diff --git a/playbooks/Active_Directory_Enable_Account_Dispatch.json b/playbooks/Active_Directory_Enable_Account_Dispatch.json new file mode 100644 index 0000000000..7bb69e8919 --- /dev/null +++ b/playbooks/Active_Directory_Enable_Account_Dispatch.json @@ -0,0 +1,615 @@ +{ + "blockly": false, + "blockly_xml": "", + "category": "Enable Account", + "coa": { + "data": { + "description": "Accepts user name that needs to be enabled in Active Directory. Generates a report and observable output based on the status of account unlocking or enabling.", + "edges": [ + { + "id": "port_3_to_port_7", + "sourceNode": "3", + "sourcePort": "3_out", + "targetNode": "7", + "targetPort": "7_in" + }, + { + "conditions": [ + { + "index": 1 + } + ], + "id": "port_7_to_port_9", + "sourceNode": "7", + "sourcePort": "7_out", + "targetNode": "9", + "targetPort": "9_in" + }, + { + "id": "port_8_to_port_10", + "sourceNode": "8", + "sourcePort": "8_out", + "targetNode": "10", + "targetPort": "10_in" + }, + { + "id": "port_10_to_port_11", + "sourceNode": "10", + "sourcePort": "10_out", + "targetNode": "11", + "targetPort": "11_in" + }, + { + "id": "port_11_to_port_12", + "sourceNode": "11", + "sourcePort": "11_out", + "targetNode": "12", + "targetPort": "12_in" + }, + { + "id": "port_12_to_port_1", + "sourceNode": "12", + "sourcePort": "12_out", + "targetNode": "1", + "targetPort": "1_in" + }, + { + "id": "port_0_to_port_3", + "sourceNode": "0", + "sourcePort": "0_out", + "targetNode": "3", + "targetPort": "3_in" + }, + { + "conditions": [ + { + "index": 0 + } + ], + "id": "port_7_to_port_13", + "sourceNode": "7", + "sourcePort": "7_out", + "targetNode": "13", + "targetPort": "13_in" + }, + { + "conditions": [ + { + "index": 0 + } + ], + "id": "port_13_to_port_8", + "sourceNode": "13", + "sourcePort": "13_out", + "targetNode": "8", + "targetPort": "8_in" + } + ], + "hash": "fa3bf5509d648eac79a36ba25378f72cbb49a684", + "nodes": { + "0": { + "data": { + "advanced": { + "join": [] + }, + "functionName": "on_start", + "id": "0", + "type": "start" + }, + "errors": {}, + "id": "0", + "type": "start", + "warnings": {}, + "x": 160, + "y": -1.2789769243681803e-13 + }, + "1": { + "data": { + "advanced": { + "join": [] + }, + "functionName": "on_finish", + "id": "1", + "type": "end" + }, + "errors": {}, + "id": "1", + "type": "end", + "warnings": {}, + "x": 300, + "y": 1398 + }, + "10": { + "data": { + "advanced": { + "customName": "merge report", + "customNameId": 0, + "description": "summary report for all disable account input playbooks.", + "join": [], + "note": "summary report for all disable account input playbooks." + }, + "functionId": 1, + "functionName": "merge_report", + "id": "10", + "parameters": [ + "normalized_observable_filter:custom_function:observable_merge_report" + ], + "template": "SOAR attempted to unlock account(s). The table below shows a summary of the information gathered.\\n\\n\n| Value | Type | Message | Status |\n| --- | --- | --- | --- |\n%%\n| {0} \n%%\n", + "type": "format" + }, + "errors": {}, + "id": "10", + "type": "format", + "userCode": "\n # Write your custom code here...\n #phantom.debug(phantom.format(container=container, template=template, parameters=parameters, name=\"merge_report\"))\n", + "warnings": {}, + "x": 280, + "y": 864 + }, + "11": { + "data": { + "advanced": { + "customName": "tag indicators", + "customNameId": 0, + "description": "adding indicator tag for each disabled account.", + "join": [], + "note": "adding indicator tag for each disabled account." + }, + "customFunction": { + "draftMode": false, + "name": "indicator_tag", + "repoName": "community" + }, + "functionId": 3, + "functionName": "tag_indicators", + "id": "11", + "selectMore": false, + "tab": "customFunctions", + "type": "utility", + "utilities": { + "indicator_tag": { + "description": "Tag an existing indicator record. Tags can be overwritten or appended.", + "fields": [ + { + "dataTypes": [ + "*" + ], + "description": "Specifies the indicator which the tag will be added to. Supports a string indicator value or an indicator id.", + "inputType": "item", + "label": "indicator", + "name": "indicator", + "placeholder": "my_indicator", + "renderType": "datapath", + "required": false + }, + { + "dataTypes": [ + "*" + ], + "description": "Comma separated list of tags. Tags should only contain characters Aa-Zz, 0-9, '-', and '_'.", + "inputType": "item", + "label": "tags", + "name": "tags", + "placeholder": "tag1,tag2,...,tagk", + "renderType": "datapath", + "required": false + }, + { + "dataTypes": [], + "description": "Either True or False with default as False. If set to True, existing tags on the indicator record will be replaced by the provided input. If set to False, the new tags will be appended to the existing indicator