top of page
Search

Disable Azure AD User from Splunk Alert Action

In the modern SOC it is imperative to have the ability to respond to security incidents in an automated and rapid fashion. Dataflect has the ability to enable targeted Security Orchestration Automation and Response (SOAR) capabilities, with a low cost and low level of effort.

In this example we will show you how you can use Dataflect to automatically disable an Azure AD user account based on information discovered in your logs.


First, follow the post on how to Get Azure User information from Splunk. output the result of that search to a lookup called "identies.csv".


We will use this information to enrich our search results. Now let's look for some potentially problematic behavior, identified in the logs.

We've identified a user with 87 failed logins. At this point we could pass this information along to our Azure administrators, but what if we need to take action quickly? With Dataflect we can quickly and easy build a custom alert action that will allow us to disable this user when identified in the logs.


Use the same App Registration created in Get Azure User information from Splunk or a create new one following the same instructions. This time add the User.EnableDisableAccount.All "Application" permission. If you've created a new App Registration, make sure to add the credentials to Dataflect before proceeding.


Now, let's use Dataflect to build a custom alert action. Click the "Create" dropdown and select "Action Builder".


Complete with the following information:


URL: https://graph.microsoft.com/v1.0/users/{tenant} (replace {tenant} with your tenant ID)

Endpoint Path: $result.id$ Method: Patch

Headers: {'Content-Type': 'application/json'}

Data: {'accountEnabled': 'false'}

Credential: Select your created credential from the dropdown


Click submit. You are going to receive a 400 status code, this is expected.


At the top of the page, expand "Create Custom Alert Action". Give the Alert Action a unique name:


Now let's put this into action. Go back to your search, and reload the page. Let's add a check to ensure that we only disable accounts that aren't already enabled:


Click "Save As", select "Alert"



Give the alert a relevant Title, Description, Schedule, and Trigger Conditions.


Click "+ Add Actions" and select your newly created Alert Action


Let your search run!


Before:

The search runs:

After:


If you want to see the other ways that Dataflect can help your organization contact us at sales@dataflect.com for a demo today!

Comments


bottom of page