"Block user in Azure AD" playbook action

Hi,

I am creating some playbooks and would like to include an action where the user involved in the alert is blocked. I thought this was possible using Sentinel playbooks based on the image in this tutorial.
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook
[Image: Sentinel_Block_User.png]

I cannot find that action under Azure AD in the connector section. Is this some sort of custom action?
Any help would be greatly appreciated.

4 Replies

Hi

Have you seen this playbook?

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUser
You can deploy it in your own environment.

@Thijs Lecomte Good catch. This specific Playbook is located here: https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUser

You can use that as a template to determine how that step is accomplished or just use it as is.

@Thijs Lecomte Was there supposed to be a link or attachment in your reply?

Yes indeed. @rodtrent got the right one :)