Custom Permissions for Azure Sentinel

Hi,

I want to give specific permissions to someone on Sentinel like below:

- full access to Threat Management (Incidents, Workbooks, Hunting, Notebooks) and Logs section
- read only access to all other sections.

Is this possible? I couldn't see some of these settings on https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations.

I especially want to limit analytic rule creation and playbook creation.

2 Replies

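@Cyb3rMonk, it is possible to customize the access as you described. Please refer to this article (https://secureinfra.blog/2020/06/19/granting-access-to-specific-azure-sentinel-playbooks-for-specific-analysts/) for Playbook custom access, and this doc (https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftsecurityinsights) for more details on Alert Rule Creation custom access.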

@Chi_Nguyen

If I give read permission to analytic rules and playbooks, how can I give full permission to the Hunting and Workbook sections? I can't find the permission for Hunting. If I give several permissions, it will be the union of those permissions I guess and won't work.
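
An added example, not part of the thread above: a small Python model of how Azure RBAC evaluates role definitions (Actions minus NotActions inside one role, union across role assignments), applied to a hypothetical custom role for the access described in the question. The role names and contents are constructed for illustration, and treating Hunting queries as workspace saved searches is an assumption.

```python
import re

def matches(pattern: str, operation: str) -> bool:
    # Azure RBAC operation strings are case-insensitive; '*' matches any run of characters.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def role_allows(role: dict, operation: str) -> bool:
    # Inside one role: granted by Actions unless carved out by NotActions.
    granted = any(matches(p, operation) for p in role["Actions"])
    excluded = any(matches(p, operation) for p in role.get("NotActions", []))
    return granted and not excluded

def effective_allows(roles: list, operation: str) -> bool:
    # Across assignments the result is a union: NotActions in one role is
    # not a deny, so any other assigned role can still grant the operation.
    return any(role_allows(r, operation) for r in roles)

# Hypothetical custom role: read everything in Sentinel, write only to
# incidents, hunting queries (assumed to be saved searches) and workbooks.
ANALYST_ROLE = {
    "Name": "Sentinel Analyst (constructed example)",
    "Actions": [
        "Microsoft.SecurityInsights/*/read",
        "Microsoft.SecurityInsights/incidents/*",
        "Microsoft.OperationalInsights/workspaces/savedSearches/*",
        "Microsoft.Insights/workbooks/*",
        "Microsoft.Logic/workflows/read",
    ],
    "NotActions": [],
}

# Hypothetical broad role that the same user might also hold.
BROAD_ROLE = {
    "Name": "Broad contributor (constructed example)",
    "Actions": ["Microsoft.SecurityInsights/*", "Microsoft.Logic/*"],
    "NotActions": [],
}

if __name__ == "__main__":
    checks = [
        "Microsoft.SecurityInsights/incidents/write",
        "Microsoft.OperationalInsights/workspaces/savedSearches/write",
        "Microsoft.Insights/workbooks/write",
        "Microsoft.SecurityInsights/alertRules/write",
        "Microsoft.Logic/workflows/write",
    ]
    for op in checks:
        print(f"{op:65} analyst only: {effective_allows([ANALYST_ROLE], op)!s:5} "
              f"with broad role: {effective_allows([ANALYST_ROLE, BROAD_ROLE], op)}")
```

A narrowly scoped custom role only limits rule and playbook creation if it is the sole grant on that scope, so existing assignments are worth listing before relying on it.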