Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks. You can directly query AD to retrieve information about users, groups, and computers, in an organization, by using the Lightweight Directory Access Protocol (LDAP) to directly query the AD.
This document provides information about the Active Directory connector, which facilitates automated interactions with an Active Directory server using FortiSOAR™ playbooks. Add the Active Directory connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically retrieving all the information for users, groups, and computers in the AD and retrieving a list of search attributes that you can use to search AD.
The Active Directory playbook collection contains pluggable enrichment playbooks that are used to provide verdicts for the User indicator type. For more information, see the Pluggable Enrichment section.
Connector Version: 2.4.0
FortiSOAR™ Version Tested on: 7.4.3-3294
Active Directory Server Version Tested on: Microsoft Windows Server 2019 R2 Standard
Authored By: Fortinet
Contributors: Parag Khatavkar, Danny
Certified: Yes
Following enhancements have been made to the Active Directory Connector in version 2.4.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum
command as a root user to install the connector:
yum install cyops-connector-activedirectory
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Active Directory connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Hostname | IP address or Hostname of the Active Directory (AD) server. |
Port | Port number used for connecting to the AD server. |
Username | Valid AD service account with a minimum of "Read" access. |
Password | Password for your AD user. |
Base DN | The base, or node from where the LDAP search should start. All connector operations are carried out using the Base DN as a root to the AD organization tree. You can restrict the AD lookup by providing appropriate filters in this parameter. Some examples of the same are as follows: DC=cspune,DC=com OU=workstation,DC=cspune,DC=com OU=Develop,OU=workstation,DC=cspune,DC=com |
Bind DN | The fully distinguished name that is used to bind to the LDAP server. |
Use TLS | Specifies whether SSL and TLS will be required to establish the connection between the Active Directory connector and the AD server. By default, this option is set as false , and therefore, SSL is used by default. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™:
Function | Description | Annotation and Category |
---|---|---|
Global Search | Searches and retrieves records from AD using global search, based on the specified search object, such as user, computer, group, search attribute, or a search attribute value, such as SamAccount Name, Distinguished Name, Common Name, Display Name, or Email. When you search a record based on a search attribute value, the record from AD is retrieved based on the specified attribute value. | global_search Investigation |
Get All Objects Details | Searches and retrieves all records from AD based on a specified search object, such as a user, computer, or group. | get_all_objects_details Investigation |
Get Specific Object Details | Searches and retrieves records from AD based on a specified search object, such as a user, computer, or group. However, this search is limited to the records found for the object name you have specified. For example, if you want to retrieve the records from AD for a specific user, you need to specify the name of the user. |
get_specific_object_details Investigation |
Enable User Account | Enables the account of a specific AD user based on the SamAccount Name or the Email of the user. | enable_user_account Remediation |
Disable User Account | Disables the account of a specific AD user based on the SamAccount Name or the Email of the user. | disable_user Containment |
Reset Password | Resets the password for a specific AD user based on the SamAccount Name or the Email, or the Distinguished Name (DN) of the user. | reset_password Containment |
Advanced Search | Executes an advanced LDAP query that searches and retrieves AD records based on your custom query. | advanced_search Investigation |
Add Object | Add an object entry of User, Group, Computer, or Organization Unit (OU) type in Active Directory based on the type of object and other input parameters you have specified. | add_object Investigation |
Update Object | Updates an existing object entry of User, Group, Computer, or Organization Unit (OU) type in Active Directory based on the type of object and other input parameters you have specified. | update_object Investigation |
Delete Object | Deletes an existing object entry of User, Group, Computer, or Organization Unit (OU) type from Active Directory based on the type of object and other input parameters you have specified. | delete_object Containment |
Add Group Members | Adds an Active Directory User or Computer as a member to an existing Group in Active Directory based on the Group DN and User or computer DN you have specified. | add_group_members Investigation |
Remove Group Members | Removes an Active Directory User or Computer as a member from an existing Group in Active Directory based on the Group DN and User or computer DN you have specified. | remove_group_members Remediation |
Enable Computer | Enables the specific computer account based on the Distinguished Name or SamAccount Name of the computer you have specified. | enable_computer Remediation |
Disable Computer | Disables the computer account based on the Distinguished Name or SamAccount Name of the computer you have specified. | disable_computer Containment |
Force password reset on next logon | Forces specific Active Directory users to reset their password when they next log on to Active Directory. You can specify the user who requires to reset their password based on the SamAccount Name, Email, or Distinguished Name (DN) of the user. | force_password_reset_next_logon Containment |
Move Computer to Targeted Organization Unit(OU) | Move a computer entry from one Organization Unit(OU) to another. | move_computer_ou Investigation |
Move User to Targeted Organization Unit(OU) | Moves the account of a specific AD user based on the SamAccount Name or the Email of the user to a new Organization Unit | move_user_ou Investigation |
NOTE: If the Active Directory connector does not find a record in AD, then the playbook displays the Record Not found in Active Directory
message. This message is displayed if the search entity is not present in the AD Base DN configured in the Active Directory connector. You can use this message to formulate the condition in the playbook for the next playbook step.
