Forum Discussion

pavankemi's avatar
pavankemi
Copper Contributor
May 27, 2021
Solved

Multiple vendor monitoring single Azure sentinel console

Team,   Is there a possibility to monitor the same Azure Sentinel console from multiple vendors ( vendor will monitor only the logs ingested by the log sources managed by vendor ) while restricting...
  • GaryBushey's avatar
    GaryBushey
    May 27, 2021

    pavankemi For that to work you would need to use the 2nd option and setup custom roles that can then be used in the Table level RBAC.   It should be noted that all users will be able to see all incidents in the environment and if they can modify one they can modify all.

     

    Depending on what data sources are required for all the queries, you may want to see about using 2 different Azure Sentinel environments and use Azure Lighthouse to be able to see both in one view for the people that need to see all of the incidents.

GaryBushey's avatar
GaryBushey
Bronze Contributor
May 27, 2021

pavankemi There are two ways to do this (and I am not sure Azure Lighthouse would work correctly)

1) Use Azure Lighthouse to allow access to your environment from the 2 vendors.  One vendor would have all the needed rights and the second would only use the Azure Sentinel Reader role.  Then, and this is the part I am not sure would work since I have not tested it, setup the Table Level RBAC but instead of using a custom role, use the Azure Sentinel Reader role to limit what can be seen.

2) Either create accounts for the various people on your environment or use B2B and then create the custom roles to use with table level RBAC.

pavankemi's avatar
pavankemi
Copper Contributor
May 27, 2021
Thanks Gary for the quick response. From your response second vendor uses Azure Sentinel Reader Role. This vendor also need to work on the alerts generated from the device managed by them and create any analytic rules on the devices managed by them. How can this be achieved?
  • GaryBushey's avatar
    GaryBushey
    Bronze Contributor
    May 27, 2021

    pavankemi For that to work you would need to use the 2nd option and setup custom roles that can then be used in the Table level RBAC.   It should be noted that all users will be able to see all incidents in the environment and if they can modify one they can modify all.

     

    Depending on what data sources are required for all the queries, you may want to see about using 2 different Azure Sentinel environments and use Azure Lighthouse to be able to see both in one view for the people that need to see all of the incidents.

Resources