Vidara App Registration
Wortell uses Vidara as its security platform. For Vidara to run, it needs certain permissions on the customer tenant. This article describes the permissions and settings required for the App Registration that connects Vidara to the customer tenant.
Settings
The Vidara App Registration should be set up with the following settings:
Setting | Value | Description |
---|---|---|
Owner | The app registration itself | Wortell has procedures and systems in place to rotate the key of the app registration. In order to rotate keys, the app registration needs to be an owner of itself |
Secret | A secret with a validity period of 3 months should be generated | A secret needs to be set up so Vidara can authenticate to the customer tenant |
Permissions
Vidara requires permissions for its interaction with the customer environment.
The following permissions are used for a wide range of Managed Detection and Response activities, such as:
- Vulnerability management
- Threat hunting
- Responding to incidents
- Executing investigations
- Validating that all required permissions are set correctly
Azure Active Directory
The following permissions need to be set on the Vidara App Registration, and Admin Consent needs to be granted for them:
API | Required Permission |
---|---|
Microsoft Graph | Application.ReadWrite.OwnedBy |
Microsoft Graph | Directory.Read.All |
Microsoft Graph | IdentityRiskyUser.ReadWrite.All |
Microsoft Graph | Organization.Read.All |
Microsoft Graph | SecurityActions.Read.All |
Microsoft Threat Protection | AdvancedHunting.Read.All |
Microsoft Threat Protection | CustomDetections.ReadWrite.All |
Log Analytics API | Data.Read |
WindowsDefenderATP | Alert.ReadWrite.All |
WindowsDefenderATP | Machine.CollectForensic |
WindowsDefenderATP | Machine.Isolate |
WindowsDefenderATP | Machine.Read.All |
WindowsDefenderATP | Machine.Scan |
WindowsDefenderATP | Vulnerability.Read.All |
Azure
The following permissions need to be set on the Vidara App Registration:
Resource | Required Role |
---|---|
Azure Subscription* | Reader |
* Required for all Azure subscriptions that are protected by Wortell Managed Detection and Response.
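The article lists the settings and permissions in tables; the last MDR activity it names is validating that all required permissions are set correctly. The following Python script is an added example (not Wortell's or Vidara's code) of such a drift check: it encodes the documented requirements (self-ownership, the exact admin-consented application permissions per API, a 3-month secret lifetime, Reader on every protected subscription) and reports any deviation, including permissions or roles beyond the documented set. The `AppRegistrationState` structure, the two sample registrations, the 92-day reading of "3 months" and the 14-day expiry warning are assumptions made for the example; in practice the state would be filled from the tenant's app registration, service principal and role assignments.

```python
"""Added example: check an app registration against the documented Vidara requirements."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Required admin-consented application permissions per API, exactly as documented.
REQUIRED_PERMISSIONS: dict[str, set[str]] = {
    "Microsoft Graph": {
        "Application.ReadWrite.OwnedBy", "Directory.Read.All",
        "IdentityRiskyUser.ReadWrite.All", "Organization.Read.All",
        "SecurityActions.Read.All",
    },
    "Microsoft Threat Protection": {
        "AdvancedHunting.Read.All", "CustomDetections.ReadWrite.All",
    },
    "Log Analytics API": {"Data.Read"},
    "WindowsDefenderATP": {
        "Alert.ReadWrite.All", "Machine.CollectForensic", "Machine.Isolate",
        "Machine.Read.All", "Machine.Scan", "Vulnerability.Read.All",
    },
}
REQUIRED_AZURE_ROLE = "Reader"
MAX_SECRET_LIFETIME = timedelta(days=92)   # assumption: "3 months" counted as 92 days
EXPIRY_WARNING = timedelta(days=14)        # assumption: warn two weeks before a secret expires


@dataclass
class AppRegistrationState:
    """Simplified, constructed view of a registration (not the Graph API's own shape)."""
    app_id: str
    owners: set[str]                              # object ids listed as owners
    granted: dict[str, set[str]]                  # API -> admin-consented application permissions
    secrets: list[tuple[datetime, datetime]]      # (start, end) per client secret
    subscription_roles: dict[str, set[str]]       # subscription -> RBAC roles of the service principal
    protected_subscriptions: set[str]             # subscriptions covered by MDR


def check_registration(state: AppRegistrationState, now: datetime) -> list[str]:
    """Return human-readable findings; an empty list means the registration matches the article."""
    findings: list[str] = []

    # Settings table: the app registration must be an owner of itself (needed for key rotation).
    if state.app_id not in state.owners:
        findings.append("app registration is not an owner of itself")

    # Permissions table: every documented permission must be present and consented...
    for api, perms in REQUIRED_PERMISSIONS.items():
        for perm in sorted(perms - state.granted.get(api, set())):
            findings.append(f"missing admin-consented permission {api}: {perm}")
    # ...and nothing beyond the documented set should be granted (least privilege).
    for api, perms in state.granted.items():
        for perm in sorted(perms - REQUIRED_PERMISSIONS.get(api, set())):
            findings.append(f"permission not in the documented set {api}: {perm}")

    # Settings table: a client secret with at most a 3-month lifetime must be active.
    if not any(start <= now < end for start, end in state.secrets):
        findings.append("no active client secret")
    for start, end in state.secrets:
        if end - start > MAX_SECRET_LIFETIME:
            findings.append(f"secret lifetime of {(end - start).days} days exceeds 3 months")
        if start <= now < end and end - now < EXPIRY_WARNING:
            findings.append(f"active secret expires in {(end - now).days} days")

    # Azure table: Reader on every protected subscription, and no higher role.
    for sub in sorted(state.protected_subscriptions):
        roles = state.subscription_roles.get(sub, set())
        if REQUIRED_AZURE_ROLE not in roles:
            findings.append(f"subscription {sub}: missing role {REQUIRED_AZURE_ROLE}")
        for role in sorted(roles - {REQUIRED_AZURE_ROLE}):
            findings.append(f"subscription {sub}: role beyond {REQUIRED_AZURE_ROLE}: {role}")
    return findings


# Constructed sample data for the two cases; "now" is fixed so the check is reproducible.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)


def example_compliant() -> AppRegistrationState:
    return AppRegistrationState(
        app_id="vidara-app-object-id",
        owners={"vidara-app-object-id"},
        granted={api: set(perms) for api, perms in REQUIRED_PERMISSIONS.items()},
        secrets=[(datetime(2024, 1, 1, tzinfo=timezone.utc), datetime(2024, 4, 1, tzinfo=timezone.utc))],
        subscription_roles={"sub-prod": {"Reader"}},
        protected_subscriptions={"sub-prod"},
    )


def example_drifted() -> AppRegistrationState:
    granted = {api: set(perms) for api, perms in REQUIRED_PERMISSIONS.items()}
    granted["WindowsDefenderATP"].discard("Machine.Isolate")       # a required permission removed
    granted["Microsoft Graph"].add("Directory.ReadWrite.All")       # an undocumented write permission added
    return AppRegistrationState(
        app_id="vidara-app-object-id",
        owners={"some-admin-object-id"},
        granted=granted,
        secrets=[(datetime(2023, 6, 1, tzinfo=timezone.utc), datetime(2024, 6, 1, tzinfo=timezone.utc))],
        subscription_roles={"sub-prod": {"Contributor"}, "sub-dev": {"Reader", "Owner"}},
        protected_subscriptions={"sub-prod", "sub-dev"},
    )


if __name__ == "__main__":
    for label, state in (("compliant", example_compliant()), ("drifted", example_drifted())):
        print(f"[{label}]")
        for line in check_registration(state, NOW) or ["OK"]:
            print("  " + line)
```

Running the script reports nothing for the compliant registration and, for the drifted one, the missing `Machine.Isolate`, the extra `Directory.ReadWrite.All`, the missing self-ownership, the one-year secret, the missing Reader role on `sub-prod` and the surplus Contributor and Owner roles. Reporting surplus grants as findings, not only missing ones, is what keeps the check aligned with least privilege.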
Key Rotation
It is a best practice to rotate your keys (that is, to create a new version of the key that replaces the old one) on a regular basis. By applying key rotation, Wortell drastically reduces the risk of the app registration used by Vidara being compromised by an attack.
Key rotation is a fully automated process. During a key rotation a new key is generated; the existing key remains active, but older versions are deleted. The latest version of the key is then used for all future interactions with Vidara.
Keys are stored in an Azure Key Vault that is connected to Vidara. Access to the keys is granted only to Vidara; none of the Wortell security employees have access to this key vault. Because key rotation is fully automated, no Wortell employee can know the active keys.