Parameter | Description |
---|---|
Object Type | The object type, such as User, Computer, Group, or Person, using which you want to search and retrieve records from AD. |
Attribute Type | The attribute type, such as SamAccount Name, DistinguishedName, Common Name, Display Name, or Email using which you want to search and retrieve records from AD. |
Attribute Values | The attribute value using which you want to search and retrieve records from AD. |
Page Size | Number of record requests that should be included per page. By default, this is set as 0 i.e., no paging. By default, Impact will ask only for one page from the LDAP server. If the LDAP server has a page size set to 1000, then only 1000 records will be returned. |
Size Limit | Number of records that should be returned in a single search. When you have enabled paging, i.e., set the Page Size parameter to some value, then this parameter has no effect. However, you must set the value of the Size Limit parameter to less than the value that you have set for Page Size. For example, if you set the page size to 100 and the size limit to 90, the server will return 90 records. By default, this is set as 0, i.e., none or no limit. |
Paged Cookie | (Optional) Value of an Opaque string, which if received in a paged search must be sent back while requesting subsequent entries of the search result. |
The output contains the following populated JSON schema:
Output schema when you choose Object Type as Group:
{ "cookie": "", "entries": [ { "dn": "", "attributes": { "cn": "", "name": "", "groupType": "", "objectSid": "", "objectGUID": "", "uSNChanged": "", "uSNCreated": "", "objectClass": [], "whenChanged": "", "whenCreated": "", "instanceType": "", "objectCategory": "", "sAMAccountName": "", "sAMAccountType": "", "distinguishedName": "", "dSCorePropagationData": [] } } ] }
This is the default output schema:
{ "cookie": "", "entries": [ { "dn": "", "attributes": { "cn": "", "name": "", "codePage": "", "memberOf": [], "lastLogon": "", "objectSid": "", "adminCount": "", "lastLogoff": "", "logonCount": "", "objectGUID": "", "pwdLastSet": "", "uSNChanged": "", "uSNCreated": "", "badPwdCount": "", "countryCode": "", "description": [], "lockoutTime": "", "objectClass": [], "whenChanged": "", "whenCreated": "", "instanceType": "", "accountExpires": "", "objectCategory": "", "primaryGroupID": "", "sAMAccountName": "", "sAMAccountType": "", "badPasswordTime": "", "distinguishedName": "", "lastLogonTimestamp": "", "userAccountControl": "", "dSCorePropagationData": [], "isCriticalSystemObject": "" } } ] }
Parameter | Description |
---|---|
Object Type | The object type, such as User, Computer, Group, or Person using which you want to search and retrieve all records from AD. |
Page Size | Number of record requests that should be included per page. By default, this is set as 0 i.e., no paging. By default, Impact will ask only for one page from the LDAP server. If the LDAP server has a page size set to 1000, then only 1000 records will be returned. |
Size Limit | Number of records that should be returned in a single search. When you have enabled paging, i.e., set the Page Size parameter to some value, then this parameter has no effect. However, you must set the value of the Size Limit parameter to less than the value that you have set for Page Size. For example, if you set the page size to 100 and the size limit to 90, the server will return 90 records. By default, this is set as 0, i.e., none or no limit. |
Paged Cookie | (Optional) Value of an Opaque string, which if received in a paged search must be sent back while requesting subsequent entries of the search result. |
The output contains the following populated JSON schema:
Output schema when you choose Object Type as Group:
{ "cookie": "", "entries": [ { "dn": "", "attributes": { "cn": "", "name": "", "groupType": "", "objectSid": "", "objectGUID": "", "uSNChanged": "", "uSNCreated": "", "objectClass": [], "whenChanged": "", "whenCreated": "", "instanceType": "", "objectCategory": "", "sAMAccountName": "", "sAMAccountType": "", "distinguishedName": "", "dSCorePropagationData": [] } } ] }
Output schema when you choose Object Type as Organization Unit:
{ "cookie": "", "entries": [ { "dn": "", "attributes": { "cn": "", "name": "", "groupType": "", "objectSid": "", "objectGUID": "", "uSNChanged": "", "uSNCreated": "", "objectClass": [], "whenChanged": "", "whenCreated": "", "instanceType": "", "objectCategory": "", "sAMAccountName": "", "sAMAccountType": "", "distinguishedName": "", "dSCorePropagationData": [] } } ] }
This is the default output schema:
{ "cookie": "", "entries": [ { "dn": "", "attributes": { "cn": "", "name": "", "codePage": "", "memberOf": [], "lastLogon": "", "objectSid": "", "adminCount": "", "lastLogoff": "", "logonCount": "", "objectGUID": "", "pwdLastSet": "", "uSNChanged": "", "uSNCreated": "", "badPwdCount": "", "countryCode": "", "description": [], "lockoutTime": "", "objectClass": [], "whenChanged": "", "whenCreated": "", "instanceType": "", "accountExpires": "", "objectCategory": "", "primaryGroupID": "", "sAMAccountName": "", "sAMAccountType": "", "badPasswordTime": "", "distinguishedName": "", "lastLogonTimestamp": "", "userAccountControl": "", "dSCorePropagationData": [], "isCriticalSystemObject": "" } } ] }
Parameter | Description |
---|---|
Object Type | The object type, such as User, Computer, Group, or Person using which you want to search and retrieve records from AD. If you select the Object Type as Person then instead of the SamAccountName, you must specify the Common Name (CN) and Surname (SN) of the person whose records you want to retrieve from AD. |
SamAccount Name | The SamAccountName of the object based on which you want to search and retrieve records from AD. |
CN | Common name of the person you want to search and retrieve records from AD. |
