Reset password upon suspicious alert

I would like to reset a user’s account password based on a suspicious alert. I’ve installed Azure AD Plugin and I can reset a password and revoke session using “test workflow” by entering a username in the User ID field. But I want to get the username automatically from the alert. How can I do this?

Whatever your step name is that brings in that alert payload is where you would start.

For my example I have a workflow that is using CrowdStrike to pull in new incidents whenever they occur. I named the first step “Get New Incidents Trigger”, so my variable names will be named according to that naming convention; yours will differ slightly, based upon the system you use and the name that you choose for that step.

Looking at the step for Revoke Sign In Sessions for the AzureADAdmin plugin we can see in my screenshot that it requires a string as input.


Next we open the variable picker which is the blue + symbol as seen below.

Find the variable that is the user details that you are looking for and ensure the data type is string. If it shows array of strings as seen below in my screenshot that won’t work as Azure wants only a single string as input.

To work with an array you would need to use a loop step. Choose the user variable as the array to loop through, then you build your Revoke User step inside of the loop, and for every user found in that array it would then go and perform the revoke action, as well as any other steps contained within the loop for each user.

Keep in mind that Azure is also looking for an email, so your user data that is coming from the system either needs to record that in the payload that is sent, or you would need to use the user data that is given, and then further enrich with another system such as LDAP to get the principal name.
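
The input handling described in the answer above, sketched in Python as an added example (it is not part of the thread and not InsightConnect or plugin code). It assumes the alert carries an `account` field that may be one string or an array of strings; `extract_accounts`, `plan_revocations`, `lookup` and the sample data are hypothetical names and constructed values.

```python
import re

# Loose shape check for an email-style sign-in name (user@domain).
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def extract_accounts(alert):
    """Return the alert's account field as a list, whether the source
    system sent one string or an array of strings."""
    value = alert.get("account")
    if value is None:
        return []
    if isinstance(value, str):
        value = [value]
    seen, out = set(), []
    for item in value:  # drop blanks and case-insensitive duplicates
        name = str(item).strip()
        if name and name.lower() not in seen:
            seen.add(name.lower())
            out.append(name)
    return out

def plan_revocations(alert, enrich=None):
    """Split accounts into (ready, unresolved). 'ready' holds single
    email-style strings safe to pass to a revoke/reset step one at a
    time; 'unresolved' holds names that could not be mapped."""
    ready, unresolved = [], []
    for name in extract_accounts(alert):
        if UPN_RE.match(name):
            ready.append(name)
            continue
        upn = enrich(name) if enrich else None  # e.g. a directory lookup
        if upn and UPN_RE.match(upn):
            ready.append(upn)
        else:
            unresolved.append(name)  # hold for manual review, do not guess
    return ready, unresolved

# Constructed sample data: a lookup table standing in for LDAP, and two payloads.
DIRECTORY = {"jdoe": "jdoe@example.com"}
SINGLE = {"account": "asmith@example.com"}
MULTI = {"account": ["jdoe", "asmith@example.com", "svc-backup", "JDOE"]}

def lookup(name):
    return DIRECTORY.get(name.lower())

if __name__ == "__main__":
    print(plan_revocations(SINGLE))
    print(plan_revocations(MULTI, enrich=lookup))
```

Names left in the unresolved list are the ones a workflow should route to an analyst rather than pass to a reset or revoke step.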

Hi! Appreciate your comments! As tends to happen, after opening the topic I found a way to make it work via AzureAD Plugin. First I tried it using a test account, then I was able to get the username affected by a suspicious IDR alert, and reset the password. The variable used is {{["Suspicious Authentication"].[alert].[account]}}

Now I would like to build an error control, I mean, check the result of the execution:

{{["Reset Password"].[$success]}} - True if the step succeeded, false otherwise

So I think I need to build a “choice” and there building the query for checking if the result is failed? Is that correct?

Yes you could have a decision step to let you know if Success=true.

Within the decision step itself there is a link to the help documentation to show what options are available, but it is also found here: Format Query Language | InsightConnect Documentation

A question that sometimes comes up around decision steps is the “default path” option that is a requirement to choose. It doesn’t matter which path you choose, but on the next page you need to configure the logic for the opposite of the default path.


So if your decision had two paths, success & failure, and you make failure your default path, then you would say {{["Reset Password"].[$success]}}=true.

If you make success the default path you would say {{["Reset Password"].[$success]}}=false. Both options work.