Merge pull request #295597 from yelevin/patch-2

Added required roles/permissions

Author: prmerger-automator[bot]

articles/sentinel/create-incident-manually.md

@@ -54,6 +54,17 @@ There are three ways to create an incident manually:
 
 After onboarding Microsoft Sentinel to the Microsoft Defender portal, manually created incidents aren't synchronized with the Defender portal, though they can still be viewed and managed in Microsoft Sentinel in the Azure portal, and through Logic Apps and  the API.
 
+### Permissions
+
+The following roles and permissions are required to manually create an incident.
+
+| Method | Required role |
+| ------ | ------------- |
+| Azure portal and API | One of the following:<li>[Microsoft Sentinel Responder](/azure/role-based-access-control/built-in-roles/security#microsoft-sentinel-responder)<li>[Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles/security#microsoft-sentinel-contributor) |
+| Azure Logic Apps | One of the above, plus:<li>[Microsoft Sentinel Playbook Operator](/azure/role-based-access-control/built-in-roles/security#microsoft-sentinel-playbook-operator) to use an existing playbook<li>[Logic App Contributor](/azure/role-based-access-control/built-in-roles/integration#logic-app-contributor) to create a new playbook |
+
+Learn more about [roles in Microsoft Sentinel](roles.md).
+
 ### Create an incident using the Azure portal
 
 1. Select **Microsoft Sentinel** and choose your workspace.
@@ -103,7 +114,7 @@ After onboarding Microsoft Sentinel to the Microsoft Defender portal, manually c
 
 Select the incident in the queue to see its full details, add bookmarks, change its owner and status, and more.
 
-If for some reason you change your mind after the fact about creating the incident, you can [delete it](delete-incident.md) from the queue grid, or from within the incident itself.
+If for some reason you change your mind after the fact about creating the incident, you can [delete it](delete-incident.md) from the queue grid, or from within the incident itself. You must have the [Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles/security#microsoft-sentinel-contributor) role in order to delete an incident.
 
 ### Create an incident using Azure Logic Apps
 
@@ -176,5 +187,5 @@ Here's an example of what a request body might look like:
 For more information, see:
 - [Relate alerts to incidents in Microsoft Sentinel](relate-alerts-to-incidents.md)
 - [Delete incidents in Microsoft Sentinel](delete-incident.md)
-- [Investigate incidents with Microsoft Sentinel](investigate-cases.md)
-- [Create custom analytics rules to detect threats](detect-threats-custom.md)
+- [Navigate, triage, and manage Microsoft Sentinel incidents](incident-navigate-triage.md)
+- [Investigate Microsoft Sentinel incidents in depth](investigate-incidents.md)

articles/sentinel/delete-incident.md

@@ -26,7 +26,7 @@ The ability to create incidents from scratch in Microsoft Sentinel in the Azure
 - Faulty incidents were generated in bulk by a broken analytics rule.
 - The incident contains no data - alerts, entities, bookmarks, and so on.
 
-In all other cases, when an incident is no longer needed, it should be **closed**, not deleted. [Closing an incident](investigate-cases.md#close-an-incident) requires you to specify the reason for closing it, and allows you to add additional comments for context and clarification. Closing old incidents in this way preserves the transparency and integrity of your SOC, and also allows for the possibility of reopening the incident if the problem resurfaces.
+In all other cases, when an incident is no longer needed, it should be **closed**, not deleted. [Closing an incident](incident-navigate-triage.md#close-an-incident) requires you to specify the reason for closing it, and allows you to add additional comments for context and clarification. Closing old incidents in this way preserves the transparency and integrity of your SOC, and also allows for the possibility of reopening the incident if the problem resurfaces.
 
 
 
@@ -90,5 +90,5 @@ DELETE https://management.azure.com/subscriptions/{subscriptionId}/resourceGroup
 For more information, see:
 - [Create your own incidents manually in Microsoft Sentinel](create-incident-manually.md)
 - [Relate alerts to incidents in Microsoft Sentinel](relate-alerts-to-incidents.md)
-- [Investigate incidents with Microsoft Sentinel](investigate-cases.md)
-- [Create custom analytics rules to detect threats](detect-threats-custom.md)
+- [Navigate, triage, and manage Microsoft Sentinel incidents](incident-navigate-triage.md)
+- [Investigate Microsoft Sentinel incidents in depth](investigate-incidents.md)