AS-Revoke-Entra-ID-User-Session-From-Incident
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
↑ Back to Content Index
This playbook is intended to be run from a Microsoft Sentinel Incident. It will look up Entra ID users associated with the incident account entities and revoke their sessions. A comment noting the affected users will be added to the Incident.
| Attribute |
Value |
| Type |
Playbook |
| Solution |
Standalone Content |
| Source |
View on GitHub |
Logic App Connectors
This playbook uses 3 Logic App connectors / built-in actions:
Action parameters (URLs, paths, function IDs)
| Action |
Method |
Endpoint |
Other |
| Add_comment_to_incident_(V3) |
post |
/Incidents/Comment |
— |
| Entities_-_Get_Accounts |
post |
/entities/account |
— |
| Action |
Method |
Endpoint |
Other |
| Get_Client_Secret |
get |
[concat('/secrets/@{encodeURIComponent(''', parameters('KeyVaultSecretName'), ''')}/value')] |
— |
http (Built-in)
| Action |
Method |
Endpoint |
Other |
| HTTP_-_Revoke_user_sign_in_sessions |
POST |
https://graph.microsoft.com/v1.0/users/@{variables('UPN')}/revokeSignInSessions |
— |
| HTTP_-_Authenticate |
POST |
[concat('https://login.microsoftonline.com/', subscription().tenantId, '/oauth2/v2.0/token')] |
— |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
↑ Back to Playbooks