Skip to main content

Block Account - Generic v2

This Playbook is part of the Common Playbooks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook blocks malicious usernames using all integrations that you have enabled.

Supported integrations for this playbook:

  • Active Directory
  • PAN-OS - This requires PAN-OS 9.1 or higher.
  • SailPoint
  • PingOne
  • Clarizen IAM
  • Envoy IAM
  • ExceedLMS IAM
  • Okta
  • Microsoft Graph User (Azure Active Directory Users)
  • Google Workspace Admin
  • Slack IAM
  • ServiceNow IAM
  • Prisma Cloud IAM
  • Zoom IAM
  • Atlassian IAM
  • GitHub IAM.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


  • Active Directory Query v2


  • IsIntegrationAvailable
  • SetAndHandleEmpty


  • iam-disable-user
  • gsuite-user-update
  • identityiq-disable-account
  • pingone-deactivate-user
  • msgraph-user-account-disable
  • pan-os-register-user-tag
  • ad-get-user
  • msgraph-user-get
  • ad-disable-account
  • identityiq-get-accounts

Playbook Inputs#

NameDescriptionDefault ValueRequired
UsernameArray of malicious usernames to block.Optional
TagPAN-OS Tag name to apply to the username that you want to block.Bad AccountOptional
NamingConventionIn case you are using naming convention in your IDP, please specify a prefix for special/service accounts (use comma separated)Optional
UserVerificationPossible values:True/False. Default:True.
Specify if User Verification is Requrired

Playbook Outputs#

Blocklist.FinalBlocked accountsunknown

Playbook Image#

Block Account - Generic v2