Sentinel Workbooks - how to allow HelpDesk visibility

%3CLINGO-SUB%20id%3D%22lingo-sub-1254165%22%20slang%3D%22en-US%22%3ESentinel%20Workbooks%20-%20how%20to%20allow%20HelpDesk%20visibility%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1254165%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20trying%20to%20enable%20the%20HelpDesk%2FSupport%20folks%20to%20have%20visibility%20of%20the%20Workbooks%20(Dashboards)%20so%20that%20they%20can%20see%20details%20around%20Azure%20MFA%20%26amp%3B%20Insecure%20Protocol%20usage%2C%20etc...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20is%20the%20best%20way%20of%20achieving%20this%20while%20ensuring%20that%20the%20same%20users%20don't%20have%20full%20access%20to%20ALL%20of%20Sentinel%3F%20These%20users%20need%20access%2Fvisibility%20to%20the%20Workbooks.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOne%20thought%20was%20to%20use%20the%20%22Workbooks%22%20from%20the%20Azure%20Portal%20under%20AAD%20%26gt%3B%20Monitoring%20location%3A%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fportal.azure.com%2F%23blade%2FMicrosoft_AAD_IAM%2FActiveDirectoryMenuBlade%2FWorkbooks%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fportal.azure.com%2F%23blade%2FMicrosoft_AAD_IAM%2FActiveDirectoryMenuBlade%2FWorkbooks%3C%2FA%3E%3C%2FP%3E%3CP%3EBut%20this%20seems%20to%20pointing%20to%20a%20different%20Log%20Analytics%20workspace%20instance%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOr%20is%20there%20a%20way%20of%20achieving%20this%20via%20RBAC%20or%20Roles%20within%20Sentinel%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20this%20make%20sense%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1254185%22%20slang%3D%22en-US%22%3ERe%3A%20Sentinel%20Workbooks%20-%20how%20to%20allow%20HelpDesk%20visibility%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1254185%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EIt%20almost%20looks%20like%20the%20best%20place%20to%20do%20this%20is%20straight%20out%20of%20the%20Log%20Anaytics%20page%3F%20%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EThen%20share%20from%20there%3F%20Or%20is%20there%20a%20better%20way%20to%20do%20this%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1255325%22%20slang%3D%22en-US%22%3ERe%3A%20Sentinel%20Workbooks%20-%20how%20to%20allow%20HelpDesk%20visibility%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1255325%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F129396%22%20target%3D%22_blank%22%3E%40David%20Caddick%3C%2FA%3E%26nbsp%3BYour%20Helpdesk%20crew%20will%20need%20at%20least%26nbsp%3B%3CSPAN%3EAzure%20Sentinel%20reader%20and%20Log%20Analytics%20reader%20roles%20to%20view%20the%20Workbook.%20Then%20you%20can%20just%20provide%20them%20the%20%22share%22%20link%20for%20each%20Workbook%20you%20want%20them%20to%20have%20access%20to.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Frequent Contributor

We are trying to enable the HelpDesk/Support folks to have visibility of the Workbooks (Dashboards) so that they can see details around Azure MFA & Insecure Protocol usage, etc...

 

What is the best way of achieving this while ensuring that the same users don't have full access to ALL of Sentinel? These users need access/visibility to the Workbooks.

 

One thought was to use the "Workbooks" from the Azure Portal under AAD > Monitoring location:

https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Workbooks

But this seems to pointing to a different Log Analytics workspace instance?

 

Or is there a way of achieving this via RBAC or Roles within Sentinel?

 

Does this make sense?

2 Replies
Highlighted

It almost looks like the best place to do this is straight out of the Log Anaytics page?

Then share from there? Or is there a better way to do this?

Highlighted

@David Caddick Your Helpdesk crew will need at least Azure Sentinel reader and Log Analytics reader roles to view the Workbook. Then you can just provide them the "share" link for each Workbook you want them to have access to.