Detection and Response permissions
Lighthouse permissions
These are the access permissions needed by the Ironstone managed service, Detection & response, for resources in the customers tenant. These are lighthouse permissions which only grants access to the resource group that the Sentinel workspace resides in.
- Without access to your data we won't be able to deploy our services.
- It is not possible to partially accept the permissions.
| RBAC Role | RBAC description | Why do we need this permission? |
|---|---|---|
| Sentinel Contributor | Can create and edit Microsoft Sentinel resources like workbooks, analytics rules, and more. | Ironstone security administrators can make changes, such as disabling analytics rules. |
| Sentinel Reader | Can view data, incidents, workbooks, and other Microsoft Sentinel resources. | Read-only access to Sentinel. Access granted to technical account managers. |
| Sentinel Responder | Can manage incidents like assign, dismiss, and change incidents. | Allows analysts to read and close incidents. |
| Contributor, Managed Services Registration Assignment | Contributor role allows management of all resources, but does not allow you to assign roles in Azure RBAC. | Allows Ironstone security administrators to perform tasks such as editing storage settings and removing Lighthouse assignments. |
| Sentinel Contributor (Logic App) | Can create and edit Microsoft Sentinel resources like workbooks, analytics rules, and more. | Logic App can make changes in Sentinel, such as adjusting alerts for maintenance. |
| Sentinel Reader (Logic App) | Can view data, incidents, workbooks, and other Microsoft Sentinel resources. | Logic Apps can collect information about incidents for notification services. |
| Sentinel Responder (Logic App) | Can manage incidents like assign, dismiss, and change incidents. | Logic App can close cases when they are closed in other ticketing systems. |
Multi-tenant app registration
To deliver automated and effective threat response through Microsoft Sentinel, we need to install a multi-tenant app in your Entra ID. This app allows us to securely connect and execute playbooks that perform actions such as isolating devices, disabling accounts, and other response tasks.
The App Name is "Ironstone - Detection and response"
Below are the API permissions for the application.
|
API / Permissions name |
Type |
Permission description |
Admin consent required |
Why do we need this permission? |
|---|---|---|---|---|
|
User.ReadWrite.All |
Application |
Allows the app to read and update user profiles without a signed in user. |
Yes |
Revoke user sessions Disable user in Entra ID |
|
IdentityRiskyUser.ReadWrite.All |
Application
|
Allows the app to read and update identity risky user information for your organization without a signed-in user. Update operations include dismissing risky users. |
Yes |
Mark a user as compromised |
|
Machine.Isolate |
Application |
Allows the app to isolate a device from the network. |
Yes |
Isolate a device |