Azure Active Directory Identity Protection Playbook?


I have the Azure AD IP enabled on some of our tenants.

I was wondering if it's possible to have a playbook run on these types of alerts?

3 Replies

@leoszalkowski If you are referring to adding a Playbook to the "Create incidents based on Azure Active Directory Identity Protection" alert rule created from the template with the same name, then no, it is not possible.

It is rumored to be on Microsoft's radar to get this working, but you will probably be better off handling those alerts, and others that fall under the Microsoft Security rule type, in the originating system, at least for now.

Are there any updates on this feature being added?

It is currently the 7th highest idea on the UserVoice site but no comments on it from Microsoft.