Home
%3CLINGO-SUB%20id%3D%22lingo-sub-965043%22%20slang%3D%22en-US%22%3ETable%20Level%20RBAC%20In%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-965043%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fmanage-access%23table-level-rbac%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSTRONG%3ETable%20level%20RBAC%3C%2FSTRONG%3E%26nbsp%3B%3C%2FA%3Eallows%20you%20to%20define%20more%20granular%20control%20to%20data%20in%20a%20Log%20Analytics%20workspace%20in%20addition%20to%20the%20other%20permissions%20%3CSTRONG%3Eis%20now%20available%20for%20Log%20analytics%20and%20for%20Azure%20sentinel%3C%2FSTRONG%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EEarlier%20this%20year%2C%20my%20colleague%20%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F214230%22%20target%3D%22_blank%22%3E%40Tiander%20Turpijn%3C%2FA%3E%3C%2FSPAN%3E%26nbsp%3Bpublished%20a%20great%20post%20on%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Sentinel%2FBest-practices-for-designing-an-Azure-Sentinel-or-Azure-Security%2Fba-p%2F832574%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3EBest%20practices%20for%20designing%20an%20Azure%20Sentinel%20or%20Azure%20Security%20Center%20Log%20Analytics%20workspace%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHis%20post%20shares%20in%20great%20detail%20the%20architecture%20and%20confederation%20for%20centralizing%20log%20analytics%20workspace%20vs%20multi%20workspaces%20in%20Sentinel%20and%20Azure%20security%20center.%3C%2FP%3E%0A%3CP%3EOn%20this%20blog%20post%2C%20we%20will%20review%20how%20the%20Table%20level%20RBAC%20lets%20you%20ingest%20your%20collected%20data%20into%20a%20centralize%20workspace%20and%20still%20keep%20your%20data%20segregate%20for%20a%20specific%20user%20or%20group.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH1%20id%3D%22toc-hId-2047189074%22%20id%3D%22toc-hId-2047189074%22%3EExample%20use%20case%3C%2FH1%3E%0A%3CP%3EContoso%20installed%20several%20Linux%20servers%20and%20wants%20to%20send%20their%20performance%20logs%20into%20Azure%20Sentinel%20workspace%20and%20enjoy%20Azure%20Sentinel%20advance%20Features.%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20Contoso%20OPS%20team%20that%20manage%20the%20performance%20monitor%20workload%20in%20the%20organization%20need%20access%20only%20to%20the%20performance%20log%20table%20and%20not%20to%20Other%20sensitive%20data%20like%20the%20security%20events%20logs%20that%20store%20on%20the%20same%20workspace.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH1%20id%3D%22toc-hId--504967887%22%20id%3D%22toc-hId--504967887%22%3EConfigure%20RBAC%20table%20Level%20Access%3C%2FH1%3E%0A%3CP%3ETo%20configure%20the%20RBAC%20table%20level%20access%20we%20need%20to%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EDefine%20a%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Frole-based-access-control%2Fcustom-roles%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3ERBAC%20custom%20role%3C%2FA%3E%20by%20creating%20custom%20JSON%20file%20that%20looks%20like%20this%3A%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%3E%7B%0A%20%20%20%20%22Name%22%3A%20%22Contoso%20Performance%20Monitor%20Team%22%2C%0A%20%20%20%20%22Id%22%3A%20null%2C%0A%20%20%20%20%22IsCustom%22%3A%20true%2C%0A%20%20%20%20%22Description%22%3A%20%22Enable%20users%20to%20monitor%20Linux%20servers%20performance%20logs%22%2C%0A%20%20%20%20%22Actions%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%22Microsoft.OperationalInsights%2Fworkspaces%2Fread%22%2C%0A%20%20%20%20%20%20%20%20%22Microsoft.OperationalInsights%2Fworkspaces%2Fquery%2Fread%22%2C%0A%20%20%20%20%20%20%20%20%22Microsoft.OperationalInsights%2Fworkspaces%2Fquery%2FPerf%2Fread%22%0A%20%20%20%20%5D%2C%0A%20%20%20%20%22NotActions%22%3A%20%5B%0A%20%20%20%20%5D%2C%0A%20%20%20%20%22AssignableScopes%22%3A%20%5B%0A%20%20%20%20%20%20%20%22%2Fsubscriptions%2F8f153238-e602-xxxx-xxxx-3043fbe50918%22%0A%20%20%20%20%5D%0A%20%20%7D%0A%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E2.