Sentinel Playbook "Alert - Get account" action does not return any account related to Alert


Hi, I have deployed this playbook (https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUser) to disable an Azure AD user. I have attached this playbook to one of the Analytics rules. The playbook triggers, but there is an action to get the account related to the alert, "Alert - Get accounts", and it does not return anything. I am unable to update the user account. Is there anyone who uses this playbook or any other playbook to disable an AAD user account? Please advise, thanks.

2 Replies

@s4secure Did you check to make sure the entities you are passing in include an account?


BTW, I cannot access the link you pasted for some reason, just get a 404.

@Gary Bushey His link includes the parenthesis at the end, which is why you can't access it.


Just make sure that your Analytics Rule actually does produce user accounts as Entities.


BTW: As a best practice, blocking an AAD user is generally something you want to do as part of the investigation. That's a dangerous action to apply to an Analytics Rule. You could lock out the wrong person, or if the logic for the Analytics rule is wrong, lock out your entire domain. Be careful!
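The two replies above boil down to one check: the "Alert - Get accounts" step only filters the alert's entity list for entities of type account, so if the Analytics Rule maps no account entity, the step returns an empty list and every downstream disable action has nothing to act on. The following Python, added here as an illustration and not part of the thread or of the Block-AADUser playbook, reproduces that filtering over two constructed alert payloads and adds the guard a safer playbook would have: refuse to proceed when no account (or no usable UPN) is present. The entity shape (a list of objects carrying a "Type" field, with account entities holding "Name", "UPNSuffix" and "AadUserId") is assumed to follow the Sentinel entity format; the sample values are constructed.

```python
import json

# Constructed sample alert entity payloads (not taken from the thread).
# Shape assumed to follow the Sentinel entity format: a list of entity
# objects, each with a "Type"; account entities carry Name/UPNSuffix/AadUserId.
ALERT_WITH_ACCOUNT = json.dumps([
    {"$id": "2", "Address": "203.0.113.10", "Type": "ip"},
    {"$id": "3", "Name": "jdoe", "UPNSuffix": "contoso.example",
     "AadUserId": "00000000-0000-0000-0000-000000000001", "Type": "account"},
])

# A rule that only maps IP and Host entities: this is the situation in the
# original post, where "Alert - Get accounts" comes back empty.
ALERT_WITHOUT_ACCOUNT = json.dumps([
    {"$id": "2", "Address": "203.0.113.10", "Type": "ip"},
    {"$id": "3", "HostName": "ws01", "Type": "host"},
])

# An account entity that was mapped, but without the fields needed to build a UPN.
ALERT_WITH_INCOMPLETE_ACCOUNT = json.dumps([
    {"$id": "2", "Name": "jdoe", "Type": "account"},
])


def get_accounts(entities_json):
    """Mimic what the 'Alert - Get accounts' step does: keep only account entities."""
    entities = json.loads(entities_json)
    return [e for e in entities if str(e.get("Type", "")).lower() == "account"]


def upn(account):
    """Build user@suffix from an account entity, or None if either part is missing."""
    name = account.get("Name")
    suffix = account.get("UPNSuffix")
    if name and suffix:
        return f"{name}@{suffix}"
    return None


def plan_disable(entities_json):
    """Decide what a disable-user playbook should do with this alert.

    Returns a dict with a 'status' and the list of UPNs that would be targeted.
    The explicit empty-case statuses are the guard the thread recommends:
    never run the disable action on an empty or unusable entity list.
    """
    accounts = get_accounts(entities_json)
    if not accounts:
        # Rule did not map any account entity; nothing to disable, and the
        # playbook should stop here rather than silently "succeed".
        return {"status": "no_account_entities", "targets": []}

    targets = [u for u in (upn(a) for a in accounts) if u]
    if not targets:
        return {"status": "accounts_without_upn", "targets": []}

    return {"status": "ready", "targets": targets}


if __name__ == "__main__":
    for label, payload in [("with account", ALERT_WITH_ACCOUNT),
                           ("without account", ALERT_WITHOUT_ACCOUNT),
                           ("incomplete account", ALERT_WITH_INCOMPLETE_ACCOUNT)]:
        print(label, "->", plan_disable(payload))
```

Run against the rule that produced the empty result, `plan_disable` reports `no_account_entities`; the fix belongs in the Analytics Rule's entity mapping (map the user column to an Account entity), not in the playbook. Treating the "no targets" case as a hard stop also limits the blast radius the second reply warns about, since a rule that mis-maps entities cannot turn into a mass lockout.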