First Azure AD PowerShell operation for a user

Supported Cortex XSOAR versions: 8.9.0 and later.

This playbook addresses the following alert:

Playbook Stages:

Triage:

Investigation:

Check for Azure Alerts:
- Extract recent Azure security alerts for the user.
Check if User is Risky:
- Assess the user's risk score based on Core and Azure risk indicators.
- Investigate reasons behind any identified risks, including recent detections.
Investigate user data:
- Check the user creation date to asses if the user is new.
- Check the role of the user.

Containment:

The playbook checks if soft remediation is needed, if yes, it will check if the integration "Microsoft Graph User" is enabled, the playbook will revoke the sessions of the user.
The playbook checks if hard remediation is needed, if yes, a manual task will be displayed for an analyst to review the findings and decide the next steps.
Possible actions:
- Disable the user.
- Take no action.

Requirements: For the best results, it's recommended to ensure these integrations are configured and working:

Cortex Core - Investigation and Response for Core user risk evaluation.
Azure Risky Users for retrieving user risk scores.
Microsoft 365 Defender for advanced hunting queries and Azure security alerts.
Microsoft Graph User is used to disable user and revoke session.

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

This playbook does not use any sub-playbooks.

This playbook does not use any integrations.

There are no inputs for this playbook.

There are no outputs for this playbook.

First Azure AD PowerShell operation for a user