Required API permissions

Background

Some skills run in autonomous mode with credentials the customer provides (basic, API key, or application authentication). For these skills to run successfully and correctly, the customer may need to enable specific permissions in the tool for the identity we authenticate as. This is mostly relevant to API key and application credentials, where our goal is to use API calls to fetch the same data available in the browser version of the skill.

This file lists the permissions we have already mapped as required for specific skills.

Note: The list of required permissions for each tool may change over time as the browser page the skill opens changes, and new permissions may become required if more types of data are added to the page. Use it as a basis when asking customers for permissions, but revalidate it each time to ensure it is up to date.

Microsoft Defender

Note: Microsoft Graph permissions for the Entra application must be granted as 'application' permissions, not 'delegated'.

Advanced Hunting

  • ThreatHunting.Read.All

Extract incident data

  • SecurityAlert.Read.All
  • SecurityIncident.Read.All

Extract incident alerts

  • SecurityAlert.Read.All
  • SecurityIncident.Read.All

Extract alert details

  • SecurityAlert.Read.All
  • SecurityIncident.Read.All
  • ThreatHunting.Read.All

Microsoft Entra

Note: Microsoft Graph permissions for the Entra application must be granted as 'application' permissions, not 'delegated'.

Extract host details

  • Device.Read.All
  • Group.Read.All

Extract user details

  • User.Read.All
  • Group.Read.All
  • UserAuthenticationMethod.Read.All
  • Device.Read.All

Extract user audit logs

  • AuditLog.Read.All

Extract user sign in logs

  • AuditLog.Read.All
  • Policy.Read.ConditionalAccess

Extract risk detections

  • IdentityRiskEvent.Read.All

Extract risky sign in details

  • User.Read.All
  • IdentityRiskEvent.Read.All
  • IdentityRiskyUser.Read.All
  • AuditLog.Read.All
  • Policy.Read.ConditionalAccess

Extract risky user details

  • User.Read.All
  • IdentityRiskEvent.Read.All
  • IdentityRiskyUser.Read.All

Revoke user sessions

  • User.RevokeSessions.All

Update user risk state

  • IdentityRiskyUser.ReadWrite.All
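
One way to revalidate the Microsoft Graph grants listed above before enabling a skill is to inspect an access token issued to the Entra application. This is an added example, not code from this product. It relies on the Entra ID token format, where application permissions appear in the `roles` claim and delegated scopes in `scp`; the function names and the sample token are constructed for illustration, and only a subset of the skills on this page is included.

```python
import base64
import json

# Subset of this page's skill-to-permission mapping (Microsoft Graph skills only).
REQUIRED = {
    "Advanced Hunting": {"ThreatHunting.Read.All"},
    "Extract user sign in logs": {"AuditLog.Read.All", "Policy.Read.ConditionalAccess"},
    "Revoke user sessions": {"User.RevokeSessions.All"},
}


def token_claims(jwt: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_skills(jwt: str, skills: list[str]) -> dict:
    """Compare the token's granted permissions with what the listed skills need."""
    claims = token_claims(jwt)
    app_roles = set(claims.get("roles", []))        # application permissions
    delegated = set(claims.get("scp", "").split())  # delegated scopes
    needed = set().union(*(REQUIRED[s] for s in skills))
    return {
        "missing": sorted(needed - app_roles),
        # Needed permission present only as a delegated scope: wrong grant mode.
        "delegated_only": sorted((needed - app_roles) & delegated),
        # Granted but not needed by the selected skills: least-privilege review.
        "unneeded": sorted(app_roles - needed),
    }


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


if __name__ == "__main__":
    sample = make_sample_token({  # constructed claims, not a real tenant's token
        "roles": ["ThreatHunting.Read.All", "AuditLog.Read.All", "Directory.ReadWrite.All"],
        "scp": "Policy.Read.ConditionalAccess",
    })
    print(check_skills(sample, ["Advanced Hunting", "Extract user sign in logs"]))
```

A non-empty `delegated_only` list means the permission was granted in delegated mode and must be granted again as an application permission; `unneeded` entries are candidates for removal from the application.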

Microsoft Sentinel

Note: Sentinel roles are granted from the Sentinel workspace settings.

Extract incident details

  • Microsoft Sentinel Reader (Role)

Add comment to incident

  • Microsoft Sentinel Contributor (Role)

Microsoft SharePoint

Note: Microsoft Graph permissions for the Entra application must be granted as 'application' permissions, not 'delegated'.

Upload file

  • Sites.Read.All
  • Files.ReadWrite.All

Google SecOps (Chronicle)

Extract case details

  • VIEW_INCIDENTS
  • VIEW_CASES

Close case

  • EDIT_INCIDENTS
  • EDIT_CASES

Assign case to analyst

  • EDIT_INCIDENTS
  • EDIT_CASES

WIZ

Extract threat details

  • read:detections
  • read:threat_issues
  • read:threats

Cloud Events

  • read:cloud_events_cloud
  • read:cloud_events_sensor
  • read:security_scans