SN | Surname of the person you want to search and retrieve records from AD. |
The output contains the following populated JSON schema:
Output schema when you choose Object Type as Group:
{ "cookie": "", "entries": [ { "dn": "", "attributes": { "cn": "", "name": "", "groupType": "", "objectSid": "", "objectGUID": "", "uSNChanged": "", "uSNCreated": "", "objectClass": [], "whenChanged": "", "whenCreated": "", "instanceType": "", "objectCategory": "", "sAMAccountName": "", "sAMAccountType": "", "distinguishedName": "", "dSCorePropagationData": [] } } ] }
This is the default output schema:
{ "cookie": "", "entries": [ { "dn": "", "attributes": { "cn": "", "name": "", "codePage": "", "memberOf": [], "lastLogon": "", "objectSid": "", "adminCount": "", "lastLogoff": "", "logonCount": "", "objectGUID": "", "pwdLastSet": "", "uSNChanged": "", "uSNCreated": "", "badPwdCount": "", "countryCode": "", "description": [], "lockoutTime": "", "objectClass": [], "whenChanged": "", "whenCreated": "", "instanceType": "", "accountExpires": "", "objectCategory": "", "primaryGroupID": "", "sAMAccountName": "", "sAMAccountType": "", "badPasswordTime": "", "distinguishedName": "", "lastLogonTimestamp": "", "userAccountControl": "", "dSCorePropagationData": [], "isCriticalSystemObject": "" } } ] }
Parameter | Description |
---|---|
Attribute Type | The attribute, either the SamAccount Name or the Email of the user using which you want to enable a user account in AD. |
Attribute Value | The value of the SamAccount Name or the Email of the user, based on which you want to enable a user account in AD. |
The output contains the following populated JSON schema:
{ "message": "", "description": "", "result": "", "referrals": "", "type": "", "dn": "" }
Parameter | Description |
---|---|
Attribute Type | The attribute, either the SamAccount Name or the Email of the user, based on which you want to disable a user account in AD. |
Attribute Value | The value of the SamAccount Name or the Email of the user, based on which you want to disable a user account in AD. |
The output contains the following populated JSON schema:
{ "message": "", "description": "", "result": "", "referrals": "", "type": "", "dn": "" }
Note: To change passwords you must use LDAPS.
Parameter | Description |
---|---|
Attribute Type | The attribute, either the SamAccount Name, Distinguished Name, or the Email of the user, whose password you want to reset in AD. |
Attribute Value | The value of the SamAccount Name, the Distinguished Name, or the Email of the user, whose password you want to reset in AD. |
New Password | The password that you want to set for the specific user. The new password must meet the password policy requirements. For password policy requirements and the minimum password length, password complexity, and password history requirements, see https://www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fine-grain-password-policy/. |
The output contains the following populated JSON schema:
{ "message": "", "description": "", "result": "", "referrals": "", "type": "", "dn": "" }
Parameter | Description |
---|---|
LDAP Query | The custom LDAP query using which you want to retrieve records from AD. |
Page Size | Number of record requests that should be included per page. By default, this is set as 0 i.e., no paging. By default, Impact will ask only for one page from the LDAP server. If the LDAP server has a page size set to 1000, then only 1000 records will be returned. |
Size Limit | Number of records that should be returned in a single search. When you have enabled paging, i.e., set the Page Size parameter to some value, then this parameter has no effect. However, you must set the value of the Size Limit parameter to less than the value that you have set for Page Size. For example, if you set the page size to 100 and the size limit to 90, the server will return 90 records. By default, this is set as 0, i.e., none or no limit. |
Paged Cookie | (Optional) Value of an Opaque string, which if received in a paged search must be sent back while requesting subsequent entries of the search result. |
The output contains the following populated JSON schema:
{ "cookie": "", "entries": [ { "dn": "", "attributes": { "cn": "", "name": "", "codePage": "", "memberOf": [], "lastLogon": "", "objectSid": "", "adminCount": "", "lastLogoff": "", "logonCount": "", "objectGUID": "", "pwdLastSet": "", "uSNChanged": "", "uSNCreated": "", "badPwdCount": "", "countryCode": "", "description": [], "lockoutTime": "", "objectClass": [], "whenChanged": "", "whenCreated": "", "instanceType": "", "accountExpires": "", "objectCategory": "", "primaryGroupID": "", "sAMAccountName": "", "sAMAccountType": "", "badPasswordTime": "", "distinguishedName": "", "lastLogonTimestamp": "", "userAccountControl": "", "dSCorePropagationData": [], "isCriticalSystemObject": "" } } ] }
Parameter | Description |
---|---|
Object Type | Type of object whose entry you want to add in Active Directory. You can choose from the following options: User, Group, Computer, or Organization Unit (OU). If you choose User, then you must specify the following parameters:
|
Custom Attributes | (Optional) Additional fields, in the JSON format, to add in the object that you want to create Active Directory. |
The output contains the following populated JSON schema:
{ "description": "", "dn": "", "type": "", "result": "", "message": "", "referrals": "" }
Parameter | Description |
---|---|
Object Type | Type of object whose entry you want to update in Active Directory. You can choose from the following options: User, Group, Computer, or Organization Unit (OU). If you choose User, then you must specify the following parameters:
|
Custom Attributes | (Optional) Additional fields, in the JSON format, to add or change in the object that you want to update Active Directory. |
