Microsoft

Overview

In no organization is everyone allowed to see all information, and the same is true for the data collected by your SIEM. Luckily, Azure Sentinel has the tools needed to limit such access. The primary methods for enabling role-based access control to data, or data RBAC for short, are either to split your Azure Sentinel implementation into multiple workspaces or to use resource RBAC. In this blog post, I discuss when you should use each of those methods and describe how to implement the latter. To learn more about using multiple workspaces in Azure Sentinel, review our Azure Sentinel architecture webinar (YouTube, Slides) or go deeper with the forthcoming Azure Sentinel for MSSPs webinar (register here).

For completeness, there are two additional methods for controlling access to data in Azure Sentinel. Both serve some use cases well but are less general, and I don't discuss them in detail in this post:

  1. Table level RBAC enables you to set access control for each table in the Azure Sentinel workspace.
  2. You can provide access to data using Workbooks and use Workbook access permissions to control who has access to a workbook.

Lastly, it is worth mentioning the ability to control access to the different features in Azure Sentinel. Azure Sentinel feature RBAC is typically used to differentiate between roles in the SOC, rather than to control access to data.

Understanding Resource RBAC

When using resource RBAC, users who have access to the Azure Sentinel workspace can typically still view all the data. Resource RBAC helps by enabling users who do not have access to the workspace, let's call them non-SOC users, to view the telemetry collected for resources they have log reader permissions for.

Non-SOC users can view logs by navigating to a resource they have log read access to, or to a resource group containing it, and using the "Logs" and "Workbooks" options to query the data and visualize it, respectively, as demonstrated below:

[Image: resource group.gif]

Alternatively, non-SOC users can navigate to Azure Monitor and use the "Logs" or "Workbooks" options. Using Azure Monitor enables the user to select the scope of the query or workbook, spanning multiple resource groups and optionally selecting specific resources.

[Image: Monitor.png]

A third option is to create an empty Log Analytics workspace, one that holds no data, for the non-SOC users to use. In this case, users need to know which workspaces store the data and use cross-workspace queries to access it. While this sounds complicated, it has the advantage that this workspace can host workbooks, saved KQL queries, and saved KQL functions to get users started.

When is resource RBAC useful?

The resource RBAC description above implies a significant distinction. In essence, for a SOC user to get the full Azure Sentinel experience, they need permissions on the workspace, which implies access to all of its data. Resource RBAC enables external users to get access to their own data, but not the full Azure Sentinel experience.

To summarize:

                 SOC team                                      Non-SOC team
  Permissions    To the workspace                              To specific resources
  Data access    All the data in the workspace                 Only data for resources the team is authorized to access
  Experience     Azure Sentinel experience (possibly limited   Query ("Logs") and Workbooks only
                 by the functional permissions the user has)

There are use cases for which resource RBAC does not provide a solution. One such scenario is when a subsidiary has a security operations team which requires a full Azure Sentinel experience. In this case, using a multi-workspace architecture, as described above, is the preferred option.

Another challenge is data RBAC that is not based on resources, for example limiting access based on the user an event references. You might encounter this requirement when trying to limit access to Office 365 logs based on the subsidiary the user belongs to.

The full solution for this would be to use custom collection, as described later. A more straightforward, if partial, solution would be to enrich the relevant log with the subsidiary information, as described in Chris Boehm's blog post. Once enriched, use that information in workbooks, so that each non-SOC team gets access to a workbook pre-filtered to display only its data. It is partial because the filter lives in the workbook rather than in the access check: a user who can query the underlying table directly still sees every row.

Implementing Resource RBAC

The best practice for implementing resource RBAC requires the following steps:

  1. Set the workspace access control mode to "Use resource or workspace permissions", which is what enables resource RBAC for the workspace, as described here.
  2. Create a resource group for each non-SOC team and assign log reader permissions on it to the team members.
  3. Follow the guidelines below for each event type to place resources in the team resource groups you created above, and tag events with the right resource ID.

Once you have completed those steps, team members have access to their logs through the "Logs" and "Workbooks" options of their team resource group.

In some cases, especially when collecting from Azure resources, the resource group assignment must follow a different methodology, which prevents you from moving resources into the team resource groups described above. In those cases, the alternatives suggested above for non-SOC team use, namely a dedicated empty workspace or Azure Monitor, still work, provided the team has log reader permissions on the resources themselves.
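The three steps above expressed as Azure Resource Manager REST calls, followed by the check I would run afterwards: a query that shows, per table, how many recent records carry a _ResourceId under the team resource group and how many carry none (the latter are invisible in resource context no matter what roles are assigned; this is also the check to run after setting up per-team collector VMs, described further down). This is an added example, not code from the original post. The subscription, resource group, workspace and principal values are placeholders (assumptions); the role definition GUID and API versions are the documented ones at the time of writing. Sending the requests needs a bearer token, for example from `az account get-access-token`; without one the script only prints the plan.

```python
# Added example (not from the original post). Assumptions: placeholder IDs and
# names below; a bearer token in ARM_TOKEN when you want the calls to be sent.
import json
import os
import urllib.request
import uuid

ARM = "https://management.azure.com"
# Built-in "Log Analytics Reader" role; this GUID is the same in every tenant.
LOG_ANALYTICS_READER = "73c42c96-874c-492b-b04d-ab87d138a893"


def workspace_access_mode_request(subscription, workspace_rg, workspace):
    """Step 1: switch the workspace to 'Use resource or workspace permissions'.
    In the default 'Require workspace permissions' mode, Log Analytics Reader
    on a resource or resource group alone shows no data at all."""
    url = (f"{ARM}/subscriptions/{subscription}/resourceGroups/{workspace_rg}"
           f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
           "?api-version=2020-08-01")
    body = {"properties": {"features": {"enableLogAccessUsingOnlyResourcePermissions": True}}}
    return "PATCH", url, body


def team_resource_group_request(subscription, team_rg, location):
    """Step 2a: one resource group per non-SOC team; it becomes the RBAC scope."""
    url = f"{ARM}/subscriptions/{subscription}/resourcegroups/{team_rg}?api-version=2021-04-01"
    return "PUT", url, {"location": location}


def log_reader_assignment_request(subscription, team_rg, principal_object_id):
    """Step 2b: Log Analytics Reader for the team's Azure AD group, scoped to the
    team resource group only. Never grant it on the workspace: that exposes everything."""
    scope = f"/subscriptions/{subscription}/resourceGroups/{team_rg}"
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments/{uuid.uuid4()}"
           "?api-version=2022-04-01")
    body = {"properties": {
        "roleDefinitionId": f"/subscriptions/{subscription}/providers/Microsoft.Authorization"
                            f"/roleDefinitions/{LOG_ANALYTICS_READER}",
        "principalId": principal_object_id,
        "principalType": "Group"}}
    return "PUT", url, body


def tagging_check_query(team_rg_scope, lookback="1d"):
    """Step 3 check: per table, count recent records tagged under the team
    resource group, under some other scope, or not tagged at all.
    KQL 'startswith' is case-insensitive, which matters because _ResourceId
    is not guaranteed to preserve the casing of the ARM ID."""
    return f"""union withsource=SourceTable *
| where TimeGenerated > ago({lookback})
| extend Scope = case(isempty(_ResourceId), "untagged",
                      _ResourceId startswith "{team_rg_scope}", "team",
                      "other")
| summarize Records = count() by SourceTable, Scope
| order by SourceTable asc, Scope asc"""


def log_query_request(workspace_customer_id, kql):
    """Run the check through the Log Analytics query API (workspace GUID, not ARM ID;
    the token for this call is for https://api.loganalytics.io/)."""
    url = f"https://api.loganalytics.io/v1/workspaces/{workspace_customer_id}/query"
    return "POST", url, {"query": kql}


def send(method, url, body, token):
    """Issue one JSON request with a bearer token and return the parsed response."""
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"), method=method,
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    sub, team_rg = "00000000-0000-0000-0000-000000000000", "rg-team-a-logs"  # placeholders
    plan = [
        workspace_access_mode_request(sub, "rg-soc", "soc-sentinel-ws"),
        team_resource_group_request(sub, team_rg, "westeurope"),
        log_reader_assignment_request(sub, team_rg, "11111111-1111-1111-1111-111111111111"),
    ]
    token = os.environ.get("ARM_TOKEN")  # assumption: supplied by the operator
    for method, url, body in plan:
        print(method, url, json.dumps(body))
        if token:
            send(method, url, body, token)
    print(tagging_check_query(f"/subscriptions/{sub}/resourceGroups/{team_rg}"))
```

Run the check query from the SOC side (workspace permissions) after the collectors and API clients are in place; any "untagged" rows for a table the team expects to see mean the tagging step, not the role assignment, is what needs fixing.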

Tagging events for Azure resources

When Azure resources, whether VMs using the Log Analytics agent or PaaS services, send telemetry to Azure Sentinel, the log records are automatically tagged with the resource ID of the originating resource. Ideally, place the resource in the resource group you created. If you cannot do that, make sure that the non-SOC team has log reader permission on the resources themselves.

Tagging events with Collector VMs: CEF, Syslog, and WEF*

When collecting events using CEF, Syslog, or WEF*, a collector VM is used to collect events from multiple source systems. For example, when a Syslog collector VM listens to different sources sending Syslog and forwards them to Azure Sentinel, the collector VM's resource ID is assigned to all of those events. When using an on-prem or other-cloud collector VM, you can ensure it has a resource ID by enrolling it in Azure Arc.

As a result, you need to ensure that separate collector VMs process the events belonging to different non-SOC teams, so that all the Syslog events which belong to team A are collected by collector VM A. The converse also holds: every source that can reach collector A's listener has its events tagged as team A's, so restrict which sources can send to each collector (network security groups or host firewall rules) rather than relying on the source hostname in the event.

To summarize, to allow a user group access to its data:

  • Deploy a separate collector VM (or VM scale set) to collect the events belonging to this user group.
  • Place the collector VM in the resource group allocated to this user group above.
  • If the collector is an on-prem VM, enroll it in Azure Arc.

* WEF is in private preview at this time.

Resource RBAC for custom collection

When collecting using the Log Analytics data collector API, you can assign a resource ID to events using the special HTTP header x-ms-AzureResourceId. As you may expect, the resource ID must be a real resource ID. So which resource ID should you use? While you can use any valid resource ID, the best practice is to use the ID of the resource group you created for the non-SOC team that should be able to see the events.
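A client for the data collector API that signs the request with the workspace shared key and sets x-ms-AzureResourceId to the team resource group, as an added example that is not code from the original post. The workspace ID, shared key, subscription and resource group are placeholders (assumptions), and the two records in SAMPLE_EVENTS are constructed. One point worth seeing in code: the header is chosen by whoever holds the shared key, so that key decides which team can read the data and must be guarded accordingly.

```python
# Added example (not from the original post). Assumptions: placeholder workspace
# ID / key / resource IDs; SAMPLE_EVENTS is constructed sample data.
import base64
import datetime
import hashlib
import hmac
import json
import urllib.request

ENDPOINT = "https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"

# Constructed sample data: two events from an application owned by team A.
SAMPLE_EVENTS = [
    {"EventTime": "2020-04-20T10:15:00Z", "Host": "hr-app-01", "User": "a.user", "Action": "login_failed"},
    {"EventTime": "2020-04-20T10:15:07Z", "Host": "hr-app-01", "User": "a.user", "Action": "login_ok"},
]


def valid_resource_id(resource_id):
    """The API rejects anything that is not a full ARM resource ID; check before signing."""
    return resource_id.lower().startswith("/subscriptions/") and resource_id.count("/") >= 4


def string_to_sign(content_length, rfc1123_date):
    """Canonical string the data collector API signs: verb, length, type, date, path."""
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n/api/logs"


def build_authorization(workspace_id, shared_key_b64, content_length, rfc1123_date):
    """'SharedKey <workspace id>:<base64 HMAC-SHA256>'. The workspace key is
    base64-encoded and must be decoded before it is used as the HMAC key."""
    key = base64.b64decode(shared_key_b64)
    mac = hmac.new(key, string_to_sign(content_length, rfc1123_date).encode("utf-8"), hashlib.sha256)
    return f"SharedKey {workspace_id}:{base64.b64encode(mac.digest()).decode('ascii')}"


def build_request(workspace_id, shared_key_b64, log_type, records, resource_id, now=None):
    """Return (url, headers, body) for one batch tagged with resource_id.
    Whoever holds the shared key picks this value, so the key is what really
    decides which team can read the records."""
    if not valid_resource_id(resource_id):
        raise ValueError(f"not an ARM resource ID: {resource_id}")
    now = now or datetime.datetime.now(datetime.timezone.utc)
    rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_authorization(workspace_id, shared_key_b64, len(body), rfc1123_date),
        "Log-Type": log_type,                  # table is created as <log_type>_CL
        "x-ms-date": rfc1123_date,
        "time-generated-field": "EventTime",   # ISO 8601 field used as TimeGenerated
        "x-ms-AzureResourceId": resource_id,   # what resource-context RBAC matches on
    }
    return ENDPOINT.format(workspace_id=workspace_id), headers, body


def post_records(workspace_id, shared_key_b64, log_type, records, resource_id):
    """Send one batch; returns the HTTP status (200 means accepted)."""
    url, headers, body = build_request(workspace_id, shared_key_b64, log_type, records, resource_id)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Placeholders; substitute the real workspace ID and primary key, then call post_records.
    team_rg = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-team-a-logs"
    url, headers, _ = build_request("00000000-0000-0000-0000-000000000000",
                                    base64.b64encode(b"placeholder-key").decode("ascii"),
                                    "TeamAApp", SAMPLE_EVENTS, team_rg)
    print(url)
    for name in ("Log-Type", "x-ms-date", "x-ms-AzureResourceId"):
        print(f"{name}: {headers[name]}")
```

The records land in a TeamAApp_CL table and, because of the header, show up under "Logs" on the rg-team-a-logs resource group for anyone with Log Analytics Reader there, while a user without workspace permissions and without that role sees nothing.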