How to Grant Access to Specific Azure Sentinel Playbooks for Specific Analysts

Azure Sentinel News Editor by Azure Sentinel News Editor
December 31, 2020
in SOC

As a general best practice, assign access to Azure Sentinel at the scope of the resource group that contains the workspace, and grant only the access each person actually needs (least privilege). Azure Sentinel access is applied through the following built-in roles…

Azure Sentinel roles and allowed actions

I talk about these roles, access, and best practices for access based on analyst tier quite often with our customers. Defining each security team member's responsibilities is a critical part of the SOC workflow. One of the first things customers ask during this discussion, however, is about Playbook usage. As you can see from the table above, to actually run Playbooks (apply automation) an analyst needs both the Azure Sentinel Contributor and the Logic App Contributor roles. So what if you want someone holding only the Responder or Reader role to perform automation?

Keep in mind that Playbooks are powerful. In the wrong hands, dangerous things can happen. Who really wants to accidentally lock the CEO out of their account because the password was forgotten, typed in wrong 10 times in the last hour, and the HelpDesk was never called due to ego? But if it's going to happen (even on purpose) it's probably best for a seasoned analyst to take the blame for it. It could be a career-ending move for a Tier 1 analyst.

Creating Playbooks should follow a methodical, logical process. Only create a Playbook out of need, and ensure the proper teams are involved during the design. Don't automate just to automate. For example, where a Playbook locks a user account or blocks a port at the firewall, it's best for the Security team to work with the Operations team to make sure it's done correctly and effectively and that it has gone through the proper authorizations. Think about it: by applying automation through Playbooks you are effectively shortcutting the Change Management process. Without proper vetting from the proper teams, bad things could happen both technically and politically. Oh…and feelings could be hurt, too. And what's worse than that?

So, after all the vetting has taken place and the authorization checkboxes have been ticked, you may determine that certain Playbooks are safe and fit a requirement to be run by people who don't hold the overarching Logic App Contributor role or god-like powers in either Azure or Azure Sentinel. You probably don't want a Tier 1 analyst assigned the lowly Azure Sentinel Reader role to be able to lock out users, but it might be beneficial for them to do something simpler, like ensuring each open Incident has the IP GEO location applied.

Fortunately, since Playbooks are Logic Apps, and Azure role assignments can be scoped to an individual resource rather than a whole resource group or subscription, you can grant access to a single Playbook through that Playbook's Access Control (IAM) blade.

Here’s an example…

In my Azure tenant I have a user account, Jaime Sommers, that has been assigned the Azure Sentinel Reader role. With that role Jaime is limited to only being able to view data in the Azure Sentinel console.

But, I want Jaime to be able to add the GEO location to Incidents using the Get-GeoFromIpandTagIncident Playbook – but only THAT Playbook – and none of the others. That’s going to save our team time as our Tier 2 analysts gear up each day to determine which new Incidents they need to start investigating.

Through the Playbooks blade in the Azure Sentinel console, I access the Access Control (IAM) blade and assign the Logic App Contributor role specifically to the user account Jaime Sommers.

Adding the Logic App Contributor role to a specific Playbook for a specific analyst

After the role assignment propagates (this can sometimes take a minute or longer), when Jaime refreshes her Playbooks blade she can see that one Playbook and can use it to apply GEO location to an Incident she is working on.

Playbook access for Jaime

In the image above, the bottom screenshot shows Jaime's Playbooks blade without the Logic App Contributor assignment, and the top screenshot shows it after she has been granted access.

Huzzah!

So, even though Jaime is severely limited in what she can do in the Azure Sentinel console because of her lowly Azure Sentinel Reader role, she can now run this one Playbook, and GEO location is assigned to the Incident.
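The same per-Playbook grant can be scripted, which is handy when several analysts need the same narrow access or when you want to audit that nobody was accidentally given Logic App Contributor at resource-group or subscription scope (which would expose every Playbook in that scope). The script below is an added example written for this article, not code from the original post or from Microsoft. It assumes the Azure CLI (`az`) is installed and logged in; the subscription ID, the resource group name `sentinel-rg` and the UPN `jaime.sommers@contoso.com` are placeholders, while the Playbook name `Get-GeoFromIpandTagIncident` is the one used above. The live `az` calls are commented out in the usage section so the file can be sourced offline.

```shell
#!/bin/sh
# Added example (not from the original post): grant "Logic App Contributor" on ONE
# playbook to ONE analyst from the command line, then audit that the analyst holds
# that role at no broader scope. Placeholders (assumed, not from the post): the
# subscription ID, resource group "sentinel-rg", UPN jaime.sommers@contoso.com.
set -eu

ROLE="Logic App Contributor"

# ARM resource ID of a Logic App. A Sentinel playbook IS a Logic App, so this is
# the narrowest scope at which the role can be assigned.
playbook_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Logic/workflows/%s' \
    "$1" "$2" "$3"
}

# Grant: one role, one principal, one resource. Needs an authenticated `az`
# session with Owner or User Access Administrator rights on the playbook.
grant_playbook_access() {
  upn="$1"; scope="$2"
  az role assignment create --assignee "$upn" --role "$ROLE" --scope "$scope" -o none
}

# Audit: takes the TSV produced by
#   az role assignment list --assignee "$upn" --all \
#     --query "[].[roleDefinitionName,scope]" -o tsv
# (one line per assignment: <role><TAB><scope>) and succeeds only if every
# Logic App Contributor assignment is pinned to a single workflow resource.
# A resource-group or subscription scope would let the analyst run (and edit)
# EVERY playbook under it, which is exactly what we are trying to avoid.
audit_assignments() {
  printf '%s\n' "$1" | awk -F '\t' -v role="$ROLE" '
    BEGIN { bad = 0 }
    $1 == role && $2 !~ "/providers/Microsoft[.]Logic/workflows/[^/]+$" {
      print "over-broad: " $1 " at " $2 > "/dev/stderr"
      bad = 1
    }
    END { exit bad }'
}

# Usage. The live commands are commented out so the script runs offline.
SUB="00000000-0000-0000-0000-000000000000"   # placeholder subscription ID
SCOPE=$(playbook_scope "$SUB" sentinel-rg Get-GeoFromIpandTagIncident)
# grant_playbook_access jaime.sommers@contoso.com "$SCOPE"
# audit_assignments "$(az role assignment list --assignee jaime.sommers@contoso.com --all \
#     --query '[].[roleDefinitionName,scope]' -o tsv)"
```

Run the audit periodically against each Tier 1 analyst: the Azure Sentinel Reader role is expected at resource-group scope (that is how the article recommends assigning Sentinel access), but any Logic App Contributor line whose scope does not end in `/providers/Microsoft.Logic/workflows/<name>` is a grant that reaches more than one Playbook and should be reviewed.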

Note that Logic App Contributor on a Playbook also lets the analyst edit that Playbook's definition, not just run it. To limit the analyst's capabilities even further, see: How to Prohibit an Azure Sentinel Analyst from Editing a Playbook.
