# Permissions

### Overview

This page describes the permissions and access model for the **Attack Mapping Agent**.\
The agent uses **read-only access** to Microsoft Sentinel, Microsoft Defender, and Security Copilot data through documented **Microsoft Graph API** and **Security Copilot Plugins**.\
It is designed to analyze analytic rule configurations, ATT\&CK mappings, and telemetry correlations **without making any changes** to your environment.

***

### How It Works

The agent connects securely to your tenant and Microsoft Sentinel workspace to retrieve analytic rule metadata, mapping details, and associated telemetry.\
It evaluates and validates MITRE ATT\&CK tactic, technique, and sub-technique assignments, ensuring that mappings accurately represent detection coverage.

All interactions follow these principles:

* **Read-only access:** The agent does not modify, create, or delete analytic rules.
* **Least privilege:** Only the minimum roles and permissions required to read Sentinel and Defender data are used.
* **Transparency:** All data access occurs through documented API endpoints and can be audited in Microsoft Entra.

***

### Required Entra ID and Sentinel Roles

Assign the following roles to the administrator account or managed identity that runs the agent. The Sentinel roles are Azure RBAC roles assigned on the Log Analytics workspace (or its resource group); Security Reader and Directory Readers are Microsoft Entra ID directory roles:

| Role                                          | Type and scope                                                         | Description                                                                                                                                                                               |
| --------------------------------------------- | ---------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Microsoft Sentinel Reader**                 | Azure RBAC, on the Sentinel workspace or its resource group            | Provides read-only access to analytic rule configurations and alert metadata.                                                                                                             |
| **Microsoft Sentinel Responder** *(optional)* | Azure RBAC, on the Sentinel workspace or its resource group            | Needed only when extended analysis of incident relationships is enabled. Responder also permits managing incidents (assigning, classifying), so it is not strictly read-only; omit it unless you use that mode. |
| **Security Reader**                           | Entra ID directory role                                                | Grants visibility into Defender security insights and events without modification rights.                                                                                                 |
| **Directory Readers**                         | Entra ID directory role                                                | Enables read-only access to user and group directory data for rule correlation.                                                                                                           |

This is the minimum set the agent needs and follows the **principle of least privilege**: assign the Sentinel roles at workspace or resource-group scope rather than at subscription scope, and adjust the set only within your organization’s security governance policies.

***

### Data Access Transparency

The following table outlines what data the agent can access and for what purpose:

| Data Type                             | Access Level | Purpose                                                                           |
| ------------------------------------- | ------------ | --------------------------------------------------------------------------------- |
| Sentinel analytic rule metadata       | Read-only    | To inventory analytic rules, validate MITRE mappings, and detect inconsistencies. |
| Security alerts and telemetry samples | Read-only    | To verify that mapped techniques align with real detection behavior.              |
| MITRE ATT\&CK knowledge base          | Read-only    | To validate tactic and technique IDs and ensure canonical alignment.              |
| Directory and workspace data          | Read-only    | To correlate analytic rules with owners and configuration context.                |

**Data handling:**

* The agent does not modify, create, or delete data in your tenant.
* No customer data is exported outside the tenant boundary.
* All access occurs via Microsoft Graph and Security Copilot Plugins using delegated or application permissions.
* Sign-ins by the agent identity appear in the Microsoft Entra sign-in logs, and consent grants and role assignment changes in the Entra audit logs, for full traceability.

***

### Agent Settings

The agent supports configurable parameters that define the scope and depth of its validation:

| Setting   | Options                                           | Description                                                                                                                                                                                                                                                      |
| --------- | ------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Scope** | `analyticRules`, `telemetry`, `mappingValidation` | Determines which Sentinel components are included in the analysis.                                                                                                                                                                                               |
| **Mode**  | `quick`, `standard`, `deep`                       | Defines analysis depth and correlation level: **quick** is a basic review of rule mappings for syntax and structure; **standard** *(recommended)* is a balanced mapping validation using MITRE knowledge and limited telemetry; **deep** is a full validation with telemetry sampling and rule-to-detection correlation. |

Before running the agent, ensure that all required roles and workspace permissions are assigned.

***

### Security and Compliance Considerations

* All communication with Microsoft Sentinel and Microsoft Graph is encrypted in transit with **HTTPS (TLS)** and authenticated by **Microsoft identity services**.
* The agent follows **Zero Trust** and **least privilege** principles.
* Access can be reviewed or revoked anytime through **Microsoft Entra role assignments** or **application consent management**.
* No configuration changes are performed within your environment, ensuring full operational safety during analysis.

***

### Next Steps

1. Verify that the administrator or managed identity running the agent has the required roles assigned at the intended scope, and no broader roles left over from earlier deployments.
2. Confirm that the Microsoft Graph permissions the agent uses for Sentinel and Defender data have been granted admin consent and are active.
3. Review your organization’s least privilege and role assignment policies before deployment.
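The role table above and step 1 of the next steps both amount to one check: does the agent identity hold exactly the documented read-only roles, at workspace or resource-group scope, and nothing broader? The following script is an added example and is not part of the agent or of any Microsoft tool. It takes a principal's Azure RBAC assignments in the shape returned by `az role assignment list --assignee <id> --all -o json` (only the `roleDefinitionName` and `scope` fields are used) together with the principal's Entra ID directory role names, and reports missing roles, roles outside the documented set, the optional Responder role (because it carries incident write permission), and assignments made above resource-group scope. The sample assignments at the bottom are constructed; the "broad scope" rule is this example's own reading of least privilege, not a setting the agent exposes.

```python
"""Least-privilege check for the identity that runs the Attack Mapping Agent.

Added example, not the agent's own code. Input: Azure RBAC assignments as
returned by `az role assignment list --assignee <id> --all -o json` and the
principal's Entra ID directory role names. Sample data is constructed.
"""
from dataclasses import dataclass, field

# Azure RBAC roles the page requires (assigned at the workspace or its resource group).
REQUIRED_AZURE_ROLES = {"Microsoft Sentinel Reader"}
# Optional Azure RBAC role from the page; it can also manage incidents, so it is
# reported rather than silently accepted.
OPTIONAL_WRITE_AZURE_ROLES = {"Microsoft Sentinel Responder"}
# Entra ID directory roles the page requires.
REQUIRED_ENTRA_ROLES = {"Security Reader", "Directory Readers"}


@dataclass
class Report:
    missing_azure: set = field(default_factory=set)
    missing_entra: set = field(default_factory=set)
    excess: list = field(default_factory=list)         # (role, scope) not on the page
    write_capable: list = field(default_factory=list)  # optional roles with write rights
    broad_scope: list = field(default_factory=list)    # assigned above resource-group level

    def compliant(self, allow_responder=False):
        """True when only documented roles are present at workspace or
        resource-group scope; Responder is tolerated only if explicitly allowed."""
        return (not self.missing_azure and not self.missing_entra
                and not self.excess and not self.broad_scope
                and (allow_responder or not self.write_capable))


def is_broad_scope(scope):
    """Assumption made in this example: least privilege means the Sentinel roles
    live at the workspace or its resource group, never at subscription or root."""
    return "/resourcegroups/" not in scope.lower()


def check_principal(azure_assignments, entra_roles):
    """Compare one principal's assignments against the documented role set."""
    report = Report()
    present_azure = set()
    for assignment in azure_assignments:
        role, scope = assignment["roleDefinitionName"], assignment["scope"]
        present_azure.add(role)
        if role in OPTIONAL_WRITE_AZURE_ROLES:
            report.write_capable.append((role, scope))
        elif role not in REQUIRED_AZURE_ROLES:
            report.excess.append((role, scope))
        if is_broad_scope(scope):
            report.broad_scope.append((role, scope))
    report.missing_azure = REQUIRED_AZURE_ROLES - present_azure
    report.missing_entra = REQUIRED_ENTRA_ROLES - set(entra_roles)
    return report


def describe(report):
    """Human-readable findings, one per line."""
    lines = []
    lines += [f"MISSING Azure RBAC role: {r}" for r in sorted(report.missing_azure)]
    lines += [f"MISSING Entra ID role: {r}" for r in sorted(report.missing_entra)]
    lines += [f"EXCESS role outside documented set: {r} at {s}" for r, s in report.excess]
    lines += [f"WRITE-CAPABLE optional role present: {r} at {s}" for r, s in report.write_capable]
    lines += [f"BROAD scope (above resource group): {r} at {s}" for r, s in report.broad_scope]
    return lines


# Constructed sample: a fictitious subscription id and workspace names.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Microsoft Sentinel Reader",
     "scope": SUB + "/resourceGroups/rg-sentinel/providers/Microsoft.OperationalInsights/workspaces/law-sentinel"},
    {"roleDefinitionName": "Microsoft Sentinel Responder",
     "scope": SUB + "/resourceGroups/rg-sentinel"},
    {"roleDefinitionName": "Contributor", "scope": SUB},  # leftover from a deployment, far too broad
]
SAMPLE_ENTRA_ROLES = ["Security Reader"]  # Directory Readers was never assigned

if __name__ == "__main__":
    result = check_principal(SAMPLE_ASSIGNMENTS, SAMPLE_ENTRA_ROLES)
    print("\n".join(describe(result)))
    print("compliant:", result.compliant())
```

Run against the constructed sample it flags the missing Directory Readers role, the Contributor assignment at subscription scope, and the Responder role; it only reports the identity as compliant once the leftover Contributor assignment is removed, Directory Readers is added, and Responder is either dropped or explicitly allowed for the extended incident analysis mode.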


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://agents.glueckkanja.com/agents/attack-mapping-agent/permissions.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
