I thought I'd write a guide to ingesting security data from multiple tenants of the same platform into a single Microsoft Sentinel workspace. For example, if you have multiple GitHub Organizations and want their audit data in one workspace, you're in the right place. This avoids creating a workspace per tenant, which fragments your security view and leaves you with no unified context or user and entity behavior analytics (UEBA) across the environment.
To accomplish this we will use a newer feature of Microsoft Sentinel called "Codeless Connectors". These template-based data connectors can be deployed multiple times into the same Microsoft Sentinel workspace with a little customisation.
So, what are codeless connectors?
Codeless Connectors are a newer type of template-based connector, defined in JSON and deployed through the Microsoft Sentinel API, that poll your data source's REST API on a schedule. Some JSON editing is still required, but they give you a repeatable pattern when you need to deploy the same connector several times into one Sentinel workspace.
To view the currently available solutions, check the Content Hub within your Microsoft Sentinel workspace, or browse the following link:
Microsoft Sentinel GitHub: https://github.com/Azure/Azure-Sentinel/tree/master/Solutions
So, how do I Deploy a Codeless Connector to ingest Data from the same platform from multiple Tenants?
Most organisations run multiple tenants of a given platform, and a Security Operations Centre needs to integrate with each of them to monitor for unusual user or application behaviour. Many people get stuck integrating multiple tenants because of the limitations of the connectors they use: a lot of connectors have no option for adding another tenant. To get around this, follow the steps below.
For this walkthrough I'll use GitHub as the example, but the same approach applies to any codeless connector.
First, enable the GitHub Enterprise Audit Log connector within Microsoft Sentinel:
Microsoft Sentinel > Data Connectors > GitHub Enterprise Audit Log
Within the connector there is no way to add additional organisations, as seen below.
To get around this, we take the template the Sentinel community created for this connector and deploy it again under a new name.
To do this, you can browse https://github.com/Azure/Azure-Sentinel/tree/master/Solutions and find the relevant template for your use case.
To deploy an additional data connector for GitHub within Microsoft Sentinel, open the template in your preferred code editor and find the following lines:
"id": "GitHubEcAuditLogPolling",
"title": "GitHub Enterprise Audit Log",
We will rename these fields so the connector id is unique within the workspace and the title tells analysts which organisation it covers, for example:
"id": "GitHubEcAuditLogPollingalpha",
"title": "GitHub Enterprise Audit Log - Org B",
Your template will look something like this. Make sure the new id is used wherever the template references the connector id, including the ARM resource name: a deployment that reuses an existing resource name updates that connector instead of adding a second one.
Open Microsoft Azure > Deploy a custom template > Build your own template in the editor, paste in the template code, set the parameters (resource group and workspace) to your Microsoft Sentinel workspace, and click Create.
After a few seconds you should see the following notification pop up
If you see "Deployment failed", check the deployment's error output and your JSON, then try again.
Head back to your Microsoft Sentinel and you should see the following
Fill in the details for the second GitHub organisation, and its data will poll into your workspace alongside the other GitHub organisations. Repeat for as many tenants / organisations as you require.
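The rename above, done programmatically for any number of organisations, as an added example that is not part of the original post or the Azure-Sentinel repository. It assumes the connector template is an ARM JSON file whose connectorUiConfig carries the id and title shown above; SAMPLE_TEMPLATE and the organisation names in the block are constructed stand-ins (a real template has many more properties, which the script copies through unchanged), and the assumption that the resource name embeds the connector id is one you should confirm against the template you download:

```python
"""Generate one Sentinel codeless-connector template per extra GitHub organisation.

Added example, not code from the original post or the Azure-Sentinel repository.
SAMPLE_TEMPLATE is a constructed stand-in carrying only the fields the walkthrough
edits; the organisation names are constructed input.
"""
import json
import re
from pathlib import Path
from typing import Any

BASE_ID = "GitHubEcAuditLogPolling"          # id of the built-in connector (from the post)
BASE_TITLE = "GitHub Enterprise Audit Log"   # title of the built-in connector (from the post)

# Constructed stand-in for the real template; extra properties are copied through untouched.
SAMPLE_TEMPLATE: dict[str, Any] = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {"workspace": {"type": "string"}},
    "resources": [
        {
            "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
            # Assumed layout: the resource name embeds the connector id, so it must change
            # too, or the deployment updates the existing connector instead of adding one.
            "name": f"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/{BASE_ID}')]",
            "kind": "APIPolling",
            "properties": {
                "connectorUiConfig": {"id": BASE_ID, "title": BASE_TITLE, "publisher": "GitHub"}
            },
        }
    ],
}


def rewrite(node: Any, base_id: str, base_title: str, new_id: str, new_title: str) -> Any:
    """Return a copy of node with the connector id replaced inside every string
    (ids, resource names, variables) and the exact connector title replaced."""
    if isinstance(node, dict):
        return {k: rewrite(v, base_id, base_title, new_id, new_title) for k, v in node.items()}
    if isinstance(node, list):
        return [rewrite(v, base_id, base_title, new_id, new_title) for v in node]
    if isinstance(node, str):
        return new_title if node == base_title else node.replace(base_id, new_id)
    return node


def connector_ids(template: Any) -> list[str]:
    """Collect every connectorUiConfig.id in a template, to prove each clone is unique."""
    found: list[str] = []

    def walk(node: Any) -> None:
        if isinstance(node, dict):
            ui = node.get("connectorUiConfig")
            if isinstance(ui, dict) and isinstance(ui.get("id"), str):
                found.append(ui["id"])
            for v in node.values():
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)

    walk(template)
    return found


def id_suffix(org: str) -> str:
    """The id ends up in an ARM resource name, so keep the suffix alphanumeric."""
    return re.sub(r"[^A-Za-z0-9]", "", org)


def build_clones(template: Any, base_id: str, base_title: str, orgs: list[str]) -> dict[str, Any]:
    """One template per extra organisation, each with a unique id and a labelled title.
    Raises ValueError if a clone would collide with the base connector or another clone."""
    taken = {base_id}                       # the built-in connector keeps the original id
    clones: dict[str, Any] = {}
    for org in orgs:
        suffix = id_suffix(org)
        new_id = f"{base_id}{suffix}"
        if not suffix or new_id in taken:
            raise ValueError(f"organisation {org!r} does not yield a unique connector id")
        taken.add(new_id)
        clone = rewrite(template, base_id, base_title, new_id, f"{base_title} - {org}")
        if connector_ids(clone) != [new_id]:
            raise ValueError(f"unexpected connector ids after rewrite: {connector_ids(clone)}")
        clones[org] = clone
    return clones


def write_clones(clones: dict[str, Any], out_dir: Path) -> list[Path]:
    """Write each clone to its own file, ready for 'Deploy a custom template'."""
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for org, tmpl in clones.items():
        path = out_dir / f"connector-{id_suffix(org)}.json"
        path.write_text(json.dumps(tmpl, indent=2))
        paths.append(path)
    return paths


if __name__ == "__main__":
    extra_orgs = ["Org B", "Org C"]        # constructed; the first org stays on the built-in connector
    clones = build_clones(SAMPLE_TEMPLATE, BASE_ID, BASE_TITLE, extra_orgs)
    for org, tmpl in clones.items():
        ui = tmpl["resources"][0]["properties"]["connectorUiConfig"]
        print(f"{org}: id={ui['id']} title={ui['title']!r}")
    print(write_clones(clones, Path("connectors")))
```

Each generated file can be pasted into Deploy a custom template, or deployed from the command line with `az deployment group create --resource-group <rg> --template-file connectors/connector-OrgB.json --parameters workspace=<workspace-name>` (the parameter names come from the template you actually use). The script rewrites the id inside every string rather than only the `"id"` field, so a resource name or variable that embeds the id is renamed with it; the uniqueness check is what stops two organisations with the same sanitised name from silently overwriting each other.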
I hope this quick walkthrough on creating additional Microsoft Sentinel data connectors has simplified the process of expanding your data sources. With a connector per tenant or organisation feeding one workspace, you can collect and analyse the security data you need with full context across your environment.