How to Prohibit an Azure Sentinel Analyst from Editing a Playbook

By Azure Sentinel News Editor
December 29, 2020
in Threat Intelligence

Recently, I wrote about how to Grant Access to Specific Azure Sentinel Playbooks for Specific Analyst. The idea there is to ensure that an analyst with minimal access can still run Playbooks against Incidents. By default, the Azure Sentinel Reader role is limited in what it can do in Azure Sentinel. As a reminder, here’s the current list of applicable roles that can be assigned to an Azure Sentinel analyst:

Azure Sentinel roles and allowed actions

A customer recently asked that, in addition to limiting an analyst’s access per Playbook, we somehow limit the analyst’s abilities even further. The customer wanted the analyst to be able to run a Playbook but not to modify the Playbook logic. The steps I outlined previously gave the Azure Sentinel Reader role the ability to run a Playbook, but with them the analyst could also modify the Playbook logic.

Working with a colleague from China, Arvin Zhu, I identified the following method. I want to thank Arvin for the work on figuring this out and for his eagerness to work together and share with the community.

The following method digs into creating and applying custom Azure roles. In our scenario, the intent is to still give the Azure Sentinel analyst access to run a specific Playbook, but take away (or filter out) the ability to modify or delete the Playbook.

How to do it

First, use my previous instructions to Grant Access to Specific Azure Sentinel Playbooks for Specific Analyst. Without assigning Logic App Contributor access, the analyst will not be able to see the specific Playbook in the Playbooks blade.

Next, you need to create a custom role at the Azure Subscription level. In the Azure portal, go to Subscriptions.

Go to Subscriptions

In the IAM blade of the Subscriptions area, click the Add option, and then choose Add custom role.

Add a Custom Role

On the metadata page in the wizard for creating a custom role, give the new role an appropriate role name and a good description.

Name it, give it a good description

Now, on the Permissions tab in the wizard, look for Microsoft.Logic/workflows and choose Other : Run Workflow. Add it.

Set Run Workflows

Next, locate Microsoft.Logic/workflows/triggers and choose Other : Trigger Run and Other : List Trigger Callback URL. Add those.

Set Trigger Run and Trigger Callback URL

Once you’ve added these three specific permissions, your Permissions list should look like the following image.

Final product

Finally, we need to assign the new role to the analyst for the specific Playbook. Go to the Playbook and choose to add a role assignment. It may take a few seconds to a few minutes for the custom role to show up in the list; sometimes it takes a while to sync across the Subscription. Once it shows up, select the newly minted custom role from the list.

Add custom role to Playbook

Now assign the custom role to the specific Azure Sentinel analyst.

Add role assignment to analyst

By walking through these steps, you have effectively given a lower-access analyst the ability to run a specific Playbook while limiting the analyst’s ability to modify the logic of the Playbook. You’ve also (hopefully) gotten a taste of why knowing how to create custom roles can be so important to your work in Azure.
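As an added example (not code from the original post), here is the same custom role expressed as the role definition JSON that `az role definition create --role-definition @role.json` accepts, together with a small checker that shows which operations that definition grants compared with a simplified stand-in for the built-in Logic App Contributor role. The role name, description and subscription id are placeholders, and the Logic App Contributor entry is reduced to its `Microsoft.Logic/*` action for the comparison.

```python
import fnmatch
import json

# The three Microsoft.Logic operations the post adds on the Permissions tab
# (the portal's "Other : ..." labels are in the comments).
PLAYBOOK_RUN_ACTIONS = [
    "Microsoft.Logic/workflows/run/action",                       # Run Workflow
    "Microsoft.Logic/workflows/triggers/run/action",              # Trigger Run
    "Microsoft.Logic/workflows/triggers/listCallbackUrl/action",  # List Trigger Callback URL
]

# Simplified stand-in for the built-in Logic App Contributor role, whose
# Actions list contains "Microsoft.Logic/*" and so covers write and delete.
LOGIC_APP_CONTRIBUTOR_SUBSET = {"Actions": ["Microsoft.Logic/*"], "NotActions": []}

def build_role_definition(name, description, subscription_id):
    """Custom role in the JSON shape `az role definition create
    --role-definition @role.json` accepts."""
    return {
        "Name": name, "IsCustom": True, "Description": description,
        "Actions": list(PLAYBOOK_RUN_ACTIONS),
        "NotActions": [], "DataActions": [], "NotDataActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }

def role_allows(role, operation):
    """Single-role RBAC evaluation: the operation must match an Actions
    pattern and no NotActions pattern. Matching is case-insensitive; '*' is
    Azure's only wildcard, so fnmatch is an adequate stand-in. NotActions
    narrows this role's grant only; it is not a deny, and a principal's
    effective permissions are the union of all of its role assignments."""
    def matches(patterns):
        return any(fnmatch.fnmatchcase(operation.lower(), p.lower()) for p in patterns)
    return matches(role["Actions"]) and not matches(role["NotActions"])

def audit(role, operations):
    """Map each operation name to whether the role grants it."""
    return {op: role_allows(role, op) for op in operations}

if __name__ == "__main__":
    # Constructed placeholder subscription id; substitute your own.
    role = build_role_definition("Sentinel Playbook Runner",
                                 "Run a specific Playbook without editing it",
                                 "00000000-0000-0000-0000-000000000000")
    print(json.dumps(role, indent=2))
    checks = ["Microsoft.Logic/workflows/run/action",
              "Microsoft.Logic/workflows/write", "Microsoft.Logic/workflows/delete"]
    for label, r in (("custom role", role), ("Logic App Contributor", LOGIC_APP_CONTRIBUTOR_SUBSET)):
        print(label, audit(r, checks))
```

Because Azure RBAC is additive, the checker reports only what this one role grants; any other assignment the analyst holds on the same scope still contributes its own permissions.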

Best Practice

This method works, but I highly recommend that – if at all possible – you just use the normal methods and the built-in roles to assign access. Why? Well, continually modifying access per instance means that managing access can quickly get out of control and make the job more difficult. As a security principle, you always want to include periodic access reviews as part of policy, and unless you adhere to change management, someone may end up with access they don’t need. Or there may be conflicting access rules that keep an individual from having the access they do need.

Reference: https://azurecloudai.blog/2020/08/20/how-to-prohibit-an-azure-sentinel-analyst-from-editing-a-playbook/

Copyright © 2020 - Azure Sentinel News