The output contains the following populated JSON schema:
{ "description": "", "dn": "", "type": "", "result": "", "message": "", "referrals": "" }
Parameter | Description |
---|---|
Object Type | Type of object whose entry you want to delete from Active Directory. You can choose from the following options: User, Group, Computer, or Organization Unit (OU). Based on the type of object that you choose you must specify the following parameters:
|
The output contains the following populated JSON schema:
{ "description": "", "dn": "", "type": "", "result": "", "message": "", "referrals": "" }
Parameter | Description |
---|---|
Group DN | List of Distinguished Names of the group in Active Directory to which you want to add members. Note: You must enter DN values in the list format. |
Object Type | Type of object, User, or Computer, that you want to add as members to the specified group in Active Directory. If you choose Computer, then you must specify the following parameter:
|
The output contains the following populated JSON schema:
{ "result": "", "description": "", "dn": [], "message": "", "referrals": "", "type": "", "group_dn": [] }
Parameter | Description |
---|---|
Group DN | List of Distinguished Names of the group in Active Directory from which you want to remove members. Note: You must enter DN values in the list format. |
Object Type | Type of object, User, or Computer, that you want to remove as members from the specified group in Active Directory. If you choose Computer, then you must specify the following parameter:
|
The output contains the following populated JSON schema:
{ "result": "", "description": "", "dn": [], "message": "", "referrals": "", "type": "", "group_dn": [] }
Parameter | Description |
---|---|
Attributes Type | The attribute, either the Distinguished Name (DN) or the SamAccount Name of the computer using which you want to enable the computer account in Active Directory. |
Value | The value of the Distinguished Name (DN) or the SamAccount Name of the computer account that you want to enable in Active Directory. |
The output contains the following populated JSON schema:
{ "message": "", "description": "", "result": "", "referrals": "", "type": "", "dn": "" }
Parameter | Description |
---|---|
Attributes Type | The attribute, either the Distinguished Name (DN) or the SamAccount Name of the computer using which you want to disable the computer account in Active Directory. |
Value | The value of the Distinguished Name (DN) or the SamAccount Name of the computer account that you want to disable in Active Directory. |
The output contains the following populated JSON schema:
{ "message": "", "description": "", "result": "", "referrals": "", "type": "", "dn": "" }
Parameter | Description |
---|---|
Attributes Type | The attribute, either the Distinguished Name (DN), email address, or SamAccount Name of the user who requires to reset their password when they next log on to Active Directory. |
Attributes Value | The value of the Distinguished Name (DN), email address, or SamAccount Name of the user who requires to reset their password when they next log on to Active Directory. |
The output contains the following populated JSON schema:
{ "message": "", "description": "", "result": "", "referrals": "", "type": "", "dn": "" }
Parameter | Description |
---|---|
Attributes Type | Select the value of the SamAccount name or the Email of the user, based on which you want to move a user account in AD. |
Value | Specify the value of either the SamAccount name or the email of the user based on your preference to move a user account in a new Organizational Unit. |
Destination OU | Specify the value of the targeted new Organizational Unit to which you want to move the user. |
The output contains the following populated JSON schema:
{ "message": "", "description": "", "result": "", "referrals": "", "type": "", "dn": "" }
Parameter | Description |
---|---|
Distinguished Name (DN) | Specify the distinguished name (DN) of the computer object you want to modify. |
Common Name | Specify the Common name (CN) of the computer object. |
Target Organization Unit (OU) | Specify the distinguished name (DN) of the target organizational unit (OU). |
The output contains the following populated JSON schema:
{ "message": "", "result": "" }
The Sample - Active Directory - 2.4.0
playbook collection comes bundled with the Active Directory connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Active Directory connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.
The Active Directory playbook collection contains pluggable enrichment playbooks that are used to provide verdicts for the 'user' indicator type. The pluggable enrichment playbooks are in the format: '<indicator type>
> Active Directory > Enrichment'. For example, 'User > Active Directory > Enrichment'.
Based on the Active Directory integration API response following variables are returned:
Variable Name | Description | Return Value |
---|---|---|
cti_name |
The name of the connector is called the CTI (Cyber Threat Intelligence) name | ActiveDirectory |
source_data |
The source_data response returned by the integration API. | A JSON response object containing the source data of the threat intelligence integration. |
enrichment_summary |
The contents that are added, in the HTML format, in the 'Description' field of the specified FortiSOAR indicator record. |
The following values are returned in the HTML format:
The following image displays a sample of the populated 'Description' field in a FortiSOAR indicator record: |
Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks. You can directly query AD to retrieve information about users, groups, and computers, in an organization, by using the Lightweight Directory Access Protocol (LDAP) to directly query the AD.
