Detection and Response permissions

Lighthouse permissions

These are the access permissions needed by the Ironstone managed service, Detection & Response, for resources in the customer's tenant. They are Azure Lighthouse permissions, which grant access only to the resource group in which the Sentinel workspace resides.

  • Without access to your data we won't be able to deploy our services.
  • It is not possible to partially accept the permissions.
| RBAC Role | RBAC description | Why do we need this permission? |
|---|---|---|
| Sentinel Contributor | Can create and edit Microsoft Sentinel resources like workbooks, analytics rules, and more. | Ironstone security administrators can make changes, such as disabling analytics rules. |
| Sentinel Reader | Can view data, incidents, workbooks, and other Microsoft Sentinel resources. | Read-only access to Sentinel. Access granted to technical account managers. |
| Sentinel Responder | Can manage incidents like assign, dismiss, and change incidents. | Allows analysts to read and close incidents. |
| Contributor, Managed Services Registration Assignment | Contributor role allows management of all resources, but does not allow you to assign roles in Azure RBAC. | Allows Ironstone security administrators to perform tasks such as editing storage settings and removing Lighthouse assignments. |
| Sentinel Contributor (Logic App) | Can create and edit Microsoft Sentinel resources like workbooks, analytics rules, and more. | Logic App can make changes in Sentinel, such as adjusting alerts for maintenance. |
| Sentinel Reader (Logic App) | Can view data, incidents, workbooks, and other Microsoft Sentinel resources. | Logic Apps can collect information about incidents for notification services. |
| Sentinel Responder (Logic App) | Can manage incidents like assign, dismiss, and change incidents. | Logic App can close cases when they are closed in other ticketing systems. |


Multi-tenant app registration

To deliver automated and effective threat response through Microsoft Sentinel, we need to install a multi-tenant app in your Entra ID. This app allows us to securely connect and execute playbooks that perform actions such as isolating devices, disabling accounts, and other response tasks.

The App Name is "Ironstone - Detection and response"

Below are the API permissions for the application.

| API | Permission name | Permission description | Why do we need this permission? |
|---|---|---|---|
| Microsoft Graph API | IdentityRiskyUser.ReadWrite.All | Allows the app to read and update identity risky user information without a signed-in user. Update ops include dismissing risky users. | Needed to manage “risky user” cases from Entra ID and mark users compromised when required by incident handling. |
| Microsoft Graph API | Mail.Read | Allows the app to read mail in all mailboxes without a signed-in user. | Needed to investigate email-borne threats (phishing, BEC): retrieve suspicious messages, identify affected recipients, and scope incidents. |
| Microsoft Graph API | SecurityIncident.Read.All | Allows the app to read all security incidents without a signed-in user. | Needed to read Microsoft security incidents for triage, correlation, and correct ticket/notification routing. |
| Microsoft Graph API | ThreatHunting.Read.All | Allows the app to run hunting queries without a signed-in user. | Needed to run advanced hunting queries across Microsoft Defender XDR data (identity, email, endpoint) for incident investigation and scoping. |
| Microsoft Graph API | User.ReadWrite.All | Allows the app to read and update user profiles without a signed-in user. | Needed for identity response actions in confirmed incidents (disable user, revoke sessions) to stop attacker access. |
| Microsoft Defender for Endpoint API (WindowsDefenderATP) | AdvancedQuery.Read.All | Allows the app to run advanced queries without a signed-in user. | Needed to run advanced hunting queries against endpoint telemetry for investigation, alert enrichment, and detection validation. |
| Microsoft Defender for Endpoint API (WindowsDefenderATP) | Alert.Read.All | Allows the app to read all alerts without a signed-in user. | Needed to ingest Defender for Endpoint alerts so we can investigate, enrich, and raise/route tickets. |
| Microsoft Defender for Endpoint API (WindowsDefenderATP) | Machine.Isolate | Allows the app to isolate a device from the network. | Needed for containment in high-confidence active threats; used only under agreed response rules. |
| Microsoft Defender for Endpoint API (WindowsDefenderATP) | Machine.Read.All | Allows the app to read all machine profiles without a signed-in user. | Needed to look up device details and link alerts/vulnerabilities to impacted endpoints for SLA prioritization. |
| Microsoft Defender for Endpoint API (WindowsDefenderATP) | RemediationTasks.Read.All | Allows the app to read all remediation tasks without a signed-in user. | Needed to read existing TVM remediation tasks to track progress and avoid duplicate remediation work. |
| Microsoft Defender for Endpoint API (WindowsDefenderATP) | Score.Read.All | Allows the app to read the Threat & Vulnerability Management (TVM) score without a signed-in user. | Needed to read the exposure score for reporting and to guide risk-based remediation focus. |
| Microsoft Defender for Endpoint API (WindowsDefenderATP) | SecurityRecommendation.Read.All | Allows the app to read TVM security recommendations without a signed-in user. | Needed to pull Microsoft remediation recommendations and attach them to tickets/playbooks. |
| Microsoft Defender for Endpoint API (WindowsDefenderATP) | Software.Read.All | Allows the app to read TVM software inventory without a signed-in user. | Needed to read software inventory to confirm affected products/versions during CVE handling. |
| Microsoft Defender for Endpoint API (WindowsDefenderATP) | Vulnerability.Read.All | Allows the app to read TVM vulnerability information without a signed-in user. | Needed to read CVE details and impacted assets so we can automate critical vulnerability detection and ticket enrichment. |
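As an added example (not Ironstone's code), the following Python reconciles the application permissions actually granted to the multi-tenant app's service principal against the list documented above, so a tenant administrator can spot drift in either direction: documented permissions that were never consented, and consented permissions that are not documented. It assumes the Microsoft Graph objects (resource service principals with their `appRoles`, and the app's `appRoleAssignments`) have already been fetched; the sample data is constructed with placeholder role ids, and matching on the `appDisplayName` values "Microsoft Graph" and "WindowsDefenderATP" is an assumption.

```python
import json

# Application permissions documented on this page, keyed by resource API name.
EXPECTED = {
    "Microsoft Graph": {"IdentityRiskyUser.ReadWrite.All", "Mail.Read",
                        "SecurityIncident.Read.All", "ThreatHunting.Read.All", "User.ReadWrite.All"},
    "WindowsDefenderATP": {"AdvancedQuery.Read.All", "Alert.Read.All", "Machine.Isolate",
                           "Machine.Read.All", "RemediationTasks.Read.All", "Score.Read.All",
                           "SecurityRecommendation.Read.All", "Software.Read.All",
                           "Vulnerability.Read.All"},
}

# Constructed sample in the shape Microsoft Graph returns: each resource service
# principal lists its appRoles (id -> value), and the app's appRoleAssignments
# reference them by appRoleId. The ids are placeholders, not real role GUIDs.
RESOURCE_SPS = json.loads("""[
 {"id": "sp-graph", "appDisplayName": "Microsoft Graph", "appRoles": [
   {"id": "r-0001", "value": "Mail.Read"}, {"id": "r-0002", "value": "Mail.ReadWrite"},
   {"id": "r-0003", "value": "User.ReadWrite.All"}]},
 {"id": "sp-mde", "appDisplayName": "WindowsDefenderATP", "appRoles": [
   {"id": "r-0101", "value": "Machine.Isolate"}, {"id": "r-0102", "value": "Alert.Read.All"}]}]""")
ASSIGNMENTS = json.loads("""[
 {"resourceId": "sp-graph", "appRoleId": "r-0001"}, {"resourceId": "sp-graph", "appRoleId": "r-0002"},
 {"resourceId": "sp-graph", "appRoleId": "r-0003"}, {"resourceId": "sp-mde", "appRoleId": "r-0101"},
 {"resourceId": "sp-mde", "appRoleId": "r-0102"}]""")


def granted_permissions(resource_sps, assignments):
    """Resolve appRoleAssignments to permission names, keyed by resource API name."""
    roles = {(sp["id"], r["id"]): r["value"] for sp in resource_sps for r in sp["appRoles"]}
    names = {sp["id"]: sp["appDisplayName"] for sp in resource_sps}
    granted = {}
    for a in assignments:
        # An id that resolves to no known role is kept visible as "unknown:<id>".
        perm = roles.get((a["resourceId"], a["appRoleId"]), "unknown:" + a["appRoleId"])
        granted.setdefault(names.get(a["resourceId"], a["resourceId"]), set()).add(perm)
    return granted


def reconcile(granted, expected=EXPECTED):
    """Per API: documented-but-missing and granted-but-undocumented permissions."""
    return {api: {"missing": expected.get(api, set()) - granted.get(api, set()),
                  "unexpected": granted.get(api, set()) - expected.get(api, set())}
            for api in set(granted) | set(expected)}


if __name__ == "__main__":
    for api, drift in sorted(reconcile(granted_permissions(RESOURCE_SPS, ASSIGNMENTS)).items()):
        print(api, "missing:", sorted(drift["missing"]), "unexpected:", sorted(drift["unexpected"]))
```

With the constructed sample, Mail.ReadWrite is reported as unexpected for Microsoft Graph, which is the case a reviewer of the consent grant would want flagged.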