Restricting GCP Workload Identity Authentication to Specific Azure Sentinel Data Connectors

sheetal soni 0 Reputation points
2024-10-07T10:47:26.8966667+00:00

I have to ingest GCP audit logs into the Azure Sentinel Pub/Sub audit log connector, and authentication should be done using GCP Workload Identity. I have created the setup and it's working fine. In this setup, while setting up the provider, the issuer and one of the allowed audiences should be the same as what's in the Microsoft official document, and I have configured it in this way only. But now we have to restrict that only a specific data connector should be able to authenticate with Workload Identity and others shouldn't. For example, if there are two connectors, one should be able to authenticate but the other should not. So what is the way to restrict it?

Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.

1 answer

  1. Givary-MSFT 32,671 Reputation points Microsoft Employee
    2024-10-14T08:27:34.8133333+00:00

    @sheetal soni Thank you for reaching out to us. As far as I am aware, the data connector is just used to get some data from GCP; when the connector is created, GCP will create and grant some permissions to this connector so that the connector can ingest logs from GCP. This means that if you want to do some permission configuration, you need to do it on the GCP side; I would recommend reviewing the settings on GCP.

    "I'm not sure if the following steps will be helpful (I got them from our internal AI engine tool), but they might be worth trying."

    To restrict authentication for a specific data connector when using GCP Workload Identity to authenticate with Azure Sentinel Pub/Sub Audit Log Connector, you can use the following steps:

    1. Create a new service account in GCP that will be used exclusively for the data connector that you want to allow authentication for.

    2. Grant the necessary permissions to the service account to access the GCP audit logs that the data connector needs to ingest.

    3. Configure the GCP Workload Identity pool to only allow the service account to authenticate with the Azure Sentinel Pub/Sub Audit Log Connector. You can do this by specifying the service account's email address as the allowed audience in the provider issuer configuration.

    4. Configure the Azure Sentinel Pub/Sub Audit Log Connector to only accept authentication requests from the service account's email address. You can do this by specifying the service account's email address as the allowed audience in the connector configuration.

    By following these steps, you can restrict authentication for a specific data connector when using GCP Workload Identity to authenticate with Azure Sentinel Pub/Sub Audit Log Connector. Only the service account that you have specified will be able to authenticate with the connector, while other data connectors will not be able to authenticate.

    Let me know if you have any further questions, feel free to post back.
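The following is an added example, not code from the question, the answer, Microsoft or Google. It models the two GCP-side checks that decide whether a federated token may impersonate the ingest service account: the Workload Identity pool provider (issuer, allowed audiences and an attribute condition) and the `roles/iam.workloadIdentityUser` binding on the service account. It assumes that each Sentinel connector authenticates with its own Azure identity and therefore presents a distinct `sub` claim; the issuer, audience, project number, pool, provider, service-account and subject values are constructed placeholders, nothing is sent to GCP or Azure, and the CEL attribute condition is approximated by a set membership test. The `gcloud` strings it prints use documented flags of `gcloud iam workload-identity-pools providers update-oidc` and `gcloud iam service-accounts add-iam-policy-binding`, but they are rendered for review, not executed.

```python
"""Added example: model of the two GCP-side checks that gate a Workload
Identity Federation exchange, showing how one Sentinel connector can be
allowed to impersonate the ingest service account while another is refused.
All values are constructed placeholders; nothing here calls GCP or Azure."""
from __future__ import annotations
from dataclasses import dataclass, field

# --- Constructed placeholders (not real tenant, project or identity values) ---
ISSUER_URI = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
ALLOWED_AUDIENCE = "api://constructed-sentinel-audience"
PROJECT_NUMBER = "123456789012"
POOL_ID = "sentinel-pool"
PROVIDER_ID = "sentinel-provider"
SA_EMAIL = "sentinel-ingest@example-project.iam.gserviceaccount.com"
# Assumption: each connector authenticates with its own Azure identity, so each
# token carries a different `sub` claim. These object IDs are constructed.
ALLOWED_CONNECTOR_SUB = "11111111-1111-1111-1111-111111111111"
OTHER_CONNECTOR_SUB = "22222222-2222-2222-2222-222222222222"


def principal_member(subject: str) -> str:
    """IAM member string matching exactly one federated subject, not the whole pool."""
    return (f"principal://iam.googleapis.com/projects/{PROJECT_NUMBER}/locations/global/"
            f"workloadIdentityPools/{POOL_ID}/subject/{subject}")


@dataclass
class ProviderConfig:
    issuer_uri: str
    allowed_audiences: set[str]
    # Stand-in for the provider's CEL attribute condition ("assertion.sub == '...'").
    # None means no condition is set, which is the permissive default.
    allowed_subjects: set[str] | None = None


@dataclass
class ServiceAccountPolicy:
    # Members holding roles/iam.workloadIdentityUser on the service account.
    workload_identity_users: set[str] = field(default_factory=set)


def exchange_allowed(token: dict, provider: ProviderConfig,
                     sa_policy: ServiceAccountPolicy) -> tuple[bool, str]:
    """Decide whether `token` may impersonate the service account.
    Checks run in the order GCP applies them: issuer, audience,
    attribute condition, then the binding on the service account."""
    if token.get("iss") != provider.issuer_uri:
        return False, "issuer mismatch"
    if token.get("aud") not in provider.allowed_audiences:
        return False, "audience not allowed by provider"
    if provider.allowed_subjects is not None and token.get("sub") not in provider.allowed_subjects:
        return False, "rejected by provider attribute condition"
    if principal_member(token.get("sub", "")) not in sa_policy.workload_identity_users:
        return False, "no workloadIdentityUser binding for this subject"
    return True, "ok"


def restricted_setup(subject: str) -> tuple[ProviderConfig, ServiceAccountPolicy]:
    """Configuration that admits only one connector: a condition on the provider
    plus a per-subject (not pool-wide) binding on the service account."""
    provider = ProviderConfig(ISSUER_URI, {ALLOWED_AUDIENCE}, {subject})
    policy = ServiceAccountPolicy({principal_member(subject)})
    return provider, policy


def gcloud_commands(subject: str) -> list[str]:
    """gcloud invocations implementing the same restriction on a real pool
    (rendered as strings for review; not executed here)."""
    condition = f"assertion.sub == '{subject}'"
    return [
        f"gcloud iam workload-identity-pools providers update-oidc {PROVIDER_ID} "
        f"--location=global --workload-identity-pool={POOL_ID} "
        f"--attribute-mapping=google.subject=assertion.sub "
        f"--attribute-condition=\"{condition}\"",
        f"gcloud iam service-accounts add-iam-policy-binding {SA_EMAIL} "
        f"--role=roles/iam.workloadIdentityUser "
        f"--member=\"{principal_member(subject)}\"",
    ]


def token_for(subject: str) -> dict:
    """Constructed claim set resembling what a connector's Azure identity presents."""
    return {"iss": ISSUER_URI, "aud": ALLOWED_AUDIENCE, "sub": subject}


if __name__ == "__main__":
    provider, policy = restricted_setup(ALLOWED_CONNECTOR_SUB)
    for sub in (ALLOWED_CONNECTOR_SUB, OTHER_CONNECTOR_SUB):
        print(sub, exchange_allowed(token_for(sub), provider, policy))
    print("\n".join(gcloud_commands(ALLOWED_CONNECTOR_SUB)))
```

The point the model makes is that the restriction lives on the GCP side in two places: the provider's attribute condition stops the second connector's token before any impersonation is attempted, and binding `roles/iam.workloadIdentityUser` to a `principal://.../subject/<sub>` member rather than a `principalSet://` covering the whole pool means that even a provider without a condition would still refuse any subject that has no binding. Checking both is what prevents a later, more permissive provider edit from silently widening access.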

