Jul 19 2021 02:54 AM - edited Jul 20 2021 05:11 AM
And: Unable to add playbook to automated incident response for Azure Sentinel (Not relevant)
Assoc. Doc. https://docs.microsoft.com/fr-fr/azure/sentinel/tutorial-respond-threats-playbook )
Hi Microsoft,
I created a Logic App with handler "when incident creation in Sentinel rule was Triggered"*.
I got Read rights on the RG and Logic Apps operator & Contributor + Sentinel contributor.
I can see my LogicApp in the playbook thumb (enabled, with good trigger descirption), yet I can't see it when creating automation from "Automation" thumb. (Rule : "If analytics name contains : All")
Is it a bug? Did I miss something?
EDIT 07-20: added with Subscription owner rights the RG access to Sentinel Automation, giving "Azure Sentinel Automation Contributor"rights to “Azure Security Insights” on the resource group. Source. No effect.
* I18n approximative from French.
Jul 19 2021 05:47 AM
@jeffazure Have you also set the Azure Sentinel Automation Contributor?
Jul 20 2021 05:05 AM - edited Jul 20 2021 05:17 AM
Hi @Rod_Trent,
Thank you for your answer. That one was rather tricky, interface is not clear for automation for this subject.
I successfully applied right permission to my user (I got Sub owner account in parallel) AND followed your tutorial (from : https://docs.microsoft.com/fr-fr/azure/sentinel/tutorial-respond-threats-playbook). All rights are OK in RG IAM, I can see "Security Insights" having Automation rights (please note that my Logic App is in the same RG as Sentinel).
Not my user, nor even Owner can see playbook anyway in the "New automation rule" menu.
Jul 20 2021 06:49 AM
SolutionJul 20 2021 06:51 AM
Jul 20 2021 06:49 AM
Solution