
Managing the permissions of the workspace

Before we connect and store data in the workspace and enable Azure Sentinel to carry out analytics on the data, let's review the options to secure access to this new resource. Azure provides three main levels of access to resources:

  • Owner: Has the highest level of access to resources
  • Contributor: Can create and modify resources, but cannot grant or revoke access
  • Reader: Can view all resources

These permissions can be granted at four different levels:

  • Subscription: Highest level of access, applies to all resources within the subscription
  • Resource group: Applies to the specific resource group, which may contain multiple workspaces
  • Workspace: Applies only to the specific workspace
  • Table-level RBAC: Applies to individual tables within the log

    Table-Level RBAC

    While there is no user interface available to set permissions on individual tables within the log, you can create Azure custom roles to set these permissions. See https://docs.microsoft.com/en-us/azure/azure-monitor/platform/manage-access#table-level-rbac for more information on how to do this.

Permissions can be applied using built-in roles, or you can make a custom role for specific access if you need to be more granular. To make this simpler, there are several built-in user roles we recommend you use in order to manage access to Log Analytics for the purpose of using Azure Sentinel, and we recommend you apply these to the specific resource group used for Azure Sentinel:

  • Engineers developing new queries and data connectors:

    a) Azure Sentinel Contributor: Provides the ability to create and edit dashboards, analytics rules, and other Azure Sentinel resources

    b) Log Analytics Reader: Provides read-only visibility to all Azure resources and Azure Sentinel logs

  • Analysts running daily operations:

    a) Azure Sentinel Responder: Provides the ability to manage incidents, view data, workbooks, and other Azure Sentinel resources

    b) Log Analytics Reader: Provides read-only visibility to all Azure resources and Azure Sentinel logs

If additional permissions are required, keep to the principle of granting minimal permissions and applying them only to the specific resources required. It may take some trial and error to get the right outcome, but it is a safer option than providing broad and excessive permissions. For further information, please take a look at the following article:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/manage-access
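
To check existing grants against the guidance above, the following added example (not code from the book) audits a list of role assignments and reports those that are broader than recommended for the Azure Sentinel resource group. It assumes input records carrying the `principalName`, `roleDefinitionName` and `scope` fields found in `az role assignment list` JSON output; the subscription ID, resource group, workspace and user names are constructed placeholders, and role names are written as in this section (newer tenants may show them under the Microsoft Sentinel name).

```python
# Roles this section recommends, and the broad roles from its first list.
RECOMMENDED = {"Azure Sentinel Contributor", "Azure Sentinel Responder", "Log Analytics Reader"}
BROAD = {"Owner", "Contributor"}

def audit(assignments, subscription_id, resource_group):
    """Return (principal, role, level, issue) for grants wider than the section recommends."""
    sub = f"/subscriptions/{subscription_id}".lower()
    rg = f"{sub}/resourcegroups/{resource_group}".lower()
    findings = []
    for a in assignments:
        scope = a["scope"].rstrip("/").lower()  # Azure scope strings are case-insensitive
        if scope == sub:
            level = "subscription"
        elif scope == rg:
            level = "resource group"
        elif scope.startswith(rg + "/"):
            level = "workspace or other resource"
        else:
            continue  # does not reach the Sentinel resource group (scopes above subscription are not handled)
        role = a["roleDefinitionName"]
        if role in BROAD:
            issue = "broad role"
        elif role in RECOMMENDED and level == "subscription":
            issue = "scope wider than resource group"
        else:
            continue  # recommended role at resource group or below, or a role outside this check
        findings.append((a["principalName"], role, level, issue))
    return findings

# Constructed sample data (placeholders, not from a real tenant).
SUB = "00000000-0000-0000-0000-000000000000"
RG = "rg-sentinel"
_S = f"/subscriptions/{SUB}"
_WS = f"{_S}/resourceGroups/{RG}/providers/Microsoft.OperationalInsights/workspaces/law-sentinel"
SAMPLE = [dict(principalName=p, roleDefinitionName=r, scope=s) for p, r, s in [
    ("alice@example.com", "Owner", _S),
    ("bob@example.com", "Azure Sentinel Responder", f"{_S}/resourceGroups/{RG}"),
    ("bob@example.com", "Log Analytics Reader", f"{_S}/resourceGroups/{RG}"),
    ("carol@example.com", "Azure Sentinel Contributor", _S),
    ("dave@example.com", "Contributor", _WS),
    ("erin@example.com", "Contributor", f"{_S}/resourceGroups/rg-web"),
]]

if __name__ == "__main__":
    for who, role, level, issue in audit(SAMPLE, SUB, RG):
        print(f"{who}: {role} at {level} ({issue})")
```
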
