IBM QRadar SOAR

  • 1.  Onboarding additional tenants to Microsoft Azure Sentinel app

    Posted Wed January 17, 2024 06:52 PM

    Hello Community, 

    I'm looking to get some confirmation on whether this application supports onboarding additional Sentinel tenants (each with their own unique tenant_id and client_id). My assumption is that this would be possible by configuring multiple app.config files under the application. If that is the case, is there a limit to how many configuration files this app supports?

    Thanks!



    ------------------------------
    Nick B
    ------------------------------


  • 2.  RE: Onboarding additional tenants to Microsoft Azure Sentinel app

    Posted Wed January 24, 2024 08:16 AM

    Hi Nick 

    I have reached out to the wider team to get an answer for you.

    They should be in contact shortly

    Regards

    John



    ------------------------------
    John Quirke
    ------------------------------



  • 3.  RE: Onboarding additional tenants to Microsoft Azure Sentinel app

    Posted Mon February 05, 2024 05:01 PM

    Hey John, any update?



    ------------------------------
    Nick B
    ------------------------------



  • 4.  RE: Onboarding additional tenants to Microsoft Azure Sentinel app

    Posted Tue February 06, 2024 08:39 AM

    Hi Nick,

    Sentinel does support multiple subscriptions, but not multiple tenants and clients. I think that may be something with the current profile framework. I would suggest adding this as a request for enhancement so we can track: https://ideas.ibm.com/.

    Regards,
    Mark



    ------------------------------
    Mark Scherfling
    ------------------------------



  • 5.  RE: Onboarding additional tenants to Microsoft Azure Sentinel app

    Posted Tue February 06, 2024 04:20 PM

    Hey Mark, would you propose any workaround for this? I'd imagine adding additional app hosts, each with their own instance of Sentinel, would do the trick? This is a pretty basic requirement that most organizations and MSSPs are beginning to need.



    ------------------------------
    Nick B
    ------------------------------



  • 6.  RE: Onboarding additional tenants to Microsoft Azure Sentinel app

    Posted Wed February 07, 2024 10:15 AM

    Hi Nick, 

    Unfortunately, an app cannot be assigned to multiple App Hosts, and the same app cannot be imported more than once.

    There is a way, through an integration server, to define multiple app.config files, one per tenant. Then, running resilient-circuits for each app.config file, you should be able to pull in incidents from Sentinel. Using a Python environment such as pyenv and pyenv-virtualenv would be a good way to create code separation.

    The additional challenge with this solution is associated with the Sentinel functions which return status and comments back to the Sentinel incident. Functions operate on one message destination. In order to send results back, each function would need to be cloned, using a tenant-specific message destination. And a separate playbook would be needed per cloned function to run for each tenant. That can be very tedious to set up and maintain.

    I'm sorry we don't have a simpler solution for you at the moment.

    Regards,
    Mark



    ------------------------------
    Mark Scherfling
    ------------------------------
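
The one-app.config-per-tenant workaround described in the reply above, as an added example that is not code from this thread or from IBM's Sentinel app. It takes a base app.config and a constructed tenant list, writes one config per tenant with a mode-0600 file, refuses duplicate tenant_ids (two runners polling the same tenant would ingest every incident twice), and prints one launch command per tenant. Assumptions, which you must check against the app's own app.config template and your resilient-circuits version: the app's section is named [fn_microsoft_sentinel] with keys tenant_id, client_id and client_secret; resilient-circuits reads its config path from the APP_CONFIG_FILE environment variable; a `$NAME` value in app.config is resolved from the environment by the resilient library; and pyenv-virtualenv names of the form soar-<tenant> already exist. The host, org and identifiers are all made up.

```python
"""Generate one app.config per Sentinel tenant for separate resilient-circuits runs.

Added example, not code from the IBM app or from this thread. Assumptions:
- the Sentinel app's settings live in [fn_microsoft_sentinel] with keys
  tenant_id / client_id / client_secret (check the app's template),
- resilient-circuits reads its config path from APP_CONFIG_FILE,
- a "$NAME" value in app.config is resolved from the environment by the
  resilient library (otherwise use its keyring "^" convention instead),
- pyenv selects the per-tenant virtualenv via PYENV_VERSION.
"""
import configparser
import io
from pathlib import Path

SENTINEL_SECTION = "fn_microsoft_sentinel"  # assumption, see docstring

# Constructed sample: base app.config with the SOAR connection and one
# placeholder Sentinel section. In practice start from the app's template.
BASE_APP_CONFIG = """\
[resilient]
host = soar.example.internal
port = 443
org = Example Org
api_key_id = REPLACE_ME
api_key_secret = REPLACE_ME

[fn_microsoft_sentinel]
tenant_id =
client_id =
client_secret =
"""

# Constructed sample tenants (hypothetical identifiers).
TENANTS = [
    {"name": "contoso", "tenant_id": "11111111-1111-1111-1111-111111111111",
     "client_id": "aaaaaaaa-0000-0000-0000-000000000001"},
    {"name": "fabrikam", "tenant_id": "22222222-2222-2222-2222-222222222222",
     "client_id": "bbbbbbbb-0000-0000-0000-000000000002"},
]


def validate_tenants(tenants):
    """Reject duplicate names or tenant_ids before anything is written."""
    seen_ids, seen_names = set(), set()
    for t in tenants:
        if t["tenant_id"] in seen_ids:
            raise ValueError(f"duplicate tenant_id {t['tenant_id']}")
        if t["name"] in seen_names:
            raise ValueError(f"duplicate tenant name {t['name']}")
        seen_ids.add(t["tenant_id"])
        seen_names.add(t["name"])


def render_tenant_config(base_text, tenant):
    """Return the app.config text for one tenant.

    The client secret is never written to disk: the value is a $VAR
    reference that the loader expands from the environment (assumption).
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(base_text)
    env_var = f"SENTINEL_CLIENT_SECRET_{tenant['name'].upper()}"
    cp.set(SENTINEL_SECTION, "tenant_id", tenant["tenant_id"])
    cp.set(SENTINEL_SECTION, "client_id", tenant["client_id"])
    cp.set(SENTINEL_SECTION, "client_secret", "$" + env_var)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def write_tenant_configs(base_text, tenants, root):
    """Write <root>/<name>/app.config per tenant (mode 0600); return paths."""
    validate_tenants(tenants)
    paths = {}
    for t in tenants:
        d = Path(root) / t["name"]
        d.mkdir(parents=True, exist_ok=True)
        p = d / "app.config"
        p.write_text(render_tenant_config(base_text, t))
        p.chmod(0o600)  # the file carries the SOAR API key
        paths[t["name"]] = p
    return paths


def launch_command(tenant, config_path):
    """One resilient-circuits process per tenant in its own pyenv virtualenv."""
    return (f"PYENV_VERSION=soar-{tenant['name']} "
            f"APP_CONFIG_FILE={config_path} resilient-circuits run")


if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp(prefix="soar-tenants-")
    by_name = {t["name"]: t for t in TENANTS}
    for name, path in write_tenant_configs(BASE_APP_CONFIG, TENANTS, root).items():
        print(launch_command(by_name[name], path))
```

Each process still binds to the app's single set of message destinations, so this only separates the inbound poll and credentials; the function cloning and per-tenant playbooks the reply describes are still needed on the SOAR side for results to flow back to the right tenant.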