You have set up an Azure Sentinel workspace and now need to assign an RBAC role to a colleague who should be able to manage incidents.
The solution must use the principle of least privilege.
Which role should you assign?
A. B. C. D.
Correct Answer: B
As shown in the table, Azure Sentinel Responder is the least privileged role with enough permissions to manage incidents:
Option A is incorrect.
This role does not have permission to manage incidents (see table).
Option C is incorrect.
This role does have permission, but it is not the least privileged (see table).
Option D is incorrect.
This role does have permission, but it is not the least privileged (see table).
To assign RBAC roles for managing incidents in an Azure Sentinel workspace, we need to consider the principle of least privilege. The principle of least privilege states that a user should only have the minimum access necessary to perform their job function.
Option A: Azure Sentinel Reader
The Azure Sentinel Reader role can view Azure Sentinel data and incidents but cannot manage them. This role is not sufficient for managing incidents.
Option B: Azure Sentinel Responder
The Azure Sentinel Responder role can manage incidents in Azure Sentinel, such as creating, updating, and resolving incidents. This role is a better fit for managing incidents than the Azure Sentinel Reader role.
Option C: Azure Sentinel Contributor
The Azure Sentinel Contributor role has permissions to manage all aspects of Azure Sentinel, including incidents, data connectors, workbooks, and more. While this role would allow a colleague to manage incidents, it provides more permissions than necessary and does not follow the principle of least privilege.
Option D: Logic App Contributor
The Logic App Contributor role is not relevant for managing incidents in Azure Sentinel. This role has permissions to create and manage logic apps, which are used for building workflows and automating processes in Azure.
Based on the principle of least privilege and the requirements of managing incidents, the best option would be to assign the Azure Sentinel Responder role to the colleague. This role provides the necessary permissions to manage incidents, without granting excessive permissions to manage other aspects of Azure Sentinel.