Home

Least Privilege Permissions on Log Analytics Workspace for Azure Sentinel

%3CLINGO-SUB%20id%3D%22lingo-sub-787504%22%20slang%3D%22en-US%22%3ELeast%20Privilege%20Permissions%20on%20Log%20Analytics%20Workspace%20for%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-787504%22%20slang%3D%22en-US%22%3E%3CP%3EHi%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDocumentation%20on%20the%20RBAC%20design%20for%20Azure%20Sentinel%20is%20a%20little%20vague.%20I%20am%20just%20enabling%20Azure%20Sentinel%20and%20wanted%20to%20understand%20the%20least%20privilege%20permissions%20(as%20we%20share%20the%20Log%20Analytics%20workspace%20with%20the%20Ops%20team).%20What%20are%20the%20least%20privilege%20permissions%20on%20a%20log%20Analytics%20workspace%20to%20create%20%22Analytics%20alerts%22%20in%20Azure%20Sentinel%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3CU%3E%3CSTRONG%3EMore%20Detail%3C%2FSTRONG%3E%3C%2FU%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CDIV%3E%3CDIV%3E%3CDIV%3E%3CDIV%3E%3CDIV%3E%3CDIV%3EI%20have%20experimented%20with%20the%20built%20in%20roles%20%22Log%20Analytics%20Contributor%22%20and%20%22Monitor%20Contributor%22%20on%20the%20resource%20group%20of%20the%20LogAnalytics%20workspace.%20Both%20of%20these%20roles%20do%20not%20allow%20me%20to%20create%20%22Analytics%22%20-%20%22Alerts%22.%3C%2FDIV%3E%3CDIV%3EWith%20the%20on%20%22save%22%20action%20popping%20out%20with%20the%20following%20error%3A%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%3CDIV%3E%3CDIV%3E%22Failed%20to%20save%20alert%20rule%201%3A12%20AM%20Failed%20to%20save%20alert%20rule%20'test'.%20Missing%20necessary%20permissions%20to%20perform%20this%20action.%22%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%3CDIV%3E%3CDIV%3EContributor%20on%20the%20LogAnalytics%20workspace%20allows%20me%20save%20the%20Analytics%20alert.%20Obviously%20trying%20to%20tie%20down%20access%20as%20tight%20as%20possible%20is%20there%20another%20built%20in%20role%20that%20I%20can%20apply%3F%20Or%20do%20I%20need%20to%20provide%20the%20Security%20operations%20team%20with%20Contributor%20access%20to%20this%20resource%2Fresource%20group%20for%20other%20things%20(e.g.%20Dashboards%2C%20etc)%3F%20%26nbsp%3B%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20in%20advance%20for%20your%20assistance.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-790395%22%20slang%3D%22en-US%22%3ERe%3A%20Least%20Privilege%20Permissions%20on%20Log%20Analytics%20Workspace%20for%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-790395%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F284679%22%20target%3D%22_blank%22%3E%40Fergie635%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHi%3C%2FP%3E%0A%3CP%3EOur%20recommendation%20would%20be%20to%20give%20reader%20access%20to%20the%20resource%20group%20that%20the%20workspace%20resides%20in%20for%20the%20least%20privileges.%26nbsp%3B%20Obviously%2C%20readers%20wont%20be%20able%20to%20create%20analytics%20and%20dashboards.%26nbsp%3B%20If%20the%20team%20needs%20to%20be%20able%20to%20do%20that%20then%20give%20contributor%20to%20the%20RG%20that%20the%20workspace%20resides%20in.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-792685%22%20slang%3D%22en-US%22%3ERe%3A%20Least%20Privilege%20Permissions%20on%20Log%20Analytics%20Workspace%20for%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-792685%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F284679%22%20target%3D%22_blank%22%3E%40Fergie635%3C%2FA%3E%26nbsp%3BMicrosoft%20has%20a%20page%20that%20lists%20a%20lot%20of%20good%20recommendations.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fmanage-access%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fmanage-access%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

Hi

 

Documentation on the RBAC design for Azure Sentinel is a little vague. I am just enabling Azure Sentinel and wanted to understand the least privilege permissions (as we share the Log Analytics workspace with the Ops team). What are the least privilege permissions on a log Analytics workspace to create "Analytics alerts" in Azure Sentinel ?

 

 More Detail

 

I have experimented with the built in roles "Log Analytics Contributor" and "Monitor Contributor" on the resource group of the LogAnalytics workspace. Both of these roles do not allow me to create "Analytics" - "Alerts".
With the on "save" action popping out with the following error:
 
"Failed to save alert rule 1:12 AM Failed to save alert rule 'test'. Missing necessary permissions to perform this action."
 
Contributor on the LogAnalytics workspace allows me save the Analytics alert. Obviously trying to tie down access as tight as possible is there another built in role that I can apply? Or do I need to provide the Security operations team with Contributor access to this resource/resource group for other things (e.g. Dashboards, etc)?  

 

Thanks in advance for your assistance. 

2 Replies
Highlighted

@Fergie635 

Hi

Our recommendation would be to give reader access to the resource group that the workspace resides in for the least privileges.  Obviously, readers wont be able to create analytics and dashboards.  If the team needs to be able to do that then give contributor to the RG that the workspace resides in.

Highlighted