u/wenttoibiza

▲ 7 r/MSSP

Hi all. We are an MSSP running Sentinel for around 40 tenants now, the business is growing but already the simple operations are getting painful.

Lighthouse for delegated access, Workspace Manager for pushing rules and workbooks. WM updates are slow and sometimes not reflecting, my colleague opened support cases a few times. Cross workspace() works but performance varies. Updating one rule across the tenants when MS changes a template is basically someone's entire job.

Per-customer tunings, their watchlists, exclusions, also hard to keep separate from the baseline we push.

Anyone running 50-80 tenants in Lighthouse smoothly? Or is it just pain at that scale?

Workspace Manager in production or you rolled your own with Bicep, Terraform, Sentinel as Code?

Analysts in Defender XDR unified portal or jumping per-tenant?

And the same playbook copied 40 times with small differences, how do you handle that?

reddit.com
u/wenttoibiza — 10 days ago

Hi all. Sentinel bill is getting harder to defend and I am trying to be smart about Analytics tier, Basic, Auxiliary or... just dropping? (For me, it is not a real option. But the others say this.)

Right now everything goes in Analytics. SigninLogs, AADNonInteractive, OfficeActivity, SecurityEvent, MDE tables, plus network and firewall. NonInteractive is almost half of the volume and I don't know how much real detection value we really get.

Thinking to move AADNonInteractive to Auxiliary. If you did this, what detections did you lose? Worth it? Anyone using summary rules (at scale), is it reliable or buggy? How aggressive with DCR transformations? ADX for retention only or you actually run detections on it?

Please, not looking for "Turn It Off" advice, thanks.

u/wenttoibiza — 10 days ago

Hi all, we have a problem with too much noise in our sign-in risk rules and the SOC team is very tired of false positives. What is the best way for tuning the scheduled analytics rules? Better to use entity mapping with grouping, or make a watchlist for the service accounts we know are good to exclude them? Also, is someone using NRT rules for high-fidelity detections without making the ingestion cost explode? Thanks

u/wenttoibiza — 15 days ago
▲ 2 r/vueling+1 crossposts

Vueling descuento de residente - resident's discount not working?

Anyone else having problems with the resident discount (descuento de residente) not applying when booking Vueling to Barcelona? My certificado de empadronamiento is current but the system keeps charging the full price and the call center is useless. Is this happening only to me?

u/wenttoibiza — 15 days ago