Darkmon - Compromised Employee Auto-Disable
Hourly poll of compromised employees. For each new entry, looks up the user in the configured directory and acts per the DisableMode playbook input: - notify-only : creates incident and notifies; no AD action. [DEFAULT] - approval-required : creates incident, blocks on a manual approval task, then disables on approve. - auto-disable : disables the account immediately, then notifies. Accounts in the 'Darkmon - Auto-Disable Allowlist' list are NEVER auto-disabled.
Darkmon · 11 tasks · 1 input · 1 output
Inputs
DisableMode— Controls how the playbook reacts when a new compromised employee account is observed. Allowed values: - notify-only : creates an incident and notifies; no directory action. (DEFAULT, safe) - approval-required : creates an incident with a manual approval task; on approve, runs the disable. - auto-disable : disables the account immediately, then notifies. Accounts in the 'Darkmon - Auto-Disable Allowlist' list are NEVER auto-disabled regardless of this input.
Outputs
NewAccounts— Compromised employee accounts that triggered action this run.
Commands used
dmontip-get-compromised