GCP-DisableServiceAccountFromTeams

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Content Index

When a new sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Sends an adaptive card to the Teams channel where the analyst can choose an action to be taken. 2. Disables Service Account depen

Attribute Value
Type Playbook
Solution GoogleCloudPlatformIAM
Source View on GitHub

Additional Documentation

📄 Source: GCP-DisableServiceAccountFromTeams/readme.md

Summary

When a new sentinel incident is created, this playbook gets triggered and performs the following actions:

  1. Sends an adaptive card to the Teams channel where the analyst can choose an action to be taken.


  1. Disables Service Account depending on the action chosen in the adaptive card.
  2. Changes incident status and severity depending on the action chosen in the adaptive card.
  3. Adds comment to the incident with information about the actions taken.


Prerequisites

  1. Prior to the deployment of this playbook, GoogleCloudPlatformIAM Connector needs to be deployed under the same subscription.
  2. GCP credentials are required. Refer to the GoogleCloudPlatformIAM Custom Connector documentation.

Deployment instructions

  1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
  2. Fill in the required paramteres:
    • Playbook Name: Enter the playbook name here
    • Teams Group Id: Id of the Teams Group where the adaptive card will be posted
    • Teams Channel Id: Id of the Teams Channel where the adaptive card will be posted

Deploy to Azure Deploy to Azure

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, authorize each connection.

  1. Click the Microsoft Sentinel connection resource
  2. Click edit API connection
  3. Click Authorize
  4. Sign in
  5. Click Save
  6. Repeat steps for other connections

b. Configurations in Sentinel

  1. In Microsoft sentinel, analytical rules should be configured to trigger an incident. An incident should have the gcp_project_id and gcp_service_account custom entities. Check the documentation to learn more about adding custom entities to incidents.
  2. Configure the automation rules to trigger the playbook.

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Playbooks · Back to GoogleCloudPlatformIAM