forked from splunk/security_content
AWS_IAM_Account_Locking.yml
name: AWS IAM Account Locking
id: f15e4ab7-b057-4225-86ae-c36ab78b50f2
version: 1
date: '2023-05-08'
author: Teoderick Contreras, Splunk
type: Investigation
description: "Accepts user name that needs to be disabled in AWS IAM Active Directory. Disabling an account involves deleting their login profile which will clear the user's password. Generates an observable output based on the status of account locking or disabling."
playbook: AWS_IAM_Account_Locking
how_to_implement: This input playbook requires the AWS IAM connector to be configured.
  It is designed to work in conjunction with the Dynamic Attribute Lookup playbook or other playbooks in the same style.
references: []
app_list:
- AWS IAM
tags:
  platform_tags:
  - user
  - aws_iam
  - D3-AL
  - disable_account
  playbook_type: Input
  vpe_type: Modern
  playbook_fields: []
  product:
  - Splunk SOAR
  use_cases:
  - Phishing
  - Endpoint
  defend_technique_id:
  - D3-AL