[TR-2953] Azure AD Account Unlocking #2739

Merged
merged 68 commits into from
Aug 18, 2023

ljstella
Contributor

Pull Request Type

Please check all that apply:
  • New playbook
  • Bugfix
  • Feature add
  • Code style update (formatting, renaming)
  • Documentation
  • Other (please describe):

Release Notes

Replace the following list with release notes that describe the high level components of the PR:

  • Feature - Added new playbook for unlocking accounts w/ Azure AD Graph connector

Playbook quality checklist

Please check if your PR fulfills the following requirements.

Requirements for Settings

  • Playbook name is A-Z in Title case with underscores between words. (e.g. MS_Graph_Search_and_Purge)
  • Category in Title case with spaces between words (e.g. Identifier Reputation Analysis)
  • Description is free of grammatical errors and describes what the playbook does.
  • Notes list any setup required on the third-party API as well as intended areas for customization.
  • Label is set to '*'

Requirements for all playbooks

  • Playbook block count not greater than 15 (not including Start and End blocks).
  • No more than 3 branching paths.
  • If referencing a custom list, Notes document what the expected values are in that custom list.

Requirements for all playbook blocks

  • All blocks have a custom name of no more than 4 words, all lowercase, separated by spaces (e.g. close workbook task)
  • All blocks that support a Notes Tooltip have it filled out. It must be grammatically correct and describe the intended purpose of that block.
  • Where custom code is used, block notes indicate presence of custom code (e.g. "This block uses custom code")
  • No block is disabled by custom code
  • Custom code is documented with notes

Requirements for specific blocks

Action
  • Use apps available on Splunkbase
  • Use asset names that are the app name, all lowercase separated by underscores (e.g. Azure AD Graph becomes azure_ad_graph)
Utility
  • Block is using community version
Playbook
  • Block is using local version

Requirements for specific playbooks

Input playbooks
  • Start blocks use ocsf variable names and a minimum of one data type per variable name (e.g. device (type: host name))
  • Has at least one category tag (e.g. reputation)
  • Playbook has a tag for each vendor app used

Other considerations (PR type specific)

  • If new playbook, there is a screenshot ending in .png with the same name as the playbook .json
  • Playbook major minor version matches repo (e.g. 5.5 != 6.0)
  • PR contains both .py and .json

Thanks for contributing!

@P4T12ICK P4T12ICK left a comment

LGTM

@kelby-shelton
Contributor

  1. Remove the D3-AL tag. We will need to add a new tag once MITRE approves the Restore phase.
  2. The description/tooltip for "enable user account" is confusing: "Enable the user attributes for filtered playbook inputs." Can we do something like, "Enables the user accounts provided by the filtered playbook inputs."?
  3. The filter label on "filter enable result" says "disabled_success" instead of "enabled_success."
[Screenshot attached: 2023-08-02, 10:55:30 AM]

Other than that, looks good.

@patel-bhavin
Contributor

patel-bhavin commented Aug 18, 2023

reviewed by Patrick and Kelby

@patel-bhavin patel-bhavin merged commit 0d8ce6c into develop Aug 18, 2023
26 checks passed
@delete-merged-branch delete-merged-branch bot deleted the TR-2953 branch August 18, 2023 17:15