SOLVED

Multiple vendor monitoring single Azure sentinel console


Team,

 

Is there a possibility to monitor the same Azure Sentinel console from multiple vendors (each vendor will monitor only the logs ingested from the log sources managed by that vendor) while restricting them from viewing the logs generated by another vendor's managed devices?

 

Table-level and resource RBAC would restrict the analyst from having a view of the Azure Sentinel console.

 

Thanks in advance

3 Replies

@pavankemi There are two ways to do this (and I am not sure Azure Lighthouse would work correctly)

1) Use Azure Lighthouse to allow access to your environment from the 2 vendors. One vendor would have all the needed rights and the second would only use the Azure Sentinel Reader role. Then, and this is the part I am not sure would work since I have not tested it, set up the Table Level RBAC but instead of using a custom role, use the Azure Sentinel Reader role to limit what can be seen.

2) Either create accounts for the various people on your environment or use B2B and then create the custom roles to use with table level RBAC.

Thanks Gary for the quick response. From your response the second vendor uses the Azure Sentinel Reader role. This vendor also needs to work on the alerts generated from the devices managed by them and create analytic rules on the devices managed by them. How can this be achieved?
best response confirmed by pavankemi (Contributor)
Solution

@pavankemi For that to work you would need to use the 2nd option and set up custom roles that can then be used in the Table level RBAC. It should be noted that all users will be able to see all incidents in the environment, and if they can modify one they can modify all.

 

Depending on what data sources are required for all the queries, you may want to see about using 2 different Azure Sentinel environments and use Azure Lighthouse to be able to see both in one view for the people that need to see all of the incidents.
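As an added example (not code from the original thread, and not Microsoft's own tooling), here is the custom-role route from the accepted answer written out for Azure CLI: one custom role per vendor that can query only that vendor's tables, assigned at workspace scope next to a built-in Microsoft Sentinel role (the built-in roles have since been renamed from "Azure Sentinel" to "Microsoft Sentinel"), plus a check that the built-in role does not itself carry a wildcard table read that would make the restriction moot, since Azure RBAC is additive. The subscription, resource group, workspace path, group object IDs, vendor labels and table sets are all assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example; not code from the original thread or from Microsoft.
# Builds the per-vendor custom role used for Log Analytics table-level RBAC
# and prints the Azure CLI commands that create and assign it. Subscription,
# resource group, workspace and group object IDs are placeholders (assumptions).
set -eu

# Emit a custom role whose only query rights are the named tables.
# $1 = role name, $2 = workspace resource ID (its only assignable scope),
# remaining args = table names, e.g. CommonSecurityLog Syslog.
table_role_json() {
  local name="$1" ws="$2"; shift 2
  local actions='    "Microsoft.OperationalInsights/workspaces/read",
    "Microsoft.OperationalInsights/workspaces/query/read"'
  local t
  for t in "$@"; do
    # per-table action: Microsoft.OperationalInsights/workspaces/query/<Table>/read
    actions="${actions},
    \"Microsoft.OperationalInsights/workspaces/query/${t}/read\""
  done
  cat <<EOF
{
  "Name": "${name}",
  "IsCustom": true,
  "Description": "Query access limited to selected tables of one workspace",
  "Actions": [
${actions}
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [ "${ws}" ]
}
EOF
}

# Succeed (0) when a role definition on stdin (for example the output of
# `az role definition list --name "<role>"`) carries one of the common wildcard
# reads that cover every table. A role like that, assigned to the same principal
# at workspace scope or above, overrides the table-level restriction.
grants_all_tables() {
  grep -Eq '"(\*|\*/read|Microsoft\.OperationalInsights/\*|Microsoft\.OperationalInsights/workspaces/\*(/read)?|Microsoft\.OperationalInsights/workspaces/query/\*/read)"'
}

# Print (not run) the Azure CLI commands for one vendor group: create the role,
# assign it plus a built-in Microsoft Sentinel role at workspace scope, and
# check that the built-in role does not itself grant every table.
# $1 = vendor label, $2 = Azure AD group object ID, $3 = workspace resource ID,
# $4 = built-in Sentinel role name, remaining args = tables.
vendor_access_commands() {
  local vendor="$1" group="$2" ws="$3" sentinel_role="$4"; shift 4
  local role="${vendor} table reader"
  cat <<EOF
# --- ${vendor}: tables $* ---
az role definition create --role-definition "\$(table_role_json '${role}' '${ws}' $*)"
az role assignment create --assignee-object-id '${group}' --assignee-principal-type Group --role '${role}' --scope '${ws}'
az role assignment create --assignee-object-id '${group}' --assignee-principal-type Group --role '${sentinel_role}' --scope '${ws}'
az role definition list --name '${sentinel_role}' -o json | grants_all_tables && echo 'WARNING: ${sentinel_role} already grants every table'
EOF
}

# Constructed demo: two vendors with disjoint tables in the same workspace.
WS="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sentinel/providers/Microsoft.OperationalInsights/workspaces/sentinel-ws"
vendor_access_commands "Vendor A" "11111111-1111-1111-1111-111111111111" "$WS" "Microsoft Sentinel Responder" CommonSecurityLog Syslog
vendor_access_commands "Vendor B" "22222222-2222-2222-2222-222222222222" "$WS" "Microsoft Sentinel Responder" SecurityEvent WindowsFirewall
```

Source the script in a shell where `az login` has already been done, then paste the printed commands; the `az role definition create` line calls `table_role_json` from the same shell. If the final check prints the warning, the built-in role you paired with the custom role already reads every table at workspace scope, and the table restriction only holds if that wider read is removed from the vendor's assignments. Custom roles apply per workspace, so if the two-workspace split with Azure Lighthouse is chosen instead, the same definitions are simply created with each workspace as their assignable scope.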