Using Azure Sentinel with Azure Lighthouse

A recent article:

Configure Azure Lighthouse

detailed how to get Azure Lighthouse working across different tenants (a ‘master’ and multiple ‘clients’). It is now time to look at how to use that capability inside the ‘master’ tenant with Azure Sentinel.

image

Log into your ‘master’ Azure tenant. Select the user in the top right and from the menu that is displayed select Switch directory.

image

You’ll typically see only the current ‘master’ tenant listed in Current + delegated directories. Select the pull down arrow on the left of the Current + delegated directories option as shown.

image

You should now see all the ‘client’ tenants you connected with Azure Lighthouse now appear. However, you’ll will notice they are currently not selected.

image

Ensure that all the directories are selected.

image

With All directories now selected in Current + delegated directories, clock on the pull down arrow on the right of Subscription as shown above.

image

Again, you will probably see that the subscriptions in the ‘client’ tenants are not selected.

image

Ensure these are all selected and the Subscription option displays All subscriptions as shown above.

image

With all the ‘client’ tenant selections now complete it means they will be displayed just like any other in the ‘master’ tenant. Navigate to Azure Sentinel in the ‘master’ tenant and look at the list of workspaces that are displayed. If you don’t see ‘client’ Sentinel workspaces, select the Subscription filter at the top of the page and ensure it is set to All as shown.

image

With all the workspaces selected, click the View incidents button from the menu along the top as shown above.

image

You should now see a list of all the incidents across all the tenants. You can see this by looking at the Directory column as shown in the output. You can, of course, view at individual Sentinel workspaces if you want by just clicking on them in the previous screen. This provides the same experience as if you viewed the results inside that ‘client’ tenant but you are doing that now inside the ‘master’ tenant.

This process now provides you a single pane of glass across all your Azure Sentinel environments. Depending on the permissions you have configured in the ‘client’ tenants, you get much the same capability across other Azure resources in the ‘master’ tenant now. This is the benefit of using Azure Lighthouse to manage multiple tenants and exactly how I use it with Azure Sentinel.