Duo_Security
DuoLockUserAccount
Details
Author |
Sven Kutzer / Gyorgy Acs, @oscd_initiative |
Version |
1.0 |
License |
AGPL-V3 |
Requires Registration |
No |
Requires Subscription |
No |
Free Subscription Available |
No |
DataType Supported |
energysoar:case_artifact |
Description
Lock User Account in Duo Security via AdminAPI (The user will not be able to log in)
Configuration
Name |
Description |
API_hostname |
Duo Admin API hostname, api-XXXXXXXX.duosecurity.com |
Integration_Key |
Integration Key |
Secret_Key |
Secret Key |
DuoUnlockUserAccount
Details
Author |
Sven Kutzer / Gyorgy Acs, @oscd_initiative |
Version |
1.0 |
License |
AGPL-V3 |
Requires Registration |
No |
Requires Subscription |
No |
Free Subscription Available |
No |
DataType Supported |
energysoar:case_artifact |
Description
Unlock User Account in Duo Security via AdminAPI (The user must complete secondary authentication)
Configuration
Name |
Description |
API_hostname |
Duo Admin API hostname, api-XXXXXXXX.duosecurity.com |
Integration_Key |
Integration Key |
Secret_Key |
Secret Key |
Additional details from the README file:
Responder_DuoUserAccount
Lock/Unlock User Accounts in the Duo Admin Portal (Cisco Security)
There are two Responder available in order to change the status of a User in Duo Security via the AdminAPI (https://duo.com/docs/adminapi)
DuoLockUserAccount -> changes the “status” to “disabled” - The user will not be able to log in.
DuoUnlockUserAccount -> changes the “status” to “active” - The user must complete secondary authentication.
The Responder is looking for a “username“ as input and queries the Duo Admin API, to receive the associated UserID. The UserID is used to change the “status” of the particular user.
How to install:
copy the folders “DuoLockUserAccount” & “DuoUnlockUserAccount” into your Energy SOAR Automations path
install necessary python modules from the requirements.txt (pip install -r requirements.txt)
restart Energy SOAR Automation to initialize the new Responder
add the ResponderConfig
enable the Responder Actions
Add Observable type in Energy SOAR Base**
per default Energy SOAR Base has no “username” Observable type, so we have to add this in the Admin settings
Run the Responder action in Energy SOAR Base
If you have add an observable, you can now take action and lock/unlock the User in Duo Security