Blocking a user upon suspicious sign-in
In this example, we will block a user when our system detects a suspicious sign-in. There can be different triggers for this, but in our example the use case is a user who signed in from an IP address found on our MaliciousIP watchlist.
Before we begin, you will need the following:
- Access to Microsoft Sentinel with the appropriate permissions (Microsoft Sentinel Contributor, Logic App Contributor, and permission to assign RBAC roles – Owner or User Access Administrator)
- Global Administrator or User Administrator role permissions in Azure Active Directory (AD)
Creating a playbook
- Enable the Azure AD data connector in Microsoft Sentinel.
- We need an additional user account, which is the one we will block.
- We need a detection that creates an incident, on which our playbook will then run.
- We need a playbook with the following attributes:
- Step A – create a...
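The detection mentioned above (a sign-in from an IP address on the MaliciousIP watchlist) can be implemented as a scheduled analytics rule query like the following. This is an added example, not part of the original walkthrough; it assumes the watchlist was created with the IP address column as its SearchKey.

```kusto
// Added example: Sentinel analytics rule query that raises an incident when a
// successful Azure AD sign-in originates from an IP in the MaliciousIP watchlist.
// Assumption: the watchlist's SearchKey column holds the IP address.
let malicious_ips = _GetWatchlist('MaliciousIP')
    | project BadIP = tostring(SearchKey);
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == "0"                       // successful sign-ins only
| join kind=inner malicious_ips on $left.IPAddress == $right.BadIP
| project TimeGenerated, UserPrincipalName, UserId, IPAddress, AppDisplayName, Location
// Map the account and IP as entities so the playbook can read them from the incident
| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
```

Map `AccountCustomEntity` and `IPCustomEntity` in the rule's entity mapping so the playbook that blocks the user receives the account from the incident rather than parsing the query output.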