
Least Privilege Permissions on Log Analytics Workspace for Azure Sentinel

Fergie635
New Contributor

Hi

Documentation on the RBAC design for Azure Sentinel is a little vague. I am just enabling Azure Sentinel and wanted to understand the least privilege permissions (as we share the Log Analytics workspace with the Ops team). What are the least privilege permissions on a Log Analytics workspace to create "Analytics alerts" in Azure Sentinel?

More Detail

I have experimented with the built-in roles "Log Analytics Contributor" and "Monitor Contributor" on the resource group of the Log Analytics workspace. Both of these roles do not allow me to create "Analytics" - "Alerts".
The "save" action pops up the following error:

"Failed to save alert rule 1:12 AM Failed to save alert rule 'test'. Missing necessary permissions to perform this action."

Contributor on the Log Analytics workspace allows me to save the Analytics alert. Obviously, trying to tie down access as tightly as possible, is there another built-in role that I can apply? Or do I need to provide the Security operations team with Contributor access to this resource/resource group for other things (e.g. Dashboards, etc)?

Thanks in advance for your assistance.

2 Replies

@Fergie635 

Hi

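Our recommendation would be to give reader access to the resource group that the workspace resides in for the least privileges. Obviously, readers won't be able to create analytics and dashboards. If the team needs to be able to do that then give contributor to the RG that the workspace resides in.

@Fergie635 Microsoft has a page that lists a lot of good recommendations.

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/manage-access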
