2021-06-01",
      "name": "SecOps-Workspace",
      "location": "eastus",
      "properties": {
        "sku": {
          "name": "PerGB2018"
        }
      }
    }
  ]
}
3. Windows Event Forwarding (WEF) for Centralized Logs
Configure WEF to forward security logs to Sentinel:
# Configure the Windows Event Collector service on the Windows Server collector
wecutil qc /q
# Enable WinRM, which WEF uses as its transport
winrm quickconfig
4. Linux Syslog Forwarding to Sentinel
For Linux systems, use rsyslog to forward logs:
# Install rsyslog if not present
sudo apt-get install rsyslog -y
# Configure Sentinel log forwarding: forward all facilities and severities (*.*)
# Note: the Sentinel syslog/CEF connectors expect rsyslog to forward to the locally installed
# collector agent (the legacy Log Analytics agent CEF listener is 127.0.0.1:25226); adjust the host accordingly
echo "*.* @<LogAnalyticsWorkspaceID>.ods.opinsights.azure.com:25226" | sudo tee -a /etc/rsyslog.conf
sudo systemctl restart rsyslog
What Undercode Says
Microsoft’s Unified SecOps Platform enhances cross-tenant visibility, making it easier for SOC teams to manage threats at scale. Key takeaways:
– Multi-tenant security requires proper Azure Lighthouse delegation.
– KQL queries in Sentinel help detect anomalies faster.
– Automation (Bicep/ARM) reduces deployment overhead.
– Linux/Windows log forwarding ensures comprehensive monitoring.
For SOC analysts, mastering these commands ensures efficient SecOps management.
Expected Output:
- A fully configured multi-tenant Sentinel workspace.
- Automated log ingestion from Windows/Linux systems.
- Centralized threat detection using KQL analytics.
Reported By: Markolauren Multi – Hackers Feeds