Commit 503b5e3

Added required roles/permissions
1 parent 20f4c59 commit 503b5e3

1 file changed

+10
-1
lines changed

articles/sentinel/create-incident-manually.md

Lines changed: 10 additions & 1 deletion
@@ -54,6 +54,15 @@ There are three ways to create an incident manually:
5454

5555
After onboarding Microsoft Sentinel to the Microsoft Defender portal, manually created incidents aren't synchronized with the Defender portal, though they can still be viewed and managed in Microsoft Sentinel in the Azure portal, and through Logic Apps and the API.
5656

57+
### Permissions
58+
59+
The following roles and permissions are required to manually create an incident.
60+
61+
| Method | Required role |
62+
| ------ | ------------- |
63+
| Azure portal and API | One of the following:<li>[Microsoft Sentinel Responder](/azure/role-based-access-control/built-in-roles/security#microsoft-sentinel-responder)<li>[Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles/security#microsoft-sentinel-contributor) |
64+
| Azure Logic Apps | One of the above, plus:<li>[Microsoft Sentinel Playbook Operator](/azure/role-based-access-control/built-in-roles/security#microsoft-sentinel-playbook-operator) to use an existing playbook<li>[Logic App Contributor](/azure/role-based-access-control/built-in-roles/integration#logic-app-contributor) to create a new playbook |
65+
5766
### Create an incident using the Azure portal
5867

5968
1. Select **Microsoft Sentinel** and choose your workspace.
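Review bot: In the Azure Logic Apps row of the new table (new line 64), "One of the above" depends on the row order to tell the reader which roles are meant, and it stops making sense if the rows are reordered or the row is quoted on its own; name Microsoft Sentinel Responder and Microsoft Sentinel Contributor explicitly in that cell. The same two rows open each item with `<li>` but never wrap the items in `<ul>` or close them, so rendering is left to the Markdown processor's HTML repair; either close the tags or use `<br>`-separated entries. Since the first row accepts either of two roles, a short sentence on which one to assign when the user only needs to create incidents would help readers apply least privilege rather than defaulting to the broader role.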
@@ -103,7 +112,7 @@ After onboarding Microsoft Sentinel to the Microsoft Defender portal, manually c
103112

104113
Select the incident in the queue to see its full details, add bookmarks, change its owner and status, and more.
105114

106-
If for some reason you change your mind after the fact about creating the incident, you can [delete it](delete-incident.md) from the queue grid, or from within the incident itself.
115+
If for some reason you change your mind after the fact about creating the incident, you can [delete it](delete-incident.md) from the queue grid, or from within the incident itself. You must have the [Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles/security#microsoft-sentinel-contributor) role in order to delete an incident.
107116

108117
### Create an incident using Azure Logic Apps
109118
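Review bot: The delete requirement added at new line 115 appears only in the Azure portal procedure, while the Permissions table added earlier in this commit lists Microsoft Sentinel Responder as sufficient for creating an incident. A reader who assigns Responder based on the table will be able to create an incident and then find they cannot delete it. Consider adding the Contributor requirement for deletion to the Permissions section (a table row or a note under it) so all role requirements are stated in one place, and keep this sentence as a reminder. Minor style point on the same line: "in order to delete" can be shortened to "to delete".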
