Mar 09 2020 09:49 PM
Hi,
I am creating some playbooks and would like to include an action where the user involved in the alert is blocked. I thought this was possible using Sentinel playbooks based on the image in this tutorial.
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook
I cannot find that action under Azure AD in the connector section. Is this some sort of custom action?
Any help would be greatly appreciated.
Mar 09 2020 10:18 PM - edited Mar 10 2020 05:26 AM
Hi
Have you seen this playbook?
https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUser
You can deploy it in your own environment.
Mar 10 2020 05:17 AM
@Thijs Lecomte Good catch. This specific Playbook is located here: https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUser
You can use that as a template to determine how that step is accomplished or just use it as is.
Mar 10 2020 05:17 AM
@Thijs Lecomte Was there supposed to be a link or attachment in your reply?
Mar 10 2020 05:25 AM