Sep 14 2020 07:28 PM
Hi, I have deployed this playbook (https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUser) to disable an Azure AD user. I have attached this playbook to one of the Analytics rules. The playbook triggers, but the action that gets the accounts related to the alert, "Alert - Get accounts", does not return anything. I am unable to update the user account. Is there anyone who uses this playbook or any other playbook to disable an AAD user account? Please advise, thanks.
Sep 15 2020 05:03 AM
@s4secure Did you check to make sure the entities you are passing in include an account?
BTW, I cannot access the link you pasted for some reason, just get a 404.
Sep 15 2020 08:19 AM
@Gary Bushey His link includes the parentheses at the end which is why you can't access it.
Just make sure that your Analytics Rule actually does produce user accounts as Entities.
BTW: As a best practice, blocking an AAD user is generally something you want to do as part of the investigation. That's a dangerous action to apply to an Analytics Rule. You could lock out the wrong person, or if the logic for the Analytics rule is wrong, lock out your entire domain. Be careful!
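An added example, not from this thread and not from the Azure-Sentinel repository: a scheduled Analytics Rule query that populates an account entity, which is what the playbook's "Alert - Get accounts" action reads. At the time of this thread, scheduled rules mapped entities by extending columns with reserved names such as `AccountCustomEntity` and `IPCustomEntity`; if the rule's query does not produce these, the alert carries no account entity and the Get accounts action returns an empty list. The detection itself (failed sign-ins per user), the threshold, the window and the excluded-accounts list are hypothetical and only there to make the mapping concrete; the exclusion list illustrates the caveat above about never auto-disabling break-glass or service accounts.

```kql
// Added example (not from the thread or the Azure-Sentinel repo): scheduled
// Analytics Rule query with entity mapping so that a playbook's
// "Alert - Get accounts" action receives an account entity.
// The window, threshold and excluded accounts are hypothetical values.
let lookback = 1h;
let threshold = 10;
// Hypothetical break-glass / service accounts that must never be auto-disabled.
let excludedAccounts = dynamic(["breakglass@example.com", "svc-backup@example.com"]);
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"                        // "0" is a successful sign-in; keep failures
| where isnotempty(UserPrincipalName)
| where UserPrincipalName !in~ (excludedAccounts) // do not feed protected accounts to the playbook
| summarize FailedCount  = count(),
            SourceIPs    = make_set(IPAddress, 20),
            FirstFailure = min(TimeGenerated),
            LastFailure  = max(TimeGenerated)
    by UserPrincipalName
| where FailedCount >= threshold
// Entity mapping: without these columns the alert has no Account entity and
// "Alert - Get accounts" in the Logic App returns nothing.
| extend AccountCustomEntity = UserPrincipalName
| extend IPCustomEntity      = tostring(SourceIPs[0])
```

After saving the rule, open one of the alerts it generates and confirm that the Entities section lists an Account before wiring up the playbook; if it is empty, the playbook will keep failing regardless of its own logic. Newer versions of the rule wizard expose entity mapping as a separate configuration section instead of the reserved column names, but the requirement is the same: the rule must emit an account entity for a user-blocking playbook to have anything to act on.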