Back to Operation

Microsoft Sentinel Responder

Azure Built-in Role

Role Information

Details and metadata

Role ID
3e150937-b8fe-4cfb-8069-0eaf05ecd056
Type
BuiltInRole
Last Updated (Azure)
2024-04-05 15:59:53

Change History

Track all modifications to this role

2024-04-05 15:59:53 Initial Scan
View details 
{
  "properties": {
    "roleName": "Microsoft Sentinel Responder",
    "type": "BuiltInRole",
    "description": "Microsoft Sentinel Responder",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.SecurityInsights/*/read",
          "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
          "Microsoft.SecurityInsights/automationRules/*",
          "Microsoft.SecurityInsights/cases/*",
          "Microsoft.SecurityInsights/incidents/*",
          "Microsoft.SecurityInsights/entities/runPlaybook/action",
          "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
          "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
          "Microsoft.SecurityInsights/threatIntelligence/bulkTag/action",
          "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
          "Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action",
          "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
          "Microsoft.SecurityInsights/businessApplicationAgents/systems/undoAction/action",
          "Microsoft.OperationalInsights/workspaces/analytics/query/action",
          "Microsoft.OperationalInsights/workspaces/*/read",
          "Microsoft.OperationalInsights/workspaces/dataSources/read",
          "Microsoft.OperationalInsights/workspaces/savedSearches/read",
          "Microsoft.OperationsManagement/solutions/read",
          "Microsoft.OperationalInsights/workspaces/query/read",
          "Microsoft.OperationalInsights/workspaces/query/*/read",
          "Microsoft.OperationalInsights/workspaces/dataSources/read",
          "Microsoft.OperationalInsights/querypacks/*/read",
          "Microsoft.Insights/workbooks/read",
          "Microsoft.Insights/myworkbooks/read",
          "Microsoft.Authorization/*/read",
          "Microsoft.Insights/alertRules/*",
          "Microsoft.Resources/deployments/*",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Support/*"
        ],
        "notActions": [
          "Microsoft.SecurityInsights/cases/*/Delete",
          "Microsoft.SecurityInsights/incidents/*/Delete",
          "Microsoft.SecurityInsights/ConfidentialWatchlists/*",
          "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ],
    "createdOn": "2019-08-28T16:54:07.646Z",
    "updatedOn": "2024-04-05T15:59:53.866Z",
    "createdBy": null,
    "updatedBy": null
  },
  "id": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "3e150937-b8fe-4cfb-8069-0eaf05ecd056"
}

Latest Role JSON

Raw definition from Azure

{
  "properties": {
    "roleName": "Microsoft Sentinel Responder",
    "type": "BuiltInRole",
    "description": "Microsoft Sentinel Responder",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.SecurityInsights/*/read",
          "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
          "Microsoft.SecurityInsights/automationRules/*",
          "Microsoft.SecurityInsights/cases/*",
          "Microsoft.SecurityInsights/incidents/*",
          "Microsoft.SecurityInsights/entities/runPlaybook/action",
          "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
          "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
          "Microsoft.SecurityInsights/threatIntelligence/bulkTag/action",
          "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
          "Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action",
          "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
          "Microsoft.SecurityInsights/businessApplicationAgents/systems/undoAction/action",
          "Microsoft.OperationalInsights/workspaces/analytics/query/action",
          "Microsoft.OperationalInsights/workspaces/*/read",
          "Microsoft.OperationalInsights/workspaces/dataSources/read",
          "Microsoft.OperationalInsights/workspaces/savedSearches/read",
          "Microsoft.OperationsManagement/solutions/read",
          "Microsoft.OperationalInsights/workspaces/query/read",
          "Microsoft.OperationalInsights/workspaces/query/*/read",
          "Microsoft.OperationalInsights/workspaces/dataSources/read",
          "Microsoft.OperationalInsights/querypacks/*/read",
          "Microsoft.Insights/workbooks/read",
          "Microsoft.Insights/myworkbooks/read",
          "Microsoft.Authorization/*/read",
          "Microsoft.Insights/alertRules/*",
          "Microsoft.Resources/deployments/*",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Support/*"
        ],
        "notActions": [
          "Microsoft.SecurityInsights/cases/*/Delete",
          "Microsoft.SecurityInsights/incidents/*/Delete",
          "Microsoft.SecurityInsights/ConfidentialWatchlists/*",
          "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ],
    "createdOn": "2019-08-28T16:54:07.646Z",
    "updatedOn": "2024-04-05T15:59:53.866Z",
    "createdBy": null,
    "updatedBy": null
  },
  "id": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "3e150937-b8fe-4cfb-8069-0eaf05ecd056"
}

Effective Permissions

Operations granted by this role (1022 total)

Permission Patterns (from role definition)

Actions 29 patterns
Microsoft.SecurityInsights/*/read Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action Microsoft.SecurityInsights/automationRules/* Microsoft.SecurityInsights/cases/* Microsoft.SecurityInsights/incidents/* Microsoft.SecurityInsights/entities/runPlaybook/action Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action Microsoft.SecurityInsights/threatIntelligence/indicators/query/action Microsoft.SecurityInsights/threatIntelligence/bulkTag/action Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action Microsoft.SecurityInsights/businessApplicationAgents/systems/undoAction/action Microsoft.OperationalInsights/workspaces/analytics/query/action Microsoft.OperationalInsights/workspaces/*/read Microsoft.OperationalInsights/workspaces/dataSources/read Microsoft.OperationalInsights/workspaces/savedSearches/read Microsoft.OperationsManagement/solutions/read Microsoft.OperationalInsights/workspaces/query/read Microsoft.OperationalInsights/workspaces/query/*/read Microsoft.OperationalInsights/workspaces/dataSources/read Microsoft.OperationalInsights/querypacks/*/read Microsoft.Insights/workbooks/read Microsoft.Insights/myworkbooks/read Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/*
NotActions (excluded)
Microsoft.SecurityInsights/cases/*/Delete Microsoft.SecurityInsights/incidents/*/Delete Microsoft.SecurityInsights/ConfidentialWatchlists/* Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*

Control Plane Operations (1022)

Data Plane Operations (0)

No data plane operations granted