Workspace Manager Design
Workspace Manager is a recently introduced feature in Microsoft Sentinel that allows for the seamless and streamlined deployment of security content across multiple Sentinel workspaces. This centralized workspace offers a more convenient and efficient method for content delivery at scale.
Supported Content Types
Here are the active content types supported by the workspace manager:
- Analytics rules
- Automation rules (excluding Playbooks)
- Parsers, Saved Searches and Functions
- Hunting and Livestream queries
- Workbooks
Prerequisites
The Workspace Manager feature requires two or more workspaces to function. Below are the prerequisites.
Role Assignments
- Microsoft Sentinel Contributor Role
Azure Lighthouse
- More than one workspace across multiple Azure Tenants
Architecture Consideration
To ensure effective scalability, it is essential to have a central workspace that consolidates the content intended for publication across member workspaces. The content settings on the central or parent workspace will be published in their original form.
Depending on your scenario, consider these architectures:
- Direct-link is the least complex setup. Control all member workspaces with only one central workspace.
- Co-management supports scenarios where more than one central workspace needs to manage a member workspace. For example, workspaces are simultaneously managed by an in-house SOC team and an MSSP.
- N-Tier supports complex scenarios where a central workspace controls another central workspace. For example, a conglomerate that manages multiple subsidiaries, where each subsidiary also manages multiple workspaces.
Steps to Enable Workspace Manager on Central Workspace
- Navigate to the Settings blade in the parent workspace, and toggle On the workspace manager configuration setting to "Make this workspace a parent".
- Once enabled, a new menu Workspace manager (preview) appears under Configuration.
Onboard Member Workspace
Member workspaces are the set of workspaces managed by the workspace manager. Onboard some or all of the workspaces in the tenant, and across multiple tenants as well (if Azure Lighthouse is enabled).
- Navigate to Workspace Manager and select "Add workspaces". The screenshot shows the Add Workspace menu.
- Select the member workspace(s) you would like to onboard to the workspace manager. The screenshot shows the Add Workspace selection menu.
- Once successfully onboarded, the Members count increases and your member workspaces are reflected in the Workspaces tab. The screenshot shows the added workspaces and the Members count incremented to 2.
Groups
Workspace manager groups allow you to organize workspaces together based on business groups, verticals, geography, etc. Use groups to pair content items relevant to the workspaces.
To create a group:
- To add one workspace, select Add > Group.
- To add multiple workspaces, select the workspaces and Add > Group from selected.
- On the Create or update group page, enter a Name and Description for the group. The screenshot shows the Create or update group configuration page.
- In the Select Workspaces tab, select Add and select the member workspaces that you would like to add to the group.
- In the Select Content tab, you have two ways to add content items.
- Method 1: Select the Add menu and choose All content. All active content currently deployed in the central workspace is added. This list is a point-in-time snapshot that selects only active content, not templates.
- Method 2: Select the Add menu and choose Content. A Select content window opens to custom select the content added.
- Filter the content as needed before you Review + create.
- Once created, the Group count increases and your groups are reflected in the Groups tab.
Publish Content to the Group definition
- Select the group > Publish content.
Test Scenarios
The following scenarios were tested with the Analytics Rule and Automation Rule content types using the workspace manager.
Apart from testing, below is a representation of the group-based and content-based workspace manager architectures.
Workspace Architecture Diagram
Using the Direct-link approach we designed two significantly different architectures to deploy content.
Approach#1: Group-based Architecture
In the Approach#1 design diagram, all workspaces are collectively added to the Workspace Manager, which acts as the central workspace. The content is organized into groups, as depicted in the accompanying screenshot. While this approach requires careful content selection, it significantly reduces maintenance overhead since all content is centrally managed within the Workspace Manager.
In this approach, multiple content groups are created inside one central workspace, which deploys the selected content to its member workspaces.
Approach#2: Workspace-based Architecture
As depicted in the Approach#2 design diagram below, this approach selects all content within a workspace for publishing, eliminating the need for careful content selection. This minimizes the chance of human error and reduces the likelihood of omitting important content during publishing.
In this approach, only one group is created inside each workspace, which deploys all content to its member workspaces.