Google Directory - Sign Out User
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets users from the incident. 2. Signs out users. 3. Adds comment to the incident about signed out users.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | GoogleDirectory |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 3 |
GoogleDirectory |
Custom | 1 | 1 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Entities_-_Get_Accounts | post | /entities/account |
— |
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Add_comment_to_incident_(V3)_2 | post | /Incidents/Comment |
— |
GoogleDirectory (Custom)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Sign_Out_User | post | /admin/directory/v1/users/@{encodeURIComponent(outputs('get_user_email'))}/signOut |
— |
Additional Documentation
📄 Source: Playbooks/Google-SignOutUser/readme.md
Google-SignOutUser
Summary
Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions:
- Gets users from the incident.
- Signs out users.
- Adds comment to the incident about signed out users.
Prerequisites
- Google Directory Custom API Connector has to be deployed prior to the deployment of this playbook under the same subscription.
- Google Directory API credentials are required. Refer to the Google Directory Custom Connector documentation.
Deployment instructions
- To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
- Fill in the required paramteres:
- Playbook Name: Enter the playbook name here
- Google Directory Connector Name: Logic App Connector Name
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, authorize each connection.
- Click the Azure Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for GoogleDirectory connector API Connection.
b. Configurations in Sentinel
- In Microsoft sentinel, analytical rules should be configured to trigger an incident that contains Accounts. In the Entity maping section of the analytics rule creation workflow, user email should be mapped to FullName identitfier of the Account entity type. Check the documentation to learn more about mapping entities.
- Configure the automation rules to trigger the playbook. Check the documentation to learn more about automation rules.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