Maybe not a Sentinel question per se, but we are looking at how to deploy the associated roles and rights (perhaps from a JSON source file) for
- tier 1 Analyst
- tier 2 Analyst
- tier 3 Analyst/threat hunter
- technical management (i.e. responsible for Sentinel configuration, like adding data connectors etc)
- notebook/workbook/playbook developers
- notebook/workbook/playbook users (overlapping with tier1/2/3 Analysts)
- ...
This would map (most likely not 1:1) to the Sentinel roles (Azure Sentinel Reader/Responder/Contributor/Automation Contributor) as well as to several ARM RBAC roles at subscription/resource group/workspace levels and of course things like Reader on the source subscriptions connected.
We are seeking advice on how to do this, and how to automate it as much as possible. Of course, I am aware that some things cannot be known/configured beforehand, like some additional rights in AAD for the AAD data connector (e.g. read and write permissions to AAD diagnostic settings), or maybe this can be added per data connector.
The ultimate goal would be to manage the entire set-up of Sentinel from code.
Any ideas, suggestions, and/or code? Most appreciated.
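One way to approach the "manage the RBAC set-up from code" part, as an added example that is not from the original post: keep a persona-to-role table in code, keep the "which group holds which persona" data in a JSON source file, expand the two into the full set of (principal, role, scope) assignments, check the result for over-broad grants, and diff it against the live assignments before emitting az CLI commands. The role names are Azure built-in roles; the persona mapping, group object ids, subscription ids and resource names are constructed placeholders and the mapping itself is an assumption, not an official recommendation.

```python
"""Render a persona-to-RBAC mapping for a Microsoft Sentinel workspace as
az CLI commands and diff it against the current assignments.
Added example, not from the original post. The role names are Azure
built-in roles; the persona mapping, group ids and resource names are
constructed placeholders for illustration."""
import json

# Illustrative least-privilege mapping: persona -> (built-in role, scope level).
# This mapping is an assumption of the example, not an official recommendation.
PERSONA_ROLES = {
    "tier1-analyst": [("Microsoft Sentinel Reader", "workspace")],
    "tier2-analyst": [("Microsoft Sentinel Responder", "workspace")],
    "tier3-analyst": [("Microsoft Sentinel Responder", "workspace"),
                      ("Log Analytics Reader", "workspace")],
    "technical-management": [("Microsoft Sentinel Contributor", "workspace"),
                             ("Log Analytics Contributor", "workspace")],
    "playbook-developer": [("Logic App Contributor", "resourcegroup")],
    "workbook-developer": [("Workbook Contributor", "resourcegroup")],
}

# Constructed JSON source file: which Entra ID group holds each persona, plus
# optional extra roles (e.g. Reader on a connected source subscription).
GROUPS_JSON = """[
  {"persona": "tier1-analyst", "groupObjectId": "11111111-1111-1111-1111-111111111111"},
  {"persona": "tier2-analyst", "groupObjectId": "22222222-2222-2222-2222-222222222222"},
  {"persona": "technical-management",
   "groupObjectId": "33333333-3333-3333-3333-333333333333",
   "extraRoles": [{"role": "Reader", "scope": "/subscriptions/00000000-0000-0000-0000-0000000000aa"}]}
]"""

# Constructed environment; the ids are placeholders.
ENV = {"subscription": "00000000-0000-0000-0000-000000000001",
       "resource_group": "rg-sentinel", "workspace": "law-sentinel"}

def scope_for(level, env):
    """Build the ARM scope string for a scope level."""
    sub = f"/subscriptions/{env['subscription']}"
    rg = f"{sub}/resourceGroups/{env['resource_group']}"
    ws = f"{rg}/providers/Microsoft.OperationalInsights/workspaces/{env['workspace']}"
    return {"subscription": sub, "resourcegroup": rg, "workspace": ws}[level]

def desired_assignments(groups_json, env):
    """Expand the JSON source into a set of (principalId, role, scope) triples."""
    desired = set()
    for entry in json.loads(groups_json):
        persona = entry["persona"]
        if persona not in PERSONA_ROLES:
            raise ValueError(f"unknown persona: {persona}")
        for role, level in PERSONA_ROLES[persona]:
            desired.add((entry["groupObjectId"], role, scope_for(level, env)))
        for extra in entry.get("extraRoles", []):
            desired.add((entry["groupObjectId"], extra["role"], extra["scope"]))
    return desired

def broad_privileged(assignments):
    """Flag write-capable roles granted at subscription scope (likely over-broad).
    A bare subscription scope contains exactly two '/' characters."""
    return sorted(a for a in assignments
                  if a[2].count("/") == 2 and ("Contributor" in a[1] or a[1] == "Owner"))

def plan(desired, current):
    """Diff desired triples against `az role assignment list` style records."""
    existing = {(c["principalId"], c["roleDefinitionName"], c["scope"]) for c in current}
    return sorted(desired - existing), sorted(existing - desired)

def render_commands(to_add, to_remove):
    """Emit az CLI commands for the diff (Group principals only in this example)."""
    cmds = [f'az role assignment create --assignee-object-id {p} '
            f'--assignee-principal-type Group --role "{r}" --scope {s}'
            for p, r, s in to_add]
    cmds += [f'az role assignment delete --assignee {p} --role "{r}" --scope {s}'
             for p, r, s in to_remove]
    return cmds

if __name__ == "__main__":
    desired = desired_assignments(GROUPS_JSON, ENV)
    current = []   # in practice: json.load of `az role assignment list --all -o json`
    for cmd in render_commands(*plan(desired, current)):
        print(cmd)
```

Two design points worth keeping when adapting this: feed `plan()` only the live assignments under the scopes this file is meant to own (otherwise the "remove" half will try to strip assignments managed elsewhere), and run `broad_privileged()` as a pipeline gate so that a JSON edit granting Contributor or Owner at subscription scope fails the build instead of being applied. The same expansion step can emit `Microsoft.Authorization/roleAssignments` resources for a Bicep or ARM deployment instead of CLI commands if that fits the rest of the Sentinel-from-code set-up better.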