Disabling a user account with Azure AD Graph connector

Configure Splunk SOAR to connect to Azure AD Graph REST API services

1. If not already present in your SOAR instance, install the Azure AD Graph app from Splunkbase.
2. From Splunk SOAR, select Apps, Unconfigured Apps, then search for Azure AD Graph and select Configure new asset.
   1. Configure your Asset Info and Asset Settings accordingly based on your tenant information (for example, see Add and configure apps and assets to provide actions in Splunk SOAR for more information).
   2. (Optional) On the Asset Info tab, add any Tags you want to use in Playbooks.

Copy and configure the Azure AD Account Locking playbook

1. From Splunk SOAR, select Playbooks and then edit the Azure AD Account Locking playbook to use the Azure AD Graph connector.
   1. Search for Azure_AD_Account_Locking and you should see this playbook in the community repository. You can also download it from our GitHub repository.
   2. Select the box for that playbook and click Copy.
   3. Select local (or your desired repository) as the source control to save to and then Copy.
   4. Select the box to the left of the copy of the “Azure AD Account Locking” playbook and choose Edit. Deselect the check next to the original version if still selected.
   5. (Optional) In the Tags dropdown, select any tags you configured in the Azure AD Graph connector.
      Do not set the playbook as active or it will automatically run on all artifacts labeled with those tags.
   6. In the Category dropdown, select Account Locking, click Save, then Dismiss the confirmation.
2. Open the copy of the Azure_AD_Account_Unlocking playbook you created to finish the configuration.
   1. Search for Azure_AD_Account_Locking and you should see this playbook in the repository you saved the copy to.
   2. Click the title of the playbook to edit it.
   3. Within the Visual Playbook Editor (VPE), you should see an alert that says “1 Missing Configuration”. Select the View link.
   4. In the Available Configurations dropdown menu, select the Azure AD item that you configured earlier, then click Save.
   5. Click Save in the upper right of the editor, select the appropriate repo, enter a comment describing the changes you made, then click Save.
   6. Close this browser tab.

Since this is an input playbook, it needs to be added to a new or existing playbook in order to run it. A good example to choose is the Splunk Automated Email Investigation playbook. For more information on this example, see Automating the investigation of emails for malicious content. The Azure_AD_Account_Locking input playbook could be included after the “Who interacted with urls/files” blocks with a condition based on a true positive result of malicious behavior.

Run the parent playbook on any account or user fields present

From a Splunk SOAR investigation (event or case) that has the compromised account present:

1. Select the Analyst view.
2. Click the Artifacts tab.
3. Note the ID of the artifact containing the account you wish to disable, then select Playbook in the upper right.
4. In Scope, select Artifact and enter the artifact ID from the previous step.
5. In the search field, search for the parent playbook you included the Azure_AD_Account_Locking input playbook within. For example, this might be the Splunk_Automated_Email_Investigation playbook as recommended above.
6. Select this playbook and click Run.
7. The status of the job will appear in the Activity tab to the left.
8. Notes will be added to the investigation with the details of which user's mailboxes this email was removed from.