Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
Run this playbook on incidents which contains suspiciouse AAD identities. For each account, this playbook posts an adaptive card in the SOC Microsoft Teams channel, including the potential risky user information given by Azure AD Identity Protection. The card offers to confirm the user as compromised or dismiss the compromised user in AADIP. It also allows to configure the Azure Sentinel incident. A summary comment will be posted to document the action taken and user information. [Learn more abo
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Standalone Content |
| Source | View on GitHub |
This playbook uses 3 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azureadip |
Managed | 1 | 5 |
azuresentinel |
Managed | 1 | 5 |
teams |
Managed | 1 | 0 |
azureadip (Managed)| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_risky_user | get | /beta/riskyUsers/@{encodeURIComponent(items('For_each')?['AadUserId'])} |
— |
| Confirm_a_risky_user_as_compromised | post | /beta/riskyUsers/confirmCompromised |
— |
| Get_risky_user_2 | get | /beta/riskyUsers/@{encodeURIComponent(items('For_each')?['AadUserId'])} |
— |
| Dismiss_a_risky_user | post | /beta/riskyUsers/dismiss |
— |
| Get_risky_user_3 | get | /beta/riskyUsers/@{encodeURIComponent(items('For_each')?['AadUserId'])} |
— |
azuresentinel (Managed)| Action | Method | Endpoint | Other |
|---|---|---|---|
| Entities_-_Get_Accounts | post | /entities/account |
— |
| Update_incident_2 | put | /Incidents |
— |
| Update_incident | put | /Incidents |
— |
| Add_comment_to_incident_(V3)_2 | post | /Incidents/Comment |
— |
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