Azure Sentinel with Lighthouse


We have deployed Azure Lighthouse to manage Azure Sentinel with the Azure Sentinel Contributor and Azure Logic App Contributor roles. We can access the client's Sentinel.

We've got a few incidents now. We can click on Investigate, which shows a nice graph and all, but we have some limitations.

  • We can't expand entities like users; we just get AADUSERID: 5xxxx-xxxxxx-xx and FRIENDLYNAME: 5xxxx-xxxx-xxxxx but not the actual user name.
  • We get basic IP information, no hostnames.
  • We can't assign the incident to client users (only our tenant users), likely because we're missing the permission to list tenant users?
1. From which Log Analytics table does that data come, or from which alert (or is it a custom one) is the incident generated? Is it SigninLogs?
2. See #1.

@Clive Watson 

1. From which Log Analytics table does that data come, or from which alert (or is it a custom one) is the incident generated? Is it SigninLogs?

This is an alert from Firewall related to Key Vault access. This is not a custom one.

So my main issue is that I am using Lighthouse to access the customer's Sentinel and I cannot see the customer's users when I want to assign an incident. So I am wondering if this is not possible at the moment or I need some role to do this.

Second is that when I investigate an incident I cannot see the user name of the account involved in that incident. Is this also related to some permission?

@fm1984 We are having the same issue with seeing the customer's users. Have you found a role or another solution to solve this issue?

@fm1984 In regards to the 3rd bullet point, you are correct that Azure Lighthouse will not be able to assign local users to an Incident. From my research, this would require "Directory Reader" rights that can only be granted at the Azure AD level and not through Lighthouse.

@Gary Bushey 

Thanks for the info. This is what we are seeing. In the customer tenant, the security user can see who is assigned an incident. In the Lighthouse tenant, he cannot see who is assigned, even though he has privileges in the customer tenant. Assigning Directory Reader in the customer tenant does not allow the user to see any users assigned.

@lmpalermo That is what I would expect. Even if you are using the same account in your own tenant and in the customer's tenant, Lighthouse doesn't check what rights that account has on the customer's tenant. It only checks what rights have been granted via the ARM template used to enable Lighthouse (and you cannot assign Directory Reader via Lighthouse).

If you need to assign customers to incidents, then Lighthouse will not work for you and you will need to log in to the customer's tenant directly.

@Gary Bushey 

That is what we expected. So we wouldn't be able to see the Owner either, correct?

@lmpalermo That is correct. You don't have permission to translate the GUID to a username.
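The delegated Sentinel role cannot query Azure AD for the user behind an AADUSERID, but it can read the customer's Log Analytics workspace. As an added example (not from anyone in this thread), the KQL below pulls the account entities attached to recent alerts and resolves their AadUserId to a UPN from SigninLogs; it assumes the Azure AD sign-in connector is enabled in the customer workspace and that the user has signed in within the lookback window.

```kql
// Added example, not part of the thread: resolve the AadUserId shown on the
// investigation graph to a UPN using only tables the delegated role can read.
// Assumption: SigninLogs is populated (Azure AD connector enabled).
let lookback = 30d;
// Build an object-ID -> UPN map from the most recent sign-in per user.
let UserMap = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where isnotempty(UserId)
    | summarize arg_max(TimeGenerated, UserPrincipalName, UserDisplayName) by UserId;
// Expand the JSON entity list on each alert and keep only account entities.
SecurityAlert
| where TimeGenerated > ago(lookback)
| where isnotempty(Entities)
| mv-expand Entity = parse_json(Entities)
| where tostring(Entity.Type) == "account"
| extend AadUserId = tostring(Entity.AadUserId)
| where isnotempty(AadUserId)
| project TimeGenerated, AlertName, SystemAlertId, AadUserId
// Left join so alerts whose user never signed in still appear, marked unresolved.
| join kind=leftouter UserMap on $left.AadUserId == $right.UserId
| extend ResolvedUser = iff(isempty(UserPrincipalName),
                            "unresolved (no sign-in within lookback)",
                            UserPrincipalName)
| project TimeGenerated, AlertName, SystemAlertId, AadUserId, ResolvedUser, UserDisplayName
| order by TimeGenerated desc
```

This resolves names for investigation only; assigning the incident to a customer user still requires the directory rights the thread describes, which Lighthouse does not delegate.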