
Entra ID disable suspicious account


Overview

This workflow automates the response to suspicious account creation activities detected by EXABEAM by immediately disabling the flagged user account through Microsoft Entra ID integration. It provides real-time security response with automated notifications to keep security teams informed of protective actions taken.

How It Works

  1. EXABEAM Alert Processing: Receives JSON alerts from EXABEAM describing abnormal account creation activity and other suspicious user behavior.
  2. User Information Extraction: Runs a script that parses the EXABEAM alert data and extracts the relevant user identifiers, account details, and security context.
  3. Microsoft Entra ID Integration: Attempts to disable the flagged user account through the Microsoft Entra ID API, preventing further unauthorized access and limiting potential damage.
  4. Action Result Evaluation: Performs a conditional check to determine whether the account-disabling operation succeeded or returned an error.
  5. Response Notification Handling:
    • Error Path: If disabling the account fails, sends an immediate error notification to Slack so the security team knows the protective action did not take effect
    • Success Path: If the account is disabled successfully, fills in the completion details and sends a confirmation notification to Slack with an action summary and next steps
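The five steps above, written out as an added example that is not the workflow's own code. It assumes the Entra ID call is a Microsoft Graph PATCH setting accountEnabled to false (Graph answers 204 on success), a constructed EXABEAM alert whose field names are assumptions rather than Exabeam's real schema, and injected http_patch/notify callables so the logic runs offline and can be tested without live credentials.

```python
import json
from typing import Any, Callable, Dict

# Constructed sample alert; field names are assumptions, not Exabeam's schema.
SAMPLE_ALERT = json.dumps({
    "rule": "Abnormal account creation",
    "user": "jdoe@example.com",
    "user_object_id": "00000000-0000-0000-0000-000000000001",
    "risk_score": 92,
})

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users/"


def extract_user(alert_json: str) -> Dict[str, Any]:
    """Step 2: pull the identifiers the later steps need out of the alert."""
    alert = json.loads(alert_json)
    user_id = alert.get("user_object_id") or alert.get("user")
    if not user_id:
        # Never call the disable API with an empty target; surface it instead.
        raise ValueError("alert carries no user identifier; refusing to act")
    return {"user_id": user_id, "upn": alert.get("user"), "rule": alert.get("rule")}


def disable_account(user_id: str, http_patch: Callable[[str, dict], int]) -> bool:
    """Step 3: set accountEnabled=false on the Graph user object.
    http_patch(url, body) returns the HTTP status code (injected for testing)."""
    status = http_patch(GRAPH_USERS + user_id, {"accountEnabled": False})
    return status == 204  # Graph returns 204 No Content when the update applied


def respond(alert_json: str, http_patch: Callable[[str, dict], int],
            notify: Callable[[str], None]) -> Dict[str, Any]:
    """Steps 1, 4 and 5: parse, act, evaluate the result, notify on either path."""
    info = extract_user(alert_json)
    ok = disable_account(info["user_id"], http_patch)
    if ok:  # success path: confirmation plus next steps for the analyst
        msg = (f"Disabled {info['upn']} after '{info['rule']}'. "
               "Next: review sign-in logs and revoke active sessions.")
    else:   # error path: the protective action did not take effect
        msg = (f"FAILED to disable {info['upn']} ({info['user_id']}) after "
               f"'{info['rule']}'. Manual containment required.")
    notify(msg)  # e.g. a Slack webhook post in the real workflow
    return {"disabled": ok, "user_id": info["user_id"], "message": msg}


if __name__ == "__main__":
    # Offline demo: a fake PATCH that always succeeds, notifications go to stdout.
    print(respond(SAMPLE_ALERT, lambda url, body: 204, print))
```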

Who is this for?

  • Security Operations Center (SOC) analysts responding to user behavior anomalies
  • Identity and Access Management (IAM) teams managing account security incidents
  • Incident response teams requiring automated threat containment capabilities
  • Organizations using EXABEAM for user behavior analytics and Microsoft Entra ID for identity management

What problem does this workflow solve?

  • Eliminates manual response delays to suspicious account activities by automating immediate account disabling actions
  • Reduces the window of opportunity for potential account compromise or unauthorized access attempts
  • Provides consistent incident response procedures for user behavior anomalies detected by EXABEAM analytics
  • Ensures security teams maintain visibility into automated protective actions through real-time Slack notifications and error handling