Identity Protection response from Teams
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
Run this playbook on incidents which contains suspicious Microsoft Entra ID identities. For each account, this playbook posts an adaptive card in the SOC Microsoft Teams channel, including the potential risky user information given by Microsoft Entra ID Identity Protection. The card offers to confirm the user as compromised or dismiss the compromised user in Microsoft Entra ID Protection. It also allows to configure the Microsoft Sentinel incident. A summary comment will be posted to document th
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Microsoft Entra ID Protection |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 4 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuread |
Managed | 1 | 1 |
azureadip |
Managed | 1 | 5 |
azuresentinel |
Managed | 1 | 5 |
teams |
Managed | 1 | 0 |
Action parameters (URLs, paths, function IDs)
azuread (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_user | get | /v1.0/users/@{encodeURIComponent(concat(string(item()?['Name']), '@', string(item()?['UPNSuffix'])))} |
— |
azureadip (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_risky_user | get | /beta/riskyUsers/@{encodeURIComponent(body('Get_user')?['id'])} |
— |
| Confirm_a_risky_user_as_compromised | post | /beta/riskyUsers/confirmCompromised |
— |
| Get_risky_user_2 | get | /beta/riskyUsers/@{encodeURIComponent(body('Get_risky_user')?['id'])} |
— |
| Dismiss_a_risky_user | post | /beta/riskyUsers/dismiss |
— |
| Get_risky_user_3 | get | /beta/riskyUsers/@{encodeURIComponent(body('Get_risky_user')?['id'])} |
— |
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Entities_-_Get_Accounts | post | /entities/account |
— |
| Update_incident_2 | put | /Incidents |
— |
| Update_incident | put | /Incidents |
— |
| Add_comment_to_incident_(V3)_2 | post | /Incidents/Comment |
— |
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
Additional Documentation
Identity Protection - Response from Teams
Author
Lior Tamir, Rahul Kumar
Summary
This playbook is designed to run on incidents containing suspicious Microsoft Entra ID identities. When a new incident is created, the playbook iterates over the accounts and posts an adaptive card in the SOC Microsoft Teams channel. The card includes potential risky user information provided by Microsoft Entra ID Protection and offers options to confirm the user as compromised or dismiss the compromised user in Microsoft Entra ID Protection. Additionally, it allows configuration of the Microsoft Sentinel incident. A summary comment is posted to document the action taken and user information.
For more details, visit the Microsoft Entra ID Protection documentation.
Prerequisites
- Microsoft Entra ID Premium P2 License: Required for Entra ID Protection.
- Permissions on Entra ID Identity Protection API: Ensure the user has the necessary permissions to authorize Playbook connections. Learn more
- Microsoft Teams Team Group Id and Channel ID: Steps to Obtain
- (Optional) Policies: Create policies in Microsoft Entra ID Identity Protection to run when users are confirmed as compromised. Learn more.
Deployment
Quick Deployment
Post Deployment Instructions
Authorize Connections:
- Navigate to the Microsoft Sentinel connection resource in the Azure portal.
- Click "Edit API connection".
- Click "Authorize" and sign in.
- Click "Save".
- Repeat these steps for all connections.
Assign Microsoft Sentinel Responder Role:
- Assign the Microsoft Sentinel Responder role to the playbook's managed identity:
- Select the playbook resource in the Azure portal.
- In the left menu, click "Identity".
- Under "Permissions", click "Azure role assignments".
- Click "Add role assignment".
- Use the drop-down lists to select the resource group containing your Sentinel Workspace.
- In the "Role" drop-down list, select "Microsoft Sentinel Responder".
- Click "Save" to assign the role.
- Assign the Microsoft Sentinel Responder role to the playbook's managed identity:
Attach Playbook to Automation Rule:
- Create an automation rule in Microsoft Sentinel to run the playbook automatically:
- In Microsoft Sentinel, go to "Automation > Automation rules".
- Click "+ Add new" to create a new automation rule.
- Set the rule conditions (e.g., when an alert/incident is created, or based on alert/incident details).
- In the "Actions" section, select "Run playbook" and choose your playbook.
- Save the automation rule.
- Create an automation rule in Microsoft Sentinel to run the playbook automatically:
Steps to Obtain Microsoft Teams Group ID and Channel ID
Obtain the Group ID:
- Open Microsoft Teams and navigate to the desired team.
- Click on the three dots (ellipsis) next to the team name and select "Manage team".
- In the browser, open the Microsoft Graph Explorer tool: Graph Explorer.
- Run the following query to list all teams:
GET https://graph.microsoft.com/v1.0/me/joinedTeams - Locate the desired team in the response and copy its
idfield. This is the Group ID.
Obtain the Channel ID:
- Navigate to the desired channel within the team.
- Click on the three dots (ellipsis) next to the channel name and select "Get link to channel".
- Copy the URL provided. It will look like:
https://teams.microsoft.com/l/channel/<ChannelID>/<ChannelName>?groupId=<GroupID>&tenantId=<TenantID> - Extract the
<ChannelID>from the URL. This is the Channel ID.
Ensure you have the necessary permissions to access Microsoft Graph API and Teams resources.
Screenshots
Overall
Card Sent by Microsoft Teams Bot
[Content truncated...]
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