Minimum Permissions Needed for a Microsoft Cloud Security Analyst
Investigate Incidents Effectively under the Principle of Least Privilege.
Microsoft’s system of assigning permissions is a frequent source of confusion for security administrators who are trying to keep the permissions they hand out to a minimum. Someone will walk into their office saying “I need Security Reader”, not realizing that several different roles with that name exist across multiple portals (Azure RBAC, Azure AD, and the individual Defender products), and that each of them grants different access.
In this blog, we will go over the minimum permissions needed to investigate security incidents in Microsoft cloud security products. We will also explain what the permissions are used for so that security admins can understand why they are giving out some of these permissions to analysts.
Azure Sentinel Responder
Azure Sentinel is Microsoft’s cloud SIEM. It ingests data from the other Microsoft cloud security products and shows their alerts in one central place. Analysts need the Azure Sentinel Responder role because it lets them act on an incident as soon as it appears: view the data, and assign, change the status of, and close incidents. It does not let them create or edit analytics rules, workbooks, or playbooks, which is why it is the right baseline for an analyst rather than Azure Sentinel Contributor.
Azure Log Analytics Reader
Azure Sentinel runs on top of a Log Analytics workspace, so an analyst also needs the Log Analytics Reader role (the name of the built-in Azure RBAC role) on that workspace to open it in the portal. Azure Sentinel Responder carries some Log Analytics permissions of its own, but on its own it does not let the analyst browse the workspace that hosts the Azure Sentinel instance. Assign both roles at the workspace scope rather than the subscription, so the analyst cannot read other workspaces that happen to live in the same subscription.
Azure Logic App Operator
Azure Sentinel playbooks are automations built on Azure Logic Apps, and they are extremely useful for investigating and responding to incidents. To use the playbook feature in Azure Sentinel an analyst needs the Logic App Operator role, scoped to the resource group that holds the playbooks, so that they can run playbooks and make their incident handling more efficient. Operator is a read-and-enable role, not an editing role: analysts cannot change a playbook’s steps, so playbook authoring stays with the people who hold Logic App Contributor.
Azure Security Reader (RBAC)
Azure Defender is the threat protection layer of Azure Security Center for Azure resources (the product has since been renamed Microsoft Defender for Cloud), and analysts will open this menu frequently to learn more about the alerts they are investigating. Viewing it requires the Azure RBAC Security Reader role, normally assigned at the subscription scope. Security Reader is read-only: it shows security alerts, recommendations, and secure score, but dismissing or resolving an alert requires Security Admin. Treat Security Admin as one of the discretionary roles described later in this post rather than part of the analyst baseline.
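Putting the four Azure RBAC roles above into a script, as an added example that is not part of the original post: it assigns each role to an Azure AD group at the narrowest scope that works for the job, skips assignments that already exist, and then lists anything the group holds in the subscription beyond that baseline. It assumes the Az PowerShell module, a session where Connect-AzAccount has already been run by someone who can assign roles (Owner or User Access Administrator) on those scopes, and placeholder names (SOC Analysts, rg-sentinel, law-sentinel, rg-sentinel-playbooks) that are mine, not the post’s.

```powershell
# Added example: baseline Azure RBAC roles for a security analyst group.
# Assumes the Az module and a Connect-AzAccount session with rights to assign roles
# on the scopes below. All names are placeholders, not values from the original post.
$groupName     = 'SOC Analysts'             # Azure AD security group holding the analysts
$sentinelRg    = 'rg-sentinel'              # resource group that holds the workspace
$workspaceName = 'law-sentinel'             # Log Analytics workspace Azure Sentinel is enabled on
$playbookRg    = 'rg-sentinel-playbooks'    # resource group that holds the playbook logic apps

$group     = Get-AzADGroup -DisplayName $groupName
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $sentinelRg -Name $workspaceName
$subScope  = "/subscriptions/$((Get-AzContext).Subscription.Id)"
$playbooks = (Get-AzResourceGroup -Name $playbookRg).ResourceId

# Each role at the narrowest scope that still lets an analyst do the job.
# Newer tenants show the Sentinel roles as "Microsoft Sentinel ..."; adjust the name if so.
$baseline = @(
    @{ Role = 'Azure Sentinel Responder'; Scope = $workspace.ResourceId },   # work incidents
    @{ Role = 'Log Analytics Reader';     Scope = $workspace.ResourceId },   # open the workspace
    @{ Role = 'Logic App Operator';       Scope = $playbooks },              # run playbooks
    @{ Role = 'Security Reader';          Scope = $subScope }                # Azure Defender alerts, read-only
)

foreach ($entry in $baseline) {
    # Get-AzRoleAssignment -Scope also returns assignments inherited from parent scopes,
    # so filter to the exact scope before deciding whether a new assignment is needed.
    $existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $entry.Role -Scope $entry.Scope |
        Where-Object { $_.Scope -eq $entry.Scope }
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $entry.Role -Scope $entry.Scope | Out-Null
        Write-Host "Assigned $($entry.Role) at $($entry.Scope)"
    }
}

# Drift check for the regular review: anything the group holds in this subscription that is
# not in the baseline, or is a baseline role at a wider scope, is a finding to justify or remove.
$drift = Get-AzRoleAssignment -ObjectId $group.Id | Where-Object {
    $actual = $_
    -not ($baseline | Where-Object { $_.Role -eq $actual.RoleDefinitionName -and $_.Scope -eq $actual.Scope })
}
if ($drift) {
    Write-Warning 'Role assignments outside the analyst baseline:'
    $drift | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
} else {
    Write-Host 'Group holds exactly the baseline roles in this subscription.'
}
```

Run it once per subscription that hosts a workspace or playbooks, since Get-AzRoleAssignment without a scope lists assignments in the current subscription only. The scope comparisons rely on PowerShell’s -eq being case-insensitive, which matters because Azure Resource Manager returns scope strings in mixed casing. Assigning to a group rather than to individual analysts keeps the review in the closing questions to one object per subscription.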
Various Microsoft 365 Defender Roles
There is a separate permissions menu for each of the four Microsoft 365 Defender products. Finding all of these menus was such a hassle that we wrote a blog about it, so that anyone else looking for them can find them right away. The following is the role an analyst should get in each Microsoft 365 Defender permissions menu in order to investigate alerts.
- MDE: a custom role with every permission except Manage security settings and Live response capabilities.
- Defender for O365: Security Reader.
- MCAS: Security Reader.
- Defender for Identity: membership in the Azure ATP <instance name> Users Azure AD group.
All Other Roles Should be Discretionary
Some analysts will need additional permissions during a complex investigation that touches a specific resource or menu. Rather than granting those permissions permanently, it is a good idea to set up a system where an analyst can request the extra access for the duration of the investigation.
Azure AD Privileged Identity Management (PIM) is built for this: a role is made eligible instead of active, and the analyst activates it for a limited time, optionally with approval and a written justification, and every activation is logged. Alternatively, someone holding the User Access Administrator role can be assigned to grant, and later remove, the extra permissions analysts need to finish an investigation.
We will continue to share best practices and lessons learned in future posts on managing permissions in Microsoft cloud security products. Administrators at CyberMSI are constantly adjusting permissions to keep our attack surface as small as they can practically make it.
In closing, consider these three questions when assigning permissions to analysts in your organization:
- Do we have documentation talking about the roles our analysts currently have or are we assigning permissions ad-hoc?
- Are we regularly evaluating the permissions of users, such as security analysts, who have more permissions than the average user?
- Can we set up an effective system for managing discretionary permissions for security analysts?