tags.", + "inputType": "item", + "label": "overwrite", + "name": "overwrite", + "placeholder": "False", + "renderType": "datapath", + "required": false + } + ], + "label": "indicator_tag", + "name": "indicator_tag" + } + }, + "utilityType": "custom_function", + "values": { + "indicator_tag": { + "indicator": "normalized_observable_filter:custom_function:observable_value", + "overwrite": null, + "tags": "normalized_observable_filter:custom_function:observable_type" + } + } + }, + "errors": {}, + "id": "11", + "type": "utility", + "warnings": {}, + "x": 280, + "y": 1042 + }, + "12": { + "data": { + "advanced": { + "customName": "update workbook task", + "customNameId": 0, + "description": "update workbook task of this dispatch playbook", + "join": [], + "note": "update workbook task of this dispatch playbook" + }, + "customFunction": { + "draftMode": false, + "name": "workbook_task_update", + "repoName": "community" + }, + "functionId": 4, + "functionName": "update_workbook_task", + "id": "12", + "selectMore": false, + "type": "utility", + "utilities": { + "workbook_task_update": { + "description": "Update a workbook task by task name or the task where the currently running playbook appears. Requires a task_name, container_id, and a note_title, note_content, owner, or status.", + "fields": [ + { + "dataTypes": [ + "*" + ], + "description": "Name of a workbook task or keyword 'playbook' to update the task where the currently running playbook appears. (Required)", + "inputType": "item", + "label": "task_name", + "name": "task_name", + "placeholder": "my_task", + "renderType": "datapath", + "required": false + }, + { + "dataTypes": [ + "*" + ], + "description": "Note title. (Optional)", + "inputType": "item", + "label": "note_title", + "name": "note_title", + "placeholder": "My Title", + "renderType": "datapath", + "required": false + }, + { + "dataTypes": [ + "*" + ], + "description": "Note content. (Optional)", + "inputType": "item", + "label": "note_content", + "name": "note_content", + "placeholder": "My notes", + "renderType": "datapath", + "required": false + }, + { + "dataTypes": [ + "*" + ], + "description": "Accepts 'incomplete', 'in_progress, or 'complete'. (Optional)", + "inputType": "item", + "label": "status", + "name": "status", + "placeholder": "in_progress", + "renderType": "datapath", + "required": false + }, + { + "dataTypes": [ + "*" + ], + "description": "A user to assign as the task owner or keyword 'current\" to assign the task to the user that launched the playbook. (Optional)", + "inputType": "item", + "label": "owner", + "name": "owner", + "placeholder": "username", + "renderType": "datapath", + "required": false + }, + { + "dataTypes": [ + "phantom container id" + ], + "description": "The ID of a SOAR Container. (Required)", + "inputType": "item", + "label": "container", + "name": "container", + "placeholder": "container:id", + "renderType": "datapath", + "required": false + } + ], + "label": "workbook_task_update", + "name": "workbook_task_update" + } + }, + "utilityType": "custom_function", + "values": { + "comment": { + "_internal": [ + "container", + "author", + "trace" + ], + "comment": "Observable output of input playbooks does not exist." + }, + "workbook_task_update": { + "container": "container:id", + "note_content": "merge_report:formatted_data", + "note_title": "AD Enable Account Report", + "owner": null, + "status": "complete", + "task_name": "playbook" + } + } + }, + "errors": {}, + "id": "12", + "type": "utility", + "warnings": {}, + "x": 280, + "y": 1220 + }, + "13": { + "data": { + "advanced": { + "customName": "observable filter ", + "customNameId": 0, + "description": "Filter to check if observable output is successfully generated or not.", + "join": [], + "note": "Filter to check if observable output is successfully generated or not." + }, + "conditions": [ + { + "comparisons": [ + { + "conditionIndex": 0, + "op": "!=", + "param": "dispatch_account_enable:playbook_output:observable", + "value": "" + } + ], + "conditionIndex": 0, + "customName": "Successful observables", + "logic": "and" + } + ], + "functionId": 1, + "functionName": "observable_filter", + "id": "13", + "type": "filter" + }, + "errors": {}, + "id": "13", + "type": "filter", + "warnings": {}, + "x": 340, + "y": 480 + }, + "3": { + "data": { + "advanced": { + "customName": "dispatch account enable", + "customNameId": 0, + "join": [] + }, + "functionId": 1, + "functionName": "dispatch_account_enable", + "id": "3", + "inputs": { + "artifact_ids_include": { + "datapaths": [], + "deduplicate": false + }, + "indicator_tags_exclude": { + "datapaths": [], + "deduplicate": false + }, + "indicator_tags_include": { + "datapaths": [], + "deduplicate": false + }, + "playbook_repo": { + "datapaths": [], + "deduplicate": false + }, + "playbook_tags": { + "datapaths": [ + "enable_account", + "active_directory" + ], + "deduplicate": false + } + }, + "playbookName": "dispatch_input_playbooks", + "playbookRepo": 1, + "playbookRepoName": "community", + "playbookType": "data", + "synchronous": true, + "type": "playbook" + }, + "errors": {}, + "id": "3", + "type": "playbook", + "warnings": {}, + "x": 140, + "y": 140 + }, + "7": { + "data": { + "advanced": { + "case_sensitive": false, + "customName": "observable output decision", + "customNameId": 0, + "delimiter": ",", + "delimiter_enabled": false, + "description": "Decision to check if observable output is successfully generated or not.", + "join": [], + "notRequiredJoins": [], + "note": "Decision to check if observable output is successfully generated or not." + }, + "conditions": [ + { + "comparisons": [ + { + "conditionIndex": 0, + "op": "!=", + "param": "dispatch_account_enable:playbook_output:observable", + "value": "" + } + ], + "conditionIndex": 0, + "customName": "observable_exist", + "display": "If", + "logic": "and", + "type": "if" + }, + { + "comparisons": [ + { + "conditionIndex": 1, + "op": "==", + "param": "", + "value": "" + } + ], + "conditionIndex": 1, + "customName": "observable_not_exist", + "display": "Else", + "logic": "and", + "type": "else" + } + ], + "functionId": 2, + "functionName": "observable_output_decision", + "id": "7", + "type": "decision" + }, + "errors": {}, + "id": "7", + "type": "decision", + "warnings": {}, + "x": 220, + "y": 300 + }, + "8": { + "data": { + "advanced": { + "customName": "normalized observable filter", + "customNameId": 0, + "description": "This block uses custom code for normalizing observable result of input playbooks tag as disable_account. The normalized output will be used in merging 4 different types of disable_account used to locked users in active directory.", + "join": [], + "note": "This block uses custom code for normalizing observable result of input playbooks tag as disable_account. The normalized output will be used in merging 4 different types of disable_account used to locked users in active directory." + }, + "functionId": 1, + "functionName": "normalized_observable_filter", + "id": "8", + "inputParameters": [ + "filtered-data:observable_filter:condition_1:dispatch_account_enable:playbook_output:observable" + ], + "outputVariables": [ + "observable_value", + "observable_type", + "observable_merge_report" + ], + "type": "code" + }, + "errors": {}, + "id": "8", + "type": "code", + "userCode": "\n # Write your custom code here...\n normalized_observable_filter__observable_message = []\n normalized_observable_filter__observable_value = []\n normalized_observable_filter__observable_merge_report = []\n fmt_output = \"\"\n output_observable_values = [(i or \"\") for i in filtered_output_0_dispatch_account_enable_output_observable_values]\n \n phantom.debug(\"output_observable_values: {}\".format(output_observable_values))\n for observable_item in output_observable_values:\n if observable_item['status'] == \"success\":\n user_name = observable_item['value'].split(\"@\")[0]\n normalized_observable_filter__observable_value.append(user_name)\n fmt_output += \"{} | {} | {} | {} | \\n\".format(observable_item['value'], observable_item['type'], observable_item['message'], observable_item['status'])\n normalized_observable_filter__observable_merge_report.append(fmt_output)\n normalized_observable_filter__observable_value = normalized_observable_filter__observable_value[0]\n normalized_observable_filter__observable_type = \"Enable Account\"\n phantom.debug(normalized_observable_filter__observable_merge_report)\n", + "warnings": {}, + "x": 280, + "y": 680 + }, + "9": { + "data": { + "advanced": { + "customName": "observable check comment", + "customNameId": 0, + "description": "observable output of input playbooks not exits.", + "join": [], + "note": "observable output of input playbooks not exits." + }, + "functionId": 2, + "functionName": "observable_check_comment", + "id": "9", + "selectMore": false, + "tab": "apis", + "type": "utility", + "utilities": { + "comment": { + "description": "", + "fields": [ + { + "description": "", + "label": "comment", + "name": "comment", + "placeholder": "Enter a comment", + "renderType": "datapath", + "required": true + }, + { + "hidden": true, + "name": "container", + "required": false + }, + { + "hidden": true, + "name": "author", + "required": false + }, + { + "hidden": true, + "name": "trace", + "required": false + } + ], + "label": "add comment", + "name": "comment" + } + }, + "utilityType": "api", + "values": { + "comment": { + "_internal": [ + "container", + "author", + "trace" + ], + "comment": "Observable output of input playbooks does not exist." + } + } + }, + "errors": {}, + "id": "9", + "type": "utility", + "warnings": {}, + "x": -180, + "y": 