https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/playbook-to-search-ad-expired-accounts-and-delete-them/m-p/504794#M992 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/208955">@pottapitot</a>, you can use the extend context option to save the data to the context in the&nbsp;<SPAN>DatetimetoADTime step. Then use that context key token in the following step. Use "data=" to dump all command output into the context key. For more information&nbsp;refer -&nbsp;<A href="https://xsoar.pan.dev/docs/playbooks/playbooks-extend-context" target="_blank">https://xsoar.pan.dev/docs/playbooks/playbooks-extend-context</A></SPAN></P><P>&nbsp;</P><P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2022-06-20 at 12.32.03 pm.png" style="width: 596px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/41889i435616C4CCC0C6C7/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screen Shot 2022-06-20 at 12.32.03 pm.png" alt="Screen Shot 2022-06-20 at 12.32.03 pm.png" /></span></SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Mon, 20 Jun 2022 02:34:51 GMT jfernandes1 2022-06-20T02:34:51Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/playbook-to-search-ad-expired-accounts-and-delete-them/m-p/504495#M985 <P>Hi,</P><P>I am trying to create a playbook that</P><P>1) Searches for expired accounts in AD</P><P>2) Retrieves the sAMAccountName, Display name and expired date</P><P>3) Delete the accounts&nbsp;</P><P>4) Sent an email notification with the details of the accounts deleted.</P><P>&nbsp;</P><P>I created the ldap query for the same and one factor was to get the current time to use in the query.</P><P>There is a function call DateTimetoADTime in XSOAR which can be used for that.</P><P>&nbsp;</P><P>The LDAP query is as follows</P><P>(&amp;(objectCategory=person)(objectClass=user)(!accountExpires=9223372036854775807)(!accountExpires=0))</P><P>&nbsp;</P><P>I get the current date in AD format using</P><P>DatetimetoADTime days_ago=0</P><P>&nbsp;</P><P>I append to the LDAP query above to get the result using ad-search (xsoar function) like so</P><P>(&amp;(objectCategory=person)(objectClass=user)(!accountExpires=9223372036854775807)(!accountExpires=0))(accountExpires&lt;=&lt;output given from DatetimetoADTime&gt;)</P><P>&nbsp;</P><P>This works in the playground where I get the display names only though.</P><P>&nbsp;</P><P>I tried to make a playbook out of this but I am stuck at the step after using the DateTimetoADTime, how do I give the value as input to ad-search to retrieve the users and also get the details of each user (sAMAccountName, Display name and expired date), then give the same as output to be deleted?</P><P>&nbsp;</P><P>Thanks in advance</P><P>&nbsp;</P> Fri, 17 Jun 2022 16:08:04 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/playbook-to-search-ad-expired-accounts-and-delete-them/m-p/504495#M985 pottapitot 2022-06-17T16:08:04Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/playbook-to-search-ad-expired-accounts-and-delete-them/m-p/504794#M992 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/208955">@pottapitot</a>, you can use the extend context option to save the data to the context in the&nbsp;<SPAN>DatetimetoADTime step. Then use that context key token in the following step. Use "data=" to dump all command output into the context key. For more information&nbsp;refer -&nbsp;<A href="https://xsoar.pan.dev/docs/playbooks/playbooks-extend-context" target="_blank">https://xsoar.pan.dev/docs/playbooks/playbooks-extend-context</A></SPAN></P><P>&nbsp;</P><P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2022-06-20 at 12.32.03 pm.png" style="width: 596px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/41889i435616C4CCC0C6C7/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screen Shot 2022-06-20 at 12.32.03 pm.png" alt="Screen Shot 2022-06-20 at 12.32.03 pm.png" /></span></SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Mon, 20 Jun 2022 02:34:51 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/playbook-to-search-ad-expired-accounts-and-delete-them/m-p/504794#M992 jfernandes1 2022-06-20T02:34:51Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/playbook-to-search-ad-expired-accounts-and-delete-them/m-p/504935#M994 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/208028">@jfernandes1</a>&nbsp;,</P><P>&nbsp;</P><P>That was exactly what I was looking for.&nbsp;Thanks alot.</P><P>&nbsp;</P><P>Cheers</P> Mon, 20 Jun 2022 16:34:30 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/playbook-to-search-ad-expired-accounts-and-delete-them/m-p/504935#M994 pottapitot 2022-06-20T16:34:30Z