Huntress EDR: AD Account Lockdown Crate
What does the Huntress EDR: AD Account Lockdown Crate do?
This crate identifies the last logged-on user from a compromised Huntress device and automatically adds a ticket note with a direct link to disable the corresponding Active Directory account. This is only applicable to non-administrator accounts.
How the Crate works
The device name and Huntress organization name are parsed from the title of the Isolated Critical EDR ticket created by Huntress, using a regular expression. Your PSA must be set up as an integration within Huntress for this ticket to exist.
The correct Rewst organization ID is pulled from the mapped Huntress integration using the Huntress organization name.
It queries the RMM to identify the last logged-in user.
It pulls user group membership from Active Directory through PowerShell.
A webhook updates the ticket with a link to disable the user.
When clicked, a PowerShell script disables the user’s on-premises Active Directory account.
A note is added to the ticket confirming the action.
If the account belongs to an administrator group, it is not disabled.
The ticket is updated to indicate the account’s administrator status.
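The following PowerShell is an added illustration of the group-membership check and conditional disable described in the steps above; it is not the Crate's own script and not Rewst's or Huntress's code. It assumes the sAMAccountName and device name have already been obtained from the RMM lookup, and the list of "administrator" groups it protects is an assumption of this example, not the list the Crate uses.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not the Crate's code): refuse to disable members of
# privileged groups, otherwise disable the on-premises AD account and
# return the text that would go into the ticket note.

# Assumed list of groups whose members are never disabled automatically.
$ProtectedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Server Operators'
)

function Get-ProtectedGroupMatch {
    param(
        [Parameter(Mandatory)] [Microsoft.ActiveDirectory.Management.ADUser] $User,
        [string[]] $Groups = $ProtectedGroups
    )
    # Escape the DN for use inside an LDAP filter (RFC 4515), backslash first.
    $dn = $User.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' `
                                  -replace '\)', '\29' -replace '\*', '\2a'
    # LDAP_MATCHING_RULE_IN_CHAIN walks nested membership, so a user who is an
    # admin only through a nested group is still caught. Direct-membership
    # cmdlets such as Get-ADPrincipalGroupMembership would miss that case.
    $memberOf = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
                Select-Object -ExpandProperty Name
    return ($memberOf | Where-Object { $Groups -contains $_ } | Select-Object -First 1)
}

function Invoke-CompromisedAccountLockdown {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # from the RMM last-logon lookup
        [Parameter(Mandatory)] [string] $DeviceName        # parsed from the Huntress ticket title
    )
    $user  = Get-ADUser -Identity $SamAccountName -Properties Enabled
    $match = Get-ProtectedGroupMatch -User $user
    if ($match) {
        # Mirrors the Crate's behaviour: administrator accounts are left
        # enabled and the ticket records why.
        return "Not disabled: $SamAccountName (last logon on $DeviceName) is a member of '$match'. Manual review required."
    }
    if (-not $user.Enabled) {
        return "No change: $SamAccountName was already disabled."
    }
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Disable-ADAccount')) {
        Disable-ADAccount -Identity $user
        return "Disabled: $SamAccountName (last logon on $DeviceName) at $(Get-Date -Format o)."
    }
}

# Usage with constructed placeholder values; -WhatIf shows the decision
# without changing the directory.
Invoke-CompromisedAccountLockdown -SamAccountName 'jdoe' -DeviceName 'WKS-0123' -WhatIf
```

The function runs under whatever identity invokes it, so the RMM service account needs rights to disable users in the relevant OUs but nothing more. Because the membership query uses the member attribute, a user whose primary group is one of the protected groups would not be matched; that configuration is unusual but worth checking if you adapt the list.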
Crate prerequisites
Your PSA must be successfully integrated with Rewst before unpacking this Crate. PSAs that are compatible with this Crate are:
Your RMM must be successfully integrated with Rewst before unpacking this Crate. RMMs that are compatible with this Crate are:
Your Rewst Huntress integration must be set up and operational before unpacking this Crate.
Unpack the Huntress EDR: AD Account Lockdown Crate
Navigate to Crates > Crate Marketplace in the left side menu of the Rewst platform.
Search for Huntress EDR: AD Account Lockdown. Click on the Crate tile to begin unpacking.
Click Unpack.
Click Continue.
Choose the PSA that corresponds with your tool stack. Click on its accordion menu to expand its settings.
Toggle the trigger for your PSA on.
Click Unpack.

Test the Crate
Huntress' documentation on how to simulate an EDR event can be found here.
Log in to your Huntress account.
Simulate an EDR incident to create a dummy ticket in your PSA.
Navigate to Automations > Workflows in the left side menu of your Rewst platform.
Search for the workflow [REWST - TASK] Huntress EDR: AD Account Lockdown. Click on the workflow to open it in the workflow builder.
Click to view workflow results.
Examine the results to ensure that actions were executed as expected.
Return to your Huntress account. Check the ticket to confirm that it contains the updated information after the workflow has run.