
Automated Responses

Configure automated response actions for security incidents, compliance violations, and operational events. Build custom playbooks with triggers, conditions, and multi-step action sequences that execute without manual intervention.

Creating Custom Playbooks

Build your own automation workflows in four steps:

1. Define Trigger

Select what event initiates the playbook:

  • Security alert — Defender, Identity Protection, or Sentinel alerts
  • Compliance drift — Intune non-compliance, Trust Center policy violations
  • Scheduled — Daily, weekly, or custom cron schedule
  • Manual — On-demand execution from the dashboard
  • Webhook — External system triggers via HTTP callback

2. Set Conditions

Narrow when the playbook should fire:

  • Alert severity — High, Medium, Low
  • User type — Admin, Guest, Member
  • Device platform — Windows, macOS, iOS, Android
  • Tenant/customer selection — Specific tenants or all managed tenants

3. Configure Actions

Define the response actions to execute:

User Actions

  • Block sign-in immediately
  • Revoke all active sessions
  • Reset password and require MFA re-registration
  • Disable account

Device Actions

  • Force device sync
  • Remote lock device
  • Wipe device (factory reset)
  • Retire device (remove corporate data)

Notification Actions

  • Send email alerts to security team
  • Post to Teams channel
  • Send Slack notification
  • Fire webhook to external system

Ticket Actions

  • Create ticket in PSA system
  • Assign to specific team or technician
  • Set priority based on alert severity

Wait Actions

  • Delay next action by specified time
  • Wait for condition (e.g., device still non-compliant after 24 hours)

4. Test and Deploy

  • Run in simulation mode first to review what actions would be taken
  • Review simulation results and adjust conditions or actions
  • Enable for production with approval gates if needed
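The four steps above can be exercised end to end with a small simulation-mode evaluator. The following is an added example, not the product's own code: the playbook dictionary layout, the field names, the action type strings and the sample events are all constructed for illustration and do not describe the product's real schema.

```python
"""Dry-run (simulation-mode) evaluator for a playbook built from the four steps
above: trigger, conditions, actions. Added example, not the product's own code;
the dictionary schema, field names and sample events are constructed."""


# Constructed playbook definition mirroring steps 1-3 (hypothetical schema).
PLAYBOOK = {
    "name": "Compromised User Response",
    "trigger": {
        "type": "security_alert",                       # step 1: what starts it
        "sources": ["Defender", "Identity Protection", "Sentinel"],
    },
    "conditions": {                                     # step 2: narrow it down
        "severity": ["High"],
        "user_type": ["Admin", "Member"],               # guests get a different playbook
        "device_platform": None,                        # None = any platform
        "tenants": "all",                               # or an explicit list of tenant ids
    },
    "actions": [                                        # step 3: ordered response
        {"type": "user.block_signin"},
        {"type": "user.revoke_sessions"},
        {"type": "user.reset_password", "require_mfa_reregistration": True},
        {"type": "notify.email", "to": "soc@example.com"},
    ],
}


def trigger_matches(playbook: dict, event: dict) -> bool:
    """Step 1 check: event type must match, and the source must be one the trigger lists."""
    trig = playbook["trigger"]
    if event.get("type") != trig["type"]:
        return False
    sources = trig.get("sources")
    return sources is None or event.get("source") in sources


def conditions_match(playbook: dict, event: dict) -> list:
    """Step 2 check: return the names of the conditions that FAIL (empty list = fire)."""
    cond = playbook["conditions"]
    failed = []
    for key in ("severity", "user_type", "device_platform"):
        allowed = cond.get(key)
        if allowed is not None and event.get(key) not in allowed:
            failed.append(key)
    tenants = cond.get("tenants", "all")
    if tenants != "all" and event.get("tenant") not in tenants:
        failed.append("tenants")
    return failed


def simulate(playbook: dict, event: dict) -> dict:
    """Step 4, simulation mode: report what WOULD run for this event; execute nothing."""
    if not trigger_matches(playbook, event):
        return {"would_fire": False, "reason": "trigger did not match", "actions": []}
    failed = conditions_match(playbook, event)
    if failed:
        return {"would_fire": False,
                "reason": "conditions failed: " + ", ".join(failed), "actions": []}
    return {"would_fire": True, "reason": "ok",
            "actions": [a["type"] for a in playbook["actions"]]}


# Constructed sample events (not real alerts).
HIGH_RISK_SIGNIN = {"type": "security_alert", "source": "Identity Protection",
                    "severity": "High", "user_type": "Member",
                    "device_platform": "Windows", "tenant": "contoso"}
LOW_SEVERITY = dict(HIGH_RISK_SIGNIN, severity="Low")
GUEST_USER = dict(HIGH_RISK_SIGNIN, user_type="Guest")
COMPLIANCE_EVENT = dict(HIGH_RISK_SIGNIN, type="compliance_drift", source="Intune")

if __name__ == "__main__":
    for name, ev in [("high-risk sign-in", HIGH_RISK_SIGNIN), ("low severity", LOW_SEVERITY),
                     ("guest user", GUEST_USER), ("compliance drift", COMPLIANCE_EVENT)]:
        print(f"{name:18s} -> {simulate(PLAYBOOK, ev)}")
```

Running the script prints, for each constructed event, whether the playbook would fire and which actions it would take, which is the review you do in simulation mode before enabling live execution. Reporting the failed condition names (rather than a bare false) is what makes the "adjust conditions" step practical.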

Built-in Response Playbooks

| Playbook | Trigger | Key Actions | Status |
|---|---|---|---|
| Compromised User Response | High-risk sign-in | Block, revoke sessions, reset password, notify SOC | Active |
| Device Non-Compliance | Intune non-compliance | Notify owner, force sync, block access after 24h | Active |
| Suspicious Mail Rule | External forwarding rule | Disable rule, alert security, notify user | Active |
| MFA Not Registered | Registration deadline passed | Send reminders, block after 14 days | Paused |
| Stale Account Cleanup | No sign-in for 90+ days | Notify manager, disable, remove licenses | Active |

Approval Gates

For sensitive automated responses, require human approval before execution:

  • Pause playbook and send approval request via email, Teams, or dashboard
  • Set timeout for auto-rejection (default 4 hours) or auto-approval
  • Require multiple approvers for critical actions (e.g., account wipe)
  • Approval decisions are logged in the audit trail

Response Chaining

Chain multiple responses with conditional logic:

  1. Initial action — Low-impact response (send notification)
  2. Wait period — Configurable delay (4 hours, 24 hours, 7 days)
  3. Condition check — Evaluate if issue persists
  4. Escalation action — Higher-impact response (block access, create ticket)
  5. Final action — Destructive response if needed (wipe, disable)
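The approval-gate rules in the previous section and the five-stage chain above fit together in one walk-through. The following is an added example, not the product's code: the Step and ApprovalGate layout, the `issue_persists` callback, the decision tuple format and the device non-compliance chain are assumptions, and the clock is simulated so the waits complete instantly.

```python
"""Response chain with wait periods, condition checks and an approval gate on the
destructive final step, evaluated against a simulated clock so it runs offline.
Added example, not the product's code; the Step/ApprovalGate layout, the
issue_persists callback and the decisions format are assumptions."""
from dataclasses import dataclass
from typing import Callable, Optional

HOUR = 3600


@dataclass
class ApprovalGate:
    approvers_required: int = 1
    timeout_s: int = 4 * HOUR        # page default: unanswered requests auto-reject after 4h
    on_timeout: str = "reject"       # "reject" (default) or "approve"


@dataclass
class Step:
    kind: str                        # "action" | "wait" | "check"
    action: str = ""
    seconds: int = 0
    gate: Optional[ApprovalGate] = None


# Constructed chain following the five stages above for a non-compliant device.
DEVICE_NONCOMPLIANCE_CHAIN = [
    Step("action", action="notify.owner"),                 # 1. low-impact initial action
    Step("wait", seconds=24 * HOUR),                        # 2. wait period
    Step("check"),                                          # 3. still non-compliant?
    Step("action", action="device.block_access"),           # 4. escalation
    Step("action", action="ticket.create"),
    Step("wait", seconds=7 * 24 * HOUR),
    Step("check"),
    Step("action", action="device.wipe",                    # 5. destructive, needs two approvers
         gate=ApprovalGate(approvers_required=2)),
]


def resolve_gate(gate: ApprovalGate, decisions: list, requested_at: int) -> str:
    """Decide a gated action from (approver, decided_at, verdict) tuples.
    Any rejection wins; approval needs `approvers_required` distinct approvers
    before the timeout; otherwise the gate's timeout policy applies."""
    deadline = requested_at + gate.timeout_s
    approvers = set()
    for approver, decided_at, verdict in sorted(decisions, key=lambda d: d[1]):
        if decided_at > deadline:
            break                                   # decisions after the deadline do not count
        if verdict == "reject":
            return "rejected"
        approvers.add(approver)
        if len(approvers) >= gate.approvers_required:
            return "approved"
    return "approved" if gate.on_timeout == "approve" else "auto-rejected"


def run_chain(chain: list, issue_persists: Callable[[int], bool], approvals: dict, start: int = 0):
    """Walk the chain. Returns (executed action names, audit-trail lines).
    `approvals` maps an action name to the decisions recorded for its gate."""
    t = start
    executed, audit = [], []
    for step in chain:
        if step.kind == "wait":
            t += step.seconds
            audit.append(f"t={t // HOUR}h waited {step.seconds // HOUR}h")
        elif step.kind == "check":
            if not issue_persists(t):
                audit.append(f"t={t // HOUR}h issue resolved, chain stopped")
                break
            audit.append(f"t={t // HOUR}h issue persists, escalating")
        else:
            if step.gate is not None:
                verdict = resolve_gate(step.gate, approvals.get(step.action, []), t)
                audit.append(f"t={t // HOUR}h approval for {step.action}: {verdict}")
                if verdict != "approved":
                    break                           # never fall through to a destructive step
            executed.append(step.action)
            audit.append(f"t={t // HOUR}h executed {step.action}")
    return executed, audit


# Constructed scenarios; the wipe is requested at t = 24h + 168h = 192h.
def always_noncompliant(t: int) -> bool:
    return True


def fixed_after_sync(t: int) -> bool:
    return t < 24 * HOUR                            # owner fixed it within the first day


TWO_APPROVALS = {"device.wipe": [("alice", 193 * HOUR, "approve"), ("bob", 194 * HOUR, "approve")]}
ONE_APPROVAL = {"device.wipe": [("alice", 193 * HOUR, "approve")]}

if __name__ == "__main__":
    for label, persists, approvals in [("two approvers", always_noncompliant, TWO_APPROVALS),
                                       ("one approver", always_noncompliant, ONE_APPROVAL),
                                       ("fixed in time", fixed_after_sync, {})]:
        done, log = run_chain(DEVICE_NONCOMPLIANCE_CHAIN, persists, approvals)
        print(label, "->", done)
        for line in log:
            print("   ", line)
```

Two design points carry over to real playbooks: a rejection or a timed-out gate stops the chain rather than skipping only the gated step, and the audit lines are produced for every decision, including auto-rejections, so the trail shows why a wipe did not happen.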

Best Practices

  • Start with simulation mode — Run playbooks in simulation to review what actions would be taken before enabling live execution
  • Use approval gates for destructive actions — Require human confirmation for account disabling, data wiping, or license removal
  • Layer your responses — Start with low-impact actions (notifications) and escalate to higher-impact actions (blocking) over time
  • Monitor success rates — Track which automated responses succeed and which fail to continually improve reliability

Warning: Destructive actions like wipe and disable cannot be easily reversed. Always use approval gates for high-impact automated responses.

API Reference

  • GET /api/automation/playbooks — List all playbooks
  • POST /api/automation/playbooks — Create new playbook
  • PUT /api/automation/playbooks/:id — Update playbook configuration
  • POST /api/automation/playbooks/:id/run — Manually trigger playbook
  • POST /api/automation/playbooks/:id/simulate — Run in simulation mode
  • POST /api/automation/approvals/:id — Approve or reject pending action
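A small client that follows the simulate-before-run practice against the endpoints listed above, as an added example that is not the product's SDK. The base URL placeholder, the bearer-token header, the request and response JSON shapes, and the injectable `send` transport (with an in-memory stand-in so the script runs offline) are all assumptions; only the endpoint paths come from this page.

```python
"""Simulate-before-run client for the automation endpoints listed above.
Added example, not the product's SDK: the base URL placeholder, the bearer
token header, the JSON shapes and the injectable `send` transport are assumed."""
import json
import urllib.request

BASE_URL = "https://PLACEHOLDER.example/api"   # placeholder; replace with your portal's API base


def http_send(method: str, url: str, token: str, body=None):
    """Real transport: JSON over HTTPS with a bearer token (auth scheme assumed)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


class PlaybookClient:
    def __init__(self, token: str, base_url: str = BASE_URL, send=http_send):
        self.token, self.base, self.send = token, base_url.rstrip("/"), send

    def _call(self, method, path, body=None):
        status, data = self.send(method, f"{self.base}{path}", self.token, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {data}")
        return data

    def list_playbooks(self):
        return self._call("GET", "/automation/playbooks")

    def simulate(self, playbook_id, event):
        return self._call("POST", f"/automation/playbooks/{playbook_id}/simulate", event)

    def run(self, playbook_id, event):
        return self._call("POST", f"/automation/playbooks/{playbook_id}/run", event)

    def decide(self, approval_id, approve: bool, comment=""):
        return self._call("POST", f"/automation/approvals/{approval_id}",
                          {"decision": "approve" if approve else "reject", "comment": comment})


# Action types this script treats as destructive (names constructed for the example).
DESTRUCTIVE = {"device.wipe", "user.disable", "user.remove_licenses"}


def simulate_then_run(client: PlaybookClient, playbook_id: str, event: dict) -> dict:
    """Dry-run first; trigger the live run only if every destructive action the
    simulation reports sits behind an approval gate (response shape assumed)."""
    sim = client.simulate(playbook_id, event)
    ungated = [a["type"] for a in sim.get("actions", [])
               if a["type"] in DESTRUCTIVE and not a.get("requires_approval")]
    if ungated:
        return {"ran": False, "reason": f"ungated destructive actions: {ungated}", "simulation": sim}
    return {"ran": True, "result": client.run(playbook_id, event), "simulation": sim}


class FakeApi:
    """Constructed in-memory stand-in for the API so the example runs offline."""
    def __init__(self, sim_actions):
        self.sim_actions, self.calls = sim_actions, []

    def __call__(self, method, url, token, body=None):
        path = url.split("/api", 1)[1]
        self.calls.append((method, path))
        if path.endswith("/simulate"):
            return 200, {"actions": self.sim_actions}
        if path.endswith("/run"):
            return 202, {"execution_id": "exec-0001"}
        if path.startswith("/automation/approvals/"):
            return 200, {"status": body["decision"]}
        return 200, []


if __name__ == "__main__":
    gated = FakeApi([{"type": "user.block_signin"}, {"type": "user.disable", "requires_approval": True}])
    client = PlaybookClient("PLACEHOLDER_TOKEN", send=gated)
    print(simulate_then_run(client, "pb-123", {"severity": "High"}))
    print(gated.calls)
```

Swapping `FakeApi` for the default `http_send` turns this into a live client; the refusal path returns the simulation result so the operator can see which destructive action still needs a gate before the playbook is run for real.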