Exam SC-200
Question 163

You have an Azure subscription that has the enhanced security features in Microsoft Defender for Cloud enabled and contains a user named User1.

You need to ensure that User1 can export alert data from Defender for Cloud. The solution must use the principle of least privilege.

Which role should you assign to User1?

    Correct Answer: C

    The Contributor role allows the user to have the necessary permissions to export alert data from Microsoft Defender for Cloud while adhering to the principle of least privilege. The Contributor can view and export alerts without the ability to make administrative changes to the overall setup, unlike the Owner role which grants excessive permissions. Therefore, assigning the Contributor role to User1 ensures that they can perform the required task without granting them unnecessary privileges.

Discussion
tooaungyan (Option: C)

should be C since least privilege

fred99

owner see https://docs.microsoft.com/en-us/azure/defender-for-cloud/continuous-export?tabs=azure-portal#manual-one-time-export-of-alerts-and-recommendations

AK4U_111

Wrong! The link you provided states clearly that a contributor role can export the data. "For a Log Analytics workspace: After the user accepts the invitation to join the tenant, assign the user in the workspace tenant one of these roles: Owner, Contributor, Log Analytics Contributor, Sentinel Contributor, Monitoring Contributor"

nsss

It says that under "Export data to an Azure Event Hubs or Log Analytics workspace in another tenant". It doesn't mention another tenant or even an event hub or workspace.

BMG6 (Option: D)

The correct answer is D. Reader. The Reader role in Defender for Cloud allows users to view recommendations, alerts, a security policy, and security states, but cannot make changes. This is the least privileged role that allows User1 to export alert data from Defender for Cloud. The other options are incorrect. Option A: The User Access Administrator role allows users to manage user access to Defender for Cloud. It does not allow users to export alert data. Option B: The Owner role allows users to do everything that the Reader role allows, plus they can make changes to the security policy and recommendations. This is more privileged than necessary. Option C: The Contributor role allows users to do everything that the Reader role allows, plus they can apply recommendations and dismiss alerts. This is more privileged than necessary.

nsss

As far as I can tell from the documentation, you need Security admin or Owner to export alerts data? https://learn.microsoft.com/en-us/azure/defender-for-cloud/continuous-export?tabs=azure-portal

kazaki (Option: C)

you use a Log Analytics workspace, assign the user in the workspace tenant one of these roles: Owner, Contributor, Log Analytics Contributor, Sentinel Contributor, or Monitoring Contributor.

shadowdark83 (Option: D)

Think it is D.

Ramye

No. Ans is here https://learn.microsoft.com/en-us/azure/defender-for-cloud/continuous-export?tabs=azure-portal that is Owner for this question.

Ramye

hmm... after further reading now I'm puzzled and think the answer is reader - the same article also says the below: To export to a Log Analytics workspace: "If it has the SecurityCenterFree solution, you must have a minimum of Read permissions for the workspace solution: Microsoft.OperationsManagement/solutions/read."
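Added example, not part of the comment above or of the original page: a check of which built-in roles' control-plane `Actions` cover a given operation, such as the `Microsoft.OperationsManagement/solutions/read` permission quoted above. The role definitions are abridged copies constructed for this example (the real Contributor role lists further `NotActions`), and `DataActions` and assignment scope are not modelled.

```python
from fnmatch import fnmatchcase

# Abridged built-in role definitions, constructed for this example.
ROLES = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Owner": {"Actions": ["*"], "NotActions": []},
    "User Access Administrator": {
        "Actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "NotActions": [],
    },
}


def _matches(pattern, operation):
    # Operation strings compare case-insensitively; "*" matches any run of characters.
    return fnmatchcase(operation.lower(), pattern.lower())


def role_allows(role, operation):
    """Granted when some Actions pattern matches and no NotActions pattern does."""
    definition = ROLES[role]
    allowed = any(_matches(p, operation) for p in definition["Actions"])
    excluded = any(_matches(p, operation) for p in definition["NotActions"])
    return allowed and not excluded


def roles_covering(operations):
    """Names of the roles whose definition grants every listed operation."""
    return sorted(r for r in ROLES if all(role_allows(r, op) for op in operations))


if __name__ == "__main__":
    for op in ("Microsoft.OperationsManagement/solutions/read",
               "Microsoft.Authorization/roleAssignments/write"):
        print(op, "->", roles_covering([op]))
```
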

Alizade (Option: D)

The correct answer is D. Reader.

kazaki (Option: B)

Security admin or owner https://learn.microsoft.com/en-us/azure/defender-for-cloud/continuous-export?tabs=azure-portal#availability

ApexPredator84 (Option: D)

D as per this link: https://learn.microsoft.com/en-us/azure/defender-for-cloud/privacy

Ramye

The article you shared is related to user data not alert data, so this can be applied.

im20batman (Option: B)

https://learn.microsoft.com/en-us/azure/defender-for-cloud/continuous-export?tabs=azure-portal

tonymontana007 (Option: C)

Contributor can view alerts and edit them (on subscription level) which means it follows the principle of least privilege.

mspcute (Option: C)

The correct answer is C. "If you're using a Log Analytics Workspace, assign the user in the workspace tenant one of these roles: Owner, Contributor, Log Analytics Contributor, Sentinel Contributor, or Monitoring Contributor." https://learn.microsoft.com/en-us/azure/defender-for-cloud/continuous-export?tabs=azure-portal#export-data-to-an-azure-event-hubs-or-log-analytics-workspace-in-another-tenant

smosmo (Option: D)

Detailed Role Information for Reader The Reader role in Azure provides the following permissions: View all resources. Access and export alert data from Microsoft Defender for Cloud. Read-only access to monitoring data and other resource properties.

Hawklx (Option: D)

Based on others' comments and docs

sebas12345

Admin or Owners can export! So the answer would be Admin! https://learn.microsoft.com/en-us/azure/defender-for-cloud/continuous-export

7d801bf (Option: D)

correct answer is Reader

Sekpluz (Option: B)

https://learn.microsoft.com/en-us/azure/defender-for-cloud/continuous-export?tabs=azure-portal#availability

Sneekygeek (Option: B)

While a reader can view the alerts the question says we need to be able to export them. All the docs for defender for cloud regarding exporting alerts are talking about setting up SIEM integration which requires owner perms.

Cloud_EG (Option: B)

B. Owner Reference: https://learn.microsoft.com/en-us/azure/defender-for-cloud/continuous-export?tabs=azure-portal see the table under Availability. It says "Required roles and permissions: Security Admin or Owner for the resource group."