This article walks you through setting up Red Canary Automate Playbooks that use Azure AD response actions. There are two options for using Azure AD response actions.
Option 1: Create a new Playbook
Follow these steps to create a new Automate playbook which uses Azure AD response actions.
- From the Red Canary navigation menu, click Automation.
- Click Playbooks.
- Click Create New Playbook.
- Enter a name for your new playbook.
- Click + Add Action.
- Scroll down to the Azure Active Directory section, and select one of the Supported actions:
  - Clear Azure AD User Sessions: This logs users out of all services that authenticate with Azure AD, invalidates all of the user’s refresh tokens, and invalidates all session cookies in a user’s browser by resetting the refreshTokenValidFromDateTime user property to the current date-time. The user can still authenticate to their Azure account with valid credentials. This action invalidates refresh tokens for any Azure AD user, including Global Admins.
  - Suspend Azure AD User: This prevents users from logging in to their Azure account by setting the accountEnabled user property to false. This will suspend any Azure AD user, including Global Admins.
  - Un-suspend Azure AD User: This enables a user to log back in to their Azure account by setting the accountEnabled user property to true. You might use this action when a threat is marked as remediated.
- After selecting one of the supported actions, click +Add to Playbook.
- Enter your Azure AD Tenant ID.
- To ensure Red Canary has the appropriate level of access, click the consent link.
- Log in to Azure AD.
- Click Accept.
Microsoft Azure
After approving Red Canary’s App registration, you will need to log in to your Azure portal and grant our App Registration the Privileged Auth Admin role. Adding the Privileged Auth Admin role enables Red Canary to suspend and un-suspend privileged users. Learn more about Azure AD built-in roles.
- From your Microsoft Azure homepage, in the search bar, type and then select Azure Active Directory.
- From the Navigation pane, click Roles and administrators.
- In the search bar, type and then select Privileged Authentication Administrator.
- Click on the Active assignments tab.
- Click + Add assignments.
- Click No member selected.
- In the search bar, type and then select Red Canary + Azure AD Response Actions.
- Click Select.
- Click Next >.
- Select Permanently Assigned.
- Enter a justification for personal record keeping.
- Click Assign.
Red Canary
You are now ready to complete the playbook process in Red Canary.
- Select Confirm Microsoft Automate API Access Granted.
- Optional step: Select Require approval to choose how you want to be notified when an alert is generated.
Note: Approval is optional for these response actions. When approving the execution of this action, you will specify the user to target with the response action.
- Click Save.
Note: This process applies to any of the supported actions listed in step 6 of Option 1.
Option 2: Add Azure AD response actions to an existing playbook
Follow these steps to add Azure AD response actions to an existing Automate playbook.
- From the Red Canary navigation menu, click Automation.
- Click Playbooks.
- Select an existing playbook.
- Click + Add Action.
- Follow the steps from step 6 of Option 1 onward to complete the process.
Respond to generated threats
After an alert is generated, assign an action to that threat.
- From the Red Canary navigation menu, click Threats.
- Select the Azure AD threat you want to respond to.
- Scroll down until you see entries for the Automate Playbook Execution.
- Click on the Execution Details dropdown.
- Click the Select a user dropdown, and then select the user you want to take action on.
- You can either click Approve and Continue to enact the playbook action you designed, or you can click Deny and prevent an action from executing.
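After you approve an action, you can confirm from the Azure side that it took effect on the target user. The following is an added example using Microsoft Graph PowerShell; it is not Red Canary's or Microsoft's code. It assumes the Microsoft.Graph module is installed, that your account can read user objects, and that the UPN is a constructed placeholder. The Graph property behind the Clear Sessions action is exposed as refreshTokensValidFromDateTime.

```powershell
# Added example: verify the effect of a Clear Azure AD User Sessions or
# Suspend Azure AD User playbook action on the target user (read-only).
Import-Module Microsoft.Graph.Users

# A read-only scope is sufficient to check the result; no write scope is requested.
Connect-MgGraph -Scopes "User.Read.All" -NoWelcome

function Get-ResponseActionState {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # refreshTokensValidFromDateTime: refresh tokens and session cookies issued
    # before this timestamp are rejected (reset by Clear Sessions).
    # accountEnabled: toggled by Suspend (false) and Un-suspend (true).
    $u = Get-MgUser -UserId $UserPrincipalName `
        -Property "userPrincipalName,accountEnabled,refreshTokensValidFromDateTime"

    [pscustomobject]@{
        User            = $u.UserPrincipalName
        AccountEnabled  = $u.AccountEnabled
        TokensValidFrom = $u.RefreshTokensValidFromDateTime
    }
}

# Constructed placeholder; replace with the user you selected in Execution Details.
$target = "target.user@example.com"

# Snapshot before approving the playbook action in Red Canary.
$before = Get-ResponseActionState -UserPrincipalName $target
$before | Format-List

# Approve the action in Red Canary, then take a second snapshot and compare.
$after = Get-ResponseActionState -UserPrincipalName $target

if ($after.TokensValidFrom -gt $before.TokensValidFrom) {
    "Sessions cleared: tokens issued before $($after.TokensValidFrom) are now invalid."
}
if ($before.AccountEnabled -and -not $after.AccountEnabled) {
    "Account suspended: accountEnabled is now false."
}
if (-not $before.AccountEnabled -and $after.AccountEnabled) {
    "Account un-suspended: accountEnabled is now true."
}
```

If neither message appears, the action has not yet executed or the Privileged Authentication Administrator assignment from the Microsoft Azure section is missing for a privileged target.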