workflow for disabling user in active directory when detection rule from detection rule library was triggered
Create a new workflow
Select Trigger: “InsightIDR Detection Rule”
Select “Ingress Auth”
Click “Add Detection Rule”
Select the rule you want (eg the Non-approved countries)
Build the rest of your workflow (disable user etc)