Marek Stelcik
Aug 01, 2023 (Copper Contributor)
Sentinel permissions for playbook
Can someone advise me what permissions are needed to be able to authorize Sentinel to run playbooks here? I currently have on the whole resource group where the playbooks are, as well as Sentine...
Marek Stelcik
Aug 02, 2023 (Copper Contributor)
Is it possible this documentation is not fully complete?
• Give Microsoft Sentinel permissions to run playbooks
Microsoft Sentinel uses a special service account to run incident-trigger playbooks manually or to call them from automation rules. The use of this account (as opposed to your user account) increases the security level of the service.
For an automation rule to run a playbook, this account must be granted explicit permissions to the resource group where the playbook resides. At that point, any automation rule can run any playbook in that resource group. To grant these permissions to this service account, your account must have Owner permissions to the resource groups containing the playbooks.
I have Owner on the resource group but still cannot select it in Sentinel to allow automation. I assume some additional Directory Reader role or subscription Reader role is needed?
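One way to make the grant the quoted documentation describes without depending on the portal's resource-group picker, as an added example that is not from this thread or from Microsoft: an Azure CLI script that first checks that the signed-in user holds a role able to write role assignments on the playbook resource group (Owner or User Access Administrator), then assigns the built-in Microsoft Sentinel Automation Contributor role to the Azure Security Insights service principal at that resource-group scope. The service-principal display name, the role name, the `PLAYBOOK_RG` placeholder variable and the helper function names are assumptions of this example; verify the first two against your tenant before relying on them.

```shell
#!/bin/sh
# Added example (not from the thread or from Microsoft's documentation):
# grant the Microsoft Sentinel service principal the least-privilege role it
# needs on a playbook resource group, using the Azure CLI instead of the portal.
#
# Assumptions (check in your tenant): the service principal is displayed as
# "Azure Security Insights" and the built-in role is "Microsoft Sentinel
# Automation Contributor". PLAYBOOK_RG is a placeholder resource-group name.

SENTINEL_SP_NAME="Azure Security Insights"
SENTINEL_ROLE="Microsoft Sentinel Automation Contributor"

# role_present ROLE_LIST ROLE
# ROLE_LIST is a newline-separated list of role names, the shape that
# `az role assignment list --query "[].roleDefinitionName" -o tsv` returns.
# Returns 0 when ROLE appears as an exact, whole-line match.
role_present() {
    printf '%s\n' "$1" | grep -Fxq -- "$2"
}

# caller_can_assign_roles ROLE_LIST
# Writing a role assignment requires Microsoft.Authorization/roleAssignments/write,
# which the built-in Owner and User Access Administrator roles carry.
caller_can_assign_roles() {
    role_present "$1" "Owner" || role_present "$1" "User Access Administrator"
}

# Live part: runs only when PLAYBOOK_RG is set, so the helpers above can be
# sourced and exercised without an Azure session.
if [ -n "${PLAYBOOK_RG:-}" ]; then
    set -eu
    scope=$(az group show --name "$PLAYBOOK_RG" --query id -o tsv)

    # 1. Confirm the caller can grant roles at this scope (inherited
    #    assignments from the subscription count too).
    me=$(az ad signed-in-user show --query id -o tsv)
    my_roles=$(az role assignment list --assignee "$me" --scope "$scope" \
               --include-inherited --query "[].roleDefinitionName" -o tsv)
    if ! caller_can_assign_roles "$my_roles"; then
        echo "Need Owner or User Access Administrator on $scope to grant the role." >&2
        exit 1
    fi

    # 2. Resolve the Sentinel service principal's object id by display name.
    sp=$(az ad sp list --display-name "$SENTINEL_SP_NAME" --query "[0].id" -o tsv)
    if [ -z "$sp" ]; then
        echo "Service principal '$SENTINEL_SP_NAME' not found in this tenant." >&2
        exit 1
    fi

    # 3. Grant the role only if it is not already present (idempotent).
    sp_roles=$(az role assignment list --assignee "$sp" --scope "$scope" \
               --query "[].roleDefinitionName" -o tsv)
    if role_present "$sp_roles" "$SENTINEL_ROLE"; then
        echo "$SENTINEL_ROLE already granted to $SENTINEL_SP_NAME on $scope"
    else
        az role assignment create --assignee-object-id "$sp" \
            --assignee-principal-type ServicePrincipal \
            --role "$SENTINEL_ROLE" --scope "$scope" -o none
        echo "Granted $SENTINEL_ROLE to $SENTINEL_SP_NAME on $scope"
    fi
fi
```

Run it as `PLAYBOOK_RG=<your-playbook-rg> sh grant-sentinel-role.sh` after `az login`. Scoping the assignment to the resource group rather than the subscription matches the documentation's own statement that, once granted, any automation rule can run any playbook in that resource group: the role confers no rights on playbooks elsewhere. The caller check is the part most relevant to this thread, because it distinguishes "I hold Owner somewhere" from "my effective roles at this scope allow writing role assignments".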
Aug 02, 2023
You mean your runbooks are not showing in your automation rule while creating it?
- Marek Stelcik, Aug 02, 2023 (Copper Contributor): They are showing but cannot be added; as you indicated in your first advice, you need to grant Sentinel the possibility to run playbooks. However, I cannot set this up. I am OWNER of the resource group where both Sentinel and the playbooks are, but when trying to select the resource group that contains the playbook, no resource groups pop up. It seems OWNER rights are not sufficient and I need some permissions on a higher level (subscription)?
- Aug 02, 2023: Grant yourself the Owner role on the resource group where your Sentinel instance is deployed.
- Marek Stelcik, Aug 04, 2023 (Copper Contributor): I have Owner but cannot select it; I think I need something on the subscription level as well.