By liortamir and Azure Sentinel News
Now available: grant permissions directly to a playbook so it can operate on Azure Sentinel, instead of creating additional identities.
The Azure Sentinel Logic Apps connector is the bridge between Sentinel and playbooks, and the basis for incident automation scenarios. The connector needs an identity on whose behalf it operates on Azure Sentinel. Until now, you could do one of the following: use an Azure AD user that has been assigned an Azure Sentinel RBAC role, or create a service principal (for example, an Azure AD registered application) and grant it the Azure Sentinel RBAC role.
Each option has its advantages, but also limitations. With a user identity:
- Many would prefer not to authenticate an automated tool with a user's credentials.
- It is harder to audit (for example, in the incident table) which actions were taken by the user and which by the playbook.
- Comments generated by a playbook appear as if the user were their author.
- If the user leaves the organization, you must update every connection that uses their identity.
The service principal connection type lets you create a registered application and use it as the identity behind the connector. You can define what this app can do, who can access it, and what resources it can access. It is easy to delete it or rotate its credentials if it is suspected to have been compromised. For these reasons it is good from a security perspective, but it still means managing another identity in the cloud, with credentials and permissions that others could potentially use.
Now, with managed identity support in the Azure Sentinel connector, you can grant permissions directly to the playbook (the Logic App workflow resource), and Sentinel connector actions run on its behalf, as if the playbook were an independent principal with permissions on Azure Sentinel. This lowers the number of identities you have to manage and lets you grant access directly to the resource that performs the operations.
How does it work?
When you turn on this feature in the Logic App, the workflow is registered in Azure Active Directory and represented by a service principal with its own object ID. That identity can be assigned an Azure RBAC role on your Sentinel workspace. The Azure Sentinel connector then operates on the identity's behalf whenever the API connection selected in the connector step is a managed identity connection. Because the identity is system-assigned, its lifecycle is tied to the Logic App: deleting the playbook deletes the identity, and any role assignments left behind point at a principal that no longer exists.
How to use it?
To start using this new capability:
Turn on managed identity in the Logic Apps resource
- In the Logic Apps resource page, go to Identity.
- In the System assigned tab, turn the Status toggle to On.
- Click Save. You will get a notification that the playbook was registered with Azure Active Directory, and its object ID will appear in the Identity blade.
Assign an Azure Sentinel role to the playbook
- In Azure Sentinel, go to Settings -> Workspace settings -> Access control (IAM).
- Click Add -> Add role assignment.
- Choose the Azure Sentinel Responder role, search for the playbook name, select it, and click Save. Responder is the least-privileged built-in role that lets a playbook change incidents (assign, close, add comments); if the playbook only reads incident data, Azure Sentinel Reader is enough.
Authenticate to the Azure Sentinel connector
- In the Logic Apps designer, in any Azure Sentinel connector step, select Connect with managed identity.
- Choose a name for this connection and click Create.
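As an added example (not the article's or Microsoft's own code), here are the same three steps expressed as an ARM template, which is how Sentinel playbooks are usually shipped and version-controlled, together with an audit that flags templates whose Sentinel connector still authenticates with a credential stored on the API connection (a user sign-in or a service principal). Assumptions: the Azure Sentinel Responder role definition ID, the managed API name azuresentinel, and a workspace in the same resource group as the playbook; the playbook names, the minimal workflow definition and the legacy template are constructed for the example.

```python
"""Build an ARM template for a Sentinel playbook that runs as its own managed identity,
and audit templates for playbooks whose Sentinel connector still acts as a user or SP."""
from __future__ import annotations

import json

SENTINEL_API = "azuresentinel"  # managed API name of the Azure Sentinel connector (assumed)

# Built-in role definition ID of "Azure Sentinel Responder" (assumed; verify in your tenant with
#   az role definition list --name "Azure Sentinel Responder" --query "[].name")
SENTINEL_RESPONDER_ROLE_ID = "3e150937-b8fe-4cfb-8069-0eaf05ecd056"

# Constructed minimal workflow definition; a real playbook has a Sentinel trigger and actions.
MINIMAL_DEFINITION = {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {"$connections": {"type": "Object", "defaultValue": {}}},
    "triggers": {}, "actions": {}, "outputs": {},
}


def managed_api_id() -> str:
    """ARM expression for the Sentinel managed API in the deployment's subscription and region."""
    return ("[concat('/subscriptions/', subscription().subscriptionId, "
            "'/providers/Microsoft.Web/locations/', resourceGroup().location, "
            f"'/managedApis/{SENTINEL_API}')]")


def build_playbook_template(playbook_name: str, workspace_name: str, definition: dict) -> dict:
    """Three resources: an API connection that stores no credential, the Logic App with a
    system-assigned identity whose Sentinel connection authenticates as that identity, and an
    Azure Sentinel Responder assignment scoped to the workspace (assumed to be in the same
    resource group; a workspace elsewhere needs a nested deployment at its scope)."""
    conn_name = f"{SENTINEL_API}-{playbook_name}"
    conn_id = f"[resourceId('Microsoft.Web/connections', '{conn_name}')]"
    workflow_ref = f"resourceId('Microsoft.Logic/workflows', '{playbook_name}')"
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [
            {
                "type": "Microsoft.Web/connections", "apiVersion": "2016-06-01",
                "name": conn_name, "location": "[resourceGroup().location]", "kind": "V1",
                "properties": {
                    "displayName": conn_name,
                    "parameterValueType": "Alternative",  # no user token or SP secret is stored
                    "api": {"id": managed_api_id()},
                },
            },
            {
                "type": "Microsoft.Logic/workflows", "apiVersion": "2017-07-01",
                "name": playbook_name, "location": "[resourceGroup().location]",
                "identity": {"type": "SystemAssigned"},  # portal: Identity > System assigned > On
                "dependsOn": [conn_id],
                "properties": {
                    "state": "Enabled", "definition": definition,
                    "parameters": {"$connections": {"value": {SENTINEL_API: {
                        "connectionId": conn_id, "connectionName": conn_name, "id": managed_api_id(),
                        # portal: "Connect with managed identity"
                        "connectionProperties": {"authentication": {"type": "ManagedServiceIdentity"}},
                    }}}},
                },
            },
            {
                "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2020-04-01-preview",
                "name": f"[guid(resourceGroup().id, '{playbook_name}', '{SENTINEL_RESPONDER_ROLE_ID}')]",
                "scope": f"Microsoft.OperationalInsights/workspaces/{workspace_name}",
                "dependsOn": [f"[{workflow_ref}]"],
                "properties": {
                    "roleDefinitionId": f"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '{SENTINEL_RESPONDER_ROLE_ID}')]",
                    # the object ID exists only after deployment, hence reference(..., 'full')
                    "principalId": f"[reference({workflow_ref}, '2017-07-01', 'full').identity.principalId]",
                    # ServicePrincipal avoids PrincipalNotFound while the new identity replicates
                    "principalType": "ServicePrincipal",
                },
            },
        ],
    }


def audit_playbooks(template: dict) -> list[str]:
    """Findings for each Logic App whose Sentinel connector would not act as its own identity."""
    findings: list[str] = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Logic/workflows":
            continue
        name = res.get("name", "<unnamed>")
        identity_type = (res.get("identity") or {}).get("type", "None")
        if "SystemAssigned" not in identity_type:
            findings.append(f"{name}: no system-assigned managed identity (identity.type is {identity_type})")
        connections = res.get("properties", {}).get("parameters", {}).get("$connections", {}).get("value", {})
        for conn_name, conn in connections.items():
            if "sentinel" not in (conn_name + str(conn.get("id", ""))).lower():
                continue  # other connectors are outside this check
            auth = conn.get("connectionProperties", {}).get("authentication", {}).get("type")
            if auth is None:  # no connectionProperties: the credential saved on the connection is used
                findings.append(f"{name}: connection '{conn_name}' uses the credential stored on the API "
                                "connection (user or service principal), not the managed identity")
            elif auth != "ManagedServiceIdentity":
                findings.append(f"{name}: connection '{conn_name}' authentication type is {auth}")
    return findings


# Constructed pre-managed-identity playbook: no identity block, Sentinel connection uses a saved sign-in.
LEGACY_TEMPLATE = {"resources": [{
    "type": "Microsoft.Logic/workflows", "name": "Legacy-Post-Comment",
    "properties": {"parameters": {"$connections": {"value": {"azuresentinel": {
        "connectionId": "[resourceId('Microsoft.Web/connections', 'azuresentinel')]",
        "connectionName": "azuresentinel", "id": managed_api_id(),
    }}}}},
}]}

if __name__ == "__main__":
    print(json.dumps(build_playbook_template("Sentinel-Close-Incident", "sentinel-ws", MINIMAL_DEFINITION), indent=2))
    for finding in audit_playbooks(LEGACY_TEMPLATE):
        print("FINDING:", finding)
```

Run the audit over templates exported from existing playbooks (or over the Logic App resource JSON from the portal's Export template) to find the ones still running under a user's sign-in or a service principal before migrating them.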
Other connectors supporting managed identity
Thanks to a new Azure Logic Apps feature, more Azure AD-based connectors support this as well. Currently, the following connectors support managed identity: Azure API Management, Azure App Services, Azure Functions, HTTP, HTTP Webhook, Azure Automation, Azure Container Instance, Azure Data Explorer, Azure Data Factory, Azure Data Lake, Azure Event Grid, Azure IoT Central V3, Azure Key Vault, Azure Log Analytics, Azure Monitor Logs, Azure Resource Manager, Azure Sentinel, HTTP with Azure AD.