Step 2/3: Assign Azure permissions to store forensic objects
An instance can serve multiple services; the role assignments below depend on which combination of services is enabled.
Use Case 1: An instance with only Forensics enabled
Option 1: Storage Account Contributor role
Assign the Storage Account Contributor role to the storage account that will be used as the forensics destination.
To use an instance with other services in addition to forensics, see Use Case 2: An instance with Forensics + Other Services Selected below, which describes the role assignments that work.
Option 2: Builtin Reader role with a custom role
Assign the builtin Reader role along with a custom role (see Steps to Create a Custom Role in Azure) that carries the following permissions in its definition.
- Scope: Storage Account
- Custom Role Definition
{
  "properties": {
    "roleName": "custom-forensics-role",
    "description": "Custom role for forensics in addition to the builtin Reader role",
    "permissions": [
      {
        "actions": [
          "Microsoft.Storage/storageAccounts/blobServices/containers/write",
          "Microsoft.Storage/storageAccounts/listkeys/action",
          "Microsoft.Storage/storageAccounts/blobServices/write"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ],
    "assignableScopes": [
      "/subscriptions/<subscription_id>"
    ]
  }
}
Option 3: Builtin Storage Blob Data Contributor role with a custom role
Assign the builtin Storage Blob Data Contributor role along with a custom role (see Steps to Create a Custom Role in Azure) that carries the following permissions in its definition.
- Scope: Storage Account
- Custom Role Definition
{
  "properties": {
    "roleName": "custom-forensics-role",
    "description": "Custom role for forensics in addition to the builtin Storage Blob Data Contributor role",
    "permissions": [
      {
        "actions": [
          "Microsoft.Storage/storageAccounts/listkeys/action",
          "Microsoft.Storage/storageAccounts/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ],
    "assignableScopes": [
      "/subscriptions/<subscription_id>"
    ]
  }
}
Option 4: Builtin Contributor
This is a privileged role that grants a large set of permissions well beyond what forensics needs.
Use Case 2: An instance with Forensics + Other Services Selected
Assign the builtin Reader role and the custom roles (see Steps to Create a Custom Role in Azure) for each of the services selected when setting up the instance. The custom role for each service is listed under the Custom Roles section.
For example, if the instance has forensics + DLP selected, assign the builtin Reader role along with a single custom role that combines the permissions required for both services:
{
  "properties": {
    "roleName": "forensic-dlp-custom-role",
    "description": "custom role for forensics and DLP",
    "permissions": [
      {
        "actions": [
          "Microsoft.Storage/storageAccounts/listkeys/action",
          "Microsoft.Storage/storageAccounts/blobServices/containers/write",
          "Microsoft.Storage/storageAccounts/blobServices/write",
          "Microsoft.Storage/storageAccounts/read",
          "Microsoft.EventGrid/eventSubscriptions/write",
          "Microsoft.EventGrid/eventSubscriptions/delete"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ],
    "assignableScopes": [
      "/subscriptions/<subscription_id>"
    ]
  }
}
Custom Roles
See Steps to Create a Custom Role in Azure for how to create a custom role.
Custom roles to be used along with the builtin Reader role, depending on the services selected:
- Forensics
{
  "properties": {
    "roleName": "custom-forensics-role",
    "description": "Custom role for forensics in addition to the builtin Reader role",
    "permissions": [
      {
        "actions": [
          "Microsoft.Storage/storageAccounts/blobServices/containers/write",
          "Microsoft.Storage/storageAccounts/listkeys/action",
          "Microsoft.Storage/storageAccounts/blobServices/write"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ],
    "assignableScopes": [
      "/subscriptions/<subscription_id>"
    ]
  }
}
- DLP
{
  "properties": {
    "roleName": "custom-dlp-role",
    "description": "Custom role for Storage Scan in addition to the builtin Reader role",
    "permissions": [
      {
        "actions": [
          "Microsoft.EventGrid/eventSubscriptions/write",
          "Microsoft.Storage/storageAccounts/listkeys/action",
          "Microsoft.EventGrid/eventSubscriptions/delete"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ],
    "assignableScopes": [
      "/subscriptions/<subscription_id>"
    ]
  }
}
- Threat Protection
{
  "properties": {
    "roleName": "custom-dlp-role",
    "description": "Custom role for Storage Scan in addition to the builtin Reader role",
    "permissions": [
      {
        "actions": [
          "Microsoft.EventGrid/eventSubscriptions/write",
          "Microsoft.Storage/storageAccounts/listkeys/action",
          "Microsoft.EventGrid/eventSubscriptions/delete"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ],
    "assignableScopes": [
      "/subscriptions/<subscription_id>"
    ]
  }
}
- Security Assessment
{
  "properties": {
    "roleName": "Netskope CSA Custom Role",
    "description": "Netskope CSA",
    "permissions": [
      {
        "actions": [
          "Microsoft.Web/sites/config/list/action",
          "Microsoft.Network/networkWatchers/queryFlowLogStatus/action"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ],
    "assignableScopes": [
      "/subscriptions/<subscription_id>"
    ]
  }
}
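The combined role in Use Case 2 is the union of the per-service custom roles above, with the action that both forensics and DLP need (listkeys) listed once, plus Microsoft.Storage/storageAccounts/read. The following script is an added example and not Netskope's own tooling: it builds such a combined definition from the per-service action lists on this page and runs a least-privilege check (no wildcard actions, no actions outside what this page lists, no data-plane actions, assignable only under a subscription) before the JSON is handed to the portal's Start from JSON option. The SUBSCRIPTION_ID placeholder, the function names and the output file name are assumptions of the example.

```python
"""Build a combined Netskope custom role from per-service action lists and
sanity-check it for least privilege before creating it in Azure.

Added example, not Netskope's tooling. Action strings are the ones on this
page; SUBSCRIPTION_ID and the output file name are placeholders (assumptions).
"""
import json

SUBSCRIPTION_ID = "<subscription_id>"  # placeholder: replace with your subscription GUID

# Per-service control-plane actions, copied from the "Custom Roles" section.
# Each list is meant to be combined with the builtin Reader role.
SERVICE_ACTIONS = {
    "forensics": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Storage/storageAccounts/blobServices/write",
    ],
    "dlp": [
        "Microsoft.EventGrid/eventSubscriptions/write",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.EventGrid/eventSubscriptions/delete",
    ],
    # The page lists the same actions for Threat Protection as for DLP.
    "threat_protection": [
        "Microsoft.EventGrid/eventSubscriptions/write",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.EventGrid/eventSubscriptions/delete",
    ],
    "security_assessment": [
        "Microsoft.Web/sites/config/list/action",
        "Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
    ],
}

# Every action this page lists anywhere, including storageAccounts/read from
# the forensics + DLP example. Anything outside this set is flagged.
ALLOWED_ACTIONS = {a for acts in SERVICE_ACTIONS.values() for a in acts} | {
    "Microsoft.Storage/storageAccounts/read",
}


def build_role(role_name, description, services, extra_actions=(),
               subscription_id=SUBSCRIPTION_ID):
    """Return one role definition whose actions are the union of the selected
    services' actions plus extra_actions; duplicates are listed once."""
    actions = []
    for svc in services:
        if svc not in SERVICE_ACTIONS:
            raise ValueError(f"unknown service {svc!r}; choose from {sorted(SERVICE_ACTIONS)}")
        for action in SERVICE_ACTIONS[svc]:
            if action not in actions:
                actions.append(action)
    for action in extra_actions:
        if action not in actions:
            actions.append(action)
    return {
        "properties": {
            "roleName": role_name,
            "description": description,
            "permissions": [
                {"actions": actions, "notActions": [],
                 "dataActions": [], "notDataActions": []}
            ],
            "assignableScopes": [f"/subscriptions/{subscription_id}"],
        }
    }


def check_role(role, allowed_actions=ALLOWED_ACTIONS):
    """Return a list of least-privilege problems; an empty list means the
    definition grants only what this page calls for."""
    problems = []
    props = role["properties"]
    for perm in props["permissions"]:
        for action in perm["actions"]:
            if "*" in action:
                problems.append(f"wildcard action: {action}")
            elif action not in allowed_actions:
                problems.append(f"unexpected action: {action}")
        if perm["dataActions"] or perm["notDataActions"]:
            problems.append("data-plane actions present; this page's roles are control-plane only")
    for scope in props["assignableScopes"]:
        # Root ("/") or management-group scopes make the role assignable far
        # more widely than the single subscription this page uses.
        if not scope.startswith("/subscriptions/"):
            problems.append(f"assignable scope wider than a subscription: {scope}")
    return problems


def write_role_file(role, path):
    """Write the definition as the JSON file the portal's Start from JSON expects."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(role, fh, indent=2)
    return path


if __name__ == "__main__":
    role = build_role("forensic-dlp-custom-role", "custom role for forensics and DLP",
                      ["forensics", "dlp"],
                      extra_actions=["Microsoft.Storage/storageAccounts/read"])
    issues = check_role(role)
    if issues:
        raise SystemExit("refusing to write role:\n  " + "\n  ".join(issues))
    print(write_role_file(role, "forensic-dlp-custom-role.json"))  # assumed file name
```

Run it once per instance with the services that instance has selected; the generated file is the one you pick in step 6 of the portal procedure below. The check function is deliberately strict: a definition that someone later widens with a wildcard such as a whole-provider action, or that becomes assignable at the root scope, is rejected before it ever reaches Azure.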
Steps to Create a Custom Role in Azure
- Prepare the JSON file for the required role definition.
- In the Azure portal, open a management group, subscription, or resource group where you want the custom role to be assignable and then open Access control (IAM).
- Click Add and then click Add custom role. This opens the custom roles editor.
- On the Basics tab, in Baseline permissions, select Start from JSON.
- Next to the Select a file box, click the folder button to open the Open dialog box.
- Select the JSON file and then click Open.
- In the Custom role name box, specify a name for the custom role.
- In the Description box, specify an optional description for the custom role.
- Click “Review + create” to review the role, and finally click Create to create the custom role.