Step 2/3: Assign Azure permissions to store forensic objects
To store forensic-related logs in Blob storage, under Roles either create a custom role combined with the built-in Reader role, or assign the Storage Blob Data Contributor role on the blob storage. Either way, the assigned roles must include the following permissions:
Microsoft.Storage/storageAccounts/listkeys/action - This permission returns the access keys for the specified storage account.
Microsoft.Storage/storageAccounts/read - This permission returns the list of storage accounts or gets the properties for the specified storage account.
Note
You can limit the permissions for the subscription to a single storage account after you've set up the subscription instance for forensics in your Netskope tenant. For detailed information, see Limit permissions for Forensics to Azure Storage Account.
The built-in Reader role grants the following actions:
Gets an Azure subscription definition within a management group.
Gets information about a role definition.
Lists all the permissions the caller has at a given scope.
Gets the list of storage accounts or gets the properties for the specified storage account.
Gets the list of blob services.
Gets the list of containers.
Reads an eventSubscription.
Gets the list of regional event subscriptions.
Important
If you are configuring this instance for Forensic in combination with other features such as Security Posture, DLP, and Threat Protection, you must create a separate custom role for each feature. For each supported combination of features, assign the roles marked in the table below:
Feature/Role | Reader + Custom | Inbuilt Contributor | Storage Blob Data Contributor |
---|---|---|---|
Forensic | X | X | X |
DLP, Forensic | X | X | |
Threat Protection, Forensic | X | X | |
Security Posture, Forensic | X | X | |
DLP, Threat Protection, Security Assessment, Forensic | X | X | |
To create a custom role for Forensic:
Create a JSON file with the following content and save it as NetskopeForensics.json.
{
  "Name": "Netskope Forensics Custom Role",
  "IsCustom": true,
  "Description": "Forensics",
  "Actions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/write",
    "Microsoft.Storage/storageAccounts/listkeys/action",
    "Microsoft.Storage/storageAccounts/blobServices/write"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/<subscription-id>"]
}
To get the <subscription-id>:
Navigate to All services > General > Subscriptions.
Copy the subscription ID and replace the <subscription-id> placeholder in the file with the copied ID.
Next, use Azure PowerShell: click the Cloud Shell icon on the top-center bar of the Azure portal page.
Note
The shell may prompt you to create and mount a storage account.
On the PowerShell top navigation, select the Upload/Download files icon and then Upload.
Upload the NetskopeForensics.json file. Then, at the PowerShell prompt, enter the following command:
New-AzRoleDefinition -InputFile "NetskopeForensics.json"
When you run this command, Azure creates a custom role named Netskope Forensics Custom Role with the Microsoft.Storage/storageAccounts/blobServices/containers/write, Microsoft.Storage/storageAccounts/listkeys/action, and Microsoft.Storage/storageAccounts/blobServices/write permissions.
Under Roles, assign both the Reader role and the Netskope Forensics Custom Role.
Note
If you have multiple subscriptions, you can group them under a Management Group and assign the role at the Management Group.
Keep Assign access to set to Azure AD user, group, or service principal.
Under Select, search for the newly created Azure AD application and select it.
Click Save.
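The same procedure (create the custom role, then assign Reader and the custom role to the Netskope Azure AD application) as one Azure PowerShell script, added here as an example and not taken from the Netskope documentation. The subscription ID, the application's display name and the role name are placeholders you supply; the script assigns at subscription scope, which is what the portal steps above do, and the comment shows where to narrow the scope later.

```powershell
# Added example (not Netskope's own code). Run in Azure Cloud Shell (PowerShell) after
# replacing the placeholders below.
$SubscriptionId = "<subscription-id>"                # from All services > General > Subscriptions
$AppDisplayName = "<netskope-app-display-name>"      # the Azure AD application created for Netskope
$RoleName       = "Netskope Forensics Custom Role"

Set-AzContext -Subscription $SubscriptionId | Out-Null

# Step 1: write NetskopeForensics.json and create the role definition, unless it already exists.
if (-not (Get-AzRoleDefinition -Name $RoleName -ErrorAction SilentlyContinue)) {
    $role = [ordered]@{
        Name             = $RoleName
        IsCustom         = $true
        Description      = "Forensics"
        Actions          = @(
            "Microsoft.Storage/storageAccounts/blobServices/containers/write",
            "Microsoft.Storage/storageAccounts/listkeys/action",
            "Microsoft.Storage/storageAccounts/blobServices/write"
        )
        NotActions       = @()
        DataActions      = @()
        NotDataActions   = @()
        AssignableScopes = @("/subscriptions/$SubscriptionId")
    }
    $role | ConvertTo-Json -Depth 5 | Set-Content -Path "NetskopeForensics.json" -Encoding utf8
    New-AzRoleDefinition -InputFile "NetskopeForensics.json" | Out-Null
}

# Step 2: resolve the service principal behind the Azure AD application.
$sp = Get-AzADServicePrincipal -DisplayName $AppDisplayName
if (-not $sp) { throw "No service principal with display name '$AppDisplayName' found." }

# Step 3: assign Reader and the custom role at subscription scope (what the portal steps do).
# Once the Netskope instance is set up, the scope can be narrowed to the storage account that
# receives forensic objects, e.g. ".../resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<name>".
$scope = "/subscriptions/$SubscriptionId"
foreach ($r in @("Reader", $RoleName)) {
    if (-not (Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $r -Scope $scope)) {
        New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $r -Scope $scope | Out-Null
    }
}

# Step 4: review what the application now holds at that scope, so nothing broader slipped in.
Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope |
    Select-Object RoleDefinitionName, Scope
```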