Blog Post

Microsoft Sentinel Blog
5 MIN READ

Azure Sentinel All-In-One Accelerator

Hesham_Saad's avatar
Hesham_Saad
Icon for Microsoft rankMicrosoft
Feb 02, 2021
Azure Sentinel All in One is a project designed and developed by Javier-Soriano (Senior Program Manager - Microsoft), Hesham_Saad  (Sr. CyberSecurity Technical Specialist - Microsoft) & Sreedh...
Updated Nov 03, 2021
Version 5.0
microsoft sentinel
security
AndrePKI's avatar
AndrePKI
Iron Contributor
Sep 01, 2021

Maybe not a Sentinel question per se, but we are looking how to deploy the associated roles and rights (perhaps from a json source file) for

  • tier 1 Analyst
  • tier 2 Analyst
  • tier 3 Analyst/threat hunter
  • technical management (i.e. responsible for Sentinel configuration, like adding data connectors etc)
  • notebook/workbook/playbook developers
  • notebook/workbook/playbook users (overlapping with tier1/2/3 Analysts)
  • ...

This would map (most likely not 1:1) to the Sentinel roles (Azure Sentinel Reader/Responder/Contributor/Automation Contributor) as well as to several ARM RBAC roles at subscription/resource group/workspace levels and of course things like Reader on the source subscriptions connected.

We are seeking advice on how to do this, and for as much as possible automate it. Of course, I am aware that some things cannot be known/configured beforehand, like some additional rights for in AAD for the AAD data connector (e.g. read and write permissions to AAD diagnostic settings), or maybe this can be added per dataconnector.

 

The ultimate goal would be to manage the entire set-up  of Sentinel from code.

 

Any ideas, suggestions, and/or code? Most appreciated