This document provides information about the Active Directory connector, which facilitates automated interactions with an Active Directory server using FortiSOAR™ playbooks. Add the Active Directory connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically retrieving all the information for users, groups, and computers in the AD and retrieving a list of search attributes that you can use to search AD.
The Active Directory playbook collection contains pluggable enrichment playbooks that are used to provide verdicts for the User indicator type. For more information, see the Pluggable Enrichment section.
Connector Version: 2.4.0
FortiSOAR™ Version Tested on: 7.4.3-3294
Active Directory Server Version Tested on: Microsoft Windows Server 2019 R2 Standard
Authored By: Fortinet
Contributors: Parag Khatavkar, Danny
Certified: Yes
Following enhancements have been made to the Active Directory Connector in version 2.4.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum
command as a root user to install the connector:
yum install cyops-connector-activedirectory
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Active Directory connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Hostname | IP address or Hostname of the Active Directory (AD) server. |
Port | Port number used for connecting to the AD server. |
Username | Valid AD service account with a minimum of "Read" access. |
Password | Password for your AD user. |
Base DN | The base, or node from where the LDAP search should start. All connector operations are carried out using the Base DN as a root to the AD organization tree. You can restrict the AD lookup by providing appropriate filters in this parameter. Some examples of the same are as follows: DC=cspune,DC=com OU=workstation,DC=cspune,DC=com OU=Develop,OU=workstation,DC=cspune,DC=com |
Bind DN | The fully distinguished name that is used to bind to the LDAP server. |
Use TLS | Specifies whether SSL and TLS will be required to establish the connection between the Active Directory connector and the AD server. By default, this option is set as false , and therefore, SSL is used by default. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™:
Function | Description | Annotation and Category |
---|---|---|
Global Search | Searches and retrieves records from AD using global search, based on the specified search object, such as user, computer, group, search attribute, or a search attribute value, such as SamAccount Name, Distinguished Name, Common Name, Display Name, or Email. When you search a record based on a search attribute value, the record from AD is retrieved based on the specified attribute value. | global_search Investigation |
Get All Objects Details | Searches and retrieves all records from AD based on a specified search object, such as a user, computer, or group. | get_all_objects_details Investigation |
Get Specific Object Details | Searches and retrieves records from AD based on a specified search object, such as a user, computer, or group. However, this search is limited to the records found for the object name you have specified. For example, if you want to retrieve the records from AD for a specific user, you need to specify the name of the user. |
get_specific_object_details Investigation |
Enable User Account | Enables the account of a specific AD user based on the SamAccount Name or the Email of the user. | enable_user_account Remediation |
Disable User Account | Disables the account of a specific AD user based on the SamAccount Name or the Email of the user. | disable_user Containment |
Reset Password | Resets the password for a specific AD user based on the SamAccount Name or the Email, or the Distinguished Name (DN) of the user. | reset_password Containment |
Advanced Search | Executes an advanced LDAP query that searches and retrieves AD records based on your custom query. | advanced_search Investigation |
Add Object | Add an object entry of User, Group, Computer, or Organization Unit (OU) type in Active Directory based on the type of object and other input parameters you have specified. | add_object Investigation |
Update Object | Updates an existing object entry of User, Group, Computer, or Organization Unit (OU) type in Active Directory based on the type of object and other input parameters you have specified. | update_object Investigation |
Delete Object | Deletes an existing object entry of User, Group, Computer, or Organization Unit (OU) type from Active Directory based on the type of object and other input parameters you have specified. | delete_object Containment |
Add Group Members | Adds an Active Directory User or Computer as a member to an existing Group in Active Directory based on the Group DN and User or computer DN you have specified. | add_group_members Investigation |
Remove Group Members | Removes an Active Directory User or Computer as a member from an existing Group in Active Directory based on the Group DN and User or computer DN you have specified. | remove_group_members Remediation |
Enable Computer | Enables the specific computer account based on the Distinguished Name or SamAccount Name of the computer you have specified. | enable_computer Remediation |
Disable Computer | Disables the computer account based on the Distinguished Name or SamAccount Name of the computer you have specified. | disable_computer Containment |
Force password reset on next logon | Forces specific Active Directory users to reset their password when they next log on to Active Directory. You can specify the user who requires to reset their password based on the SamAccount Name, Email, or Distinguished Name (DN) of the user. | force_password_reset_next_logon Containment |
Move Computer to Targeted Organization Unit(OU) | Move a computer entry from one Organization Unit(OU) to another. | move_computer_ou Investigation |
Move User to Targeted Organization Unit(OU) | Moves the account of a specific AD user based on the SamAccount Name or the Email of the user to a new Organization Unit | move_user_ou Investigation |
NOTE: If the Active Directory connector does not find a record in AD, then the playbook displays the Record Not found in Active Directory
message. This message is displayed if the search entity is not present in the AD Base DN configured in the Active Directory connector. You can use this message to formulate the condition in the playbook for the next playbook step.
