Lookout-DeviceCompliance-Remediation
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
When a device compliance or security posture degradation incident is created in Microsoft Sentinel by Lookout, this playbook enriches the incident with a detailed comment covering compliance status, device details, MDM integration context, and recommended remediation steps for the analyst.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Lookout |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 1 Logic App connector / built-in action:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 3 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Entities_-_Get_Accounts | post | /entities/account |
— |
| Entities_-_Get_Hosts | post | /entities/host |
— |
| Add_compliance_incident_comment | post | /Incidents/Comment |
— |
Additional Documentation
Overview
This playbook triggers automatically when Microsoft Sentinel creates an incident from the Lookout - Device Compliance and Security Status Changes (v2) analytic rule. It performs three automated actions:
- SOC Notification — Posts a Teams message to the SOC channel with full compliance context: security posture, compliance status, compliance reason, risk score, device platform, MDM integration status, and a link to the Sentinel incident.
- Device Owner Remediation Email — Sends a clear, step-by-step remediation email to the device owner guiding them through restoring compliance: update the OS, ensure Lookout for Work is updated, resolve active threats in the Lookout app, and re-check in. Includes information about corporate resource access impact.
- Incident Enrichment — Adds a structured comment to the incident with full device posture details, MDM integration status, Lookout SDK version, and recommended analyst next steps based on the compliance reason (e.g., no recent check-in may indicate a lost device).
Analytic Rules Supported
| Rule | Severity |
|---|---|
| Lookout - Device Compliance and Security Status Changes (v2) | Medium |
Prerequisites
- A Microsoft Teams team and channel configured for SOC security alerts.
- A Microsoft 365 / Office 365 account authorized to send email.
- The playbook managed identity must be granted the Microsoft Sentinel Responder role on the Log Analytics workspace.
Deployment
Deployment Parameters
| Parameter | Required | Description |
|---|---|---|
| PlaybookName | No | Name of the Logic App (default: Lookout-DeviceCompliance-Remediation) |
| TeamsGroupId | Yes | Microsoft Teams Group (Team) ID for SOC notifications |
| TeamsChannelId | Yes | Microsoft Teams Channel ID for SOC notifications |
Finding your Teams IDs: In Microsoft Teams, right-click the channel → Get link to channel. The URL contains both groupId and the channel ID.
Post-Deployment Configuration
Step 1 — Authorize API Connections
After deployment, navigate to the resource group in the Azure portal and authorize the API connections:
- Open the teams-Lookout-DeviceCompliance-Remediation connection → Edit API connection → Authorize → Save.
- Open the office365-Lookout-DeviceCompliance-Remediation connection → Edit API connection → Authorize → Save.
Step 2 — Assign Sentinel Responder Role
- Navigate to your Microsoft Sentinel workspace → Settings → Workspace settings.
- Select Access control (IAM) → Add role assignment.
- Role: Microsoft Sentinel Responder.
- Assign to: the Logic App's managed identity (
Lookout-DeviceCompliance-Remediation).
Step 3 — Create Automation Rule
- In Microsoft Sentinel, go to Automation → + Create → Automation rule.
- Configure:
- Trigger: When incident is created
- Conditions: Analytics rule name — Contains —
Lookout - Device Compliance and Security Status - Actions: Run playbook →
Lookout-DeviceCompliance-Remediation
- Save the automation rule.
Permissions Summary
| Connection | Auth Method | Permission Required |
|---|---|---|
| Microsoft Sentinel | Managed Identity | Microsoft Sentinel Responder |
| Microsoft Teams | User Account | Channel Post Messages |
| Office 365 | User Account | Send Email |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