Google Directory - Suspend User

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Content Index

Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets users from the incident. 2. Sends an adaptive card to the Teams channel where the analyst can choose users to suspend. 3. Suspends users. 4. Adds comment to the incident about suspended users.

Attribute Value
Type Playbook
Solution GoogleDirectory
Source View on GitHub

⚠️ Not listed in Solution JSON: This content item was discovered by scanning the solution folder but is not included in the official Solution JSON file. It may be a legacy item, under development, or excluded from the official solution package.

Additional Documentation

📄 Source: Playbooks/Google-SuspendUser/readme.md

Google-SuspendUser

## Summary Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets users from the incident. 2. Sends an adaptive card to the Teams channel where the analyst can choose users to suspend. 3. Suspends users. 4. Adds comment to the incident about suspended users.


Prerequisites

  1. Google Directory Custom API Connector has to be deployed prior to the deployment of this playbook under the same subscription.
  2. Google Directory API credentials are required. Refer to the Google Directory Custom Connector documentation.

Deployment instructions

  1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
  2. Fill in the required paramteres:
    • Playbook Name: Enter the playbook name here
    • Teams Group Id: Id of the Teams Group where the adaptive card will be posted
    • Teams Channel Id: Id of the Teams Channel where the adaptive card will be posted
    • Google Directory Connector Name: Logic App Connector Name

Deploy to Azure Deploy to Azure

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, authorize each connection. 1. Click the Azure Sentinel connection resource 2. Click edit API connection 3. Click Authorize 4. Sign in 5. Click Save 6. Repeat steps for GoogleDirectory and Teams connections.

b. Configurations in Sentinel

  1. In Microsoft sentinel, analytical rules should be configured to trigger an incident that contains Accounts. In the Entity maping section of the analytics rule creation workflow, user email should be mapped to FullName identitfier of the Account entity type. Check the documentation to learn more about mapping entities.
  2. Configure the automation rules to trigger the playbook. Check the documentation to learn more about automation rules.

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Playbooks · Back to GoogleDirectory