Azure-Sentinel/Playbooks/IdentityProtection-TeamsBot...
Lior Tamir 41b497012a Last update time equal to pp start time
All templates that appear from day 1 will be affected.
Next templates will be uploaded with new times of upload
2021-07-15 18:37:10 +03:00
images Update AADIP playbook for gallery and post new instructions for playbooks contribution 2021-05-25 13:14:50 +03:00
azuredeploy.json Last update time equal to pp start time 2021-07-15 18:37:10 +03:00
readme.md Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00

readme.md

Identity Protection - response from Teams

author: Lior Tamir

Run this playbook on incidents that contain suspicious Azure AD identities. When a new incident is created, the playbook iterates over the incident's Account entities. For each account it posts an adaptive card to the SOC Microsoft Teams channel containing the risky-user information that Azure AD Identity Protection (AADIP) holds for that user. From the card an analyst can either confirm the user as compromised or dismiss the user's risk in AADIP; note that confirming a user as compromised sets that user's risk level to high, so any user risk policies you have configured will fire. The card also lets the analyst update the Azure Sentinel incident. Finally, a summary comment is posted on the incident to document the action taken and the user information. Learn more about Azure AD Identity Protection

Prerequisites

  1. Using the riskyUsers API requires an Azure AD Premium P2 license.
  2. Have a user (or whichever identity the playbook's connection authenticates as) with permissions on the Identity Protection API; for the riskyUsers confirmCompromised and dismiss operations this is the Microsoft Graph IdentityRiskyUser.ReadWrite.All permission. Learn more
  3. (optional) Create policies in Azure AD Identity Protection that act when a user is confirmed as compromised, for example a user risk policy that requires a secure password reset. Learn more
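The flow described above (build a card from the AADIP risky-user record, accept the analyst's choice, call Identity Protection, document the result) is implemented in the playbook as a Logic App. As an added illustration that is not code from the Azure-Sentinel repository or from this playbook, the Python below shows the same three steps in plain code: the adaptive card with its two actions, the mapping from the card's submit data to the Microsoft Graph `riskyUsers/confirmCompromised` or `riskyUsers/dismiss` request, and the summary comment. The `SAMPLE_RISKY_USER` record and the incident number are constructed sample data; its field names follow the Graph riskyUser resource. The example does not send anything: it returns the request it would make, which is what a practitioner would want to inspect before wiring the real connection (which, per the prerequisites, needs P2 and IdentityRiskyUser.ReadWrite.All).

```python
"""Added example (not the playbook's own Logic App definition): card, action
mapping and comment for the AADIP 'response from Teams' flow.

The risky-user record below is CONSTRUCTED sample data shaped like the
Microsoft Graph riskyUser resource returned by
GET /identityProtection/riskyUsers/{id}.
"""
import json

GRAPH_RISKY_USERS = "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers"

# The only two actions the card offers, and the only two accepted back from it.
# confirmCompromised and dismiss are real Graph actions on the riskyUsers collection.
ACTIONS = {
    "confirm_compromised": "confirmCompromised",
    "dismiss": "dismiss",
}

# Constructed sample input (hypothetical user, tenant and incident).
SAMPLE_RISKY_USER = {
    "id": "11111111-2222-3333-4444-555555555555",
    "userPrincipalName": "j.doe@contoso.example",
    "riskLevel": "medium",
    "riskState": "atRisk",
    "riskDetail": "none",
    "riskLastUpdatedDateTime": "2021-07-15T09:12:44Z",
}
SAMPLE_INCIDENT_NUMBER = 1234


def build_risky_user_card(user: dict, incident_number: int) -> dict:
    """Adaptive Card (schema 1.2, rendered by the Teams bot) showing the AADIP
    risk facts for one account with two Action.Submit buttons."""
    return {
        "type": "AdaptiveCard",
        "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
        "version": "1.2",
        "body": [
            {"type": "TextBlock", "size": "Medium", "weight": "Bolder",
             "text": f"Azure Sentinel incident {incident_number}: risky user"},
            {"type": "FactSet", "facts": [
                {"title": "User", "value": user["userPrincipalName"]},
                {"title": "Risk level", "value": user["riskLevel"]},
                {"title": "Risk state", "value": user["riskState"]},
                {"title": "Risk detail", "value": user.get("riskDetail") or "none"},
                {"title": "Last updated", "value": user["riskLastUpdatedDateTime"]},
            ]},
        ],
        "actions": [
            {"type": "Action.Submit", "title": "Confirm compromised",
             "data": {"action": "confirm_compromised", "userId": user["id"]}},
            {"type": "Action.Submit", "title": "Dismiss risk",
             "data": {"action": "dismiss", "userId": user["id"]}},
        ],
    }


def plan_graph_call(submitted: dict, expected_user_id: str) -> dict:
    """Map the card's submit data to the Graph request the playbook would make.

    The action is checked against the allowlist and the userId against the
    user the card was built for, so a tampered or replayed card response
    cannot confirm or dismiss a different account. Confirming sets the user's
    risk level to high, which is what triggers AADIP user risk policies.
    """
    action = submitted.get("action")
    if action not in ACTIONS:
        raise ValueError(f"unexpected action from card: {action!r}")
    if submitted.get("userId") != expected_user_id:
        raise ValueError("card response refers to a different user than it was sent for")
    return {
        "method": "POST",
        "url": f"{GRAPH_RISKY_USERS}/{ACTIONS[action]}",
        "body": {"userIds": [expected_user_id]},
    }


def summary_comment(user: dict, action: str, analyst: str) -> str:
    """Text of the comment posted back on the Azure Sentinel incident."""
    verb = {"confirm_compromised": "confirmed as compromised",
            "dismiss": "dismissed (risk marked as not compromised)"}[action]
    return (f"{analyst} {verb} user {user['userPrincipalName']} in Azure AD Identity "
            f"Protection. Risk level at decision time: {user['riskLevel']}, "
            f"risk state: {user['riskState']}, last updated {user['riskLastUpdatedDateTime']}.")


if __name__ == "__main__":
    card = build_risky_user_card(SAMPLE_RISKY_USER, SAMPLE_INCIDENT_NUMBER)
    print(json.dumps(card, indent=2))
    # Simulate the analyst pressing "Confirm compromised" on that card.
    chosen = card["actions"][0]["data"]
    print(json.dumps(plan_graph_call(chosen, SAMPLE_RISKY_USER["id"]), indent=2))
    print(summary_comment(SAMPLE_RISKY_USER, chosen["action"], "soc.analyst@contoso.example"))
```

In the real playbook the equivalent of `plan_graph_call` is a Logic App condition on the card response followed by an HTTP action; the two checks it performs here are the ones worth keeping in mind when editing that branch, because the Teams response is the only input that stands between an analyst's click and a change of a user's risk state.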

Overall:

Card to be sent by Microsoft Teams bot:

Response Part:

Documentation references:

  • Azure AD Identity Protection:
  • Deploy to Azure
  • Deploy to Azure Gov