CortexResponder_DuoUserAccount

Rep. for Cortex Responder (TheHive project - https://github.com/TheHive-Project/CortexDocs)
to Lock/Unlock User Accounts in the Duo Admin Portal (Cisco Security)

There are two Responder available in order to change the status of a User in Duo Security via the AdminAPI (https://duo.com/docs/adminapi)

DuoLockUserAccount -> changes the "status" to “disabled” - The user will not be able to log in.

DuoUnlockUserAccount -> changes the "status" to “active” - The user must complete secondary authentication.

The Responder is looking for a "username" as input and queries the Duo Admin API, to receive the associated UserID.
The UserID is used to change the "status" of the particular user.

How to install:

  • copy the folders "DuoLockUserAccount" & "DuoUnlockUserAccount" into your Cortex responders path
  • install necessary python modules from the requirements.txt (pip install -r requirements.txt)
  • restart Cortex to initialize the new Responder "systemctl restart cortex"
  • add the ResponderConfig
  • ResponderConfig
  • enable the Responder Actions
  • Responders

Add Observable type in TheHive**

  • per default TheHive has no "username" Observable type, so we have to add this in the Admin settings
  • AddObservableType

Run the Responder action in TheHive

If you have add an observable, you can now take action and lock/unlock the User in Duo Security

  • Demo_Lock-Unlock_DuoUser
View code on GitHub
  • Owner

  • Contributors

    +1Github contributor
  • Categories

  • Products

    Duo
  • Programming Languages

    Python
  • License

    GNU General Public License v3.0

Code Exchange Community

Get help, share code, and collaborate with other developers in the Code Exchange community.View Community
Disclaimer:
Cisco provides Code Exchange for convenience and informational purposes only, with no support of any kind. This page contains information and links from third-party websites that are governed by their own separate terms. Reference to a project or contributor on this page does not imply any affiliation with or endorsement by Cisco.