Azure Sentinel News
  • Home
    • Home – Layout 1
    • Home – Layout 2
    • Home – Layout 3
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence
No Result
View All Result
  • Home
    • Home – Layout 1
    • Home – Layout 2
    • Home – Layout 3
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence
No Result
View All Result
Azure Sentinel News
No Result
View All Result
Home Security and Compliance

Azure Sentinel RBAC Review

Azure Sentinel News Editor by Azure Sentinel News Editor
December 25, 2020
in Security and Compliance
0
Microsoft announces security, identity, management, and compliance updates across Azure and Office
4.5kViews
341 Shares Share on Facebook Share on Twitter

I was recently asked by a customer to help prepare a matrix covering role-based access for Sentinel users and administrators. In this article I describe a custom Sentinel Advanced Responder role and several interesting points around Sentinel access management.

Sentinel Access Matrix Example

I recommend setting up user groups to define access for each category of Sentinel user. Assign built-in and custom roles to these groups as needed. The groups can be documented in a matrix for reference and tracking. Consider designating the scope (SUB,RG,WS) and highlighting custom roles. You may also want to designate persistent assignments, temporary elevated access, and hybrid access requirements.

Temporary Access Requirements

Sentinel administrators will need elevated access for certain activities. These credentials can and should only be granted on a temporary basis.

  • Activating and modifying connectors involving Azure services often requires Global Admin or Security Admin.
  • Setting up Notebooks may require activation of Machine Learning services.
  • Activating and developing API-based connectors may require the creation and management of App Registrations in Azure AD.
  • You may need to store and retrieve keys from a Key Vault and Azure AD.
  • Developers may need Sentinel Contributor access to test and deploy new solutions.
  • Sentinel Administrators and Responders may need temporary access to highly secured resources for deeper analysis.

Persistent Access Requirements

  • Your Sentinel Administrator should be approving and periodically reviewing Sentinel access (possibly assigning access).
  • Sentinel Administrators and developers will need access to create analytic rules, hunter queries, workbooks, and playbooks.
  • Sentinel Administrators and developers may need access to Azure Monitor, Azure Automation, Azure Functions, and other related services.
  • Sentinel Administrators and developers may need persistent access to specific blob storage or file shares.
  • Sentinel Administrators and developers may require persistent Application Administrator access when many API connections are maintained.
  • Sentinel Administrators and Responders will likely need access to related security solutions like Defender, Office ATP, and MCAS.
  • Sentinel Administrators and Responders will need access to most source systems and logs for deeper analysis.
  • Sentinel Administrators and Responders will often need access to operational (non-Sentinel) workspaces for deeper analysis.
  • Internal stakeholders may need access to view workbooks and other Sentinel data.
  • External support providers may need persistent access to provide managed services (guest accounts, company managed accounts, or Lighthouse).

Note: Guest users cannot assign incident records unless they are granted Directory Reader permissions in Azure AD. This is assigned per user. Guest users are prevented from reading the directory by default.

Hybrid Access Requirements

Sentinel Administrators and Responders will often need more traditional credentials, especially in a hybrid support model.

  • Persistent or periodic RDP and SSH access to servers.
  • Remote access to event logs and monitoring agent configurations.
  • Access to appliances and network devices like firewalls and Internet proxies.
  • Access to management consoles for related Microsoft solutions like SCOM, SCCM, Intune, and Orchestrator.
  • Access to related 3rd party solutions like ITSM, SolarWinds, AV and EDR, SEIMs, and VMWare.

Taking a Closer Look:

There are three Sentinel RBAC Roles including the Sentinel Contributor, Responder, and Reader roles. There are similar roles for the Log Analytics Workspace, Logic Apps, and other services that you should also consider.

Sentinel uses a Log Analytics workspace that resides within a resource group.

Role based access cannot be set directly on Sentinel. Rather, access is inherited from the workspace, resource group, and subscription.

You need at least read access (in some form) to the resource group. Sentinel access cannot be granted on the workspace directly (using Sentinel Contributor, Sentinel Responder, or Sentinel Reader).

All Sentinel users should have read access to the Resource Group at a minimum.

What is a role in Azure?

A role is a set of allowed and not-allowed resource provider activities. A resource provider is a service and each provider has a defined set of activities (permissions).

  • Roles allow or deny (not-allow) activities from one or more resource provider. For example, Sentinel, Log analytics, and Key Vault.
  • Role definitions can use wildcards to include an entire provider set or common value. For example, “*/read/” for all read activities.
  • There are built-in and custom roles.
  • Roles are cumulative.