%20Add%20the%20custom%20role%20to%20our%20subscription%2C%20run%20the%20above%20PS%20command%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fmodule%2Faz.resources%2Fnew-azroledefinition%3Fview%3Dazps-2.8.0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3ENew-AzRoleDefinition%3C%2FA%3E%20and%20Point%20to%20the%20custom%20role%20JSON%20file%20from%20the%20preview%20step.%3C%2FP%3E%0A%3CP%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%3E%3CEM%3ETo%20run%20AZ%20PowerShell%20commands%20first%20install%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fazure%2Finstall-az-ps%3Fview%3Dazps-2.8.0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAZ%20PS%20module%3C%2FA%3E%3C%2FEM%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-php%22%3E%3CCODE%3ENew-AzRoleDefinition%20-InputFile%20%22C%3A%5CUsers%5Cyanivsh%5COneDrive%5CDemos%5CCustom_RBAC.json%22%0A%0A%0AName%20%20%20%20%20%20%20%20%20%20%20%20%20%3A%20Perf%20Monitor%20Team%0AId%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3A%20ab403341-d1f6-4cea-ae97-aea203b895a1%0AIsCustom%20%20%20%20%20%20%20%20%20%3A%20True%0ADescription%20%20%20%20%20%20%3A%20Enable%20users%20to%20monitor%20Linux%20server%20performance%20logs%0AActions%20%20%20%20%20%20%20%20%20%20%3A%20%7BMicrosoft.OperationalInsights%2Fworkspaces%2Fread%2C%20Microsoft.OperationalInsights%2Fworkspaces%2Fquery%2Fread%2C%20Microsoft.OperationalInsights%2Fworkspaces%2Fquery%2FPerf%2Fread%7D%0ANotActions%20%20%20%20%20%20%20%3A%20%7B%7D%0ADataActions%20%20%20%20%20%20%3A%20%7B%7D%0ANotDataActions%20%20%20%3A%20%7B%7D%0AAssignableScopes%20%3A%20%7B%2Fsubscriptions%2F8f153238-e602-427e-a7c0-xxxxxxx50918%7D%20%0A%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E3.%20Add%20user%20that%20part%20of%20the%20OPs%20team%20to%20the%20new%20custom%20role%20and%20give%20him%20also%20Azure%20Sentinel%20Reader%20Built-in%20role%20at%20the%20subscription%20level%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F151936i514F890B3486DE4A%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22IAM.jpg%22%20title%3D%22IAM.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E4.%26nbsp%3BWhen%20Ops%20user%20opens%20Azure%20Sentinel%20logs%20tab%20and%20queires%26nbsp%3B%3CSTRONG%3Epref%20table%3C%2FSTRONG%3E%20he%20can%20retrieve%20the%20results%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F151937i0E77701C6CFC470A%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22perf.jpg%22%20title%3D%22perf.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22padding-left%3A%2030px%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhen%20the%20same%20user%20tries%20to%20query%20the%20SecurityEvent%20table%20or%20any%20other%20tables%20in%20Azure%20Sentinel%20workspace%2C%20no%20results%20found.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F151938iD4CD64DF68E1E888%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22securityevents.jpg%22%20title%3D%22securityevents.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20this%20blog%20post%2C%20we%20reviewed%20the%20benefit%20of%20RBAC%20table%20permission%20and%20how%20to%20configure%20it%20in%20a%20real-Life%20scenario.%3C%2FP%3E%0A%3CP%3EThis%20feature%20can%20leverage%20Azure%20users%20to%20send%20their%20collected%20data%20to%20a%20centralize%20workspace%20and%20enjoy%20The%20advance%20analytic%2C%20hunting%20and%20ML%20and%20keep%20their%20data%20segregation.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-965043%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fmanage-access%23table-level-rbac%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSTRONG%3ETable%20level%20RBAC%3C%2FSTRONG%3E%26nbsp%3B%3C%2FA%3Eallows%20you%20to%20define%20more%20granular%20control%20to%20data%20in%20a%20Log%20Analytics%20workspace%20in%20addition%20to%20the%20other%20permissions%20%3CSTRONG%3Eis%20now%20available%20for%20Log%20analytics%20and%20for%20Azure%20sentinel%3C%2FSTRONG%3E.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20927px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F151939i3DDAF2B4D04FB545%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22preview_pic.jpg%22%20title%3D%22preview_pic.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E
Microsoft

