Azure Active Directory Identity Protection Playbook?


I have the Azure AD IP enabled on some of our tenants.

I was wondering if it's possible to have a playbook run on these types of alerts?

3 Replies

@leoszalkowski If you are referring to adding a Playbook to the "Create incidents based on Azure Active Directory Identity Protection" alert rule created from the template with the same name, then no, it is not possible.

It is rumored to be on Microsoft's radar to get this working, but you will probably be better off handling those alerts, and others that fall under the Microsoft Security rule type, in the originating system, at least for now.

Are there any updates on this feature being added?

It is currently the 7th highest idea in the UserVoice site but no comments on it from Microsoft.