May 27 2021 02:54 AM
Team,
Is there a possibility to monitor the same Azure Sentinel console from multiple vendors (each vendor will monitor only the logs ingested by the log sources managed by that vendor) while restricting them from viewing the logs generated by another vendor's managed devices?
Table-level and Resource RBAC would restrict the analyst from having a view of the Azure Sentinel console.
Thanks in advance
May 27 2021 04:02 AM
@pavankemi There are two ways to do this (and I am not sure Azure Lighthouse would work correctly).
1) Use Azure Lighthouse to allow access to your environment from the 2 vendors. One vendor would have all the needed rights and the second would only use the Azure Sentinel Reader role. Then, and this is the part I am not sure would work since I have not tested it, set up the Table Level RBAC but instead of using a custom role, use the Azure Sentinel Reader role to limit what can be seen.
2) Either create accounts for the various people on your environment or use B2B and then create the custom roles to use with table level RBAC.
May 27 2021 05:04 AM
May 27 2021 05:10 AM
Solution
@pavankemi For that to work you would need to use the 2nd option and set up custom roles that can then be used in the Table level RBAC. It should be noted that all users will be able to see all incidents in the environment and if they can modify one they can modify all.
Depending on what data sources are required for all the queries, you may want to see about using 2 different Azure Sentinel environments and use Azure Lighthouse to be able to see both in one view for the people that need to see all of the incidents.
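An added example, not part of the original thread: one way to generate the per-vendor custom role definitions that option 2 relies on, using the Log Analytics table-level query actions, and to refuse to emit them if a table is assigned to more than one vendor. The subscription ID, resource group, workspace name, vendor names and the vendor-to-table mapping are constructed placeholders.

```python
import json

# Constructed sample scope and vendor-to-table mapping (assumptions, not from the thread).
WORKSPACE_SCOPE = (
    "/subscriptions/00000000-0000-0000-0000-000000000000"
    "/resourceGroups/rg-sentinel-example"
    "/providers/Microsoft.OperationalInsights/workspaces/ws-sentinel-example"
)
VENDOR_TABLES = {
    "VendorA": ["SecurityEvent", "Syslog"],
    "VendorB": ["CommonSecurityLog", "AzureActivity"],
}

def overlapping_tables(vendor_tables):
    """Return {table: [vendors]} for tables granted to more than one vendor."""
    owners = {}
    for vendor, tables in vendor_tables.items():
        for table in set(tables):
            owners.setdefault(table, []).append(vendor)
    return {t: v for t, v in owners.items() if len(v) > 1}

def build_role(vendor, tables, scope):
    """Build a custom role definition allowing queries on the listed tables only."""
    actions = [
        "Microsoft.OperationalInsights/workspaces/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
    ]
    # One explicit action per table; no wildcard, so other tables stay unreadable.
    actions += [
        f"Microsoft.OperationalInsights/workspaces/query/{t}/read"
        for t in sorted(set(tables))
    ]
    return {
        "Name": f"Sentinel table reader - {vendor}",
        "IsCustom": True,
        "Description": f"Query access limited to tables owned by {vendor}",
        "Actions": actions,
        "NotActions": [],
        "AssignableScopes": [scope],
    }

def build_all(vendor_tables, scope):
    """Refuse to emit roles if any table would be readable by two vendors."""
    shared = overlapping_tables(vendor_tables)
    if shared:
        raise ValueError(f"tables shared between vendors: {shared}")
    return {v: build_role(v, t, scope) for v, t in vendor_tables.items()}

if __name__ == "__main__":
    for role in build_all(VENDOR_TABLES, WORKSPACE_SCOPE).values():
        print(json.dumps(role, indent=2))
```

Each printed definition can be saved to a file and created with `az role definition create --role-definition <file>`. The table restriction only holds if the vendor accounts are not also assigned a broader role that grants read access to all tables in the workspace.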