Table level RBAC allows you to define more granular control to data in a Log Analytics workspace in addition to the other permissions is now available for Log analytics and for Azure sentinel.

 

Earlier this year, my colleague @Tiander Turpijn published a great post on Best practices for designing an Azure Sentinel or Azure Security Center Log Analytics workspace 

His post shares in great detail the architecture and confederation for centralizing log analytics workspace vs multi workspaces in Sentinel and Azure security center.

On this blog post, we will review how the Table level RBAC lets you ingest your collected data into a centralize workspace and still keep your data segregate for a specific user or group.

 

Example use case

Contoso installed several Linux servers and wants to send their performance logs into Azure Sentinel workspace and enjoy Azure Sentinel advance Features. 

The Contoso OPS team that manage the performance monitor workload in the organization need access only to the performance log table and not to Other sensitive data like the security events logs that store on the same workspace.

 

Configure RBAC table Level Access

To configure the RBAC table level access we need to:

 

  1. Define a RBAC custom role by creating custom JSON file that looks like this:

 

{
    "Name": "Contoso Performance Monitor Team",
    "Id": null,
    "IsCustom": true,
    "Description": "Enable users to monitor Linux servers performance logs",
    "Actions": [
        "Microsoft.OperationalInsights/workspaces/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/Perf/read"
    ],
    "NotActions": [
    ],
    "AssignableScopes": [
       "/subscriptions/8f153238-e602-xxxx-xxxx-3043fbe50918"
    ]
  }

 

 

2. Add the custom role to our subscription, run the above PS command New-AzRoleDefinition and Point to the custom role JSON file from the preview step.

To run AZ PowerShell commands first install the AZ PS module

 

 

New-AzRoleDefinition -InputFile "C:\Users\yanivsh\OneDrive\Demos\Custom_RBAC.json"


Name             : Perf Monitor Team
Id               : ab403341-d1f6-4cea-ae97-aea203b895a1
IsCustom         : True
Description      : Enable users to monitor Linux server performance logs
Actions          : {Microsoft.OperationalInsights/workspaces/read, Microsoft.OperationalInsights/workspaces/query/read, Microsoft.OperationalInsights/workspaces/query/Perf/read}
NotActions       : {}
DataActions      : {}
NotDataActions   : {}
AssignableScopes : {/subscriptions/8f153238-e602-427e-a7c0-xxxxxxx50918} 

 

 

3. Add user that part of the OPs team to the new custom role and give him also Azure Sentinel Reader Built-in role at the subscription level:

 

IAM.jpg

4. When Ops user opens Azure Sentinel logs tab and queires pref table he can retrieve the results:

 

perf.jpg

 

When the same user tries to query the SecurityEvent table or any other tables in Azure Sentinel workspace, no results found.

 

securityevents.jpg

 

In this blog post, we reviewed the benefit of RBAC table permission and how to configure it in a real-Life scenario.

This feature can leverage Azure users to send their collected data to a centralize workspace and enjoy The advance analytic, hunting and ML and keep their data segregation.