I am having a permissions issue with getting the playbook template ‘Run-MDEAntivirus’ working. So far I have:
- Given Microsoft Sentinel permissions to run playbooks in the correct Resource Group.
- Deployed the Playbook template from Sentinel (as at January 2023) with a system assigned managed identity.
- Used PowerShell to grant the managed identity the permissions ‘Machine.Scan’, ‘Machine.ReadWrite.All’ and ‘Machine.Read.All’.
- Dropped an EICAR file on a host and watched the playbook trigger as expected.
Steps using the Sentinel connector inside the Logic App work (these all have green ticks and contain the expected data). The first MDE step, ‘Machines - Get a Single Machine’, fails with a 403 error. The message it returns is: ‘Missing application roles. API required roles: Machine.Read.All,Machine.ReadWrite.All, application roles ‘Machine.Scan’’.
I am not clear where I need to add those privileges. My understanding is the Logic App is using the wdatp-Run-MDEAntivirus API connection which in turn is using the Managed Identity (that has the right privileges). Any suggestions on what to do next would be welcome.
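One way to confirm which MDE application roles the playbook's managed identity actually holds, and grant any that are missing, as an added example (editor's script, not part of the original post or the playbook template). It assumes the Microsoft.Graph PowerShell module, that the managed identity's display name matches the Logic App name, and the well-known WindowsDefenderATP application id; all three are assumptions to adjust for your tenant.

```powershell
# Added example: verify and, if needed, grant the MDE app roles on the
# Logic App's system-assigned managed identity via Microsoft Graph.
# Assumes an account allowed to create app role assignments.

$logicAppName  = 'Run-MDEAntivirus'   # assumed: managed identity display name = Logic App name
$requiredRoles = 'Machine.Read.All', 'Machine.ReadWrite.All', 'Machine.Scan'
$mdeAppId      = 'fc780465-2017-40d4-a0c5-307022471b92'   # well-known WindowsDefenderATP app id (assumed)

Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All'

# Service principals: the managed identity (principal) and the MDE API (resource)
$mi  = Get-MgServicePrincipal -Filter "displayName eq '$logicAppName'"
$mde = Get-MgServicePrincipal -Filter "appId eq '$mdeAppId'"
if (-not $mi -or -not $mde) { throw 'Managed identity or MDE service principal not found.' }

# App role assignments the managed identity already has against the MDE resource
$assigned = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id |
    Where-Object { $_.ResourceId -eq $mde.Id }

foreach ($roleName in $requiredRoles) {
    # Look up the application-type role definition on the MDE service principal
    $role = $mde.AppRoles | Where-Object {
        $_.Value -eq $roleName -and $_.AllowedMemberTypes -contains 'Application'
    }
    if (-not $role) { Write-Warning "Role $roleName is not exposed by the MDE API"; continue }

    if ($assigned.AppRoleId -contains $role.Id) {
        Write-Host "OK       $roleName already assigned to $($mi.DisplayName)"
        continue
    }

    Write-Host "MISSING  $roleName - granting"
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id `
        -PrincipalId $mi.Id -ResourceId $mde.Id -AppRoleId $role.Id | Out-Null
}
```

If all three roles report OK, the 403 is coming from a different identity than expected: check that the wdatp API connection in the Logic App is set to authenticate with the managed identity rather than a signed-in user, since the error reflects whichever principal the connection actually uses.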