Introducing Workspace Manager
Workspace Manager, a cutting-edge feature recently unveiled in its public preview phase, is poised to become an essential tool for SOC enginers. In this blog post, we will provide a brief overview of the functionality Workspace Manager offers, explore the underlying mechanics, and share our initial thoughts on this innovative feature.
Capabilities of Workspace Manager
- At its current stage, Workspace Manager has certain limitations, but it still offers a range of features to manage key components of a multi sentinel setup. These include:
- Analytic rules: Streamline the process of defining and managing the conditions for detecting potential threats or anomalies.
- Automation rules: Simplify the creation and maintenance of automated actions in response to specific events or alerts.
- Workbooks: Facilitate the organization and visualization of data, enabling easier analysis and decision-making.
- Kusto functions: Support the implementation and management of hunting queries, parsers, and other essential aspects of the Kusto Query Language (KQL).
It is important to note that Workspace Manager currently does not support playbooks, nor does it have the ability to delete content. However, as the feature continues to evolve and improve, we anticipate that these limitations will be addressed in future iterations.
Architecture
Leveraging the power of Azure Lighthouse, Workspace Manager is designed to streamline the management of multiple workspaces. To effectively utilize this feature, users must possess Microsoft Sentinel Contributor roles on all workspaces they intend to manage, as well as the primary workspace from which they will manage others.
Microsoft's official documentation outlines three distinct architectural approaches to using Workspace Manager:
- Straightforward management: Ideal for managing a small number of workspaces, this approach simplifies the process of overseeing multiple environments.
- Co-management: This approach enables collaboration between multiple parties to effectively manage workspaces, offering a more flexible solution.
- Nested configurations: Designed for complex customer environments, nested configurations allow for the creation of hierarchical structures that facilitate more nuanced workspace management.
- For Managed Security Service Providers (MSSPs), Workspace Manager offers various options to cater to different client requirements, whether it be simple workspace management, co-management, or nested configurations for intricate environments.
Initial Impressions
In my initial impressions of Workspace Manager, I found it to be quite user-friendly in terms of setup and configuration when compared to the foundational Sentinel as Code concept. The tool enables more precise content control using group configurations and provides a seamless content deployment experience. Furthermore, it offers the advantage of creating nested workspaces using N-Tier architecture and allows for scheduling regular updates. However, there are some limitations, such as lack of playbook support and limited push capabilities for playbooks not attributed or attached to analytic and automation rules.