Use Case #3: Disable User Account

Use Case #3: Disable User Account


Active Directory response actions is intended to be utilized when a high probably user compromise incident has been identified by the SOC. The account or device associated with the incident needs to be disabled immediately to avoid further spread laterally into other high privilege accounts on the environment.

Typical Actions

  1. Disable User Account 
  2. Revoke all active user sessions 

Other Actions Available

  1. Force password update 
  2. Reset user password (temporarily) 
  3. Move user to specified group policy (quarantined/air gapped) 

Default Playbooks

  1. XDR: Successful Login Outside the US Detections 
  2. XDR: Conditional Access Blocked Login 
  3. XDR: User Impossible Travel Anomaly 

Base Workflow


Note: In environments configured with a hybrid of Entra and on-premises Active Directory, the SOC advises using the "Add user to group" step instead of the "Disable user account" step. This approach is advantageous for several reasons: Disabling a user account revokes all user licenses and can take approximately 30-40 minutes to restore access after rebuilding the account following an SOC-reported incident. Additionally, when Entra synchronizes with on-premises AD, discrepancies in user flags can sometimes automatically re-enable a disabled user, complicating the remediation process after an incident.

What is Needed

  1. Client ID 
    1. From Azure App registration page 
  2. Client Secret 
  3. Directory ID (Tenant ID) 
For on-prem AD, credentials may vary, so confirm with the documentation to validate specific information required. 

Available Vendors

  1. Azure AD 
  2. Active Directory 
  3. ... more on Updated Integration List for Chronicle SOAR 

Note: If you do not see an integration, it still may be possible to configure, CyFlare has an internal SOAR team that can develop integrations within SOAR. This may be of extra cost to a client, depending on the request. Reach out to your CSM or socir@cyflare.com for more details. 


How to Get Started 

Two Options: 

  1. You can work with your dedicated Customer Success Manager, and they will coordinate with the SOAR Team in getting this Automation built out for you. 
  2. Send an email to socir@cyflare.com and specify what integration you would like to leverage for automation to be built out. 
    1. The SOAR Team will process your request and get back to you with the criteria we need and meet with any customer to further explain and validate any questions they may have. 



    • Related Articles

    • Use Case #4: Email Integration 

      Exchange/Email servers are a vital part of implementing automated response actions as one of the most common entry points for malicious/unknown entities into customers’ environments. The SOC is enabled with these response actions to prevent and ...
    • Use Case #6: Isolate Endpoint

      For mEDR customers, this automation use case is meant to provide immediate response actions when dealing with endpoint-specific threats that could originate from various source tools. This automation use case collects information from the reported ...
    • Use Case #5: Scan/Remediate/Rollback Endpoint

      For mEDR customers, this automation use case is meant to provide immediate response actions when dealing with endpoint-specific threats that could originate from various source tools. This automation use case collects information from the reported ...
    • Use Case #2: Network Isolation 

      The SOC can take network-based response actions by utilizing API response actions on network appliances. These include firewall, routers, management devices, etc. Typical Actions Isolate/Quarantine endpoint(s) from network Terminate network sessions ...
    • Use Case #1: Firewall Policy Update

      Firewall response actions are the best way to deal with noisy public IPs attempting to ping/connect to external public-facing servers in the customer’s environment. This can also help respond to potential malicious IPs very quickly through automated ...