Now available: Grant permissions directly to a playbook to operate on Azure Sentinel, instead of creating additional identities.
Azure Sentinel Logic Apps connector is the bridge between Sentinel and Playbooks, serving as the basis for incident automation scenarios. The connector requires an identity on whose behalf it will operate on Azure Sentinel. Until now, you could do one of the following: use an Azure AD user which has been assigned an Azure Sentinel RBAC role, or create a Service Principal (for example, in form of an Azure AD registered application) and grant it the Azure Sentinel RBAC role.
Each one of these options has its advantages, but also limitations: Many would prefer not to authenticate with a user to a tool that generates automated actions. It is harder to audit (for example, using the incident table) which actions have been taken on behalf of a user and which are made by the playbook. It also makes less sense to see, for example, new comments that were generated by a playbook, but appear as if a user is their author. Also, if a user leaves the organization, you need to update all the connections that use its identity.
The service principal connection type allows us to create a registered application and use it as the identity behind the connector. You can define what this app can do, who can access it and what resources can this app access. It’s easy to delete it or replace its credentials if it’s suspected to have been compromised. For these reasons it’s great from a security perspective, but it still requires managing as another identity in the cloud that has credentials and permissions which potentially others can use.
Now, with the availability of Managed Identity for the Azure Sentinel connector, you can give permissions directly to the playbook (Logic App workflow resource), so Sentinel connector actions will operate on its behalf, as if it were an independent object which has permissions on Azure Sentinel. This lowers the number of identities you have to manage and gives the power to give access directly to the resource that operates.
When you turn on this feature in the Logic App, it is registered with Azure Active Directory and represented by an object ID. This identity can be assigned an Azure RBAC role on your Sentinel Workspace. The Azure Sentinel connector is configured to operate on its behalf as the selected API connection referenced by this connector.
To start using this new capability:
Turn on managed Identity in the Logic Apps resource
Click on Save.You will get a notification that this playbook was registered with Azure Active Directory:
Also, object ID will appear:
Authenticate to Azure Sentinel Connector
Thanks to new Azure Logic Apps feature, more Azure AD-based connectors allow this as well. Currently, the following connectors support this feature:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.