In Azure Sentinel, its easy to quickly create a Teams channel for a specific Incident to use as a centralized “war room” for critical events.
You choose the Action option for the Incident, choose Create Team and supply the Teams channel information along with who should have proper access through AAD Group inheritance.
Once the Teams channel is created you then can use Teams to add non-Azure Sentinel users for Incident collaboration and review. This enables the SOC to pull in others from around the organization who need to be privy to the operation, particularly if there’s a successful intrusion.
For an example of who you might include in this “extra” set of people for the Teams channel, use the guidance from Rin Ure’s SOC Process Framework Workbook. You might identify others as part of the Teams channel. For example, if this is a intrusion that must be communicated publicly and with shareholders, a representative from your corporate communications team may need to be included.
The extra individuals (beyond your security team members granted access through the Azure Sentinel Teams creation panel) you choose to add here, most likely do not also have access to Azure Sentinel and the original Incident in the Sentinel console. Nor should they, in most cases.
Here’s the access requirements for each step in this process.
For the Teams creation function in Azure Sentinel interface:
- The user needs to have Incidents write permissions in Azure Sentinel. The Azure Sentinel Responder is the ideal role (or least privilege requirement) for this capability.
- Currently, the user needs to have Teams creation permissions in Teams. This requirement may change in the future.
- Any Azure Sentinel user (Reader, Responder, or Contributor) gains access to the Teams channel through request the first time they attempt to access it.
For the users that are added through the Teams interface:
- Any user can be added to the Teams channel through add member feature.
- There is no requirement that the Teams user will be the same as the one in Sentinel.
- Gaining access to the Incident through the Teams interface does not automatically give that individual to access to Azure Sentinel.
This content is intended to help clarify the roles required to work with Teams in Azure Sentinel, and the guidance around when and how to separate roles based on responsibility and activity. If something is still unclear, please hit me up on Twitter (@rodtrent) and let me know. I’ll be happy to make even further clarification.
[Subscribe to the RSS feed for this blog]
[Subscribe to the Weekly Azure Sentinel Newsletter]