cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Table Level RBAC In Microsoft Sentinel
By
Yaniv Shasha
Published Oct 30 2019 01:17 AM 27.7K Views
Yaniv Shasha
Microsoft
‎Oct 30 2019 01:17 AM

Table Level RBAC In Microsoft Sentinel

‎Oct 30 2019 01:17 AM

Table level RBAC allows you to define more granular control to data in a Log Analytics workspace in addition to the other permissions is now available for Log analytics and for Microsoft sentinel.

 

Earlier this year, my colleague @Tiander Turpijn published a great post on Best practices for designing an Azure Sentinel or Azure Security Center Log Analytics workspace 

His post shares in great detail the architecture and confederation for centralizing log analytics workspace vs multi workspaces in Microsoft Sentinel and Azure security center.

On this blog post, we will review how the Table level RBAC lets you ingest your collected data into a centralize workspace and still keep your data segregate for a specific user or group.

 

Example use case

Contoso installed several Windows servers and wants to send their performance logs into a centralized workspace that combines Security logs and operational logs.
The Contoso OPS team that manage the performance monitor workload in the organization need access only to the performance log table and not to Other sensitive data like the security events logs that store on the same workspace.

 

Configure RBAC table Level Access

To configure the RBAC table level access we need to:

 

  1. Define a RBAC custom role by creating custom JSON file that looks like this:

 

 

{
    "Name": "Contoso Performance Monitor Team",
    "Id": null,
    "IsCustom": true,
    "Description": "Enable users to monitor Linux servers performance logs",
    "Actions": [
        "Microsoft.OperationalInsights/workspaces/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/Perf/read"
    ],
    "NotActions": [
    ],
    "AssignableScopes": [
       "/subscriptions/8f153238-e602-xxxx-xxxx-3043fbe50918"
    ]
  }

 

 

 

2. Add the custom role to our subscription, run the above PS command New-AzRoleDefinition and Point to the custom role JSON file from the preview step.

 

To run AZ PowerShell commands first install the AZ PS module

 

 

 

New-AzRoleDefinition -InputFile "C:\Users\yanivsh\OneDrive\Demos\Custom_RBAC.json"


Name             : Perf Monitor Team
Id               : ab403341-d1f6-4cea-ae97-aea203b895a1
IsCustom         : True
Description      : Enable users to monitor Linux server performance logs
Actions          : {Microsoft.OperationalInsights/workspaces/read, Microsoft.OperationalInsights/workspaces/query/read, Microsoft.OperationalInsights/workspaces/query/Perf/read}
NotActions       : {}
DataActions      : {}
NotDataActions   : {}
AssignableScopes : {/subscriptions/8f153238-e602-427e-a7c0-xxxxxxx50918}

 

 

 

 

3. Add user that part of the OPs team to the new custom role a at the subscription level:

 

IAM.png

4. When Ops user opens Log Analytics logs tab and queries the pref table he can retrieve the results:

 

perf_take50.png

 

When the same user tries to query the SecurityEvent table or any other tables in Microsoft Sentinel workspace, no results found.

 

SecurityEvent.png

 

In this blog post, we reviewed the benefit of RBAC table permission and how to configure it in a real-Life scenario.

This feature can leverage Azure users to send their collected data to a centralize workspace and enjoy The advance analytic, hunting and ML and keep their data segregation.

 

9 Comments
Pavan_Gelli1910
Brass Contributor
‎Mar 30 2020 09:55 AM
‎Mar 30 2020 09:55 AM

@Yaniv ShashaGood article and explanation is crystal clear. 

0 Likes
Like
Guy_P
Microsoft
‎Apr 13 2020 03:20 AM
‎Apr 13 2020 03:20 AM

Hi @Yaniv Shasha 

Please could you explain why we grant the sentinel reader permission at the sub level and not at the RG?

Thanks alot,

Guy

0 Likes
Like
Yaniv Shasha
Microsoft
‎Apr 13 2020 11:38 AM
‎Apr 13 2020 11:38 AM

@Guy_P your comment is relevant and current for must of the cases.

If the need is only to retrieve the logs so RG level RBAC is ok.

but if your playbook or workbook ii on other RG's so you need wider permission than the subscription.

Ashok42
Copper Contributor
‎Apr 21 2020 10:54 PM
‎Apr 21 2020 10:54 PM

Very interesting and useful use case !!! 

0 Likes
Like
dparis
Copper Contributor
‎Jun 03 2020 12:10 PM
‎Jun 03 2020 12:10 PM

Hi @Yaniv Shasha, thank you for your article.

 

I'd like to ask you if you faced any issues when configuring RBAC to tables.

I have faced several issues when I have applied permissions to a custom role, where the users inside of this role are only allowed query-specific tables.

The defined users inside of this custom role don't have access to the sentinel subscription, only to the log-analytics workspace, until here everything is working as expected.

 

When they try to access the data inside of log-analytics workspace, they started to receiving issues with the permissions even with the correct permissions, now this is fixed but I'm having another issue and is related to access to the Azure Diagnostics data.

The users have permissions to access 3 tables one of these tables is the Azure Diagnostics when they try to query it no data is displayed but for the remaining tables they are able to see the data.

 

Any thoughts on why this is happening?

 

Thank you.

D.

0 Likes
Like
Ked_Mardemootoo
Copper Contributor
‎Jun 03 2021 07:59 AM
‎Jun 03 2021 07:59 AM

Great article @Yaniv Shasha. I'd like to know whether it's possible to go one step deeper and limit access to specific rows? I know there's no way to do it natively, but maybe there's a hack I can consider, other than having specific logs in custom tables based on access level etc.

0 Likes
Like
Kevin_Eldredge
Microsoft
‎Sep 23 2022 08:28 AM
‎Sep 23 2022 08:28 AM

Can RBAC be used to restrict say a team that is responsible for maintaining the infrastructure of the Sentinel instance from seeing any data/incident/alert that would be visible in the actual Sentinel instance?

0 Likes
Like
NemanjaSerafimovic
Copper Contributor
‎Feb 28 2023 04:28 AM
‎Feb 28 2023 04:28 AM

Great article, thanks!

0 Likes
Like
mbbhimji
Copper Contributor
‎Apr 11 2024 06:55 AM
‎Apr 11 2024 06:55 AM

A question can this be setup for tables like the SecurityEvent and SecurityAlert table.

 

I did the following and could not get it to work.

 

{
"Name": "Test Windows Security Logs Table Access",
"Id": null,
"IsCustom": true,
"Description": "Enable users to monitor WIndows servers Security Events and Alerts",
"Actions": [
"Microsoft.OperationalInsights/workspaces/read",
"Microsoft.OperationalInsights/workspaces/query/read",
"Microsoft.OperationalInsights/workspaces/query/SecurityAlert/read",
"Microsoft.OperationalInsights/workspaces/query/SecurityEvent/read"
],
"NotActions": [
],
"AssignableScopes": [
"/subscriptions/##################################"
]
}

0 Likes
Like
Co-Authors
Version history
Last update:
‎Nov 02 2021 12:08 AM
Updated by: