Skip to main content

Cloud Response - Azure

This Playbook is part of the Azure Enrichment and Remediation Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook provides response actions to Azure. The following are available for execution automatically/manually:

  • Resource remediation
    • Delete the instance
    • Power off the instance
  • Identity remediation:
    • Disable the user
    • Delete the user
  • Block indicators


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Block IP - Generic v3


This playbook does not use any integrations.


  • Set


  • azure-vm-poweroff-instance
  • azure-vm-delete-instance
  • msgraph-user-delete
  • msgraph-user-account-disable

Playbook Inputs#

NameDescriptionDefault ValueRequired
resourceRemediationTypeChoose the remediation type for the instances created.
Poweroff - for shutting down the instances.
Delete - for deleting the instances.
userRemediationTypeChoose the remediation type for the user involved.
Disable - for disabling the user.
Delete - for deleting the user.
autoResourceRemediationWhether to execute the resource remediation flow automatically.FalseOptional
autoUserRemediationWhether to execute the user remediation flow automatically.FalseOptional
autoBlockIndicatorsWhether to block the indicators automatically.FalseOptional
resourceNameThe resource name to take action on.Optional
resourceGroupThe resource group.Optional
usernameThe username to take action on.Optional
sourceIPThe source IP address of the attacker.Optional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

Cloud Response - Azure