[TR-2958] AWS IAM Account Unlocking #2738

Merged
merged 63 commits into from
Aug 17, 2023


ljstella
Contributor

Pull Request Type

Please check all that apply:
  • New playbook
  • Bugfix
  • Feature add
  • Code style update (formatting, renaming)
  • Documentation
  • Other (please describe):

Release Notes

Replace the following list with release notes that describe the high level components of the PR:

  • Feature - Added new playbook for unlocking accounts w/ AWS IAM connector

Playbook quality checklist

Please check if your PR fulfills the following requirements.

Requirements for Settings

  • Playbook name is A-Z in Title case with underscores between words. (e.g. MS_Graph_Search_and_Purge)
  • Category in Title case with spaces between words (e.g. Identifier Reputation Analysis)
  • Description is free of grammatical errors and describes what the playbook does.
  • Notes list any setup required on the third-party API as well as intended areas for customization.
  • Label is set to '*'

Requirements for all playbooks

  • Playbook block count not greater than 15 (not including Start and End blocks).
  • No more than 3 branching paths.
  • If referencing a custom list, Notes document what the expected values are in that custom list.

Requirements for all playbook blocks

  • All blocks have a custom name no more than 4 words, all lowercase, and separated by space (e.g. close workbook task)
  • All blocks that support a Notes Tooltip have it filled out. Must be grammatically correct and describe the intended purpose of that block.
  • Where custom code is used, block notes indicate presence of custom code (e.g. "This block uses custom code")
  • No block is disabled by custom code
  • Custom code is documented with notes

Requirements for specific blocks

Action
  • Use apps available on Splunkbase
  • Use asset names that are the app name, all lowercase separated by underscores (e.g. Azure AD Graph becomes azure_ad_graph)
Utility
  • Block is using community version
Playbook
  • Block is using local version

Requirements for specific playbooks

Input playbooks
  • Start blocks use ocsf variable names and a minimum of one data type per variable name (e.g. device (type: host name))
  • Has at least one category tag (e.g. reputation)
  • Playbook has a tag for each vendor app used

Other considerations (PR type specific)

  • If new playbook, there is a screenshot ending in .png with the same name as the playbook .json
  • Playbook major minor version matches repo (e.g. 5.5 != 6.0)
  • PR contains both .py and .json

Thanks for contributing!

Collaborator

@P4T12ICK P4T12ICK left a comment

LGTM

@kelby-shelton
Contributor

  1. Remove D3-AL tag.
  2. Update description to indicate that enabling user reattaches their login profile which requires setting a new password.
  3. Filter block tag says "disable_success" instead of "enable_success"

Other than that, looks good.

@patel-bhavin
Contributor

The PR was updated with the feedback!

@patel-bhavin patel-bhavin merged commit 5fea0af into develop Aug 17, 2023
26 checks passed
@delete-merged-branch delete-merged-branch bot deleted the TR-2958 branch August 17, 2023 22:30
5 participants