Forum Discussion
Sentinel permissions for playbook
Can someone advise me what permissions are needed to be able to authorize Sentinel to run playbooks here?
I currently have the following on the whole resource group where the playbooks as well as the Sentinel workspace are. I don't see anything to choose from though.
Logic App Contributor
Microsoft Sentinel Automation Contributor
Microsoft Sentinel Contributor
Moreover, despite this access, when creating an automation rule I got the following error:
"Microsoft Sentinel requires explicit permissions for automation rules to automatically run playbooks"
Do you please know
1) what additional permissions I need to give Sentinel permissions to run playbooks?
2) what additional permissions I need to be able to create an automation rule with a playbook in it?
Thank you
10 Replies
- Usama_Saleem (Brass Contributor): Hello, have you got the solution? Because I am also stuck in a similar scenario.
- Marek Stelcik (Copper Contributor): Unfortunately not, I used a workaround (contacted the subscription owner who did a one-time setup of this value), but did not find a minimalistic answer. I would try some Reader role on the subscription so it can pull possible values for the dropdown.
- Usama_Saleem (Brass Contributor): Hello Marek, it requires re-sign-in after assigning the specific permission. I can see the resource groups after signing in back to the portal. It's strange but it works in my case.
- (reply to Marek Stelcik) Hi,
you need to give Sentinel permissions on the resource group where your playbooks are located (Give Microsoft Sentinel permissions to run playbooks).
If a playbook appears "grayed out" in the drop-down list, it means Sentinel does not have permission to that playbook's resource group. Click the Manage playbook permissions link to assign permissions. In the Manage permissions panel that opens up, mark the check boxes of the resource groups containing the playbooks you want to run, and click Apply.
To be able to create a playbook, you need to be an Owner on the resource group where you need to create it, or have the Logic App Contributor role.
- Marek Stelcik (Copper Contributor): Is it possible this documentation is not fully complete?
• Give Microsoft Sentinel permissions to run playbooks
Microsoft Sentinel uses a special service account to run incident-trigger playbooks manually or to call them from automation rules. The use of this account (as opposed to your user account) increases the security level of the service.
For an automation rule to run a playbook, this account must be granted explicit permissions to the resource group where the playbook resides. At that point, any automation rule can run any playbook in that resource group. To grant these permissions to this service account, your account must have Owner permissions to the resource groups containing the playbooks.
I have Owner on the resource group but still cannot select it in Sentinel to allow automation. I assume some additional Directory Reader role or subscription Reader role is needed??
- You mean your runbooks are not showing in your automation rule while creating it?
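The "Manage playbook permissions" step described in the thread is, underneath, an Azure RBAC role assignment: the Sentinel service account gets the Microsoft Sentinel Automation Contributor role on the resource group that holds the playbooks. The script below is an added example, not code from the thread or from Microsoft's documentation, that performs and then verifies that assignment with the Azure CLI so an admin can confirm the grant exists without relying on the portal dropdown. It assumes `az` is installed and logged in with an account that holds Owner on the playbook resource group (the prerequisite quoted above), that the service account appears in the tenant as the service principal named "Azure Security Insights", and that `az ad sp list` returns the object id in the `id` field (Azure CLI builds since the Microsoft Graph migration); the subscription id and resource group name are placeholders supplied through environment variables.

```shell
#!/usr/bin/env sh
# Added example: grant the Microsoft Sentinel service account the right to run
# playbooks in one resource group, then verify the assignment. Not from the thread.
set -eu

# Assumed display name of the Sentinel service account's service principal.
SENTINEL_SP_DISPLAY_NAME="Azure Security Insights"
# Role named in the thread; it is what the portal's "Manage playbook permissions" assigns.
ROLE="Microsoft Sentinel Automation Contributor"

# Build the RBAC scope string for a resource group. Pure string function, so it
# can be checked offline; the scope is what the assignment is pinned to.
rg_scope() {
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Look up the object id of the Sentinel service principal in the signed-in tenant.
# Assumes the `id` field carries the object id (newer Azure CLI releases).
sentinel_sp_object_id() {
  az ad sp list --display-name "$SENTINEL_SP_DISPLAY_NAME" --query '[0].id' -o tsv
}

# Create the role assignment at resource-group scope. The caller must hold Owner
# (or another role that can write role assignments) on that resource group.
grant_playbook_permission() {
  scope=$(rg_scope "$1" "$2")
  sp_id=$(sentinel_sp_object_id)
  if [ -z "$sp_id" ]; then
    echo "Sentinel service principal '$SENTINEL_SP_DISPLAY_NAME' not found in this tenant" >&2
    return 1
  fi
  az role assignment create \
    --assignee-object-id "$sp_id" \
    --assignee-principal-type ServicePrincipal \
    --role "$ROLE" \
    --scope "$scope" -o none
}

# Verify: count the matching assignments at exactly this scope. A result of 0
# means automation rules still cannot run playbooks in that resource group.
check_playbook_permission() {
  scope=$(rg_scope "$1" "$2")
  sp_id=$(sentinel_sp_object_id)
  az role assignment list \
    --assignee "$sp_id" --role "$ROLE" --scope "$scope" \
    --query 'length(@)' -o tsv
}

# Only touch Azure when explicitly asked, so sourcing this file for its functions
# has no side effects. SUBSCRIPTION_ID and PLAYBOOK_RG are placeholders you set.
if [ "${APPLY_SENTINEL_RBAC:-0}" = "1" ]; then
  grant_playbook_permission "$SUBSCRIPTION_ID" "$PLAYBOOK_RG"
  count=$(check_playbook_permission "$SUBSCRIPTION_ID" "$PLAYBOOK_RG")
  echo "assignments of '$ROLE' for Sentinel at $(rg_scope "$SUBSCRIPTION_ID" "$PLAYBOOK_RG"): $count"
fi
```

Run it as `APPLY_SENTINEL_RBAC=1 SUBSCRIPTION_ID=<sub-id> PLAYBOOK_RG=<rg-name> sh grant-sentinel-playbook-rbac.sh`. Scoping the assignment to the playbook resource group rather than the subscription keeps the grant narrow: every automation rule in the workspace can then run any playbook in that group, and nothing else, which matches the behaviour described in the quoted documentation. The separate roles on the question poster's own account (Logic App Contributor to create playbooks, Microsoft Sentinel Contributor to create automation rules) are not affected by this script; it only addresses the service account's missing permission that the error message refers to.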