KBraun94
Apr 26, 2024, Copper Contributor
Sentinel Playbook: Lock suspicious User Account
Hello together,
I hope somebody had the same use case.
In Sentinel I would like to run a playbook which locks a user in Azure (cloud) and on-prem (AD) after an analytic rule has triggered / found suspicious activity.
Best regards
Kevin
2 Replies
- gsingh_ Copper Contributor
Hi,
You can also revoke the user session using this new way using a logic app:
https://techcommunity.microsoft.com/t5/azure-integration-services-blog/using-logic-app-to-revoke-sign-in-session-via-rest-api/ba-p/4111949
- Clive_Watson Bronze Contributor
Hello,
There is a block user (Entra) example https://github.com/Azure/Azure-Sentinel/tree/3a2c56770d6dcf43028d34c90ae5d00a92200942/Solutions/Microsoft%20Entra%20ID/Playbooks
Here is another example: https://github.com/Azure/Azure-Sentinel/tree/3a2c56770d6dcf43028d34c90ae5d00a92200942/Playbooks/Block-OnPremADUser
Searching for keywords like "lock" in GitHub may help you find more, for example: https://github.com/search?q=repo%3AAzure%2FAzure-Sentinel%20lock&type=code