Hi, I'm in the process of setting up Sentinel with a number of log sources being sent via CEF. It appears that all the logs will go into the CommonSecurityEvents table which I need to separate out. Ideally I'd like to maintain a single Log Analytics workspace and have separate tables for each source (VPN/Firewall,WebGW etc) so I can grant each team access to the tables they need to query. Is there a way to have the CEF events from a specific on-prem collector write to a specific table? Or is there a better to be separating out these log sources in the same workspace?

SoniaCuff I have both the LA agent and the Arc agent installed on both a Windows and Linux box. I've created resource groups to control access to the logs for these servers. When I try and select a scope in Monitor the resource groups do not appear in the selection list, although others do. Each resource group currently only contains the server with the LA and ARC agents on and my (possibly incorrect) assumption what that would allow me to create a boundary for access to the logs each VM is forwarding rather than have everything exposed to the user.

SimonR To seperate to differnt tables you will need to use Logstach as outlined here. That said, you can use resource RBAC as outlined here with a single table. ~ Ofer

Ofer_Shezaf thanks for this, I'd rather not deploy LogStash if I don't have to, the only reason for separate table would be if I couldn't split the logs in any other way, but it looks like resource RBAC might work for us. Based on what I've read from you link, I'd need a separate collector VM for each access boundary. For example if both the firewall and web proxy logs will only be accessed by the Network team then I'll send them via the same Collector VM. Is there a way to set the resource ID on an on-prem collector without using Azure Arc? I'd like to get up and running with this and while Arc maybe a long term solution for us if I can test without it that would be great. Simon

The easiest way to get started is to view the activity logs with the Azure portal. The following screenshot shows an example of role assignment operations in the activity log. It also includes an option to download the logs as a CSV file.Activity logs using the portal - screenshotThe activity log in the portal has several filters.

SimonR : You got things right. No options I am aware of not listed in the blog post.

Separating Logs for RBAC | Microsoft Community Hub

12 Replies

Lewis-H
Iron Contributor
Apr 20, 2020
The easiest way to get started is to view the activity logs with the Azure portal. The following screenshot shows an example of role assignment operations in the activity log. It also includes an option to download the logs as a CSV file.

Activity logs using the portal - screenshot

The activity log in the portal has several filters.
Ofer_Shezaf
Microsoft
Apr 19, 2020
SimonR

To seperate to differnt tables you will need to use Logstach as outlined here. That said, you can use resource RBAC as outlined here with a single table.

~ Ofer
- SimonR
  Brass Contributor
  Apr 20, 2020
  Ofer_Shezaf thanks for this, I'd rather not deploy LogStash if I don't have to, the only reason for separate table would be if I couldn't split the logs in any other way, but it looks like resource RBAC might work for us.
  
  Based on what I've read from you link, I'd need a separate collector VM for each access boundary. For example if both the firewall and web proxy logs will only be accessed by the Network team then I'll send them via the same Collector VM.
  
  Is there a way to set the resource ID on an on-prem collector without using Azure Arc? I'd like to get up and running with this and while Arc maybe a long term solution for us if I can test without it that would be great.
  
  Simon
  - Ofer_Shezaf
    Microsoft
    Apr 20, 2020
    SimonR : You got things right. No options I am aware of not listed in the blog post.

Forum Discussion

Separating Logs for RBAC

12 Replies

Resources