cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Give users access to run one specific workbook but not all of Sentinel

Lassekatten
Copper Contributor

‎Jul 20 2021 05:56 AM

‎Jul 20 2021 05:56 AM

Give users access to run one specific workbook but not all of Sentinel

Hi guys,

 

I need to create a solution that allows a few consultants to query login events on servers without giving them access to all of our SIEM data. 

 

I have created a workbook with the parameter: serverName and the simple query:

 

DeviceLogonEvents
where DeviceName contains "{serverName}" 
 
I would like for the consultants to be able to input the parameter value and then receive the results without getting access to editing the query or all of the data in Sentinel. 
 
I am wondering how I can achieve this in the easiest way possible?
 
I hope someone can be of help! :)
 
Br.
Lars
605 Views
0 Likes
1 Reply
Reply
1 Reply
Gary Bushey

‎Jul 20 2021 08:21 AM

‎Jul 20 2021 08:21 AM

Re: Give users access to run one specific workbook but not all of Sentinel

@Lassekatten One thing I can think of is to use a Watchlist that maps the users to what server(s) they can select.  You can then write a query for the server parameter that would show which server(s) they could select.

 

It appears that if the users do NOT have the Monitor Contributor role they will not be able to edit a workbook, only use it.

0 Likes
Reply