500 + } + }, + "notes": "Inputs: users\nActions: Account Unlocking/Enabling\nOutputs: reports, observables" + }, + "input_spec": null, + "output_spec": null, + "playbook_type": "automation", + "python_version": "3", + "schema": "5.0.10", + "version": "6.0.1.123902" + }, + "create_time": "2023-08-14T15:39:14.219920+00:00", + "draft_mode": false, + "labels": [ + "*" + ], + "tags": [ + "user", + "azure_ad_graph", + "microsoft_ad_ldap", + "enable_account", + "D3-RUAA", + "active_directory" + ] +} \ No newline at end of file diff --git a/playbooks/Active_Directory_Enable_Account_Dispatch.png b/playbooks/Active_Directory_Enable_Account_Dispatch.png new file mode 100644 index 0000000000..a9a15fd3b0 Binary files /dev/null and b/playbooks/Active_Directory_Enable_Account_Dispatch.png differ diff --git a/playbooks/Active_Directory_Enable_Account_Dispatch.py b/playbooks/Active_Directory_Enable_Account_Dispatch.py new file mode 100644 index 0000000000..31313f5dbc --- /dev/null +++ b/playbooks/Active_Directory_Enable_Account_Dispatch.py @@ -0,0 +1,294 @@ +""" +Accepts user name that needs to be enabled in Active Directory. Generates a report and observable output based on the status of account unlocking or enabling. +""" + + +import phantom.rules as phantom +import json +from datetime import datetime, timedelta + + +@phantom.playbook_block() +def on_start(container): + phantom.debug('on_start() called') + + # call 'dispatch_account_enable' block + dispatch_account_enable(container=container) + + return + +@phantom.playbook_block() +def dispatch_account_enable(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug("dispatch_account_enable() called") + + playbook_tags_combined_value = phantom.concatenate("enable_account", "active_directory") + + inputs = { + "playbook_repo": [], + "playbook_tags": playbook_tags_combined_value, + "artifact_ids_include": [], + "indicator_tags_exclude": [], + "indicator_tags_include": [], + } + + ################################################################################ + ## Custom Code Start + ################################################################################ + + # Write your custom code here... + + ################################################################################ + ## Custom Code End + ################################################################################ + + # call playbook "community/dispatch_input_playbooks", returns the playbook_run_id + playbook_run_id = phantom.playbook("community/dispatch_input_playbooks", container=container, name="dispatch_account_enable", callback=observable_output_decision, inputs=inputs) + + return + + +@phantom.playbook_block() +def observable_output_decision(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug("observable_output_decision() called") + + ################################################################################ + # Decision to check if observable output is successfully generated or not. + ################################################################################ + + # check for 'if' condition 1 + found_match_1 = phantom.decision( + container=container, + conditions=[ + ["dispatch_account_enable:playbook_output:observable", "!=", ""] + ], + case_sensitive=False, + delimiter=None) + + # call connected blocks if condition 1 matched + if found_match_1: + observable_filter(action=action, success=success, container=container, results=results, handle=handle) + return + + # check for 'else' condition 2 + observable_check_comment(action=action, success=success, container=container, results=results, handle=handle) + + return + + +@phantom.playbook_block() +def normalized_observable_filter(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug("normalized_observable_filter() called") + + ################################################################################ + # This block uses custom code for normalizing observable result of input playbooks + # tag as disable_account. The normalized output will be used in merging 4 different + # types of disable_account used to locked users in active directory. + ################################################################################ + + filtered_output_0_dispatch_account_enable_output_observable = phantom.collect2(container=container, datapath=["filtered-data:observable_filter:condition_1:dispatch_account_enable:playbook_output:observable"]) + + filtered_output_0_dispatch_account_enable_output_observable_values = [item[0] for item in filtered_output_0_dispatch_account_enable_output_observable] + + normalized_observable_filter__observable_value = None + normalized_observable_filter__observable_type = None + normalized_observable_filter__observable_merge_report = None + + ################################################################################ + ## Custom Code Start + ################################################################################ + + # Write your custom code here... + normalized_observable_filter__observable_message = [] + normalized_observable_filter__observable_value = [] + normalized_observable_filter__observable_merge_report = [] + fmt_output = "" + output_observable_values = [(i or "") for i in filtered_output_0_dispatch_account_enable_output_observable_values] + + phantom.debug("output_observable_values: {}".format(output_observable_values)) + for observable_item in output_observable_values: + if observable_item['status'] == "success": + user_name = observable_item['value'].split("@")[0] + normalized_observable_filter__observable_value.append(user_name) + fmt_output += "{} | {} | {} | {} | \n".format(observable_item['value'], observable_item['type'], observable_item['message'], observable_item['status']) + normalized_observable_filter__observable_merge_report.append(fmt_output) + normalized_observable_filter__observable_value = normalized_observable_filter__observable_value[0] + normalized_observable_filter__observable_type = "Enable Account" + phantom.debug(normalized_observable_filter__observable_merge_report) + ################################################################################ + ## Custom Code End + ################################################################################ + + phantom.save_run_data(key="normalized_observable_filter:observable_value", value=json.dumps(normalized_observable_filter__observable_value)) + phantom.save_run_data(key="normalized_observable_filter:observable_type", value=json.dumps(normalized_observable_filter__observable_type)) + phantom.save_run_data(key="normalized_observable_filter:observable_merge_report", value=json.dumps(normalized_observable_filter__observable_merge_report)) + + merge_report(container=container) + + return + + +@phantom.playbook_block() +def observable_check_comment(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug("observable_check_comment() called") + + ################################################################################ + # observable output of input playbooks not exits. + ################################################################################ + + ################################################################################ + ## Custom Code Start + ################################################################################ + + # Write your custom code here... + + ################################################################################ + ## Custom Code End + ################################################################################ + + phantom.comment(container=container, comment="Observable output of input playbooks does not exist.") + + return + + +@phantom.playbook_block() +def merge_report(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug("merge_report() called") + + ################################################################################ + # summary report for all disable account input playbooks. + ################################################################################ + + template = """SOAR attempted to unlock account(s). The table below shows a summary of the information gathered.\\n\\n\n| Value | Type | Message | Status |\n| --- | --- | --- | --- |\n%%\n| {0} \n%%\n""" + + # parameter list for template variable replacement + parameters = [ + "normalized_observable_filter:custom_function:observable_merge_report" + ] + + ################################################################################ + ## Custom Code Start + ################################################################################ + + # Write your custom code here... + #phantom.debug(phantom.format(container=container, template=template, parameters=parameters, name="merge_report")) + ################################################################################ + ## Custom Code End + ################################################################################ + + phantom.format(container=container, template=template, parameters=parameters, name="merge_report") + + tag_indicators(container=container) + + return + + +@phantom.playbook_block() +def tag_indicators(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug("tag_indicators() called") + + ################################################################################ + # adding indicator tag for each disabled account. + ################################################################################ + + normalized_observable_filter__observable_type = json.loads(_ if (_ := phantom.get_run_data(key="normalized_observable_filter:observable_type")) != "" else "null") # pylint: disable=used-before-assignment + normalized_observable_filter__observable_value = json.loads(_ if (_ := phantom.get_run_data(key="normalized_observable_filter:observable_value")) != "" else "null") # pylint: disable=used-before-assignment + + parameters = [] + + parameters.append({ + "tags": normalized_observable_filter__observable_type, + "indicator": normalized_observable_filter__observable_value, + "overwrite": None, + }) + + ################################################################################ + ## Custom Code Start + ################################################################################ + + # Write your custom code here... + + ################################################################################ + ## Custom Code End + ################################################################################ + + phantom.custom_function(custom_function="community/indicator_tag", parameters=parameters, name="tag_indicators", callback=update_workbook_task) + + return + + +@phantom.playbook_block() +def update_workbook_task(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug("update_workbook_task() called") + + ################################################################################ + # update workbook task of this dispatch playbook + ################################################################################ + + id_value = container.get("id", None) + merge_report = phantom.get_format_data(name="merge_report") + + parameters = [] + + parameters.append({ + "owner": None, + "status": "complete", + "container": id_value, + "task_name": "playbook", + "note_title": "AD Enable Account Report", + "note_content": merge_report, + }) + + ################################################################################ + ## Custom Code Start + ################################################################################ + + # Write your custom code here... + + ################################################################################ + ## Custom Code End + ################################################################################ + + phantom.custom_function(custom_function="community/workbook_task_update", parameters=parameters, name="update_workbook_task") + + return + + +@phantom.playbook_block() +def observable_filter(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): + phantom.debug("observable_filter() called") + + ################################################################################ + # Filter to check if observable output is successfully generated or not. + ################################################################################ + + # collect filtered artifact ids and results for 'if' condition 1 + matched_artifacts_1, matched_results_1 = phantom.condition( + container=container, + conditions=[ + ["dispatch_account_enable:playbook_output:observable", "!=", ""] + ], + name="observable_filter:condition_1", + delimiter=None) + + # call connected blocks if filtered artifacts or results + if matched_artifacts_1 or matched_results_1: + normalized_observable_filter(action=action, success=success, container=container, results=results, handle=handle, filtered_artifacts=matched_artifacts_1, filtered_results=matched_results_1) + + return + + +@phantom.playbook_block() +def on_finish(container, summary): + phantom.debug("on_finish() called") + + ################################################################################ + ## Custom Code Start + ################################################################################ + + # Write your custom code here... + + ################################################################################ + ## Custom Code End + ################################################################################ + + return \ No newline at end of file diff --git a/playbooks/Active_Directory_Enable_Account_Dispatch.yml b/playbooks/Active_Directory_Enable_Account_Dispatch.yml new file mode 100644 index 0000000000..ae22904cc6 --- /dev/null +++ b/playbooks/Active_Directory_Enable_Account_Dispatch.yml @@ -0,0 +1,25 @@ +name: Active Directory Enable Account Dispatch +id: 86320a91-1bde-41ab-8990-602a3768fd99 +version: 1 +date: '2023-05-23' +author: Lou Stella, Splunk +type: Response +description: Automatically dispatches input playbooks with the 'enable_account' tag. This will produce a merge report and indicator tag for each inputs. +playbook: Active_Directory_Enable_Account_Dispatch +how_to_implement: This automatic playbook requires the "enable_account" tag be present on each input playbook you want to launch. +references: [] +app_list: + - microsoft_ad_ldap + - azure_ad_graph + - aws_iam +tags: + platform_tags: + - user + - D3-RUAA + - enable_account + - active_directory + playbook_type: Automatic + vpe_type: Modern + playbook_fields: [] + product: + - Splunk SOAR