Permissions for Azure Sentinel

Does anyone know what permissions are needed in Azure for this?

What are you trying to do? I can see what I can find. I have been working on some Sentinel workflows myself.

I want to either run a saved query and process the results, or have the query generate a Sentinel Alert, so that I can pull the results and process them. I’m looking for something similar to the Splunk Query Action.

Haven’t had much luck tracking down permissions required. I will let you know what I find if I come across anything specific.

Hello - has anyone found the permissions required to set up a new connection with Azure Sentinel?
We are required to use the Sentinel Trigger - “Get New Incidents”.
As per the documentation, it is mentioned that we require a client ID and client secret, but the level of access is not specified. If you are already using it, please share the permissions or the steps involved in using the Sentinel Trigger.

This is what I found on the following Microsoft page: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/understanding-api-connections-for-your-microsoft-sentinel/ba-p/2593973

Microsoft Sentinel

The Microsoft Sentinel connector can be used to trigger a playbook when an incident is created or with a manual trigger on the alert. The Microsoft Sentinel connector relies on the Microsoft Sentinel REST API and allows you to get incidents, update incidents, update watchlists, etc.

Connection options:

  • Managed identity (Recommended)
  • Service Principal
  • User identity

Other prerequisites:

  • Microsoft Sentinel Reader role (if you only want to get information from an incident e.g., Get Entities)
  • Microsoft Sentinel Operator role (if you want to update an incident); or
  • Microsoft Sentinel Contributor role (if you want to make changes on your workspace e.g., update a watchlist).
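One way to provision the client ID and client secret the “Get New Incidents” trigger asks for with the narrowest role from the Microsoft post quoted above, as an added example that is not from this thread or from Rapid7. It assumes the Azure CLI (`az`) is installed and logged in, uses Azure's current built-in role names (the role the quoted post calls “Operator” is “Microsoft Sentinel Responder” in Azure RBAC), and every ID and name in it is a constructed placeholder.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): least-privilege service principal for a
# Sentinel "read incidents" integration via the Azure CLI. Placeholders below.
set -eu
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-sentinel}"
WORKSPACE="${WORKSPACE:-law-sentinel}"
APP_NAME="${APP_NAME:-sp-sentinel-incident-reader}"

# ARM resource ID of the Log Analytics workspace Sentinel runs on. Binding the
# role here, not at subscription scope, limits the secret to this one workspace.
sentinel_workspace_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.OperationalInsights/workspaces/%s' \
    "$1" "$2" "$3"
}

# Least-privileged built-in role for what the integration does. A trigger that
# only polls incidents needs Reader; Responder/Contributor are for write paths.
sentinel_role_for() {
  case "$1" in
    read-incidents)   echo "Microsoft Sentinel Reader" ;;
    update-incidents) echo "Microsoft Sentinel Responder" ;;
    update-watchlist) echo "Microsoft Sentinel Contributor" ;;
    *) echo "unknown action: $1" >&2; return 1 ;;
  esac
}

# Create the app registration and service principal with the role bound at
# workspace scope. The JSON output carries appId (client ID) and password
# (client secret); store the secret in a vault, never in a ticket or wiki.
create_sentinel_reader_sp() {
  scope="$(sentinel_workspace_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$WORKSPACE")"
  role="$(sentinel_role_for read-incidents)"
  az ad sp create-for-rbac --name "$APP_NAME" --role "$role" --scopes "$scope" --output json
}

# List any assignment the principal holds outside the workspace scope. The
# expected result is an empty table; anything listed is excess privilege.
audit_sentinel_sp_scope() {
  app_id="$1"
  scope="$(sentinel_workspace_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$WORKSPACE")"
  az role assignment list --assignee "$app_id" --all \
    --query "[?scope != '${scope}'].{role:roleDefinitionName, scope:scope}" --output table
}

case "${1:-}" in
  create) create_sentinel_reader_sp ;;
  audit)  audit_sentinel_sp_scope "$2" ;;
esac
```

Run `sh script.sh create` once to obtain the credentials for the connector, then `sh script.sh audit <appId>` after any later role changes to confirm the principal still holds nothing beyond the workspace.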