cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Multiple vendor monitoring single Azure sentinel console

pavankemi
Contributor

‎May 27 2021 02:54 AM

‎May 27 2021 02:54 AM

Multiple vendor monitoring single Azure sentinel console

Team,

 

Is there a possibility to monitor the same Azure Sentinel console from multiple vendors ( vendor will monitor only the logs ingested by the log sources managed by vendor ) while restricting them to view the  logs generated by the another vendor managed devices?

 

Table level and Resource RBAC would restrict the analyst to have a view of Azure Sentinel console.

 

Thanks in advance

366 Views
0 Likes
3 Replies
Reply
3 Replies
Gary Bushey

‎May 27 2021 04:02 AM

‎May 27 2021 04:02 AM

Re: Multiple vendor monitoring single Azure sentinel console

@pavankemi There are two ways to do this (and I am not sure Azure Lighthouse would work correctly)

1) Use Azure Lighthouse to allow access to your environment from the 2 vendors.  One vendor would have all the needed rights and the second would only use the Azure Sentinel Reader role.  Then, and this is the part I am not sure would work since I have not tested it, setup the Table Level RBAC but instead of using a custom role, use the Azure Sentinel Reader role to limit what can be seen.

2) Either create accounts for the various people on your environment or use B2B and then create the custom roles to use with table level RBAC.

0 Likes
Reply
pavankemi

‎May 27 2021 05:04 AM

‎May 27 2021 05:04 AM

Re: Multiple vendor monitoring single Azure sentinel console

Thanks Gary for the quick response. From your response second vendor uses Azure Sentinel Reader Role. This vendor also need to work on the alerts generated from the device managed by them and create any analytic rules on the devices managed by them. How can this be achieved?
0 Likes
Reply
best response confirmed by pavankemi (Contributor)
Gary Bushey

‎May 27 2021 05:10 AM

‎May 27 2021 05:10 AM

Solution

Re: Multiple vendor monitoring single Azure sentinel console

@pavankemi For that to work you would need to use the 2nd option and setup custom roles that can then be used in the Table level RBAC.   It should be noted that all users will be able to see all incidents in the environment and if they can modify one they can modify all.

 

Depending on what data sources are required for all the queries, you may want to see about using 2 different Azure Sentinel environments and use Azure Lighthouse to be able to see both in one view for the people that need to see all of the incidents.

0 Likes
Reply