Step 2/3: Assign Azure permissions to store forensic objects

An instance can be used for multiple services; based on the combination of services selected, make the following role assignments.

Use Case 1: An instance with only Forensics enabled

Option 1: Storage Account Contributor role

Assign the Storage Account Contributor role to the storage account that will be used as the forensics destination.

This ensures that only the storage account where this role has been assigned is accessible to Netskope. This means that if the forensics destination needs to be modified to a different storage account, the app registration should be assigned the role to that storage account.

To use an instance with other services in addition to forensics, refer to Use Case 2: An instance with Forensics + Other Services Selected below, which describes the role assignments that work.

Option 2: Builtin Reader role with a custom role

Assign the builtin Reader role together with a custom role (refer to Steps to Create a Custom Role in Azure) that has the following permissions in its role definition.

  • Scope: Storage Account

  • Custom Role Definition

{
  "properties": {
      "roleName": "custom-forensics-role",
      "description": "Custom role for forensics in addition to the builtin Reader role",
      "permissions": [
          {
              "actions": [
                "Microsoft.Storage/storageAccounts/blobServices/containers/write",
                "Microsoft.Storage/storageAccounts/listkeys/action",
                "Microsoft.Storage/storageAccounts/blobServices/write"
              ],
              "notActions": [],
              "dataActions": [],
              "notDataActions": []
          }
      ],
      "assignableScopes": [
        "/subscriptions/<subscription_id>"
    ]
  }
}

Option 3: Builtin Storage Blob Data Contributor role with a custom role

Assign the builtin Storage Blob Data Contributor role together with a custom role (refer to Steps to Create a Custom Role in Azure) that has the following permissions in its role definition.

  • Scope: Storage Account

  • Custom Role Definition

{
  "properties": {
      "roleName": "custom-forensics-role",
      "description": "Custom role for forensics in addition to the builtin Storage Blob Data Contributor role",
      "permissions": [
          {
              "actions": [
                "Microsoft.Storage/storageAccounts/listkeys/action",
                "Microsoft.Storage/storageAccounts/read"
              ],
              "notActions": [],
              "dataActions": [],
              "notDataActions": []
          }
      ],
      "assignableScopes": [
        "/subscriptions/<subscription_id>"
    ]
  }
}

Option 4: Builtin Contributor

This is a privileged builtin role that grants a large set of permissions.

Use Case 2: An instance with Forensics + Other Services Selected

Assign the builtin Reader role and the custom roles (refer to Steps to Create a Custom Role in Azure) for each of the services selected when setting up the instance. The custom role for each service can be found under the section Custom Roles below.

For example, if the instance has forensics + DLP selected, assign the builtin Reader role along with a custom role and permissions required for both these services:

{
  "properties": {
    "roleName": "forensic-dlp-custom-role",
    "description": "custom role for forensics and DLP",
    "permissions": [
      {
        "actions": [
          "Microsoft.Storage/storageAccounts/listkeys/action",
          "Microsoft.Storage/storageAccounts/blobServices/containers/write",
          "Microsoft.Storage/storageAccounts/blobServices/write",
          "Microsoft.Storage/storageAccounts/read",
          "Microsoft.EventGrid/eventSubscriptions/write",
          "Microsoft.EventGrid/eventSubscriptions/delete"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ],
    "assignableScopes": [
        "/subscriptions/<subscription_id>"
    ]
  }
}

Custom Roles

Refer to the section Steps to Create a Custom Role in Azure for the steps to create a custom role.

Custom roles to be used along with the builtin Reader role based on the services selected:

  • Forensics

    {
      "properties": {
          "roleName": "custom-forensics-role",
          "description": "Custom role for forensics in addition to the builtin Reader role",
          "permissions": [
              {
                  "actions": [
                    "Microsoft.Storage/storageAccounts/blobServices/containers/write",
                    "Microsoft.Storage/storageAccounts/listkeys/action",
                    "Microsoft.Storage/storageAccounts/blobServices/write"
                  ],
                  "notActions": [],
                  "dataActions": [],
                  "notDataActions": []
              }
          ],
          "assignableScopes": [
            "/subscriptions/<subscription_id>"
        ]
      }
    }
  • DLP

    {
      "properties": {
        "roleName": "custom-dlp-role",
        "description": "Custom role for Storage Scan in addition to the builtin Reader role",
        "permissions": [
          {
            "actions": [
              "Microsoft.EventGrid/eventSubscriptions/write",
              "Microsoft.Storage/storageAccounts/listkeys/action",
              "Microsoft.EventGrid/eventSubscriptions/delete"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
          }
        ],
        "assignableScopes": [
          "/subscriptions/<subscription_id>"
        ]
      }
    }
  • Threat Protection

    {
      "properties": {
        "roleName": "custom-dlp-role",
        "description": "Custom role for Storage Scan in addition to the builtin Reader role",
        "permissions": [
          {
            "actions": [
              "Microsoft.EventGrid/eventSubscriptions/write",
              "Microsoft.Storage/storageAccounts/listkeys/action",
              "Microsoft.EventGrid/eventSubscriptions/delete"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
          }
        ],
        "assignableScopes": [
          "/subscriptions/<subscription_id>"
        ]
      }
    }
  • Security Assessment

    {
      "properties": {
        "roleName": "Netskope CSA Custom Role",
        "description": "Netskope CSA",
        "permissions": [
          {
            "actions": [
              "Microsoft.Web/sites/config/list/action",
              "Microsoft.Network/networkWatchers/queryFlowLogStatus/action"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
          }
        ],
        "assignableScopes": [
          "/subscriptions/<subscription_id>"
        ]
      }
    }
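As an added example (not Netskope's code) of how the per-service custom roles listed above combine into the single custom role that Use Case 2 calls for, the following Python builds role definitions in this page's layout, merges them with duplicate actions removed, and checks that an assignment scoped to a storage account falls inside the role's assignableScopes. The subscription id is the page's placeholder; the resource group and storage account names used in any call are assumed.

```python
# Constructed per-service role definitions in the shape this page uses;
# "<subscription_id>" is a placeholder, as on the page.
SUBSCRIPTION_ID = "<subscription_id>"
FORENSICS_ACTIONS = [
    "Microsoft.Storage/storageAccounts/blobServices/containers/write",
    "Microsoft.Storage/storageAccounts/listkeys/action",
    "Microsoft.Storage/storageAccounts/blobServices/write",
]
DLP_ACTIONS = [
    "Microsoft.EventGrid/eventSubscriptions/write",
    "Microsoft.Storage/storageAccounts/listkeys/action",
    "Microsoft.EventGrid/eventSubscriptions/delete",
]

def role_definition(role_name, description, actions, subscription_id=SUBSCRIPTION_ID):
    """Build a custom role definition document in the layout shown on this page."""
    return {"properties": {
        "roleName": role_name,
        "description": description,
        "permissions": [{"actions": list(actions), "notActions": [],
                         "dataActions": [], "notDataActions": []}],
        "assignableScopes": [f"/subscriptions/{subscription_id}"],
    }}

def merge_roles(role_name, description, *roles):
    """Combine per-service roles into the single custom role Use Case 2 calls for.
    Actions and assignableScopes are deduplicated (listkeys/action is in both
    inputs) and kept in first-seen order."""
    actions = dict.fromkeys(a for r in roles
                            for p in r["properties"]["permissions"] for a in p["actions"])
    scopes = dict.fromkeys(s for r in roles for s in r["properties"]["assignableScopes"])
    merged = role_definition(role_name, description, actions)
    merged["properties"]["assignableScopes"] = list(scopes)
    return merged

def storage_account_scope(subscription_id, resource_group, account_name):
    """Resource id of a storage account: the assignment scope this page recommends
    so that only the forensics destination is reachable to the app registration."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Storage/storageAccounts/{account_name}")

def scope_is_assignable(role, scope):
    """True if scope equals one of the role's assignableScopes or lies beneath it;
    Azure refuses a role assignment at a scope outside assignableScopes."""
    return any(scope == s or scope.startswith(s.rstrip("/") + "/")
               for s in role["properties"]["assignableScopes"])
```

The merged dictionary, serialized with json.dumps, is the file that step 1 of Steps to Create a Custom Role in Azure asks you to prepare for Start from JSON.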

Steps to Create a Custom Role in Azure

  1. Prepare the JSON file for the required role definition.

  2. In the Azure portal, open a management group, subscription, or resource group where you want the custom role to be assignable and then open Access control (IAM).

  3. Click Add and then click Add custom role.

    This opens the custom roles editor.

  4. On the Basics tab, in Baseline permissions, select Start from JSON.

  5. Next to the Select a file box, click the folder button to open the Open dialog box.

  6. Select the JSON file and then click Open.

  7. In the Custom role name box, specify a name for the custom role.

  8. In the Description box, specify an optional description for the custom role.

  9. Click “Review + create” to review the role, and finally click Create to create the custom role.
