AS-IAM-Master-Playbook



This playbook is intended to be run from a Microsoft Sentinel incident that contains account and/or IP entities. It takes the incident's IP and account entities and runs four separate nested playbooks that indicate compromise and revoke access in Okta and Microsoft Entra ID.

Attribute   Value
Type        Playbook
Solution    Standalone Content
Source      View on GitHub

Logic App Connectors

This playbook uses 2 Logic App connectors / built-in actions:

Connector / Action   Type       Connections   Actions
azuresentinel        Managed    1             2
workflow             Built-in   0             4
Action parameters (URLs, paths, function IDs)

azuresentinel (Managed)

Action                    Method   Endpoint            Other
Entities_-_Get_Accounts   post     /entities/account
Entities_-_Get_IPs        post     /entities/ip

workflow (Built-in)

Action   Other (nested workflow parameters; no Method or Endpoint for built-in workflow actions)

AS-IP-Blocklist-HTTP
  workflowId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('FirstNestedPlaybook'))]
  triggerName=manual

AS-Microsoft-Entra-ID-Revoke-User-Sessions-HTTP
  workflowId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('SecondNestedPlaybook'))]
  triggerName=manual

AS-Okta-NetworkZoneUpdate-HTTP
  workflowId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('ThirdNestedPlaybook'))]
  triggerName=manual

AS-Okta-Terminate-User-Sessions-HTTP
  workflowId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('FourthNestedPlaybook'))]
  triggerName=manual
