Azure-Sentinel/Playbooks/IdentityProtection-EmailRes...
Lior Tamir aad48299ca Update playbook trigger names 2022-02-22 17:02:56 +02:00

Identity Protection - Email Response

author: Lior Tamir

This playbook uses Azure AD Identity Protection to respond to risky users. Attach it to alert creation rules that are expected to produce entities of type Account. When a new Azure Sentinel alert is created, the playbook iterates over the identities involved in the alert. For each identity, it sends an informative mail to the SOC email address (configured at deployment) that includes the user's risk history as reported by Azure AD Identity Protection, and offers, with one button click, the options to confirm the user as compromised, dismiss the user's risk, or ignore.
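The per-identity flow above, written out as an added Python illustration (this is not the playbook's own Logic App definition, which lives in azuredeploy.json). The alert entities and the risk history records are constructed sample data in the shape of Sentinel Account entities and Microsoft Graph `riskyUserHistoryItem` objects; the Graph v1.0 `identityProtection/riskyUsers` endpoints used for the history lookup and for the confirm/dismiss actions are real, while the mail wording, the button labels and the helper names are assumptions made here. No network calls are issued; the functions only return the requests the playbook would send.

```python
"""Risky-user email response flow: entity extraction, risk history mail, analyst action.

Sample entities and history below are constructed for this illustration.
Graph endpoints are Microsoft Graph v1.0 identityProtection resources; calling them
requires the IdentityRiskyUser.Read.All / IdentityRiskyUser.ReadWrite.All permissions.
"""

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed Sentinel alert entities: one Azure AD account and one IP entity.
# The playbook only acts on Account entities that carry an Azure AD object id.
SAMPLE_ENTITIES = [
    {"kind": "Account", "properties": {"aadUserId": "11111111-2222-3333-4444-555555555555",
                                       "accountName": "jdoe", "upnSuffix": "contoso.example"}},
    {"kind": "Ip", "properties": {"address": "203.0.113.7"}},
]

# Constructed riskyUserHistoryItem records, as returned by GET .../riskyUsers/{id}/history.
SAMPLE_HISTORY = [
    {"riskLastUpdatedDateTime": "2022-02-20T08:15:00Z", "riskLevel": "high", "riskState": "atRisk",
     "riskDetail": "none", "activity": {"eventTypes": ["unfamiliarFeatures", "anonymizedIPAddress"]}},
    {"riskLastUpdatedDateTime": "2021-11-02T09:30:00Z", "riskLevel": "none", "riskState": "remediated",
     "riskDetail": "userPerformedSecuredPasswordReset", "activity": {"eventTypes": []}},
    {"riskLastUpdatedDateTime": "2022-02-18T12:00:00Z", "riskLevel": "medium", "riskState": "atRisk",
     "riskDetail": "none", "activity": {"eventTypes": ["unlikelyTravel"]}},
]

# Hypothetical button labels in the SOC mail, mapped to the Graph action segment.
ACTIONS = {"Confirm compromised": "confirmCompromised", "Dismiss": "dismiss"}


def aad_accounts(entities):
    """Return (aadUserId, UPN) for each Account entity that has an Azure AD object id."""
    found = []
    for entity in entities:
        props = entity.get("properties", {})
        if entity.get("kind") == "Account" and props.get("aadUserId"):
            found.append((props["aadUserId"], f"{props['accountName']}@{props['upnSuffix']}"))
    return found


def risk_history_request(user_id):
    """The Graph call that fetches a user's Identity Protection risk history."""
    return ("GET", f"{GRAPH}/identityProtection/riskyUsers/{user_id}/history")


def risk_history_lines(history):
    """Render the history newest-first, one line per risk state change."""
    rows = sorted(history, key=lambda h: h["riskLastUpdatedDateTime"], reverse=True)
    return [
        f"{h['riskLastUpdatedDateTime']}  level={h['riskLevel']:<6} state={h['riskState']:<11} "
        f"detail={h['riskDetail']}  events={','.join(h['activity']['eventTypes']) or '-'}"
        for h in rows
    ]


def build_email(upn, history):
    """Subject and body of the mail sent to the SOC address for one identity."""
    subject = f"[Sentinel] Risky user review: {upn}"
    body = "\n".join([f"Azure AD Identity Protection risk history for {upn}:", "",
                      *risk_history_lines(history), "",
                      "Choose one: " + " / ".join([*ACTIONS, "Ignore"])])
    return subject, body


def response_request(choice, user_id):
    """Map the analyst's button to the Graph call the playbook issues; Ignore sends nothing."""
    if choice == "Ignore":
        return None
    if choice not in ACTIONS:
        raise ValueError(f"unknown response option: {choice!r}")
    return ("POST", f"{GRAPH}/identityProtection/riskyUsers/{ACTIONS[choice]}", {"userIds": [user_id]})


def process_alert(entities, fetch_history):
    """One mail per Account entity; fetch_history stands in for the live Graph GET."""
    return [(user_id, *build_email(upn, fetch_history(user_id))) for user_id, upn in aad_accounts(entities)]


if __name__ == "__main__":
    for user_id, subject, body in process_alert(SAMPLE_ENTITIES, lambda _uid: SAMPLE_HISTORY):
        print(subject, body, sep="\n")
        print("analyst chose Confirm compromised ->", response_request("Confirm compromised", user_id))
```

Both confirmCompromised and dismiss take a `userIds` array, so a single call can cover every account in the alert if the analyst's decision applies to all of them; the example keeps one call per user to mirror the one-mail-per-identity flow described above.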

Note: Azure AD Identity Protection is a premium feature. You need an Azure AD Premium P1 or P2 license to access the riskDetection API (P1 licenses receive limited risk information). The riskyUsers API is available only with Azure AD Premium P2 licenses.

Documentation references:

  • Azure AD Identity Protection:

Deploy to Azure | Deploy to Azure Gov