0

We are in the process of implmenting Sentinel with several data sources, what is the best way to do the RBAC?

4c74356b41
  • 69,186
  • 6
  • 100
  • 141
kay106
  • 65
  • 5

2 Answers2

1

You would just create the dashboard from Azure Sentinel and assign RBAC roles to it the same way you would with any other Resource in Azure.

The quickstart guide covers it:

  1. To create a new dashboard from scratch, select Dashboards and then +New dashboard.

  2. Select the subscription the dashboard is created in and give it a descriptive name. Each dashboard is an Azure resource like any other, and you can assign it roles (RBAC) to define and limit who can access.

  3. To enable it to show up in your dashboards to pin visualizations to, you have to share it. Click Share and then Manage users.

  4. Use the Check access and Role assignments as you would for any other Azure resource. For more information, see Share Azure dashboards by using RBAC.

Let me know if this helps.

Marilee Turscak - MSFT
  • 7,367
  • 3
  • 18
  • 28
1

There are two parts to this. The first is using RBAC to secure your Azure Sentinel. This document has more information on that: https://learn.microsoft.com/en-us/azure/sentinel/roles

The second part is to secure the logs within your Log Analytics workspace. This will control what information those users that have access to your Azure Sentinel can see. So if you want only certain Security Analysts to see your O365 logs you can control it through table level RBAC in the logs.

https://techcommunity.microsoft.com/t5/Azure-Sentinel/Table-Level-RBAC-In-Azure-Sentinel/ba-p/965043

Gary Bushey
  • 19
  • 2
  • This answer is more complete then the accepted answer as Sentinel is fed by the log analytics workspaces which sit behind it. RBAC on just Sentinel wouldn't prevent users from still accessing the raw data directly in log analytic workspaces – DreadedFrost Dec 19 '19 at 03:09