question

AnandRMenon-2032 avatar image
0 Votes"
AnandRMenon-2032 asked AnandRMenon-2032 answered

"Analytics rule partially saved" issue on adding automation rule

In Azure Sentinel, I'm trying to add a new automation rule to an analytics rule wherein a playbook to send email notifications is triggered when a new incident related to the analytics rule is generated. But after successful validation of the analytics rule and saving it, the notification appears "Analytics rule partially saved". Then on checking the analytics rule again, the newly added automation rule is missing. Not sure if this is a bug or a configuration issue from my side. Please advise on this issue. The screenshots related to this have been attached.142111-automation-rule1.jpg142044-automation-rule2.jpg141978-automation-rule3.jpg


microsoft-sentinel
automation-rule1.jpg (78.1 KiB)
automation-rule2.jpg (52.9 KiB)
automation-rule3.jpg (5.9 KiB)
· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

shashishailaj avatar image shashishailaj ·

@AnandRMenon-2032 We are checking this internally and will update the thread.

1 Vote 1 ·

1 Answer

AnandRMenon-2032 avatar image
1 Vote"
AnandRMenon-2032 answered

@shashishailaj Thanks a lot for checking this out. I could resolve the issue by adding the roles 'Owner' and 'Logic app contributor' to my user in the resource group which contained the playbook I needed to run. Now the automation rules are getting saved properly.

Navigation :
1. Go to the Resource Group which contains the playbook.
2. Select Access Control(IAM) --> +Add --> Add Role Assignment
3. In 'Role' tab in 'Add Role Assignment' window, select 'Owner' role. Click Next.
4. In 'Members' tab, Assign access to 'User, group, or service principal'. Add the members who need to be assigned the role. Click Next.
5. Select Review+Assign.
6. Repeat the same for 'Logic app contributor' role.

Another point to check is if the playbook have permissions to be run by Azure Sentinel. To check this,
1. Go to Azure Sentinel -> Configuration -> Settings -> Playbook permissions -> Configure Permissions
2. Check 'Current permissions' tab to see if the resource group containing the playbook is listed. Else select the required resource groups in 'Browse' tab and select 'Apply'.

I have a suggestion here. Instead of displaying the "Analytics rule partially saved" notification at the end of saving the analytics rule, it would be great if the missing permissions are shown as notification/error while adding the playbooks in the 'Automated Response' Tab of the analytics rule. Thank you.








5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.