Assigning RBAC Roles for Azure Sentinel Incident Management | MS-500 Exam | Microsoft

Azure Sentinel RBAC Roles for Incident Management

Question

You have set up an Azure Sentinel workspace and now need to assign an RBAC role to a colleague who should be able to manage incidents.

The solution must use the principle of least privilege.

Which role should you assign?

Answers

A. Azure Sentinel Reader
B. Azure Sentinel Responder
C. Azure Sentinel Contributor
D. Logic App Contributor

Explanations

Correct Answer: B

Azure Sentinel Responder (the built-in role is now named Microsoft Sentinel Responder) is the least privileged of the offered roles that still has permission to manage incidents. The Sentinel roles nest, each adding to the one before it, as the table shows:

Role                        View data/incidents  Manage incidents  Edit rules, workbooks, resources  Create/run playbooks
Azure Sentinel Reader       Yes                  No                No                                No
Azure Sentinel Responder    Yes                  Yes               No                                No
Azure Sentinel Contributor  Yes                  Yes               Yes                               No
Logic App Contributor       No                   No                No                                Yes


Option A is incorrect.

This role does not have permission to manage incidents (see table).

Option C is incorrect.

Azure Sentinel Contributor can manage incidents, but it also lets the user create and edit analytics rules, workbooks and other Sentinel resources, so it is not the least privileged role for this task (see table).

Option D is incorrect.

Logic App Contributor lets the user create and run Logic Apps (used by Sentinel as playbooks); it grants no permission to view or manage Sentinel incidents (see table).

Reference:

To learn more about Azure Sentinel roles and permissions, refer to the Microsoft documentation on roles and permissions in Microsoft Sentinel.

To assign an RBAC role to a colleague who should be able to manage incidents in an Azure Sentinel workspace while following the principle of least privilege, we need the role that grants incident management and nothing beyond it.

The options provided are:

A. Azure Sentinel Reader
B. Azure Sentinel Responder
C. Azure Sentinel Contributor
D. Logic App Contributor

Here's a detailed explanation of each role:

A. Azure Sentinel Reader: This role lets the user view data, incidents, workbooks, analytics rules and other Sentinel resources, but not change any of them. It is suitable for auditors and anyone who only needs read access.

B. Azure Sentinel Responder: This role includes all the permissions of Azure Sentinel Reader and adds the ability to manage incidents: assign them, change their status and severity, add comments and close them. It cannot create or edit analytics rules, workbooks, data connectors or other Sentinel resources, so a responder cannot change what gets detected.

C. Azure Sentinel Contributor: This role includes all the permissions of Azure Sentinel Responder and adds the ability to create and edit analytics rules, workbooks, data connectors and other Sentinel resources. It is intended for people who administer the workspace, not just handle its incidents.

D. Logic App Contributor: This is not a Sentinel role at all. It lets the user create, edit and run Logic Apps, which Sentinel uses as playbooks, but by itself grants no permission to view or manage incidents.

To follow the principle of least privilege, assign the Azure Sentinel Responder role to colleagues who must manage incidents. It carries the permissions to assign, update and close incidents and nothing that would let them alter detections or the workspace configuration. Assign it at the scope of the resource group that contains the workspace rather than at the subscription, so the grant is limited in scope as well as in permissions.

Therefore, the correct answer is B. Azure Sentinel Responder.
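The selection and assignment described above, as an added example that is not part of the exam page or of Microsoft's documentation. It encodes the roles table as a capability matrix, picks the least privileged role that covers the requested capabilities, and builds the Azure CLI commands that grant the role at resource-group scope and then list what the user actually holds there. The current built-in role names (Microsoft Sentinel Reader/Responder/Contributor) are used; the subscription ID, resource group name and user principal name are placeholders, and nothing is sent to Azure unless APPLY=1 is set and the az CLI is installed.

```shell
#!/bin/sh
# Added example (not from the exam page or from Microsoft): choose the
# least-privileged Sentinel role for a set of required capabilities, then
# build the az CLI commands that assign and verify it at resource-group scope.
# Subscription ID, resource group and user below are placeholders.
set -eu

# Capability matrix, ordered from least to most privileged. The three Sentinel
# rows nest (each adds to the previous one), so the first row that covers every
# requested capability is the least-privileged choice. Logic App Contributor is
# a separate, non-Sentinel role and only covers playbooks.
ROLE_MATRIX='Microsoft Sentinel Reader|view
Microsoft Sentinel Responder|view manage_incidents
Microsoft Sentinel Contributor|view manage_incidents edit_resources
Logic App Contributor|run_playbooks'

# least_privileged_role CAP... : print the least-privileged role whose
# capability list contains every CAP; return 1 if no single role covers them.
least_privileged_role() {
  local line role caps c ok
  while IFS= read -r line; do
    role=${line%%|*}
    caps=${line#*|}
    ok=1
    for c in "$@"; do
      case " $caps " in
        *" $c "*) ;;
        *) ok=0; break ;;
      esac
    done
    if [ "$ok" -eq 1 ]; then
      printf '%s\n' "$role"
      return 0
    fi
  done <<EOF
$ROLE_MATRIX
EOF
  return 1
}

# scope_for SUBSCRIPTION RESOURCE_GROUP : the resource group holding the
# workspace. Microsoft recommends assigning Sentinel roles here, not at the
# subscription, so the grant is narrow in scope as well as in permissions.
scope_for() {
  printf '/subscriptions/%s/resourceGroups/%s\n' "$1" "$2"
}

# assignment_cmd ROLE UPN SUBSCRIPTION RESOURCE_GROUP : the az CLI command
# that grants ROLE to the user at resource-group scope.
assignment_cmd() {
  printf 'az role assignment create --assignee "%s" --role "%s" --scope "%s"\n' \
    "$2" "$1" "$(scope_for "$3" "$4")"
}

# verify_cmd UPN SUBSCRIPTION RESOURCE_GROUP : lists the role names the user
# holds at that scope, to confirm nothing broader was granted by mistake.
verify_cmd() {
  printf 'az role assignment list --assignee "%s" --scope "%s" --query "[].roleDefinitionName" -o tsv\n' \
    "$1" "$(scope_for "$2" "$3")"
}

# Worked case from the question: the colleague must only manage incidents.
SUBSCRIPTION_ID='00000000-0000-0000-0000-000000000000'   # placeholder
RESOURCE_GROUP='rg-sentinel-prod'                          # placeholder
COLLEAGUE_UPN='analyst@contoso.com'                        # placeholder

ROLE=$(least_privileged_role manage_incidents)
echo "Least-privileged role: $ROLE"
echo "Assign with: $(assignment_cmd "$ROLE" "$COLLEAGUE_UPN" "$SUBSCRIPTION_ID" "$RESOURCE_GROUP")"
echo "Verify with: $(verify_cmd "$COLLEAGUE_UPN" "$SUBSCRIPTION_ID" "$RESOURCE_GROUP")"

# Only touch Azure when explicitly requested and the CLI is installed.
if [ "${APPLY:-0}" = 1 ] && command -v az >/dev/null 2>&1; then
  az role assignment create --assignee "$COLLEAGUE_UPN" --role "$ROLE" \
    --scope "$(scope_for "$SUBSCRIPTION_ID" "$RESOURCE_GROUP")"
  az role assignment list --assignee "$COLLEAGUE_UPN" \
    --scope "$(scope_for "$SUBSCRIPTION_ID" "$RESOURCE_GROUP")" \
    --query "[].roleDefinitionName" -o tsv
fi
```

Run it once without APPLY to see the commands it would issue; run it with APPLY=1 after `az login` to perform the assignment. The verification listing is the check worth keeping: if it shows Contributor or a subscription-level Owner inherited from elsewhere, the least-privilege goal has not actually been met even though Responder was granted.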