Multi-workspace View for Azure Sentinel Now in Public Preview

We’ve had a lot of interest from customers to be able to review multiple workspaces in Azure Sentinel. Prior to this release, this was only available through Azure Lighthouse or, alternatively, you could do cross-workspace KQL queries to view merged data. Now, with the multi-workspace view, you can select multiple workspaces as you enter into the Azure Sentinel console and see the Incidents that are associated with those workspaces for which you have proper access.

To work with this new feature, click the checkbox for multiple workspaces and then select the Multiple Workspace View option. (Keep in mind: There’s a current limit of 10 workspaces you can work with at once)

After clicking the Multiple Workspace View option you’re taken to a combined Incidents view for Azure Sentinel.

Clicking on a single workspace works the same as before.

Stay tuned, as I’ll dig a little bit deeper into this feature later this week.

The docs for this feature (including some caveats) are here: Work with incidents in many workspaces at once

Keep in mind, for better management of multiple Azure Sentinel tenants, Azure Lighthouse is still the recommended method, but this new feature is still being developed and additional functionality should arrive over time.


Leave a Reply