Recently I came across a new feature that is kinda welcome as a basic Sentinel user. Normally we automate things through Bicep or DevOps, but now this can be done in an MSSP-style way of working in the portal (together with Lighthouse).
The feature is called Workspace Manager and can be found under settings / settings in your Sentinel workspace. Keep in mind that you need at least one Sentinel workspace that will run as the parent workspace.
The following can be automated and deployed through the group/workspace members:
- Analytics rules
- Automation rules (excluding Playbooks)
- Parsers, Saved Searches and Functions
- Hunting and Livestream queries
- Workbooks
By enabling the parent workspace, you can easily deploy all of the above to all member workspaces. First add the members:
Create a group:
Add the member to your group:
Choose the data you want to update or create (sync):
The sync will run and you can check the status here (I selected no content in my test tenant / screenshot though, but you can select everything there):
More information regarding this feature here: https://learn.microsoft.com/en-us/azure/sentinel/workspace-manager
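
The same sequence (enable the parent, add members, create a group, assign content, start the sync) can also be scripted against the ARM REST API. The sketch below is an added example, not code from this post or from Microsoft: the `workspaceManager*` resource names, property names and api-version are assumptions to verify against the documentation linked above, the resource-type mapping is an assumption, and all IDs are constructed. It only builds the ordered calls and rejects content the feature does not deploy, such as playbooks.

```python
# Added example: plan the ARM REST calls behind the portal steps (all IDs constructed).
ARM = "https://management.azure.com"
API = "2023-06-01-preview"  # assumption: preview api-version exposing Workspace Manager
# Assumed mapping from ARM resource type to the content kinds the post lists.
SUPPORTED = {
    "microsoft.securityinsights/alertrules": "analytics rule",
    "microsoft.securityinsights/automationrules": "automation rule",
    "microsoft.operationalinsights/workspaces/savedsearches": "saved search/parser/function/hunting query",
    "microsoft.insights/workbooks": "workbook",
}

def content_kind(resource_id):
    """Return the content kind for an ARM resource ID, or None if it is not syncable."""
    parts = resource_id.lower().rsplit("/providers/", 1)[-1].split("/")
    # parts = [namespace, type, name, subtype, name, ...]; odd slots hold the type names.
    return SUPPORTED.get("/".join([parts[0]] + parts[1::2]))

def build_plan(parent_ws_id, members, group, assignment, items):
    """Return ordered (method, url, body) calls: enable parent, members, group, content, sync."""
    rejected = [i for i in items if content_kind(i) is None]
    if rejected:  # e.g. playbooks (Logic Apps), which the post says are excluded
        raise ValueError(f"not deployable through Workspace Manager: {rejected}")
    base = f"{ARM}{parent_ws_id}/providers/Microsoft.SecurityInsights"
    def url(kind, name):
        return f"{base}/{kind}/{name}?api-version={API}"
    plan = [("PUT", url("workspaceManagerConfigurations", "default"),
             {"properties": {"mode": "Enabled"}})]
    for name, m in sorted(members.items()):
        plan.append(("PUT", url("workspaceManagerMembers", name), {"properties": {
            "targetWorkspaceResourceId": m["workspace_id"],
            "targetWorkspaceTenantId": m["tenant_id"]}}))
    plan.append(("PUT", url("workspaceManagerGroups", group), {"properties": {
        "displayName": group, "memberResourceNames": sorted(members)}}))
    plan.append(("PUT", url("workspaceManagerAssignments", assignment), {"properties": {
        "targetResourceName": group, "items": [{"resourceId": i} for i in items]}}))
    plan.append(("POST", url("workspaceManagerAssignments", f"{assignment}/jobs"), None))
    return plan

# Constructed sample input: one parent workspace, one Lighthouse-delegated member.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-soc"
PARENT = f"{SUB}/providers/Microsoft.OperationalInsights/workspaces/parent-ws"
MEMBERS = {"customer-a": {"tenant_id": "11111111-1111-1111-1111-111111111111",
    "workspace_id": "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-a"
                    "/providers/Microsoft.OperationalInsights/workspaces/customer-a-ws"}}
RULE = f"{PARENT}/providers/Microsoft.SecurityInsights/alertRules/rule-0001"
PLAYBOOK = f"{SUB}/providers/Microsoft.Logic/workflows/isolate-host"

if __name__ == "__main__":
    for method, target, body in build_plan(PARENT, MEMBERS, "customers", "baseline", [RULE]):
        print(method, target.split("/providers/Microsoft.SecurityInsights/")[1], body)
```

Sending the calls needs a bearer token for the parent tenant with rights on the parent workspace and, via Lighthouse, on each member workspace.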