
Add AD and Entra compromised-user kill-switch containment playbook#926

Open
ISchisel-LFI wants to merge 2 commits into Palo-Cortex:main from ISchisel-LFI:contrib/ian/ad-entra-user-containment

Conversation

@ISchisel-LFI

Summary

This PR adds an Active Directory and Microsoft Entra-specific compromised-user containment playbook.

The playbook is intended to complement the existing SOC Identity Containment_V3 framework playbook, not replace it. SOC Identity Containment_V3 provides generic identity containment routing, while this contribution provides a focused AD/Entra implementation with validation, guardrails, dry-run behavior, approval gating, verification, and case-note generation.

If maintainers prefer, this can be refactored into a sub-playbook called by SOC Identity Containment_V3 rather than added as a standalone playbook.

Content added

Playbook

  • Compromised User Kill Switch Containment - Entra and Active Directory

Helper automations

  • ValidateCompromisedUserContainmentInputs
  • NormalizeCompromisedUserIdentifier
  • CollectCompromisedUserContext
  • ProtectedAccountContainmentGuard
  • VerifyADCompromisedUserContainment
  • SetCompromisedUserContainmentActionStatus
  • ResetEntraAuthenticationMethods
  • VerifyEntraCompromisedUserContainment
  • AppendADContainmentDescriptionNote
  • BuildCompromisedUserContainmentVerdict
  • GenerateCompromisedAccountContainmentCaseNotes

What the playbook does

The playbook supports compromised-user containment for AD and Microsoft Entra environments.

High-level workflow:

  1. Validates required user inputs.
  2. Normalizes the compromised-user identifier.
  3. Looks up the user in Active Directory and Microsoft Entra.
  4. Collects account context.
  5. Checks protected-account guardrails.
  6. Requires approval before high-impact actions.
  7. Supports dry-run mode.
  8. Disables the AD account when selected.
  9. Expires the AD password when selected.
  10. Disables the Entra account when selected.
  11. Revokes Entra sessions when selected.
  12. Resets Entra authentication methods when selected.
  13. Verifies containment results.
  14. Appends AD containment notes.
  15. Generates final containment verdict and analyst case notes.

Required integrations / dependencies

This playbook requires identity integrations capable of supporting the following command families:

  • Active Directory user lookup/update commands
  • Microsoft Graph / Entra ID user lookup commands
  • Microsoft Graph / Entra ID session revocation commands
  • Microsoft Graph / Entra ID authentication method reset commands

Known command dependencies include:

  • ad-get-user
  • ad-update-user
  • msgraph-user-get
  • azure-ad-get-user
  • msgraph-user-*-method-* commands

Safety controls

  • RequireApproval defaults to true.
  • DryRun defaults to true.
  • Protected-account guardrails are checked before containment actions.
  • The playbook includes verification steps after AD and Entra containment actions.
  • The submitted content has been cleaned to remove tenant-specific domains, users, IDs, secrets, and internal URLs.
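Added example (not part of this PR or of the Palo-Cortex repository): a plain-Python model of the workflow steps and the safety controls listed above, so a reviewer can see the intended ordering in one place: input validation and identifier normalization, the protected-account guardrail evaluated before any action, DryRun and RequireApproval defaulting to the safe setting, the missing-user and malformed-user paths failing without touching anything, per-action verification read back after each change, and the analyst case-note text. The in-memory directory, the domain, the group names, the argument keys and the action names are constructed stand-ins; they are not the PR's automations and not XSOAR/XSIAM integration commands.

```python
import copy
import re
from typing import Callable, Dict

# Constructed in-memory stand-in for the AD/Entra lookups (no real integration calls).
DEFAULT_DOMAIN = "example.test"                                 # assumed single-domain tenant
PROTECTED_GROUPS = {"Global Administrator", "Domain Admins"}     # assumed guardrail policy
DIRECTORY: Dict[str, dict] = {
    "jdoe@example.test": {"ad_enabled": True, "entra_enabled": True, "password_expired": False,
                          "sessions": 3, "auth_methods_reset": False, "groups": ["Staff"]},
    "breakglass@example.test": {"ad_enabled": True, "entra_enabled": True, "password_expired": False,
                                "sessions": 1, "auth_methods_reset": False,
                                "groups": ["Global Administrator"]},
}
ACTIONS = ["disable_ad", "expire_ad_password", "disable_entra", "revoke_sessions", "reset_auth_methods"]
EFFECTS: Dict[str, Callable[[dict], None]] = {   # what each action changes in the stub directory
    "disable_ad": lambda u: u.update(ad_enabled=False),
    "expire_ad_password": lambda u: u.update(password_expired=True),
    "disable_entra": lambda u: u.update(entra_enabled=False),
    "revoke_sessions": lambda u: u.update(sessions=0),
    "reset_auth_methods": lambda u: u.update(auth_methods_reset=True),
}
CHECKS: Dict[str, Callable[[dict], bool]] = {    # verification: read the state back, never trust the call
    "disable_ad": lambda u: not u["ad_enabled"],
    "expire_ad_password": lambda u: u["password_expired"],
    "disable_entra": lambda u: not u["entra_enabled"],
    "revoke_sessions": lambda u: u["sessions"] == 0,
    "reset_auth_methods": lambda u: u["auth_methods_reset"],
}


def fresh_directory() -> Dict[str, dict]:
    """Copy of the stub directory so every run starts from a clean state."""
    return copy.deepcopy(DIRECTORY)


def normalize_identifier(raw: str) -> str:
    """Accept UPN, DOMAIN\\sam or bare sAMAccountName; return a lowercase UPN or raise."""
    s = raw.strip().lower()
    if "\\" in s:                                  # DOMAIN\sam -> sam (domain assumed to be DEFAULT_DOMAIN)
        s = s.split("\\", 1)[1]
    if "@" not in s:
        s = f"{s}@{DEFAULT_DOMAIN}"
    if not re.fullmatch(r"[a-z0-9._-]+@[a-z0-9.-]+", s):
        raise ValueError(f"malformed user identifier: {raw!r}")
    return s


def validate_inputs(args: dict) -> dict:
    """Require a user identifier and at least one selected action; apply the safe defaults."""
    if not args.get("user"):
        raise ValueError("user identifier is required")
    actions = {a: bool(args.get(a, False)) for a in ACTIONS}
    if not any(actions.values()):
        raise ValueError("no containment action selected")
    return {"upn": normalize_identifier(args["user"]), "actions": actions,
            "dry_run": bool(args.get("DryRun", True)),              # both gates default to safe
            "require_approval": bool(args.get("RequireApproval", True)),
            "approved": bool(args.get("approved", False))}


def protected_account_guard(user: dict) -> str:
    """Return a block reason when the account is in a protected group, else an empty string."""
    hits = sorted(PROTECTED_GROUPS & set(user["groups"]))
    return "protected group membership: " + ", ".join(hits) if hits else ""


def contain(args: dict, directory: Dict[str, dict]) -> dict:
    """Run the kill-switch flow against the stub directory; return verdict and per-action status."""
    plan = validate_inputs(args)
    result = {"user": plan["upn"], "actions": {}, "verification": {}, "verdict": ""}
    user = directory.get(plan["upn"])
    if user is None:                               # missing user fails safe: nothing is touched
        result["verdict"] = "not-found"
        return result
    reason = protected_account_guard(user)
    if reason:                                     # guardrail runs before any action, dry-run included
        result.update(verdict="blocked", reason=reason)
        return result
    if plan["require_approval"] and not plan["approved"] and not plan["dry_run"]:
        result["verdict"] = "awaiting-approval"    # live actions need approval (assumed: dry-run does not)
        return result
    for name, selected in plan["actions"].items():
        if not selected:
            result["actions"][name] = "skipped"
        elif plan["dry_run"]:
            result["actions"][name] = "dry-run"
        else:
            EFFECTS[name](user)
            result["actions"][name] = "done"
            result["verification"][name] = CHECKS[name](user)
    if plan["dry_run"]:
        result["verdict"] = "dry-run"
    else:
        result["verdict"] = "contained" if all(result["verification"].values()) else "partial"
    return result


def case_notes(result: dict) -> str:
    """Analyst-facing summary of what was (or would have been) done."""
    lines = [f"Containment verdict for {result['user']}: {result['verdict']}"]
    if result.get("reason"):
        lines.append(f"Reason: {result['reason']}")
    for name, status in result["actions"].items():
        verified = result["verification"].get(name)
        lines.append(f"- {name}: {status}" + ("" if verified is None else f" (verified: {verified})"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(case_notes(contain({"user": "EXAMPLE\\JDoe", "disable_entra": True, "revoke_sessions": True,
                              "DryRun": False, "approved": True}, fresh_directory())))
```

The point worth checking in review is the ordering: the guard and the not-found path return before the approval gate, so a protected or unknown account is never presented for approval at all, and with the defaults (DryRun and RequireApproval both true) a run that forgets to set anything changes nothing in the directory.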

Relationship to existing framework content

I noticed that SOC Identity Containment_V3 already exists in the repository. This PR is not intended to duplicate or replace that playbook.

This contribution is intended as a concrete AD/Entra-specific containment implementation that could either:

  1. Stand alone as a focused compromised-user kill-switch playbook, or
  2. Be converted into a sub-playbook called by SOC Identity Containment_V3.

I am open to maintainer guidance on the preferred placement and integration pattern.

Testing

Tested in an XSIAM tenant before export.

Recommended reviewer validation:

  • Run with DryRun=true.
  • Confirm protected-account guardrails trigger as expected.
  • Confirm approval is required before live containment.
  • Confirm AD lookup and Entra lookup work for valid users.
  • Confirm missing-user and malformed-user paths fail safely.
  • Confirm containment verification and case-note generation complete successfully.