Azure includes many built-in roles representing a recommended set of permissions (provider activities). You have the option to create custom roles, choosing your own provider activities. There are many providers and activities to choose from. Creating roles requires a certain amount of testing and the documentation on specific activities is limited. Here are a few tips for creating custom roles:

  • Test your custom roles carefully before making production assignments.
  • Refer to the Built-In Roles documentation to identify target activities.
  • Create a test user and group to represent the target audience. Always assign roles to groups.
  • Log off and log back in with your test account to verify changes.
  • In most cases you will need to use the traditional method for custom roles.
  • There is a new Custom Role Creator though it is limited to specific providers and activities.
  • Do not forget that roles can allow and not-allow.

Having a basic understanding of how these roles are defined will change how you look at roles in the future.

What is Reader access?

Reader is one of the core built-in roles (it gives the user every child activity that ends in “read”). Reader will allow users to view all child resources (except for secrets). This also excludes all activities not defined as ‘read’. There are some activities that are read-only but are not listed specifically as “read” activities. As a Reader you can view most of the data and configuration. Readers cannot see all settings and blades (because many activities do not have “read” in the name).

There are many service-specific roles (including reader roles). For example, Sentinel Reader and Log Analytics Reader. Despite having similar names, they can vary significantly in definition.

Log Analytics Reader is equivalent to the standard Reader (*/read) plus the ability to run searches and view monitoring settings.

Sentinel Reader is not based on “*/read” like Log Analytics Reader. Rather this role grants read access to a list of specific resource providers including SecurityInsights (aka Sentinel), OperationalInsights (Azure Monitor), and a few other related providers.

Why are we talking about Reader?

You need read access to the resource group where your Sentinel workplace resides. Granting access directly to the child workspace is ineffective. Assuming you are using the built-in groups, you need one of the reader roles listed above at the RG level at a minimum (Reader, Log Analytics Reader, or Sentinel Reader). Higher-level roles obviously count as well like Responder or Contributor.

What about Sentinel Responder?

Sentinel Responders can view the Sentinel configuration, query the logs, and assign and close incident records. Responders have some interesting limitations:

  • Sentinel Responder cannot modify configuration (create new rules, change workbooks, etc.)
  • Sentinel Responder cannot create bookmarks.
  • Sentinel Responder cannot use the investigation blade.
  • Sentinel Responder cannot manage watchlists (preview).
  • Sentinel Responder cannot use the behavioral analytics profiles.
  • Sentinel Responder can use the hunting blade but cannot set hunter query favorites.
  • Sentinel Responder cannot delete incident records.

This is a great example of where custom roles become important. Your organization and users will have unique role requirements. Start by evaluating the built-in role and provider activities to grant additional access or restrict access as needed. This will require some trial and error to identify the desired activity. For example, you likely want your SOC responders to create bookmarks, perform investigations, and block the deletion of incident records.

Sentinel Contributor is the Sentinel Administrator role. You do not want to assign Sentinel Contributor simply because your Responder role is too limiting. Though this may be your only option if you rely on built-in roles alone.

Sentinel Advanced Contributor Example

Here is a list of actions and not-actions to create an Advanced Sentinel Responder role. These can be used in a variety of custom role creation templates.

“actions”: [
“*/read”,
“Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action”,
“Microsoft.SecurityInsights/cases/*”,
“Microsoft.SecurityInsights/incidents/*“,
“Microsoft.SecurityInsights/Bookmarks/*”,
“Microsoft.SecurityInsights/Watchlists/*“,
“Microsoft.SecurityInsights/threatIntelligence/*”,
“Microsoft.OperationalInsights/workspaces/analytics/query/action”,
“Microsoft.OperationalInsights/workspaces/savedSearches/*“,
“Microsoft.Insights/alertRules/*”,
“Microsoft.Resources/deployments/*“,
“Microsoft.Support/“
],
“notActions”: [
“Microsoft.SecurityInsights/cases//Delete”,
“Microsoft.SecurityInsights/incidents//Delete”
}

Tips for Role customization

It is best to avoid granting unwanted access in the first place. There are several methods to consider:

  • Start with built-in roles whenever possible.
  • Assign users to groups and roles to groups at the RG or resource level.
  • Assign groups to roles as close to the target resource as possible (or as close as you can support).
  • You can create custom roles to allow and not-allow where the built-in roles do not meet your requirements.
  • Maintain separation of data with separate resource groups. For example, use separate resource groups and workspaces to isolate data (rather than using role-based restrictions).
  • If necessary, consider deny assignments using Azure Blueprints.

