Sentinel permissions for playbook


Can someone advise me what permissions are needed to be able to authorize Sentinel to run playbooks here?


I currently have the following roles on the whole resource group where the playbooks as well as the Sentinel workspace are. I don't see anything to choose from though.

Logic App Contributor

Microsoft Sentinel Automation Contributor

Microsoft Sentinel Contributor

Moreover, despite this access, when creating an automation rule I got the following error:

Do you please know:

1) what additional permissions I need to give Sentinel permissions to run playbooks?

Microsoft Sentinel requires explicit permissions for automation rules to automatically run playbooks

2) what permissions I additionally need to be able to create an automation rule with a playbook in it?


Thank you


10 Replies

@Marek Stelcik Hi,

You need to give Sentinel permissions on the resource group where your playbooks are located, in order to give Microsoft Sentinel permissions to run them.


If a playbook appears "grayed out" in the drop-down list, it means Sentinel does not have permission to that playbook's resource group. Click the Manage playbook permissions link to assign permissions. In the Manage permissions panel that opens up, mark the check boxes of the resource groups containing the playbooks you want to run, and click Apply.

To be able to create a playbook, you need to be an Owner on the resource group where you need to create it, or have the Logic App Contributor role.
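The check the reply above describes (does the Sentinel service account hold Microsoft Sentinel Automation Contributor on the playbook resource group?) can be audited from the command line as well. The following is an added example, not code from the thread or from Microsoft: it reads the JSON that `az role assignment list --all -o json` prints and reports whether the role is effective on a given resource group, including assignments inherited from subscription scope. The principal id, subscription id and resource-group names are constructed placeholders.

```python
"""Audit whether the Microsoft Sentinel service account can run playbooks in a
resource group, from the output of `az role assignment list --all -o json`.
All ids and names below are constructed sample values, not real identifiers."""
import json

ROLE = "Microsoft Sentinel Automation Contributor"


def covers(assignment_scope: str, target_scope: str) -> bool:
    """True if a role assigned at assignment_scope applies to target_scope.
    Azure RBAC inherits downward, so a subscription-level assignment also
    covers every resource group in it. Scopes compare case-insensitively."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def sentinel_can_run_playbooks(assignments, sentinel_principal_id, subscription_id, resource_group):
    """Return the scope of the assignment that grants ROLE to the Sentinel
    principal for the resource group, or None if no effective assignment exists."""
    target = f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
    for ra in assignments:
        if ra.get("principalId", "").lower() != sentinel_principal_id.lower():
            continue
        if ra.get("roleDefinitionName") != ROLE:
            continue
        if covers(ra.get("scope", ""), target):
            return ra["scope"]
    return None


# Constructed sample of what `az role assignment list --all -o json` might print.
SAMPLE_JSON = """[
  {"principalId": "11111111-1111-1111-1111-111111111111", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Microsoft Sentinel Automation Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-playbooks"},
  {"principalId": "22222222-2222-2222-2222-222222222222", "principalType": "User",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-playbooks"}
]"""
# Placeholder object id of the Sentinel service principal; look up the real one with
# az ad sp list --display-name "Azure Security Insights" --query "[0].id" -o tsv
SENTINEL_SP_ID = "11111111-1111-1111-1111-111111111111"
SUB = "00000000-0000-0000-0000-000000000000"  # placeholder subscription id


def check(json_text: str = SAMPLE_JSON, rg: str = "rg-playbooks"):
    return sentinel_can_run_playbooks(json.loads(json_text), SENTINEL_SP_ID, SUB, rg)


if __name__ == "__main__":
    for name in ("rg-playbooks", "rg-other"):
        found = check(rg=name)
        print(name, "->", found or "NOT granted: use Manage playbook permissions")
```

Replace SAMPLE_JSON with the real `az role assignment list --all -o json` output to audit a live subscription; the Owner assignment on the user in the sample is what the portal needs from you in order to grant the service account its role.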


Is it possible this documentation is not fully complete?

• Give Microsoft Sentinel permissions to run playbooks
Microsoft Sentinel uses a special service account to run incident-trigger playbooks manually or to call them from automation rules. The use of this account (as opposed to your user account) increases the security level of the service.
For an automation rule to run a playbook, this account must be granted explicit permissions to the resource group where the playbook resides. At that point, any automation rule can run any playbook in that resource group. To grant these permissions to this service account, your account must have Owner permissions to the resource groups containing the playbooks.


I have Owner on the resource group but still cannot select it in Sentinel to allow automation. I assume some additional Directory Reader role or subscription Reader role is needed??

You mean your runbooks are not showing in your automation rule while creating it?

They are showing but cannot be added; as you indicated in your first advice, you need to grant Sentinel the possibility to run playbooks. However, I cannot set this up. I am OWNER of the resource group where both Sentinel is and where the playbooks are, but when trying to select the resource group that contains the playbook, no resource group pops up. It seems OWNER rights are not sufficient and I need some permissions on a higher level (subscription)???

Grant yourself the Owner role on the resource group where your Sentinel instance is deployed.

I have Owner but cannot select; I think I need something on the subscription level as well.

You can test by having an Owner role on the subscription level; if your issue persists, I suggest you open a ticket with MS so they can check your subscription.

Hello, have you got the solution? Because I am also stuck in a similar scenario.

Unfortunately not. I used a workaround (contacted the subscription owner, who did a one-time setup of this value), but did not find a minimalistic answer. I would try some Reader role on the subscription so it can pull possible values for the dropdown.

Hello Marek, it requires re-sign-in after assigning the specific permission. I can see the resource groups after signing back in to the portal. It's strange, but it works in my case.