Parameter | Description |
---|---|
Object Type | The object type, such as User, Computer, Group, or Person, using which you want to search and retrieve records from AD. |
Attribute Type | The attribute type, such as SamAccount Name, DistinguishedName, Common Name, Display Name, or Email using which you want to search and retrieve records from AD. |
Attribute Values | The attribute value using which you want to search and retrieve records from AD. |
Page Size | Number of record requests that should be included per page. By default, this is set as 0 i.e., no paging. By default, Impact will ask only for one page from the LDAP server. If the LDAP server has a page size set to 1000, then only 1000 records will be returned. |
Size Limit | Number of records that should be returned in a single search. When you have enabled paging, i.e., set the Page Size parameter to some value, then this parameter has no effect. However, you must set the value of the Size Limit parameter to less than the value that you have set for Page Size. For example, if you set the page size to 100 and the size limit to 90, the server will return 90 records. By default, this is set as 0, i.e., none or no limit. |
Paged Cookie | (Optional) Value of an Opaque string, which if received in a paged search must be sent back while requesting subsequent entries of the search result. |
The output contains the following populated JSON schema:
Output schema when you choose Object Type as Group:
{ "cookie": "", "entries": [ { "dn": "", "attributes": { "cn": "", "name": "", "groupType": "", "objectSid": "", "objectGUID": "", "uSNChanged": "", "uSNCreated": "", "objectClass": [], "whenChanged": "", "whenCreated": "", "instanceType": "", "objectCategory": "", "sAMAccountName": "", "sAMAccountType": "", "distinguishedName": "", "dSCorePropagationData": [] } } ] }
This is the default output schema:
{ "cookie": "", "entries": [ { "dn": "", "attributes": { "cn": "", "name": "", "codePage": "", "memberOf": [], "lastLogon": "", "objectSid": "", "adminCount": "", "lastLogoff": "", "logonCount": "", "objectGUID": "", "pwdLastSet": "", "uSNChanged": "", "uSNCreated": "", "badPwdCount": "", "countryCode": "", "description": [], "lockoutTime": "", "objectClass": [], "whenChanged": "", "whenCreated": "", "instanceType": "", "accountExpires": "", "objectCategory": "", "primaryGroupID": "", "sAMAccountName": "", "sAMAccountType": "", "badPasswordTime": "", "distinguishedName": "", "lastLogonTimestamp": "", "userAccountControl": "", "dSCorePropagationData": [], "isCriticalSystemObject": "" } } ] }
Parameter | Description |
---|---|
Object Type | The object type, such as User, Computer, Group, or Person using which you want to search and retrieve all records from AD. |
Page Size | Number of record requests that should be included per page. By default, this is set as 0 i.e., no paging. By default, Impact will ask only for one page from the LDAP server. If the LDAP server has a page size set to 1000, then only 1000 records will be returned. |
Size Limit | Number of records that should be returned in a single search. When you have enabled paging, i.e., set the Page Size parameter to some value, then this parameter has no effect. However, you must set the value of the Size Limit parameter to less than the value that you have set for Page Size. For example, if you set the page size to 100 and the size limit to 90, the server will return 90 records. By default, this is set as 0, i.e., none or no limit. |
Paged Cookie | (Optional) Value of an Opaque string, which if received in a paged search must be sent back while requesting subsequent entries of the search result. |
The output contains the following populated JSON schema:
Output schema when you choose Object Type as Group:
{ "cookie": "", "entries": [ { "dn": "", "attributes": { "cn": "", "name": "", "groupType": "", "objectSid": "", "objectGUID": "", "uSNChanged": "", "uSNCreated": "", "objectClass": [], "whenChanged": "", "whenCreated": "", "instanceType": "", "objectCategory": "", "sAMAccountName": "", "sAMAccountType": "", "distinguishedName": "", "dSCorePropagationData": [] } } ] }
Output schema when you choose Object Type as Organization Unit:
{ "cookie": "", "entries": [ { "dn": "", "attributes": { "cn": "", "name": "", "groupType": "", "objectSid": "", "objectGUID": "", "uSNChanged": "", "uSNCreated": "", "objectClass": [], "whenChanged": "", "whenCreated": "", "instanceType": "", "objectCategory": "", "sAMAccountName": "", "sAMAccountType": "", "distinguishedName": "", "dSCorePropagationData": [] } } ] }
This is the default output schema:
{ "cookie": "", "entries": [ { "dn": "", "attributes": { "cn": "", "name": "", "codePage": "", "memberOf": [], "lastLogon": "", "objectSid": "", "adminCount": "", "lastLogoff": "", "logonCount": "", "objectGUID": "", "pwdLastSet": "", "uSNChanged": "", "uSNCreated": "", "badPwdCount": "", "countryCode": "", "description": [], "lockoutTime": "", "objectClass": [], "whenChanged": "", "whenCreated": "", "instanceType": "", "accountExpires": "", "objectCategory": "", "primaryGroupID": "", "sAMAccountName": "", "sAMAccountType": "", "badPasswordTime": "", "distinguishedName": "", "lastLogonTimestamp": "", "userAccountControl": "", "dSCorePropagationData": [], "isCriticalSystemObject": "" } } ] }
Parameter | Description |
---|---|
Object Type | The object type, such as User, Computer, Group, or Person using which you want to search and retrieve records from AD. If you select the Object Type as Person then instead of the SamAccountName, you must specify the Common Name (CN) and Surname (SN) of the person whose records you want to retrieve from AD. |
SamAccount Name | The SamAccountName of the object based on which you want to search and retrieve records from AD. |
