
Playbooks

Playbooks are predefined automation sequences that respond to specific triggers. Each playbook defines a trigger condition, a set of ordered actions, and notification rules.

Built-in Playbooks

Compromised User Response

Triggers on high-risk sign-in or user risk detection. Status: Active

Actions:

  1. Block user sign-in immediately
  2. Revoke all active sessions
  3. Reset password and require MFA re-registration
  4. Create ticket and notify SOC team

Device Non-Compliance

Triggers when device becomes non-compliant in Intune. Status: Active

Actions:

  1. Send notification to device owner
  2. Force device sync after 4 hours
  3. If still non-compliant after 24h, block access
  4. Create ticket for IT review

Suspicious Mail Rule

Detects inbox rules forwarding to external addresses. Status: Active

Actions:

  1. Disable the suspicious rule immediately
  2. Alert security team
  3. Check for other suspicious activity
  4. Notify user and manager
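
The detection this playbook relies on, as an added example that is not code from this documentation or the product: it scans a set of inbox rules for forwarding, redirect or forward-as-attachment targets whose domain is outside the tenant's accepted domains. The field names mirror Exchange Online inbox-rule properties, and the rules and domains are constructed sample data; how the platform itself retrieves rules is not shown on the page.

```python
"""Detection step for the "Suspicious Mail Rule" playbook: find inbox rules
that forward or redirect mail to addresses outside the tenant.

Added example, not code from the page or the product. Field names mirror
Exchange Online inbox-rule properties (Name, Enabled, ForwardTo, RedirectTo,
ForwardAsAttachmentTo); the sample rules and domains are constructed."""
import re
from typing import Iterable, Optional

# Constructed sample: the tenant's accepted (internal) domains.
ACCEPTED_DOMAINS = {"contoso.example", "contoso.onmicrosoft.example"}

# Recipients arrive in several shapes, e.g.
#   jane@contoso.example
#   "Jane Doe" [SMTP:jane@partner.example]
# The regex pulls the bare SMTP address out of either.
_SMTP_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Every rule property that can deliver a copy of the mail elsewhere.
_FORWARDING_FIELDS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")

# Constructed sample rules from three mailboxes.
SAMPLE_RULES = [
    {"Mailbox": "alice@contoso.example", "Name": "Archive invoices", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": []},
    {"Mailbox": "alice@contoso.example", "Name": ".", "Enabled": True,
     "ForwardTo": ['"Alice" [SMTP:a1ice.mail@webmail.example.org]'],
     "RedirectTo": [], "ForwardAsAttachmentTo": []},
    {"Mailbox": "bob@contoso.example", "Name": "Team copy", "Enabled": True,
     "ForwardTo": ["team@CONTOSO.example"], "RedirectTo": [], "ForwardAsAttachmentTo": []},
    {"Mailbox": "carol@contoso.example", "Name": "Old", "Enabled": False,
     "ForwardTo": [], "RedirectTo": ["carol.home@mail.example.net"],
     "ForwardAsAttachmentTo": []},
]


def extract_smtp(recipient: str) -> Optional[str]:
    """Return the lower-cased SMTP address embedded in a recipient string."""
    match = _SMTP_RE.search(recipient)
    return match.group(0).lower() if match else None


def is_external(address: str, accepted_domains: Iterable[str]) -> bool:
    """True when the address's domain is not one of the tenant's accepted domains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in {d.lower() for d in accepted_domains}


def external_targets(rule: dict, accepted_domains: Iterable[str]) -> list:
    """List (field, address) pairs in the rule that deliver mail outside the tenant."""
    targets = []
    for field in _FORWARDING_FIELDS:
        for recipient in rule.get(field) or []:
            address = extract_smtp(recipient)
            # Recipients without an SMTP address (unresolved directory objects)
            # cannot be classified here and are skipped.
            if address is not None and is_external(address, accepted_domains):
                targets.append((field, address))
    return targets


def find_external_forwarding_rules(rules: Iterable[dict],
                                   accepted_domains: Iterable[str] = ACCEPTED_DOMAINS) -> list:
    """Return one finding per rule that forwards or redirects externally.

    Disabled rules are reported too: the playbook's first action is to disable
    the rule, so an already-disabled one still needs review rather than silence."""
    findings = []
    for rule in rules:
        targets = external_targets(rule, accepted_domains)
        if targets:
            findings.append({
                "mailbox": rule["Mailbox"],
                "rule": rule["Name"],
                "enabled": bool(rule.get("Enabled", False)),
                "targets": targets,
            })
    return findings


if __name__ == "__main__":
    for finding in find_external_forwarding_rules(SAMPLE_RULES):
        state = "enabled" if finding["enabled"] else "disabled"
        print(f"{finding['mailbox']}: rule {finding['rule']!r} ({state}) -> {finding['targets']}")
```

Matching on the accepted-domain list rather than on a blocklist of consumer mail providers is deliberate: any destination the tenant does not own is a finding, and the domain comparison is case-insensitive so `team@CONTOSO.example` is correctly treated as internal.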

MFA Not Registered

Triggers for users who still have no MFA method registered after the registration deadline. Status: Paused

Actions:

  1. Send reminder email with instructions
  2. After 7 days, send final warning
  3. After 14 days, block sign-in until MFA registered

Stale Account Cleanup

Triggers for users with no sign-in for 90 or more days. Status: Active

Actions:

  1. Notify user’s manager for confirmation
  2. If confirmed inactive, disable account
  3. After 30 days, remove licenses
  4. After 60 days, convert mailbox to shared

Creating Custom Playbooks

Build your own automation workflows:

1. Define Trigger

  • Security alert (Defender, Identity Protection)
  • Compliance drift (Intune, Trust Center)
  • Scheduled (daily, weekly)
  • Manual (on-demand)
  • Webhook (external system)

2. Set Conditions

  • Alert severity (High, Medium, Low)
  • User type (Admin, Guest, Member)
  • Device platform (Windows, macOS, iOS)
  • Tenant/customer selection

3. Configure Actions

  • User actions: Block, reset password, revoke sessions
  • Device actions: Sync, lock, wipe, retire
  • Notification: Email, Teams, Slack, webhook
  • Ticket: Create in PSA, assign to team
  • Wait: Delay next action by specified time

4. Test and Deploy

  • Run in simulation mode first
  • Review what actions would be taken
  • Enable for production with approval gates if needed
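
The four steps above, modelled end to end as an added example that is not the product's own code or playbook schema (the page does not show one): a playbook has a trigger, a set of conditions, an ordered action list including Wait steps, and a simulation mode that reports what would run without running it; an approval gate stops the run before a destructive step in production. The action names, event fields and the treatment of Wait as a schedule offset are assumptions, and the two built-in playbooks are re-expressed in this model for illustration.

```python
"""A minimal playbook model: trigger, conditions, ordered actions (with Wait
and approval gates) and a simulation mode for reviewing what would run.

Added example, not the product's own code or schema, which the page does
not show. Action names, the event dictionary's fields and the hour-offset
treatment of Wait steps are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Action:
    kind: str                          # user | device | notification | ticket | wait
    name: str                          # assumed action name, e.g. "block_signin"
    params: dict = field(default_factory=dict)
    requires_approval: bool = False    # approval gate before this step runs in production


@dataclass
class Playbook:
    name: str
    trigger: str                       # security_alert | compliance_drift | scheduled | manual | webhook
    conditions: dict                   # event field -> set of accepted values
    actions: list                      # ordered Action list
    status: str = "Active"             # Active | Paused

    def matches(self, event: dict) -> bool:
        """Paused playbooks never fire; otherwise trigger and every condition must match."""
        if self.status != "Active" or event.get("trigger") != self.trigger:
            return False
        return all(event.get(key) in allowed for key, allowed in self.conditions.items())


def run_playbook(playbook: Playbook, event: dict, simulate: bool = True,
                 approve: Optional[Callable[[Action, dict], bool]] = None,
                 execute: Optional[Callable[[Action, dict], str]] = None) -> list:
    """Walk the action list in order and return one plan entry per non-wait step.

    simulate=True records what would run and executes nothing. In production
    mode a step whose approval gate is not satisfied is recorded as awaiting
    approval and the run stops, since later steps assume earlier ones completed."""
    plan = []
    if not playbook.matches(event):
        return plan
    if not simulate and execute is None:
        raise ValueError("production mode needs an executor")
    offset_hours = 0
    for action in playbook.actions:
        if action.kind == "wait":
            # Modelled as a schedule offset; a real engine would re-queue the run.
            offset_hours += action.params.get("hours", 0)
            continue
        step = {"at_hours": offset_hours, "action": action.name,
                "params": action.params, "needs_approval": action.requires_approval}
        if simulate:
            step["result"] = "would_run"
        elif action.requires_approval and not (approve and approve(action, event)):
            step["result"] = "awaiting_approval"
            plan.append(step)
            break
        else:
            step["result"] = execute(action, event)
        plan.append(step)
    return plan


# "Compromised User Response" in this model (condition fields are assumptions).
COMPROMISED_USER = Playbook(
    name="Compromised User Response",
    trigger="security_alert",
    conditions={"severity": {"High"}, "user_type": {"Member", "Admin"}},
    actions=[
        Action("user", "block_signin"),
        Action("user", "revoke_sessions"),
        Action("user", "reset_password", {"require_mfa_reregistration": True},
               requires_approval=True),
        Action("ticket", "create_ticket", {"assign_to": "SOC"}),
    ],
)

# "Device Non-Compliance": the 4h and 24h timings become Wait steps; the
# "if still non-compliant" re-check before blocking is left to the executor.
DEVICE_NONCOMPLIANCE = Playbook(
    name="Device Non-Compliance",
    trigger="compliance_drift",
    conditions={"source": {"Intune"}},
    actions=[
        Action("notification", "notify_device_owner"),
        Action("wait", "wait", {"hours": 4}),
        Action("device", "sync"),
        Action("wait", "wait", {"hours": 20}),
        Action("device", "block_access", requires_approval=True),
        Action("ticket", "create_ticket", {"assign_to": "IT"}),
    ],
)


if __name__ == "__main__":
    alert = {"trigger": "security_alert", "severity": "High",
             "user_type": "Member", "user": "alice@contoso.example"}   # constructed event
    for step in run_playbook(COMPROMISED_USER, alert):
        print(f"t+{step['at_hours']}h {step['action']:<16} {step['result']}")
```

Running a new playbook with `simulate=True` against recorded events produces the plan to review before enabling it; the `requires_approval` flag on the password reset and the access block is where an approval gate would sit in production.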