{
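  "Comment": "Step Function started by an EventBridge rule on a GuardDuty runtime finding. It resolves the process's effective UID (euid) to a Linux username on the affected instance via SSM Run Command, then disables that user in Active Directory. Caveats: the command output is read after a fixed 5-second wait without checking the invocation status, and the disable command targets a hard-coded instance ID.",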
  "StartAt": "Choice",
  "States": {
    "Choice": {
      "Type": "Choice",
      "Choices": [
        {
          "Variable": "$.detail.service.runtimeDetails.process.euid",
          "IsPresent": true,
          "Next": "Find Username"
        }
      ],
      "Default": "No UserID found."
    },
    "Find Username": {
      "Type": "Task",
      "Parameters": {
        "DocumentName": "GetUsernameFromID",
        "Parameters": {
          "UserId.$": "States.Array(States.JsonToString($.detail.service.runtimeDetails.process.euid))"
        },
        "Targets": [
          {
            "Key": "InstanceIds",
            "Values.$": "States.Array($.detail.resource.instanceDetails.instanceId)"
          }
        ]
      },
      "Resource": "arn:aws:states:::aws-sdk:ssm:sendCommand",
      "Next": "Wait",
      "ResultPath": "$.RunCommand.State"
    },
    "Wait": {
      "Type": "Wait",
      "Seconds": 5,
      "Next": "Get Username"
    },
    "Get Username": {
      "Type": "Task",
      "Parameters": {
        "CommandId.$": "$.RunCommand.State.Command.CommandId",
        "InstanceId.$": "$.detail.resource.instanceDetails.instanceId"
      },
      "Resource": "arn:aws:states:::aws-sdk:ssm:getCommandInvocation",
      "Next": "Disable AD User",
      "ResultSelector": {
        "StandardOutputContent.$": "States.StringSplit($.StandardOutputContent,'\n')"
      }
    },
    "Disable AD User": {
      "Type": "Task",
      "Parameters": {
        "DocumentName": "DisableADUser",
        "Parameters": {
          "UserName.$": "$.StandardOutputContent"
        },
        "Targets": [
          {
            "Key": "InstanceIds",
            "Values": [
              "i-0b22a22eec53b9321"
            ]
          }
        ]
      },
      "Resource": "arn:aws:states:::aws-sdk:ssm:sendCommand",
      "End": true
    },
    "No UserID found.": {
      "Type": "Pass",
      "End": true
    }
  }
}
