Disabling a user account with Azure AD Graph connector
Phishing is the most prevalent cybersecurity threat in today’s digital world. Account compromise and account takeover are typically the goal of threat actors, and security analysts need a mechanism to quickly lock down compromised accounts. Failure to react quickly could result in data theft, data encryption, or financial fraud.
Prerequisites
SOAR Connector: Azure AD Graph
Solution
The Azure AD Account Locking playbook accepts a username that needs to be disabled in Azure Active Directory using the Azure AD Graph connector. This input playbook generates an observable output based on the status of account locking or disabling. The playbook connects to Azure AD Graph REST API services using the “disable user” action.
This aligns with MITRE D3FEND technique Account Locking in the category of Credential Eviction, which involves the process of temporarily disabling user accounts on a system or domain.
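To make the "disable user" step concrete, here is an added Python example that is not the playbook's own code or part of the Azure AD Graph app. It builds the Azure AD Graph REST request that sets `accountEnabled` to `false` for a user, sends it through a caller-supplied transport, and maps the outcome to an observable-style result of the kind an input playbook returns. The request shape (`PATCH /{tenant}/users/{upn}?api-version=1.6`, 204 on success, `odata.error` on failure) is the Azure AD Graph API's; the observable field names (`type`, `value`, `status`, `source`, `message`) and the `fake_send` transport with its constructed user directory are assumptions made for the example so it runs offline.

```python
"""Added example: issue the Azure AD Graph 'disable user' request and
report the result as an observable (assumed field layout, not SOAR's own)."""
import json
from typing import Any, Callable, Dict, Optional, Tuple
from urllib.parse import quote, unquote

# Azure AD Graph (legacy) base URL and API version.
GRAPH_BASE = "https://graph.windows.net"
API_VERSION = "1.6"


def build_disable_request(tenant: str, upn: str, token: str) -> Dict[str, Any]:
    """Return the HTTP request that disables the account identified by UPN."""
    return {
        "method": "PATCH",
        "url": f"{GRAPH_BASE}/{tenant}/users/{quote(upn, safe='@')}?api-version={API_VERSION}",
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/json"},
        "body": json.dumps({"accountEnabled": False}),
    }


# Transport signature: request dict -> (HTTP status, decoded JSON body or None).
Transport = Callable[[Dict[str, Any]], Tuple[int, Optional[Dict[str, Any]]]]


def disable_user(tenant: str, upn: str, token: str, send: Transport) -> Dict[str, Any]:
    """Send the disable request and map the HTTP outcome to an observable."""
    status, body = send(build_disable_request(tenant, upn, token))
    if status == 204:          # Azure AD Graph returns 204 No Content on success
        state = "disabled"
    elif status == 404:        # unknown user: nothing was changed
        state = "not_found"
    else:                      # auth, throttling or other failure: escalate
        state = "error"
    message = ""
    if body and "odata.error" in body:   # Azure AD Graph error envelope
        message = body["odata.error"].get("message", {}).get("value", "")
    return {"type": "user name", "value": upn, "status": state,
            "http_status": status, "source": "Azure AD Graph", "message": message}


# --- Constructed offline transport standing in for the real tenant ---------
FAKE_DIRECTORY = {"alice@contoso.example": {"accountEnabled": True}}


def fake_send(req: Dict[str, Any]) -> Tuple[int, Optional[Dict[str, Any]]]:
    """Simulate the tenant: PATCH a known user succeeds, an unknown one 404s."""
    if req["method"] != "PATCH" or not req["headers"]["Authorization"].startswith("Bearer "):
        return 401, {"odata.error": {"code": "Authentication_MissingOrMalformed",
                                     "message": {"lang": "en", "value": "Access Token missing"}}}
    upn = unquote(req["url"].split("/users/")[1].split("?")[0])
    user = FAKE_DIRECTORY.get(upn)
    if user is None:
        return 404, {"odata.error": {"code": "Request_ResourceNotFound",
                                     "message": {"lang": "en", "value": f"Resource '{upn}' does not exist."}}}
    user.update(json.loads(req["body"]))
    return 204, None


if __name__ == "__main__":
    for upn in ("alice@contoso.example", "nobody@contoso.example"):
        print(disable_user("contoso.onmicrosoft.com", upn, "example-token", fake_send))
    print(FAKE_DIRECTORY)
```

A playbook that consumes this result would branch on `status`: `disabled` feeds the confirmation note on the investigation, while `not_found` and `error` should surface to the analyst rather than be treated as a completed containment.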
Steps
The following is a guide to configuring Splunk SOAR to connect to Azure AD using the Azure AD Graph app and then implementing the Azure AD Account Locking input playbook in your environment.
Configure Splunk SOAR to connect to Azure AD Graph REST API services
- If not already present in your SOAR instance, install the Azure AD Graph app from Splunkbase.
- From Splunk SOAR, select Apps, Unconfigured Apps, then search for Azure AD Graph and select Configure new asset.
- Configure your Asset Info and Asset Settings based on your tenant information (see Add and configure apps and assets to provide actions in Splunk SOAR for details).
- (Optional) On the Asset Info tab, add any Tags you want to use in Playbooks.
It is best practice to copy the out-of-the-box playbooks if any edits will be made in order to preserve the originals.
Copy and configure the Azure AD Account Locking playbook
- From Splunk SOAR, select Playbooks and then edit the Azure AD Account Locking playbook to use the Azure AD Graph connector.
- Search for Azure_AD_Account_Locking and you should see this playbook in the community repository. You can also download it from our GitHub repository.
- Select the box for that playbook and click Copy.
- Select local (or your desired repository) as the source control to save to and then Copy.
- Select the box to the left of the copy of the “Azure AD Account Locking” playbook and choose Edit. Deselect the check next to the original version if still selected.
- (Optional) In the Tags dropdown, select any tags you configured in the Azure AD Graph connector.
Do not set the playbook as active or it will automatically run on all artifacts labeled with those tags.
- In the Category dropdown, select Account Locking, click Save, then Dismiss the confirmation.
- Open the copy of the Azure_AD_Account_Locking playbook you created to finish the configuration.
- Search for Azure_AD_Account_Locking and you should see this playbook in the repository you saved the copy to.
- Click the title of the playbook to edit it.
- Within the Visual Playbook Editor (VPE), you should see an alert that says “1 Missing Configuration”. Select the View link.
- In the Available Configurations dropdown menu, select the Azure AD item that you configured earlier, then click Save.
- Click Save in the upper right of the editor, select the appropriate repo, enter a comment describing the changes you made, then click Save.
- Close this browser tab.
Since this is an input playbook, it needs to be added to a new or existing playbook in order to run it. A good example to choose is the Splunk Automated Email Investigation playbook. For more information on this example, see Automating the investigation of emails for malicious content. The Azure_AD_Account_Locking input playbook could be included after the “Who interacted with urls/files” blocks with a condition based on a true positive result of malicious behavior.
Run the parent playbook on any account or user fields present
From a Splunk SOAR investigation (event or case) that has the compromised account present:
- Select the Analyst view.
- Click the Artifacts tab.
- Note the ID of the artifact containing the account you wish to disable, then select Playbook in the upper right.
- In Scope, select Artifact and enter the artifact ID from the previous step.
- In the search field, search for the parent playbook you included the Azure_AD_Account_Locking input playbook within. For example, this might be the Splunk_Automated_Email_Investigation playbook as recommended above.
- Select this playbook and click Run.
- The status of the job will appear in the Activity tab to the left.
- Notes will be added to the investigation with the details of which users' mailboxes this email was removed from.
Resources
Splunk Security Content has many more phishing playbooks based on other vendors' products that can integrate with Splunk SOAR. In addition, the following resources might help you with this use case:
- Splunk EDU video: Implementing SOAR community playbooks
- Splunk Docs: Run a playbook in Splunk SOAR (On-premises)
- Data descriptor: Getting started with Microsoft Teams call record data and Azure Functions
- SOAR app: Azure AD Graph
- Locking playbook: Azure AD Account Locking playbook
- Unlocking playbook: Azure AD Unlocking Account playbook
- Splunk Blog: Phishing scams & attacks: A complete guide
- Lantern article: Automating the investigation of emails for malicious content
- Email investigation playbook: Splunk Automated Email Investigation