How to Apply the Proper Role to Allow an Analyst to Investigate Azure Sentinel Incidents in Azure Defender

I’ve run across this a bit more recently, so I thought it worthy to post some clarification on the proper role that needs to be applied to allow an Azure Sentinel analyst to click-through an Incident and investigate in Azure Defender.

If you have enabled the Defender (Azure Security Center) connector for Azure Sentinel, you’ll see Incidents show up in the Incidents blade that are generated by the originating service, but display a link to delve into further investigation (see example below).

Click-through to Defender

This ability requires a bit more access than just the roles available through Azure Sentinel. Without the proper role applied, the Azure Sentinel analyst will be met with a “no access” message. In addition to the proper role applied for access to Azure Sentinel Incidents (Responder), the account also needs at least Contributor access on the Resource Group to enable access to the original Azure Defender alert.

RG Contributor

See: Permissions in Azure Security Center

I do it this way: I have an AAD group created I call Defender Contributor Security Role that has Contributor access to the Resource Group that manages Azure Sentinel and Defender (one RG to rule them all!).

Defender Contributor Security Role

=========================

[Want to discuss this further? Hit me up on Twitter or LinkedIn]

Author