On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this GitHub repository will not be actively maintained following this announcement.

Block User

Workflow #0060

Response Workflow

This workflow takes a Duo Security user’s username as input and moves the user to a group that will deny access to services. If the user is moved successfully, a ServiceNow ticket is created to notify the appropriate team to investigate further. Supported observables: username, email

Note: This workflow uses the Duo Admin API which is not enabled by default. Contact Duo support to have it enabled.



Change Log

| Date | Notes |
|---|---|
| Mar 9, 2022 | Initial release |
| Sep 7, 2022 | Minor updates to naming and descriptions |

See the Important Notes page for more information about updating workflows


Requirements

  • The following system atomics are used by this workflow:
    • Duo - Admin - Add User to Group
    • Duo - Admin - Get User
  • The following atomic actions must be imported before you can import this workflow:
  • The targets and account keys listed at the bottom of the page
  • Duo Security
  • ServiceNow

Workflow Steps

  1. Make sure the observable is supported
  2. Fetch global variables
  3. Verify required input was provided
  4. Get the user from Duo (end workflow if not found)
  5. Extract the user’s groups
  6. Check if the user is already in the group:
    • If they are, end the workflow
    • If they aren’t:
      • Move the user to the new group
      • Check if the move was successful:
        • If it was, create a ServiceNow incident
        • If it wasn’t, end the workflow

Configuration

  • Provide the workflow your Duo Security Admin API information by either:
    • Storing the information in global variables and using the Fetch Global Variables group at the beginning of the workflow to update the Duo Hostname, Duo Integration Key, and Duo Secret Key local variables; or
    • Removing the variables from the Fetch Global Variables group and adding your information directly to the corresponding local variables
  • Set Duo Deny User Group to the ID of the user group you want Duo users added to. You can get this ID from the URL of the group’s page in the Duo admin panel. For example: DGWP6584D8PORPPC9H01
  • Set Duo Username Suffix. If you need to add something like a domain to your usernames before searching them in Duo, you can use this variable to append a value to all Duo usernames. For example: @company.com
  • If you want to change the name of this workflow in the pivot menu, change its display name
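
The decision logic from Workflow Steps 3 to 6, using the Duo Deny User Group and Duo Username Suffix settings above, as an added Python example that is not part of the SecureX workflow or this repository. The `duo_call` and `create_incident` callables and the `FakeDuo` sample data are hypothetical and constructed for illustration; `duo_call` is assumed to handle Admin API request signing, and the two endpoint paths come from Duo's Admin API documentation rather than from this page.

```python
# Added sketch of workflow steps 3-6; not the SecureX workflow's own code.
# duo_call and create_incident are hypothetical callables supplied by the caller.
def block_user(username, deny_group_id, duo_call, create_incident, suffix=""):
    """Return an outcome string for each end state of the workflow."""
    if not username or not deny_group_id:            # step 3: required input
        return "missing_input"
    name = username + suffix                         # Duo Username Suffix
    found = duo_call("GET", "/admin/v1/users", {"username": name})
    users = found.get("response") or []
    if found.get("stat") != "OK" or not users:       # step 4: user not found
        return "user_not_found"
    user = users[0]
    groups = {g["group_id"] for g in user.get("groups", [])}   # step 5
    if deny_group_id in groups:                      # step 6: already denied
        return "already_blocked"
    path = "/admin/v1/users/%s/groups" % user["user_id"]
    moved = duo_call("POST", path, {"group_id": deny_group_id})
    if moved.get("stat") != "OK":                    # no ticket on failure
        return "move_failed"
    create_incident("Duo user %s moved to deny group %s" % (name, deny_group_id))
    return "blocked"


class FakeDuo:
    """Constructed in-memory stand-in for the Duo Admin API (sample data)."""

    def __init__(self, fail_post=False):
        self.fail_post = fail_post
        self.users = {"jdoe@company.com":
                      {"user_id": "DUEXAMPLEUSER0000001", "groups": []}}

    def __call__(self, method, path, params):
        if method == "GET":
            user = self.users.get(params["username"])
            return {"stat": "OK", "response": [user] if user else []}
        if self.fail_post:
            return {"stat": "FAIL"}
        user_id = path.split("/")[4]                 # /admin/v1/users/<id>/groups
        for user in self.users.values():
            if user["user_id"] == user_id:
                user["groups"].append({"group_id": params["group_id"]})
        return {"stat": "OK", "response": ""}


if __name__ == "__main__":
    duo, tickets = FakeDuo(), []
    args = ("jdoe", "DGEXAMPLEGROUP000001", duo, tickets.append, "@company.com")
    print(block_user(*args), block_user(*args), tickets)
```

Running the same input twice shows why step 6 checks group membership first: the second run ends without a second group change or a duplicate incident.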

Targets

Target Group: Default TargetGroup

| Target Name | Type | Details | Account Keys | Notes |
|---|---|---|---|---|
| Duo Security | HTTP Endpoint | Protocol: HTTPS; Host: <api hostname>.duosecurity.com; Path: None | None | Be sure to use the API Hostname from your Duo integration |
| ServiceNow | HTTP Endpoint | Protocol: HTTPS; Host: <instance>.service-now.com; Path: /api | ServiceNow_Credentials | Be sure to use your instance URL |

Account Keys

| Account Key Name | Type | Details | Notes |
|---|---|---|---|
| ServiceNow_Credentials | HTTP Basic Authentication | Username: ServiceNow User ID; Password: ServiceNow Password | |