Reference: https://azurecloudai.blog/2020/11/30/azure-sentinel-rbac-review/

Azure Sentinel News Editor

Azure Sentinel News Editor

Related Posts

Vectra AI and Microsoft partner on security integration
Security and Compliance

Replay Now Available – Microsoft Security Insights 036: Azure Sentinel with Rod Trent

February 8, 2021
What’s new: Microsoft Teams connector in Public Preview
Security and Compliance

eBook Available for Managing Azure Sentinel with PowerShell

January 6, 2021
Microsoft is quietly becoming a cybersecurity powerhouse
Security and Compliance

Official Azure Sentinel PowerShell Module Released

January 4, 2021
Next Post
ITC Secure Achieves Microsoft Gold Partner Status

Achieving SOC Operational Efficiency for Azure Sentinel Hunting – the Replay

Insight Recognized as a Microsoft Security 20/20 Partner Award Winner for Azure Security Deployment Partner of the Year

A few important updates to the Azure Sentinel CEF Connector

Improve security with Azure Sentinel, a cloud-native SIEM and SOAR solution

How to Connect Crowdstrike to Azure Sentinel

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Follow Us

  • 21.8M Fans
  • 81 Followers

Recommended

Microsoft introduces integrated Darktrace-a-like, Azure Sentinel

Microsoft introduces integrated Darktrace-a-like, Azure Sentinel

3 months ago
Microsoft says CyberX acquisition will boost Azure IoT security

Microsoft says CyberX acquisition will boost Azure IoT security

4 months ago
Microsoft announces Azure Sentinel SIEM general availability

Microsoft announces Azure Sentinel SIEM general availability

4 months ago
Monitoring your Logic Apps Playbooks in Azure Sentinel

Monitoring your Logic Apps Playbooks in Azure Sentinel

5 months ago

Instagram

    Please install/update and activate JNews Instagram plugin.

Categories

  • AI & ML
  • Artificial Intelligence
  • Incident Response
  • IR
  • KQL
  • Security and Compliance
  • Security Ochestration & Automated Response
  • Security Operations
  • SIEM
  • SOAR
  • SOC
  • Threat Intelligence
  • Uncategorized

Topics

anomaly automation Azure Azure DevOps Azure Security Center Azure Sentinel Azure Sentinel API Azure Sentinel Connector BlueVoyant Call cybersecurity Detection file GitHub Hunting Huntingy IAC incident response Incident Triage infrastructure as code Investigation jupyter LAQueryLogs MDR Microsoft microsoft 365 mssp Multitenancy Notebooks Pester Playbooks PowerShell python Records Security Sentinel Sharing SIEM signin Supply Chain teams Threat hunting Watchlists Workbooks XDR
No Result
View All Result

Highlights

New Items of Note on the Azure Sentinel GitHub Repo

Tuning the MCAS Analytics Rule for Azure Sentinel: System Alerts and Feature Deprecation

New Search Capability for Azure Sentinel Incidents

Follow-up: Microsoft Tech Talks Practical Sentinel : A Day in the Life of a Sentinel Analyst

Changes in How Running Hunting Queries Works in Azure Sentinel

Azure Sentinel can now Analyze All Available Azure Active Directory Log Files

Trending

What’s new: Microsoft Teams connector in Public Preview
IR

How to Generate Azure Sentinel Incidents for Testing

by Azure Sentinel News Editor
February 26, 2021
0

Do you want to generate an Incident in Azure Sentinel for testing/demoing? Here’s a couple easy ways...

What’s new: Microsoft Teams connector in Public Preview

Azure Sentinel Notebooks Loses It’s Preview Tag

February 25, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

The Holy Grail of Azure Sentinel Data Connections: The Azure Service Diagnostic Setting

February 22, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

New Items of Note on the Azure Sentinel GitHub Repo

February 18, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

Tuning the MCAS Analytics Rule for Azure Sentinel: System Alerts and Feature Deprecation

February 17, 2021

We bring you the best, latest and perfect Azure Sentinel News, Magazine, Personal Blogs, etc. Visit our landing page to see all features & demos.
LEARN MORE »

Recent News

  • How to Generate Azure Sentinel Incidents for Testing February 26, 2021
  • Azure Sentinel Notebooks Loses It’s Preview Tag February 25, 2021
  • The Holy Grail of Azure Sentinel Data Connections: The Azure Service Diagnostic Setting February 22, 2021

Categories

  • AI & ML
  • Artificial Intelligence
  • Incident Response
  • IR
  • KQL
  • Security and Compliance
  • Security Ochestration & Automated Response
  • Security Operations
  • SIEM
  • SOAR
  • SOC
  • Threat Intelligence
  • Uncategorized

[mc4wp_form]

Copyright © 2020 - Azure Sentinel News

No Result
View All Result
  • Home
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence

Copyright © 2020 Azure Sentinel News