CN | Common name of the person you want to search and retrieve records from AD. |
SN | Surname of the person you want to search and retrieve records from AD. |
The output contains the following populated JSON schema:
Output schema when you choose Object Type as Group:
{ "cookie": "", "entries": [ { "dn": "", "attributes": { "cn": "", "name": "", "groupType": "", "objectSid": "", "objectGUID": "", "uSNChanged": "", "uSNCreated": "", "objectClass": [], "whenChanged": "", "whenCreated": "", "instanceType": "", "objectCategory": "", "sAMAccountName": "", "sAMAccountType": "", "distinguishedName": "", "dSCorePropagationData": [] } } ] }
This is the default output schema:
{ "cookie": "", "entries": [ { "dn": "", "attributes": { "cn": "", "name": "", "codePage": "", "memberOf": [], "lastLogon": "", "objectSid": "", "adminCount": "", "lastLogoff": "", "logonCount": "", "objectGUID": "", "pwdLastSet": "", "uSNChanged": "", "uSNCreated": "", "badPwdCount": "", "countryCode": "", "description": [], "lockoutTime": "", "objectClass": [], "whenChanged": "", "whenCreated": "", "instanceType": "", "accountExpires": "", "objectCategory": "", "primaryGroupID": "", "sAMAccountName": "", "sAMAccountType": "", "badPasswordTime": "", "distinguishedName": "", "lastLogonTimestamp": "", "userAccountControl": "", "dSCorePropagationData": [], "isCriticalSystemObject": "" } } ] }
Parameter | Description |
---|---|
Attribute Type | The attribute, either the SamAccount Name or the Email of the user using which you want to enable a user account in AD. |
Attribute Value | The value of the SamAccount Name or the Email of the user, based on which you want to enable a user account in AD. |
The output contains the following populated JSON schema:
{ "message": "", "description": "", "result": "", "referrals": "", "type": "", "dn": "" }
Parameter | Description |
---|---|
Attribute Type | The attribute, either the SamAccount Name or the Email of the user, based on which you want to disable a user account in AD. |
Attribute Value | The value of the SamAccount Name or the Email of the user, based on which you want to disable a user account in AD. |
The output contains the following populated JSON schema:
{ "message": "", "description": "", "result": "", "referrals": "", "type": "", "dn": "" }
Note: To change passwords you must use LDAPS.
Parameter | Description |
---|---|
Attribute Type | The attribute, either the SamAccount Name, Distinguished Name, or the Email of the user, whose password you want to reset in AD. |
Attribute Value | The value of the SamAccount Name, the Distinguished Name, or the Email of the user, whose password you want to reset in AD. |
New Password | The password that you want to set for the specific user. The new password must meet the password policy requirements. For password policy requirements and the minimum password length, password complexity, and password history requirements, see https://www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fine-grain-password-policy/. |
The output contains the following populated JSON schema:
{ "message": "", "description": "", "result": "", "referrals": "", "type": "", "dn": "" }
Parameter | Description |
---|---|
LDAP Query | The custom LDAP query using which you want to retrieve records from AD. |
Page Size | Number of record requests that should be included per page. By default, this is set as 0 i.e., no paging. By default, Impact will ask only for one page from the LDAP server. If the LDAP server has a page size set to 1000, then only 1000 records will be returned. |
Size Limit | Number of records that should be returned in a single search. When you have enabled paging, i.e., set the Page Size parameter to some value, then this parameter has no effect. However, you must set the value of the Size Limit parameter to less than the value that you have set for Page Size. For example, if you set the page size to 100 and the size limit to 90, the server will return 90 records. By default, this is set as 0, i.e., none or no limit. |
Paged Cookie | (Optional) Value of an Opaque string, which if received in a paged search must be sent back while requesting subsequent entries of the search result. |
The output contains the following populated JSON schema:
{ "cookie": "", "entries": [ { "dn": "", "attributes": { "cn": "", "name": "", "codePage": "", "memberOf": [], "lastLogon": "", "objectSid": "", "adminCount": "", "lastLogoff": "", "logonCount": "", "objectGUID": "", "pwdLastSet": "", "uSNChanged": "", "uSNCreated": "", "badPwdCount": "", "countryCode": "", "description": [], "lockoutTime": "", "objectClass": [], "whenChanged": "", "whenCreated": "", "instanceType": "", "accountExpires": "", "objectCategory": "", "primaryGroupID": "", "sAMAccountName": "", "sAMAccountType": "", "badPasswordTime": "", "distinguishedName": "", "lastLogonTimestamp": "", "userAccountControl": "", "dSCorePropagationData": [], "isCriticalSystemObject": "" } } ] }
Parameter | Description |
---|---|
Object Type | Type of object whose entry you want to add in Active Directory. You can choose from the following options: User, Group, Computer, or Organization Unit (OU). If you choose User, then you must specify the following parameters:
|
Custom Attributes | (Optional) Additional fields, in the JSON format, to add in the object that you want to create Active Directory. |
The output contains the following populated JSON schema:
{ "description": "", "dn": "", "type": "", "result": "", "message": "", "referrals": "" }
Parameter | Description |
---|---|
Object Type | Type of object whose entry you want to update in Active Directory. You can choose from the following options: User, Group, Computer, or Organization Unit (OU). If you choose User, then you must specify the following parameters:
