Hi, all! Rod Trent here. I am a Cybersecurity CE/Consultant at Microsoft and working with Microsoft Sentinel. I also blog for our Secure Infrastructure Blog and have quite a few Microsoft Sentinel articles posted there already.
Customers ask quite often how they can share their Workbooks with others outside of Microsoft Sentinel, i.e., give access to the valuable visualizations/reports to those that don't need full Microsoft Sentinel access.
The solution is actually much easier than it might seem and involves a very simple method of using the pinning features of Workbooks and setting appropriate RBAC rights.
The most important piece is ensuring that the proper, least privilege rights are in place to enable viewing of the Workbook data on the Azure Dashboard. But, before digging into that, read my recent walkthrough for properly Pinning Entire Azure Sentinel Workbooks to Azure Dashboards.
After understanding how best to promote the Workbook data to an Azure Dashboard, now you just need to set the proper access rights.
When you follow the instructions listed above, part of the pinning process is saving the dashboard to a resource group. By default, the resource group is dashboards, as shown in the next image.
The dashboards resource group (or whatever you rename it to) needs to have Reader role assignment in place for the individual or individuals that need access to the specific Dashboard. As shown below, I have an Azure Active Directory group called AzureSentinelDashboards with the Reader role on the dashboards resource group. As a best practice, you should always assign groups versus individual role assignments. The user I want to give Dashboard access to, Andre Rene Roussimoff, is a member of the AzureSentinelDashboards group. This gives Andre proper access to the dashboard but doesn't yet give him access to the Azure Sentinel data. To do that, I have to also assign proper Log Analytics workspace access.
After the dashboards role has been assigned, I now need to assign access to the Log Analytics workspace for Azure Sentinel. This ensures that the user or users can view the data in addition to having access to the Azure Sentinel Workbook that has been pinned as a shared Azure Dashboard.
In the Access control for the Azure Sentinel Log Analytics workspace, I assign the AzureSentinelDashboards group as a Reader of the resource.
As shown in the next image, Andre now has access to the dashboard and also the Azure Sentinel Workbook data.
Summary
Keep in mind, though -- this is simply Reader access. If Andre tries to click on any of the Workbook's dynamic components, he'll get an error message. But, still...this gives Microsoft Sentinel analysts a quick and easy way to make Workbooks and reporting data available to those that shouldn't have full access to the Microsoft Sentinel console.
P.S. If you've been following along, I hope you've picked up that there's a TV theme to my personal Microsoft Sentinel demo site. Any guess how Andre Rene Roussimoff plays into that TV theme?
* Check out my other blog for more Azure Sentinel content: Rod Trent at the Secure Infrastructure Blog
* Follow me on Twitter: https://twitter.com/rodtrent
Microsoft
