Leveraging Microsoft Sentinel workbooks for reporting to leadership is a common use case. A common concern is that this means granting recipients access to Microsoft Sentinel or to all of the tables within the workspace. By combining a few different RBAC components, the workbook can be shared without granting that broader access.
Components:
How It Works:
Table-level RBAC: Access to the data that is leveraged within the workspace is set at the table level. The user cannot read data from the other tables but can still see the required data within the workbook.
Resource-level RBAC: Access is granted only to the resource that is needed, which here is the workbook of interest. Setting access at the resource level prevents the user from seeing all resources within the resource group.
How to Configure:
Table-level RBAC: Table-level RBAC uses two assignments: a custom role that lets the user see the workspace and run a query, and a reader role on the table itself. The process is highlighted in the documentation here.
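The table-level configuration described above, sketched with the Az PowerShell module. This is an added example, not taken from the original post or from Microsoft's documentation; the subscription, resource group, workspace, table, user object ID and role name are placeholder assumptions, and the two actions are the workspace read and query permissions that match "see the workspace and run a query".

```powershell
# Added example. Every value in this block is a placeholder or hypothetical name.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$resourceGroup  = "rg-sentinel"                            # hypothetical
$workspaceName  = "law-sentinel"                           # hypothetical
$tableName      = "SecurityIncident"                       # table the workbook queries (assumed)
$userObjectId   = "11111111-1111-1111-1111-111111111111"   # placeholder object ID of the recipient
$customRoleName = "Workbook Query Reader"                  # hypothetical custom role name

$workspaceId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
               "/providers/Microsoft.OperationalInsights/workspaces/$workspaceName"
$tableId     = "$workspaceId/tables/$tableName"

# 1. Custom role: lets the user see the workspace and run a query, nothing else.
if (-not (Get-AzRoleDefinition -Name $customRoleName -ErrorAction SilentlyContinue)) {
    $role = Get-AzRoleDefinition -Name "Reader"            # used only as a template object
    $role.Id          = $null
    $role.IsCustom    = $true
    $role.Name        = $customRoleName
    $role.Description = "See the workspace and run queries; table data is granted separately."
    $role.Actions.Clear()
    $role.Actions.Add("Microsoft.OperationalInsights/workspaces/read")
    $role.Actions.Add("Microsoft.OperationalInsights/workspaces/query/read")
    $role.NotActions.Clear()
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add("/subscriptions/$subscriptionId")
    New-AzRoleDefinition -Role $role | Out-Null
    # A new role definition can take a few minutes to become assignable.
}

# 2. Assign the custom role at the workspace scope.
New-AzRoleAssignment -ObjectId $userObjectId `
    -RoleDefinitionName $customRoleName -Scope $workspaceId | Out-Null

# 3. Assign the built-in Reader role on the single table only.
New-AzRoleAssignment -ObjectId $userObjectId `
    -RoleDefinitionName "Reader" -Scope $tableId | Out-Null

# 4. Check: list every assignment that applies to the user at the workspace,
#    including ones inherited from the resource group or subscription.
#    Only the custom role should appear; an inherited Reader or Log Analytics
#    Reader assignment would expose every table and defeat the restriction.
Get-AzRoleAssignment -ObjectId $userObjectId -Scope $workspaceId |
    Select-Object RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

Run step 3 once for each table the workbook queries; a table without an assignment returns no data to the user.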
Resource-level RBAC: Resource-level RBAC limits the user's visibility to just the resource. To set this:
Sharing the Workbook
Since the user is unable to see Microsoft Sentinel, the workbook will need to be shared directly with the user. To do so:
Anticipated Questions:
And that's it. This is a fairly straightforward process that leads to good results. Go ahead and give it a shot and leave comments below if there are any issues.