Create playbooks from scratch to automate assessment and remediation actions.
This task uses the Account Configuration Risk playbook as an example to illustrate how to create user-defined playbooks.
Account Configuration Risk playbooks mitigate accounts whose configuration creates risk, such as accounts with weak authentication, accounts that increase the attack surface, and accounts with excessive privilege.
Manual: A manual trigger lets you start the playbook by clicking the Run icon.
Scheduled: A scheduled trigger runs the playbook daily, weekly, or monthly.
The target is User Accounts by default.
You can add more than one target by using the add node on the right of the trigger node. The risk type for each target must be unique.
To enable Security Playbooks to detect account configuration risks and perform response actions on at-risk accounts, grant permission to access your Azure AD data and Active Directory data in Executive Dashboard > Data sources.
Setting | Description
---|---
Condition settings |
Action settings |
The nodes that can be added with an add node depend on the preceding node. For example, an action node can only be followed by another action node, whereas a condition node can be followed by an action node or can have an else-if condition or an else action attached to it.
When a condition is false, the playbook either performs the else action or checks whether its else-if condition is met. If the else-if condition is met, the playbook performs the action attached to that else-if; otherwise it continues to the next else-if or to the else action. Only the first branch whose condition is met runs, so the order of conditions matters.
Multiple action nodes configured in series run sequentially, in the order they are attached.
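The following is an added example, not code from Security Playbooks or its vendor: a small Python model of the branching semantics described above (first matching condition wins, else-if and else arms, action nodes run in series). The account attributes (`mfa_enabled`, `roles`, `days_since_sign_in`), the condition names, and the action names are assumptions made for the illustration and do not correspond to identifiers in the product; the account records are constructed sample data.

```python
"""Added example: a model of playbook condition/else-if/else evaluation.
Not the Security Playbooks engine; attribute, condition and action names
are assumptions for this illustration only."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Account = Dict[str, object]


@dataclass
class Branch:
    """One arm of a condition chain: `if`, `else-if`, or `else` (condition None)
    plus the serial chain of action nodes attached to that arm."""
    condition: Optional[Callable[[Account], bool]]
    actions: List[str] = field(default_factory=list)
    label: str = ""


def validate_branches(branches: List[Branch]) -> None:
    """Enforce the attachment rule: at most one else arm, and it must be last."""
    else_positions = [i for i, b in enumerate(branches) if b.condition is None]
    if len(else_positions) > 1:
        raise ValueError("only one else arm is allowed")
    if else_positions and else_positions[0] != len(branches) - 1:
        raise ValueError("the else arm must be the last node in the chain")


def run_playbook(branches: List[Branch], accounts: List[Account]) -> Dict[str, List[str]]:
    """Evaluate each target account against the arms in order.

    The first arm whose condition is met (or the else arm) runs its actions
    sequentially; later arms are skipped. Returns account name -> actions taken."""
    validate_branches(branches)
    results: Dict[str, List[str]] = {}
    for acct in accounts:
        taken: List[str] = []
        for branch in branches:
            if branch.condition is None or branch.condition(acct):
                taken.extend(branch.actions)  # serial action nodes, in order
                break  # only the first matching arm runs
        results[str(acct["name"])] = taken
    return results


# Assumed risk conditions over assumed account attributes.
def excessive_privilege(a: Account) -> bool:
    return "Global Administrator" in a["roles"]  # type: ignore[operator]


def weak_authentication(a: Account) -> bool:
    return not a["mfa_enabled"]


def stale_account(a: Account) -> bool:
    return a["days_since_sign_in"] > 90  # type: ignore[operator]


# Privilege is checked first so an admin without MFA is handled as a
# privilege finding rather than a generic weak-authentication finding.
PLAYBOOK = [
    Branch(excessive_privilege, ["notify_owner", "review_role_assignment"], "if"),
    Branch(weak_authentication, ["require_mfa", "force_password_reset"], "else-if"),
    Branch(stale_account, ["disable_account"], "else-if"),
    Branch(None, ["record_no_finding"], "else"),
]

# Constructed sample target accounts.
ACCOUNTS: List[Account] = [
    {"name": "alice", "mfa_enabled": False, "roles": ["User"], "days_since_sign_in": 5},
    {"name": "bob", "mfa_enabled": True, "roles": ["Global Administrator", "User"], "days_since_sign_in": 3},
    {"name": "carol", "mfa_enabled": True, "roles": ["User"], "days_since_sign_in": 120},
    {"name": "dave", "mfa_enabled": True, "roles": ["User"], "days_since_sign_in": 2},
    {"name": "erin", "mfa_enabled": False, "roles": ["Global Administrator"], "days_since_sign_in": 1},
]

if __name__ == "__main__":
    for name, actions in run_playbook(PLAYBOOK, ACCOUNTS).items():
        print(f"{name}: {actions}")
```

Reordering the arms changes the outcome for accounts that match more than one condition (erin above), which is why the model checks the narrowest, highest-impact condition first; `validate_branches` rejects a chain in which an else arm is not the final node, mirroring the rule that an else can only close a condition chain.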
The playbook appears on the Playbooks tab in the Security Playbooks app.