question

Tuxnader-3785 avatar image
0 Votes"
Tuxnader-3785 asked gabrielluiz answered

How to give Sentinel permissions to run playbooks

We are just starting to build out our Sentinel deployment. I've just created by first playbook which runs fine manually. I need to create an automation that will run the playbook. When I selected "run playbook" under actions in the automation there were no playbooks in the next drop down to select. As I understand it Sentinel needs permission to run playbooks which it does with the Azure Sentinel Automation Contributor role (??). I spoke with our admin and he said he did give the resource group permissions to the playbooks but when I check it lists the resource group but with "No permissions".

How do we give Sentinel the appropriate permissions that will allow automations to run playbooks? In all the documentation I've found it simply states that this is done with the Azure Sentinel Automation Contributor service role.

microsoft-sentinel
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

vipulsparsh-MSFT avatar image
0 Votes"
vipulsparsh-MSFT answered

@Tuxnader-3785 Thanks for reaching out and apologies for delay on this. In order to for Sentinel to run the Playbooks, Sentinel also needs permission on the resource group under which you have created the playbook. You can assign this permission from here :

82802-image.png


After clicking on Configure permission, it will list various Resource groups, you need to select the resource group where you have created the playbook.



If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.



image.png (139.7 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Tuxnader-3785 avatar image
0 Votes"
Tuxnader-3785 answered

Thank you for the response. I did work with our admin to add the Resource group where the playbooks are created but I still cannot assign any playbooks to automations. When I try and add a playbook to an automation the drop down doesn't even display any of the two playbooks we've created.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

YashMudaliar-2108 avatar image
3 Votes"
YashMudaliar-2108 answered YashMudaliar-2108 commented

Hi @Tuxnader-3785

The automation rule will only detect those playbooks who has 'Azure sentinel incident' related triggers and not the 'Azure sentinel alerts' related ones.
Try to create playbook with the the trigger 'When Azure Sentinel incident creation rule was triggered' and you will be able to see the playbook as an action in the automation rule.

Please let me know if this works for you.

Thanks,
Yash

· 3
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thank you. This is exactly the case. I just had a call with Microsoft and they cleared that up immediately. Thank you!

0 Votes 0 ·

I missed this reply somehow before I posted mine but I just tested it and it works. Thanks.

0 Votes 0 ·

Hi @SadikKaradag-8816 ,

If my comment was helpful, please upvote it.

0 Votes 0 ·
SadikKaradag-8816 avatar image
0 Votes"
SadikKaradag-8816 answered SteveIckes-8595 commented

Hi,

I have the same issue. I was assigned the resource group owner role and I have security admin role on all resource groups plus the Sentinel Contributer role. However, despise all of these roles I cannot see the playbooks on automation tab. I89206-image.png


above you can see the sentinel playbooks we have got. I can manage these playbooks. However, on the automation tab I see;

89241-image.png


Permission on allowed resource, which host all the sentinel playbooks.

However, when I try to add an automation rule I get the following error

89165-image.png



no playbooks visible


image.png (22.3 KiB)
image.png (11.2 KiB)
image.png (32.7 KiB)
· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

See Yash's reply above. This is exactly what was occurring in our case. Once I changed the playbook to incident instead of alert it worked perfectly.

1 Vote 1 ·

Hi @SadikKaradag-8816

Please follow my comment above and try it that way.
If this works, please promote it as an answer.

Thanks,
Yash

0 Votes 0 ·
gabrielluiz avatar image
0 Votes"
gabrielluiz answered
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.