Felipe Binotto's Blog: Multi-tenant or multi-workspace Azure Sentinel Workbooks

By default, workbooks in Azure Sentinel display data from a single tenant and a single log analytics workspace. This can be a problem when you are managing multiple Sentinels.

Javier Soriano created a nice article which can be found HERE, where he details how to make a workbook multi-tenant or multi-workspace.

In this post, I will skip the explanations he makes and focus on a step-by-step configuration on making the workbook multi-tenant or multi-workspace enabled.

Make sure you have access to the workspaces you are trying to visualize.

Let's get started. The first step is to go to the Workbooks and save one of the templates if you haven't already.

Once saved, click to view the saved workbook.

Click on Edit.

Click on Edit again but this time at the right side of the screen as displayed below.

Click on Add Parameter

Configure the new parameter as follows:

Parameter name: Workspace
Display name: Workspace
Parameter type: Resource picker
Required: True
Allow multiple selections: True
Get data from: Query

For the query, select Azure Resource Graph as the Data source and on the Subscription dropdown click on Load all subscriptions if you want to select more than one subscription. Then select the subscriptions.

Now enter the following query and it should return all the available workspaces. Select to include all in the dropdown. Hit Save.

resources | where type =~ 'Microsoft.operationsmanagement/solutions' | where name contains 'SecurityInsights' | project id = tostring(properties.workspaceResourceId)

Click on Done editing.

Once the workspace resource picker is done, we need to go to each of the visualizations / queries and change them to use the new workspace resource picker we have created.

Click on Edit on the visualization / query you want to change.