This article is contributed. See the original author and article here.
This installment is part of a broader series to keep you up to date with the latest features in Azure Sentinel. The installments will be bite-sized to enable you to easily digest the new content.
Azure Sentinel is built on top of a Log Analytics workspace. You’ll notice that the first step in onboarding Azure Sentinel is to select the Log Analytics workspace you wish to use for that purpose. You can get the full benefit of the Azure Sentinel experience when using a single workspace. Even so, there are some use cases that may require you to have multiple workspaces.
Back in May, we introduced the multiple workspace incident view facilitating central incident monitoring and management across multiple workspaces. The cross-workspace incident view alleviates the challenge of managing several workspaces and provides the ability to investigate them as if you were connected to the original environment.
To help alleviate the challenge and expand the support of managing multiple workspaces, we are delighted to announce that cross workspace Hunting is now available! Cross workspace hunting will empower your threat hunters to query, correlate, and ask the right questions to find issues in the data you already have on your network.
Getting Started with cross-workspace querying
Azure Sentinel supports querying multiple workspaces in a single query, allowing you to search and correlate data from multiple workspaces in a single query.
- Use the workspace() expression to refer to a table in a different workspace.
- Use the union operator alongside the workspace() expression to apply a query across tables in multiple workspaces.
|Note: Identifying a workspace or resource can be accomplished one of several ways: Resource Name, Qualified Name, Workspace ID, and Azure Resource ID.|
Here’s an example:
SecurityEvent | union workspace("WorkspaceName").SecurityEvent | extend WorkspaceId = TenantId | summarize by WorkspaceId
Cross Workspace Hunting
Azure Sentinel provides a starting page provides preloaded query examples designed to get you started and get you familiar with the tables and the query language. These built-in hunting queries are developed by Microsoft security researchers on a continuous basis, adding new queries, and fine-tuning existing queries to provide you with an entry point to look for new detections and identify signs of intrusion that may have gone undetected by your security tools.
Cross workspace hunting will enable your threat hunters to create new hunting queries overlooking multiple queries or modify existing queries as shown below:
|Note: Make sure to review the entire query and add the union & workspace operators as appropriate|
Get started today!
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.