Custom Role for Surface Hub Logs in Log Analytics Workspace


Hi All,

 

I created a custom Role for the Read Access of the Surface Hub Logs that are ingested into our Log Analytics Workspace with the Surface Hub Solution. I can see the Logs and Query them with my Admin Account.

Because of Security Reasons, we need a custom Role that can only access the Surface Hub Logs, but none of the other Logs.

 

Here is the JSON I used:

 

{
  "Name": "Surface Hub Log Reader",
  "Description": "Custom Log Analytics Reader Role that can only view Surface Hub Logs",
  "Actions": [
    "Microsoft.OperationalInsights/workspaces/read",
    "Microsoft.OperationalInsights/workspaces/query/read",
    "Microsoft.OperationalInsights/workspaces/query/DeviceHealth/read",
    "Microsoft.OperationalInsights/workspaces/query/DeviceAppCrash/read",
    "Microsoft.OperationalInsights/workspaces/query/DeviceAppLaunch/read",
    "Microsoft.OperationalInsights/workspaces/query/DeviceCalendar/read",
    "Microsoft.OperationalInsights/workspaces/query/DeviceCleanup/read",
    "Microsoft.OperationalInsights/workspaces/query/DeviceConnectSession/read",
    "Microsoft.OperationalInsights/workspaces/query/DeviceEtw/read",
    "Microsoft.OperationalInsights/workspaces/query/DeviceHardwareHealth/read",
    "Microsoft.OperationalInsights/workspaces/query/DeviceHeartbeat/read",
    "Microsoft.OperationalInsights/workspaces/query/DeviceSkypeHeartbeat/read",
    "Microsoft.OperationalInsights/workspaces/query/DeviceSkypeSignIn/read",
    "Microsoft.OperationalInsights/workspaces/query/DeviceSleepState/read"
  ],
  "dataActions": [],
  "notActions": [
    "Microsoft.OperationalInsights/workspaces/sharedKeys/read"
  ],
  "notDataActions": [],
  "AssignableScopes": [
    "/subscriptions/****"
  ]
}
 
That works well, but when I would like to add any of the SurfaceHub Tables to the Actions, there comes an error. I also cannot see them in the Permissions for the Custom Role.
 
'Microsoft.OperationalInsights/workspaces/SurfaceHubEtw/read' does not match any of the actions supported by the providers.
 
Would be great if anybody has been through this, or maybe can tell me where I can address the Surface Hub Logs:
 
SurfaceHubCalendar
SurfaceHubConnectSessions
SurfaceHubEtw
SurfaceHubHeartbeat
SurfaceHubSkypeSignIn
 
Thanks & Regards, Peter
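
As an added example (not part of the original post and not Microsoft tooling): a small Python lint for a role definition like the one above. It reports which tables the role grants, flags wildcard actions that reach past the named tables, and flags any action that lacks the `workspaces/query/<Table>/read` shape of the accepted entries, such as the string in the error message. The name `lint_role` and the cut-down sample role are constructed for illustration; whether the provider accepts SurfaceHub* names in that shape is not settled in this thread.

```python
import json
import re

PREFIX = "microsoft.operationalinsights/workspaces/"
# Shape of every per-table entry in the posted role: workspaces/query/<Table>/read
TABLE_ACTION = re.compile(
    r"^Microsoft\.OperationalInsights/workspaces/query/([^/*]+)/read$", re.I)
# Workspace-level actions from the posted role that are not per-table grants.
NON_TABLE = {PREFIX + "read", PREFIX + "query/read"}

def lint_role(role_json, wanted_tables):
    """Return (granted_tables, findings) for a custom role definition."""
    # The post mixes "Actions" and "dataActions", so compare keys case-insensitively.
    role = {k.lower(): v for k, v in json.loads(role_json).items()}
    granted, findings = set(), []
    for action in role.get("actions", []):
        m = TABLE_ACTION.match(action)
        if m:
            granted.add(m.group(1))
        elif "*" in action:
            findings.append(("wildcard", action))          # broader than named tables
        elif action.lower() not in NON_TABLE:
            findings.append(("unexpected-shape", action))  # e.g. no query/ segment
    for table in sorted(set(wanted_tables) - granted):
        findings.append(("not-granted", table))
    for table in sorted(granted - set(wanted_tables)):
        findings.append(("extra-table", table))
    return granted, findings

# Constructed sample: a cut-down role mixing the action shapes seen in the post.
SAMPLE_ROLE = json.dumps({
    "Name": "Surface Hub Log Reader",
    "Actions": [
        "Microsoft.OperationalInsights/workspaces/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/DeviceEtw/read",
        "Microsoft.OperationalInsights/workspaces/SurfaceHubEtw/read",
        "Microsoft.OperationalInsights/workspaces/query/*/read",
    ],
    "AssignableScopes": ["/subscriptions/****"],
})

if __name__ == "__main__":
    tables, issues = lint_role(SAMPLE_ROLE, ["DeviceEtw", "SurfaceHubEtw"])
    print("tables granted:", sorted(tables))
    for kind, item in issues:
        print(f"{kind}: {item}")
```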
2 Replies

@Peter_Beckendorf 

 

I am not an expert for the Surface Hub solution, but the SurfaceHub* tables you mention are not part of the Azure Monitor reference for LA tables. However, the Device* tables are all there. Are you maybe trying to use deprecated tables?

 

https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/tables-category

Hi @hspinto,

 

Thanks for your response.

I know those tables, but I'm not able to find those referenced in my Log Analytics.

 

Thanks & Kind Regards,

 

Peter