Does anyone know what needed permissions are in Azure for this?
What are you trying to do and I can see what I can find. I have been working on some Sentinel workflows myself.
I want to either run a saved query and process the results, or have the query generate a Sentinel Alert that I can pull the results from and process. I’m looking for something similar to the Splunk Query Action.
Haven’t had much luck tracking down permissions required. I will let you know what I find if I come across anything specific.
Hello - Anyone found the permissions required to have a new connection with Azure Sentinel?
We are required to use Sentinel Trigger - “Get New Incidents”.
As per the documentation, it is mentioned that we require a client ID and client secret, but the level of access is not specified. If you are already using it, please share the permissions or steps involved in using the Sentinel trigger.
This is what I found from the following Microsoft page: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/understanding-api-connections-for-your-microsoft-sentinel/ba-p/2593973
The Microsoft Sentinel connector can be used to trigger a playbook when an incident is created or with a manual trigger on the alert. The Microsoft Sentinel connector relies on the Microsoft Sentinel REST API and allows you to get incidents, update incidents, update watchlists, etc.
- Managed identity (Recommended)
- Service Principal
- User identity
- Microsoft Sentinel Reader role (if you only want to get information from an incident e.g., Get Entities)
- Microsoft Sentinel Operator role (if you want to update an incident); or
- Microsoft Sentinel Contributor role (if you want to make changes on your workspace e.g., update a watchlist).
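The following is an added example, not part of the thread or the Microsoft page quoted above. It takes the identity and role list from the post and turns it into a reviewable least-privilege grant: pick the narrowest role for what the playbook actually does (read, update, or workspace changes), then print the Azure CLI commands that assign it to the Logic App's system-assigned managed identity at the scope of the single Log Analytics workspace rather than the resource group or subscription. The role names are copied from the post, and the first emitted command checks them against the built-in roles actually present in your tenant before anything is assigned. All subscription, resource group, workspace and Logic App names are constructed placeholders; the script only prints the commands, it does not call `az` itself.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): map the playbook's action to the
# narrowest Sentinel role from the post and print the az CLI commands that
# grant it to the Logic App's managed identity at workspace scope only.
set -eu

# Role per action, as listed in the post above. The emitted plan verifies
# the exact built-in role names in the tenant before assigning anything.
sentinel_role_for() {
  case "$1" in
    read)      printf '%s\n' "Microsoft Sentinel Reader" ;;
    update)    printf '%s\n' "Microsoft Sentinel Operator" ;;
    workspace) printf '%s\n' "Microsoft Sentinel Contributor" ;;
    *)         printf 'unknown action: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Resource id of the Log Analytics workspace that backs Sentinel. Using it as
# the assignment scope keeps the grant off the resource group/subscription.
workspace_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.OperationalInsights/workspaces/%s\n' \
    "$1" "$2" "$3"
}

# Resource id of the Logic App whose system-assigned identity needs the role.
logic_app_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Logic/workflows/%s\n' \
    "$1" "$2" "$3"
}

# Emit (do not execute) the commands so the grant can be reviewed first.
print_grant_plan() {
  local action=$1 sub=$2 rg=$3 ws=$4 app=$5
  local role scope app_id
  role=$(sentinel_role_for "$action")
  scope=$(workspace_scope "$sub" "$rg" "$ws")
  app_id=$(logic_app_id "$sub" "$rg" "$app")
  cat <<EOF
# 1. Confirm the built-in Sentinel role names present in this tenant.
az role definition list --query "[?starts_with(roleName, 'Microsoft Sentinel')].roleName" -o tsv
# 2. Object id of the Logic App's system-assigned managed identity.
PID=\$(az resource show --ids "$app_id" --query identity.principalId -o tsv)
# 3. Grant '$role' at workspace scope only.
az role assignment create --assignee-object-id "\$PID" --assignee-principal-type ServicePrincipal --role "$role" --scope "$scope"
# 4. Verify the identity holds nothing broader than intended.
az role assignment list --assignee "\$PID" --all -o table
EOF
}

# Constructed placeholder values; replace with your own before running the
# printed commands. A "Get New Incidents" playbook that only reads needs Reader.
print_grant_plan read 00000000-0000-0000-0000-000000000000 rg-sentinel law-sentinel la-get-incidents
```

Run it, review the printed plan, and paste the commands into an `az login` session. If the trigger only reads incidents, stay on the `read` mapping; move to `update` or `workspace` only when the playbook actually writes back, and re-run step 4 afterwards to confirm the managed identity did not pick up a wider assignment elsewhere.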