Tiered Roles and Responsibilities in Azure Sentinel for Contoso Ltd. SOC Analysts

Ensuring Controlled Access to Data Sources in Azure Sentinel

Question

You are the SOC manager for Contoso Ltd., a large global organization with offices and operations in several jurisdictions.

The organization runs a hybrid environment with both on-premises and cloud IT infrastructure that needs to be monitored for any security breaches.

Contoso Ltd. uses Azure Sentinel as its SIEM solution.

As a part of your duties for Contoso Ltd., you run a large follow-the-sun SOC across several countries with hundreds of staff: Tier 1 analysts run the initial triage and basic incident resolution; Tier 2 analysts handle incidents escalated to them from Tier 1; and Tier 3 analysts are the most experienced analysts who take on the most complex cases that Tiers 1 and 2 haven't been able to resolve.

Sometimes, this involves the need for Tier 2 analysts to change the configuration of Azure Sentinel.

With this information in mind, how can you ensure that Tier 1 and Tier 2 SOC analysts cannot change the data sources that are connected to Azure Sentinel and that only Tier 3 analysts have access to do this? Define Roles for Tier 1, Tier 2 and Tier 3 analysts.

Answers

Explanations


Correct Answer: D

You should assign the correct built-in Azure AD roles for Azure Sentinel.

Here, the Tier 1 and Tier 2 SOC analysts who do not need access to change Sentinel settings should be assigned the Azure Sentinel Responder role, where they can manage incidents and review data.

Tier 3 analysts should be assigned the Azure Sentinel Contributor role, which allows them to edit settings in Azure Sentinel.

Reference:

The correct answer for this scenario is option D:

- Tier 1: Azure Sentinel Responder
- Tier 2: Azure Sentinel Responder
- Tier 3: Azure Sentinel Contributor

Explanation:

In this scenario, the requirement is to ensure that only Tier 3 analysts have access to change the data sources that are connected to Azure Sentinel. To achieve this, we need to define the appropriate roles for each tier of analysts.

Tier 1 analysts are responsible for initial triage and basic incident resolution. Therefore, they do not require access to change data sources. As such, we can assign them the Azure Sentinel Responder role. This role enables them to view and respond to incidents in Azure Sentinel, but does not allow them to change data sources.

Tier 2 analysts handle incidents escalated from Tier 1. They may require access to change data sources in certain cases. However, in this scenario, we want to limit access to only Tier 3 analysts. Therefore, we can also assign the Azure Sentinel Responder role to Tier 2 analysts.

Tier 3 analysts are the most experienced and handle the most complex cases. They are responsible for changing data sources in Azure Sentinel. Therefore, we can assign them the Azure Sentinel Contributor role. This role enables them to manage data sources, including adding, modifying, and deleting data connectors in Azure Sentinel.

In summary, by assigning the appropriate roles to each tier of analysts, we can ensure that only Tier 3 analysts have access to change the data sources that are connected to Azure Sentinel.
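As an added check that is not part of the original answer: the claim that Responder cannot touch data connectors while Contributor can is decided by the Actions/NotActions lists of the two role definitions, which Azure RBAC evaluates with wildcard matching. The snippet below implements that matching and runs it over constructed, trimmed approximations of the two built-in roles (named `Microsoft Sentinel Responder` and `Microsoft Sentinel Contributor` in current Azure, formerly `Azure Sentinel ...`); the action strings and tier mapping are assumptions for the example, and the authoritative lists come from `az role definition list --name "<role name>"`.

```python
import fnmatch
from dataclasses import dataclass, field


@dataclass
class RoleDefinition:
    """Subset of an Azure RBAC role definition: Actions grant, NotActions subtract."""
    name: str
    actions: list
    not_actions: list = field(default_factory=list)


def _matches(pattern: str, operation: str) -> bool:
    # Azure compares operation names case-insensitively; '*' matches any run of
    # characters including '/' separators, which is exactly fnmatch's '*' semantics.
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())


def allows(role: RoleDefinition, operation: str) -> bool:
    """True when some Actions pattern grants the operation and no NotActions pattern removes it."""
    granted = any(_matches(p, operation) for p in role.actions)
    denied = any(_matches(p, operation) for p in role.not_actions)
    return granted and not denied


# Constructed, trimmed approximations of the built-in roles (not the full definitions).
SENTINEL_RESPONDER = RoleDefinition(
    "Microsoft Sentinel Responder",
    actions=[
        "Microsoft.SecurityInsights/*/read",            # read everything, incl. connectors
        "Microsoft.SecurityInsights/incidents/*",       # manage incidents ...
        "Microsoft.SecurityInsights/cases/*",
    ],
    not_actions=[
        "Microsoft.SecurityInsights/incidents/*/Delete",  # ... but not delete them
        "Microsoft.SecurityInsights/cases/*/Delete",
    ],
)
SENTINEL_CONTRIBUTOR = RoleDefinition(
    "Microsoft Sentinel Contributor",
    actions=["Microsoft.SecurityInsights/*"],           # full control of Sentinel settings
)

# Assumed tier-to-role mapping matching answer D.
TIER_ROLES = {"Tier 1": SENTINEL_RESPONDER, "Tier 2": SENTINEL_RESPONDER, "Tier 3": SENTINEL_CONTRIBUTOR}
DATA_CONNECTOR_WRITE = "Microsoft.SecurityInsights/dataConnectors/write"
DATA_CONNECTOR_READ = "Microsoft.SecurityInsights/dataConnectors/read"


def tiers_that_can(operation: str) -> list:
    """Return the tiers whose assigned role permits the given control-plane operation."""
    return [tier for tier, role in TIER_ROLES.items() if allows(role, operation)]


if __name__ == "__main__":
    for op in (DATA_CONNECTOR_READ, DATA_CONNECTOR_WRITE, "Microsoft.SecurityInsights/incidents/write"):
        print(f"{op}: {tiers_that_can(op)}")
```

Run the same function over the real definitions to confirm that no other role assigned to Tier 1 or Tier 2 (for example a subscription-level Contributor) grants `dataConnectors/write` through a broader wildcard.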