Block User
Workflow #0060
Response Workflow
This workflow takes a Duo Security user’s username as input and moves the user to a group that will deny access to services. If the user is moved successfully, a ServiceNow ticket is created to notify the appropriate team to investigate further. Supported observables: username, email
Note: This workflow uses the Duo Admin API which is not enabled by default. Contact Duo support to have it enabled.
Change Log
Date | Notes |
---|---|
Mar 9, 2022 | - Initial release |
Sep 7, 2022 | - Minor updates to naming and descriptions |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - Duo - Admin - Add User to Group
  - Duo - Admin - Get User
- The following atomic actions must be imported before you can import this workflow:
  - ServiceNow - Create Incident (CiscoSecurity_Atomics)
- The targets and account keys listed at the bottom of the page
- Duo Security
- ServiceNow
Workflow Steps
- Make sure the observable is supported
- Fetch global variables
- Verify required input was provided
- Get the user from Duo (end workflow if not found)
- Extract the user’s groups
- Check if the user is already in the group:
  - If they are, end the workflow
  - If they aren’t:
    - Move the user to the new group
    - Check if the move was successful:
      - If it was, create a ServiceNow incident
      - If it wasn’t, end the workflow
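The branch logic of the steps above, written as a Python function. This is an added example, not the workflow's own code: `FakeDuo` is a constructed in-memory stand-in for the Get User and Add User to Group atomics, and `block_user`, the outcome strings, the sample user and its user ID are hypothetical names chosen for illustration.

```python
# Added illustration: not the workflow's own code. All names are hypothetical.
SUPPORTED = {"username", "email"}  # observable types the page lists

class FakeDuo:
    """Constructed in-memory stand-in for the Get User / Add User to Group atomics."""
    def __init__(self, users, fail_add=False):
        self.users = users        # username -> Duo-style user record
        self.fail_add = fail_add  # simulate a failed group move

    def get_user(self, username):
        return self.users.get(username)

    def add_user_to_group(self, user_id, group_id):
        if self.fail_add:
            return False
        for user in self.users.values():
            if user["user_id"] == user_id:
                user["groups"].append({"group_id": group_id})
                return True
        return False

def block_user(obs_type, value, duo, create_incident, deny_group, suffix=""):
    """Follow the workflow steps and return the branch that ended the run."""
    if obs_type not in SUPPORTED:
        return "unsupported_observable"
    if not value or not deny_group:
        return "missing_input"
    username = value + suffix                      # Duo Username Suffix
    user = duo.get_user(username)
    if user is None:
        return "user_not_found"
    if deny_group in {g["group_id"] for g in user["groups"]}:
        return "already_in_group"                  # idempotent: no second ticket
    if not duo.add_user_to_group(user["user_id"], deny_group):
        return "move_failed"                       # no incident for a failed move
    create_incident(f"Duo user {username} moved to deny group {deny_group}")
    return "blocked"

def demo():
    """Run the flow twice against a constructed user; return outcomes and tickets."""
    duo = FakeDuo({"jdoe@company.com": {"user_id": "DU-CONSTRUCTED-1", "groups": []}})
    tickets = []
    first = block_user("username", "jdoe", duo, tickets.append,
                       "DGWP6584D8PORPPC9H01", suffix="@company.com")
    second = block_user("username", "jdoe", duo, tickets.append,
                        "DGWP6584D8PORPPC9H01", suffix="@company.com")
    return first, second, tickets
```

Running the flow a second time for the same user ends at the membership check, so a repeated pivot does not open a duplicate incident.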
Configuration
- Provide the workflow your Duo Security Admin API information by either:
  - Storing the information in global variables and using the Fetch Global Variables group at the beginning of the workflow to update the Duo Hostname, Duo Integration Key, and Duo Secret Key local variables; or
  - Removing the variables from the Fetch Global Variables group and adding your information directly to the corresponding local variables
- Set Duo Deny User Group to the ID of the user group you want Duo users added to. You can get this ID from the URL of the group’s page in the Duo admin panel. For example: DGWP6584D8PORPPC9H01
- Set Duo Username Suffix. If you need to add something like a domain to your usernames before searching them in Duo, you can use this variable to append a value to all Duo usernames. For example: @company.com
- If you want to change the name of this workflow in the pivot menu, change its display name
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
Duo Security | HTTP Endpoint | Protocol: HTTPS Host: <api hostname>.duosecurity.com Path: None | None | Be sure to use the API Hostname from your Duo integration |
ServiceNow | HTTP Endpoint | Protocol: HTTPS Host: <instance>.service-now.com Path: /api | ServiceNow_Credentials | Be sure to use your instance URL |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
ServiceNow_Credentials | HTTP Basic Authentication | Username: ServiceNow User ID Password: ServiceNow Password |