|
Custom Attributes | (Optional) Additional fields, in the JSON format, to add or change in the object that you want to update Active Directory. |
The output contains the following populated JSON schema:
{ "description": "", "dn": "", "type": "", "result": "", "message": "", "referrals": "" }
Parameter | Description |
---|---|
Object Type | Type of object whose entry you want to delete from Active Directory. You can choose from the following options: User, Group, Computer, or Organization Unit (OU). Based on the type of object that you choose you must specify the following parameters:
|
The output contains the following populated JSON schema:
{ "description": "", "dn": "", "type": "", "result": "", "message": "", "referrals": "" }
Parameter | Description |
---|---|
Group DN | List of Distinguished Names of the group in Active Directory to which you want to add members. Note: You must enter DN values in the list format. |
Object Type | Type of object, User, or Computer, that you want to add as members to the specified group in Active Directory. If you choose Computer, then you must specify the following parameter:
|
The output contains the following populated JSON schema:
{ "result": "", "description": "", "dn": [], "message": "", "referrals": "", "type": "", "group_dn": [] }
Parameter | Description |
---|---|
Group DN | List of Distinguished Names of the group in Active Directory from which you want to remove members. Note: You must enter DN values in the list format. |
Object Type | Type of object, User, or Computer, that you want to remove as members from the specified group in Active Directory. If you choose Computer, then you must specify the following parameter:
|
The output contains the following populated JSON schema:
{ "result": "", "description": "", "dn": [], "message": "", "referrals": "", "type": "", "group_dn": [] }
Parameter | Description |
---|---|
Attributes Type | The attribute, either the Distinguished Name (DN) or the SamAccount Name of the computer using which you want to enable the computer account in Active Directory. |
Value | The value of the Distinguished Name (DN) or the SamAccount Name of the computer account that you want to enable in Active Directory. |
The output contains the following populated JSON schema:
{ "message": "", "description": "", "result": "", "referrals": "", "type": "", "dn": "" }
Parameter | Description |
---|---|
Attributes Type | The attribute, either the Distinguished Name (DN) or the SamAccount Name of the computer using which you want to disable the computer account in Active Directory. |
Value | The value of the Distinguished Name (DN) or the SamAccount Name of the computer account that you want to disable in Active Directory. |
The output contains the following populated JSON schema:
{ "message": "", "description": "", "result": "", "referrals": "", "type": "", "dn": "" }
Parameter | Description |
---|---|
Attributes Type | The attribute, either the Distinguished Name (DN), email address, or SamAccount Name of the user who requires to reset their password when they next log on to Active Directory. |
Attributes Value | The value of the Distinguished Name (DN), email address, or SamAccount Name of the user who requires to reset their password when they next log on to Active Directory. |
The output contains the following populated JSON schema:
{ "message": "", "description": "", "result": "", "referrals": "", "type": "", "dn": "" }
Parameter | Description |
---|---|
Attributes Type | Select the value of the SamAccount name or the Email of the user, based on which you want to move a user account in AD. |
Value | Specify the value of either the SamAccount name or the email of the user based on your preference to move a user account in a new Organizational Unit. |
Destination OU | Specify the value of the targeted new Organizational Unit to which you want to move the user. |
The output contains the following populated JSON schema:
{ "message": "", "description": "", "result": "", "referrals": "", "type": "", "dn": "" }
Parameter | Description |
---|---|
Distinguished Name (DN) | Specify the distinguished name (DN) of the computer object you want to modify. |
Common Name | Specify the Common name (CN) of the computer object. |
Target Organization Unit (OU) | Specify the distinguished name (DN) of the target organizational unit (OU). |
The output contains the following populated JSON schema:
{ "message": "", "result": "" }
The Sample - Active Directory - 2.4.0
playbook collection comes bundled with the Active Directory connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Active Directory connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.
The Active Directory playbook collection contains pluggable enrichment playbooks that are used to provide verdicts for the 'user' indicator type. The pluggable enrichment playbooks are in the format: '<indicator type>
> Active Directory > Enrichment'. For example, 'User > Active Directory > Enrichment'.
Based on the Active Directory integration API response following variables are returned:
Variable Name | Description | Return Value |
---|---|---|
cti_name |
The name of the connector is called the CTI (Cyber Threat Intelligence) name | ActiveDirectory |
source_data |
The source_data response returned by the integration API. | A JSON response object containing the source data of the threat intelligence integration. |
enrichment_summary |
The contents that are added, in the HTML format, in the 'Description' field of the specified FortiSOAR indicator record. |
The following values are returned in the HTML format:
The following image displays a sample of the populated 'Description' field in a FortiSOAR indicator record: |