
Microsoft Sentinel Blog

Table Level RBAC In Microsoft Sentinel

YanivSh
Oct 30, 2019

Table-level RBAC lets you define more granular access to the data in a Log Analytics workspace, on top of the existing workspace permissions. It is now available for Log Analytics and for Microsoft Sentinel.

 

Earlier this year, my colleague Tiander Turpijn published a great post on Best practices for designing an Azure Sentinel or Azure Security Center Log Analytics workspace.

His post covers in great detail the architecture and the considerations for a single centralized Log Analytics workspace versus multiple workspaces in Microsoft Sentinel and Azure Security Center.

In this blog post, we will review how table-level RBAC lets you ingest your collected data into a centralized workspace and still keep that data segregated for a specific user or group.

 

Example use case

Contoso has deployed several Windows servers and wants to send their performance logs into a centralized workspace that combines security logs and operational logs.
The Contoso OPS team, which manages the performance monitoring workload in the organization, needs access only to the performance log table (Perf) and not to other sensitive data, such as the security event logs stored in the same workspace.

 

Configure Table-Level RBAC Access

To configure table-level RBAC access we need to:

 

  1. Define an RBAC custom role by creating a JSON file that looks like this:

 

 

{
    "Name": "Contoso Performance Monitor Team",
    "Id": null,
    "IsCustom": true,
    "Description": "Enable users to monitor Linux servers performance logs",
    "Actions": [
        "Microsoft.OperationalInsights/workspaces/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/Perf/read"
    ],
    "NotActions": [
    ],
    "AssignableScopes": [
        "/subscriptions/8f153238-e602-xxxx-xxxx-3043fbe50918"
    ]
}

 

 

 

2. Add the custom role to the subscription: run the Az PowerShell cmdlet New-AzRoleDefinition and point it at the custom role JSON file from the previous step.

 

To run Az PowerShell cmdlets, first install the Az PowerShell module (Install-Module -Name Az).

 

 

 

New-AzRoleDefinition -InputFile "C:\Users\yanivsh\OneDrive\Demos\Custom_RBAC.json"


Name             : Perf Monitor Team
Id               : ab403341-d1f6-4cea-ae97-aea203b895a1
IsCustom         : True
Description      : Enable users to monitor Linux server performance logs
Actions          : {Microsoft.OperationalInsights/workspaces/read, Microsoft.OperationalInsights/workspaces/query/read, Microsoft.OperationalInsights/workspaces/query/Perf/read}
NotActions       : {}
DataActions      : {}
NotDataActions   : {}
AssignableScopes : {/subscriptions/8f153238-e602-427e-a7c0-xxxxxxx50918} 

 

 

 

 

3. Assign the new custom role to the users (or group) of the OPS team at the subscription level:

 

4. When an OPS user opens the Log Analytics Logs blade and queries the Perf table, the results are returned:

 

 

When the same user tries to query the SecurityEvent table, or any other table in the Microsoft Sentinel workspace, no results are found.
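The four steps above as one Az PowerShell script, added here as an example; it is not code from the original post. The subscription ID, resource group, workspace name, Azure AD group object ID and role name are placeholders (assumptions) to replace with your own values. It differs from the post in two small ways: it assigns the role at the workspace resource scope rather than at the subscription (any scope at or below an AssignableScopes entry is valid), and it adds a small verification function that queries an allowed and a denied table.

```powershell
#Requires -Modules Az.Accounts, Az.Resources, Az.OperationalInsights
# Added example, not from the original post. Every ID and name below is a
# placeholder (assumption) that you must replace with your own values.

$SubscriptionId   = '00000000-0000-0000-0000-000000000000'   # placeholder subscription
$ResourceGroup    = 'contoso-sentinel-rg'                    # placeholder RG of the workspace
$WorkspaceName    = 'contoso-sentinel-ws'                    # placeholder central workspace
$OpsGroupObjectId = '11111111-1111-1111-1111-111111111111'   # placeholder: Azure AD group of the OPS team
$RoleName         = 'Contoso Performance Monitor Team'
$AllowedTable     = 'Perf'                                   # the only table the OPS team may read

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Step 1: the custom role. workspaces/read and workspaces/query/read make the
# workspace visible and queryable at all; the third action opens exactly one table.
# Tables not listed here stay hidden, including any added to the workspace later.
$roleJson = @"
{
  "Name": "$RoleName",
  "Id": null,
  "IsCustom": true,
  "Description": "Read only the $AllowedTable table in the central Log Analytics workspace",
  "Actions": [
    "Microsoft.OperationalInsights/workspaces/read",
    "Microsoft.OperationalInsights/workspaces/query/read",
    "Microsoft.OperationalInsights/workspaces/query/$AllowedTable/read"
  ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/$SubscriptionId" ]
}
"@
$roleFile = Join-Path ([System.IO.Path]::GetTempPath()) 'perf-reader-role.json'
Set-Content -Path $roleFile -Value $roleJson -Encoding utf8

# Step 2: create the role once; re-running the script reuses the existing definition.
$role = Get-AzRoleDefinition -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) { $role = New-AzRoleDefinition -InputFile $roleFile }
$role | Format-List Name, Id, Actions, AssignableScopes

# Step 3: role assignment to the OPS group. The post assigns at the subscription;
# the workspace resource is the narrowest scope that still lets members read logs
# and keeps them from seeing anything else in the subscription.
$ws    = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName
$scope = $ws.ResourceId
if (-not (Get-AzRoleAssignment -ObjectId $OpsGroupObjectId -RoleDefinitionName $RoleName -Scope $scope)) {
    New-AzRoleAssignment -ObjectId $OpsGroupObjectId -RoleDefinitionName $RoleName -Scope $scope | Out-Null
}

# Step 4: verification. It only proves the point when run in a session signed in
# (Connect-AzAccount) as a member of the OPS group: Perf should return rows, while
# SecurityEvent should return none or fail with an authorization error.
function Test-TableAccess {
    param([string]$WorkspaceCustomerId, [string[]]$Tables)
    foreach ($t in $Tables) {
        try {
            $r = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceCustomerId -Query "$t | take 5"
            '{0,-15} {1} rows' -f $t, @($r.Results).Count
        } catch {
            '{0,-15} denied: {1}' -f $t, $_.Exception.Message
        }
    }
}
Test-TableAccess -WorkspaceCustomerId $ws.CustomerId -Tables $AllowedTable, 'SecurityEvent'
```

Steps 1 to 3 need an identity that can create role definitions and assignments (Owner or User Access Administrator on the subscription); run the Test-TableAccess call separately as an OPS team member, since an administrator will of course see both tables. The role is an allow-list, so the check to repeat whenever the central workspace starts ingesting a new data source is simply that its table is not in the Actions list of this role.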

 

 

In this blog post, we reviewed the benefit of table-level RBAC permissions and how to configure them in a real-life scenario.

This feature lets Azure users send their collected data to a centralized workspace, benefit from the advanced analytics, hunting and ML capabilities, and still keep their data segregated.

 

Updated Nov 02, 2021
Version 4.0
  • Guy_P your comment is relevant and current for most of the cases.

    If the need is only to retrieve the logs, RG-level RBAC is OK.

    But if your playbook or workbook is in other RGs, you need wider permissions than the subscription.

  • Hi YanivSh 

    Please could you explain why we grant the sentinel reader permission at the sub level and not at the RG?

    Thanks a lot,

    Guy

  • dparis

    Hi YanivSh, thank you for your article.

     

    I'd like to ask you if you faced any issues when configuring RBAC to tables.

    I have faced several issues when I applied permissions to a custom role where the users inside this role are only allowed to query specific tables.

    The users defined in this custom role don't have access to the Sentinel subscription, only to the Log Analytics workspace; up to here everything is working as expected.

     

    When they tried to access the data inside the Log Analytics workspace, they started receiving permission issues even with the correct permissions. This is now fixed, but I'm having another issue, related to access to the Azure Diagnostics data.

    The users have permissions to access three tables; one of these tables is Azure Diagnostics. When they try to query it no data is displayed, but for the remaining tables they are able to see the data.

     

    Any thoughts on why this is happening?

     

    Thank you.

    D.

  • Ked_Mardemootoo

    Great article YanivSh. I'd like to know whether it's possible to go one step deeper and limit access to specific rows? I know there's no way to do it natively, but maybe there's a hack I can consider, other than having specific logs in custom tables based on access level etc.

  • Can RBAC be used to restrict say a team that is responsible for maintaining the infrastructure of the Sentinel instance from seeing any data/incident/alert that would be visible in the actual Sentinel instance?

  • mbbhimji

    A question: can this be set up for tables like the SecurityEvent and SecurityAlert tables?

     

    I did the following and could not get it to work.

     

    {
        "Name": "Test Windows Security Logs Table Access",
        "Id": null,
        "IsCustom": true,
        "Description": "Enable users to monitor Windows servers Security Events and Alerts",
        "Actions": [
            "Microsoft.OperationalInsights/workspaces/read",
            "Microsoft.OperationalInsights/workspaces/query/read",
            "Microsoft.OperationalInsights/workspaces/query/SecurityAlert/read",
            "Microsoft.OperationalInsights/workspaces/query/SecurityEvent/read"
        ],
        "NotActions": [
        ],
        "AssignableScopes": [
            "/subscriptions/##################################"
        ]
    }

  • chralph

    mbbhimji

    Did you try something like this:

     

    {
      "Name": "SecurityAlert Reader",
      "IsCustom": true,
      "Description": "Can read data from the SecurityAlert table",
      "Actions": [
        "Microsoft.OperationalInsights/workspaces/query/read"
      ],
      "NotActions": [],
      "DataActions": [
        "Microsoft.OperationalInsights/workspaces/tables/SecurityAlert/query/action"
      ],
      "NotDataActions": [],
      "AssignableScopes": [
        "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}"
      ]
    }