Permission required to reopen matching incident.

syafiq 0 Reputation points
2024-11-29T07:34:15.54+00:00

Hello, I am configuring Analytic Rules in Sentinel and I am trying to perform alert grouping. From my understanding, the alert will only group on an open incident. To add alerts into a closed incident, I must have the option “Re-open closed matching incidents”.

However, the option is currently greyed out for me. I checked that I have the Security Administrator role and that the Sentinel workspace is not connected to Microsoft Defender. What permission am I missing to enable that option?

Microsoft Sentinel

1 answer

  1. Givary-MSFT 34,111 Reputation points Microsoft Employee
    2024-12-02T05:41:25.5866667+00:00

    @syafiq Thank you for reaching out to us. Review the RBAC permissions defined here: Microsoft Sentinel roles, permissions, and allowed actions. As per this table, the Microsoft Sentinel Responder and Microsoft Sentinel Contributor roles should help to achieve the above-mentioned ask.

    Reference: https://learn.microsoft.com/en-us/azure/sentinel/roles#role-and-permissions-recommendations:~:text=Microsoft%20Sentinel%20experience.-,Role%20and%20permissions%20recommendations,-After%20understanding%20how

    Let me know if you have any further questions; feel free to post back.
