P0nt05 · dadokkio · Feb 17, 2021 · Feb 17, 2021
diff --git a/DuoLockUserAccount/duoLockUserAccount.py b/DuoLockUserAccount/duoLockUserAccount.py
diff --git a/DuoLockUserAccount/DuoLockUserAccount.json → DuoSecurity/DuoLockUserAccount.json b/DuoLockUserAccount/DuoLockUserAccount.json → DuoSecurity/DuoLockUserAccount.json
@@ -1,22 +1,25 @@
 {
-  "name": "DuoLockUserAccount",
+  "name": "DuoUnlockUserAccount",
   "version": "1.0",
   "author": "Sven Kutzer / Gyorgy Acs",
   "url": "https://github.com/P0nt05/CortexResponder_DuoUserAccount",
   "license": "AGPL-V3",
-  "description": "Lock User Account in Duo Security via AdminAPI (The user will not be able to log in)",
+  "description": "Lock User Account in Duo Security via AdminAPI (The user must complete secondary authentication)",
   "dataTypeList": ["thehive:case_artifact"],
-  "command": "DuoLockUserAccount/duoLockUserAccount.py",
-  "baseConfig": "Duo_AdminAPI-Account",
+  "command": "DuoSecurity/duoUserAccount.py",
+  "baseConfig": "DuoSecurity",
+  "config": {
+    "service": "lock"
+  },
   "configurationItems": [
     {
       "name": "API_hostname",
-      "description": "Duo Admin API hostname, https://api-XXXXXXXX.duosecurity.com",
+      "description": "Duo Admin API hostname, api-XXXXXXXX.duosecurity.com",
       "type": "string",
       "multi": false,
       "required": true
     },
-   {
+    {
       "name": "Integration_Key",
       "description": "Integration Key",
       "type": "string",

diff --git a/...lockUserAccount/DuoUnlockUserAccount.json → DuoSecurity/DuoUnlockUserAccount.json b/...lockUserAccount/DuoUnlockUserAccount.json → DuoSecurity/DuoUnlockUserAccount.json
@@ -6,17 +6,20 @@
   "license": "AGPL-V3",
   "description": "Unlock User Account in Duo Security via AdminAPI (The user must complete secondary authentication)",
   "dataTypeList": ["thehive:case_artifact"],
-  "command": "DuoUnlockUserAccount/duoUnlockUserAccount.py",
-  "baseConfig": "Duo_AdminAPI-Account",
+  "command": "DuoSecurity/duoUserAccount.py",
+  "baseConfig": "DuoSecurity",
+  "config": {
+    "service": "unlock"
+  },
   "configurationItems": [
     {
       "name": "API_hostname",
-      "description": "Duo Admin API hostname, https://api-XXXXXXXX.duosecurity.com",
+      "description": "Duo Admin API hostname, api-XXXXXXXX.duosecurity.com",
       "type": "string",
       "multi": false,
       "required": true
     },
-   {
+    {
       "name": "Integration_Key",
       "description": "Integration Key",
       "type": "string",

diff --git a/DuoSecurity/duoUserAccount.py b/DuoSecurity/duoUserAccount.py
@@ -0,0 +1,64 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.responder import Responder
+import requests
+import duo_client
+from datetime import datetime
+
+
+class DuoUserAccount(Responder):
+    def __init__(self):
+        Responder.__init__(self)
+        self.API_hostname = self.get_param(
+            "config.API_hostname", None, "API hostname is missing"
+        )
+        self.iKey = self.get_param(
+            "config.Integration_Key", None, "Integration Key is missing"
+        )
+        self.sKey = self.get_param("config.Secret_Key", None, "Secret Key is  missing")
+        self.service = self.get_param("config.service", "search", None)
+
+    def run(self):
+        Responder.run(self)
+
+        if self.get_param("data.dataType") == "username":
+
+            if self.service in ["lock", "unlock"]:
+                str_username = self.get_param(
+                    "data.data", None, "No artifacts available"
+                )
+                admin_api = duo_client.Admin(self.iKey, self.sKey, self.API_hostname)
+                response = admin_api.get_users_by_name(username=str_username)
+                user_id = response[0]["user_id"]
+
+            if self.service == "lock":
+                r = admin_api.update_user(user_id=user_id, status="disabled")
+                if r.get("status") == "disabled":
+                    self.report({"message": "User is locked in Duo Security."})
+                else:
+                    self.error("Failed to lock User Account in Duo.")
+            elif self.service == "unlock":
+                r = admin_api.update_user(user_id=user_id, status="active")
+                if r.get("status") == "active":
+                    self.report(
+                        {
+                            "message": "User is unlocked in Duo Security. The user must complete secondary authentication."
+                        }
+                    )
+                else:
+                    self.error("Failed to unlock User Account in Duo.")
+        else:
+            self.error('Incorrect dataType. "username" expected.')
+
+    def operations(self, raw):
+        if self.service == "lock":
+            return [self.build_operation("AddTagToArtifact", tag="Duo User: locked")]
+        elif self.service == "unlock":
+            return [
+                self.build_operation("AddTagToArtifact", tag="Duo User: reactivated")
+            ]
+
+
+if __name__ == "__main__":
+    DuoUserAccount().run()
diff --git a/DuoLockUserAccount/requirements.txt → DuoSecurity/requirements.txt b/DuoLockUserAccount/requirements.txt → DuoSecurity/requirements.txt
diff --git a/DuoUnlockUserAccount/duoUnlockUserAccount.py b/DuoUnlockUserAccount/duoUnlockUserAccount.py
diff --git a/DuoUnlockUserAccount/requirements.txt b/DuoUnlockUserAccount/requirements.txt