Comments (14)
I love it, I think the geo location data in particular would be very helpful, it's easy to get and it is truly an enrichment of the entity.
The threat intel I think would be best in its own module since we want to make sure those insights flow all the way back to the initial playbook... because if initial playbook -calls-> module -calls-> enrichment then which module would bring the TI back to the initial playbook to make a decision based on the TI? I think we'd still need a TI one to do this.
from sentinelautomationmodules.
one other thing about that if(), at first I did it in a variable inside a loop and then did the switch on the variable value but that resulted in needing to enable concurrency control to 1. So i changed it to put it in the select array before the loop, now 'switch'ing on the property in the array so I could remove the concurrency control and it sped up the execution
from sentinelautomationmodules.
To reduce the risk of hitting the API limit, I added a property to trigger to prompt for the Geo Data enrichment, so for modules that don't need it we can do everything else in the module minus pulling the geo data.
from sentinelautomationmodules.
π€―Less than 3 sec exec time for a 5 entities array, that's neet!!
from sentinelautomationmodules.
if(not(empty(item()['properties']?['upnSuffix'])), 'UPN', if(not(empty(item()['properties']?['aadUserId'])), 'AADId', if(not(empty(item()['properties']?['sid'])), 'ObjectSid', if(not(empty(item()['properties']?['ntDomain'])), 'SamAccountName', if(contains(item()['properties']?['accountName'], ',DC='), 'DistinguishedName', 'Unknown'))))) π
What about an optional path in the IP side to geo locate the IP :) or even more about the IP? That way, all other modules could leverage the data as opposed as quering additional services or even the TI table on their side. Or is that too much out of scope? Maybe another module that does just that? Geo locate, reputation score and add all that to tags or comments? Well that maybe already exists... It's late I do a lot of free associations...
from sentinelautomationmodules.
@piaudonn the latest commit to the enrich_entities branch now adds Geo data to the IP entities. This introduces 2 dependencies
- Incident ARM Id needs to be sent to the Enrich-Entities Playbook
- Enrich-Entities Playbook needs Azure Sentinel Responder (actually, probably even Sentinel Reader would be fine but I didn't test it)
There is a limit of 100 queries/hr/account to the API which i think will be sufficient for most cases
It also removes the requirement that the host entities have an dnsDomain included... now the entity will succeed and provide the host name regardless.
The new return now looks like this:
{
"Accounts": [
{
"userPrincipalName": "[email protected]",
"id": "128bde25-5ba5-4532-9e56-81c42bc64c59",
"onPremisesSecurityIdentifier": "S-1-5-21-565363340-1337343146-2447627351-32655",
"onPremisesDistinguishedName": "CN=victim1,OU=Lab,OU=Org,DC=ad,DC=briandel,DC=ca",
"onPremisesDomainName": "ad.briandel.ca",
"onPremisesSamAccountName": "victim1"
}
],
"AccountsAllValid": false,
"AccountsInput": 2,
"AccountsValid": 1,
"Hosts": [
{
"DnsDomain": "",
"FQDN": "host02.",
"Hostname": "host02"
},
{
"DnsDomain": "contoso.com",
"FQDN": "host1.contoso.com",
"Hostname": "host1"
}
],
"HostsAllValid": true,
"HostsInput": 2,
"HostsValid": 2,
"IPs": [
{
"Address": "24.150.222.222",
"GeoData": {
"asn": "7992",
"carrier": "cogeco cable",
"city": "oakville",
"cityCf": 90,
"continent": "north america",
"country": "canada",
"countryCf": 99,
"ipAddr": "24.150.222.222",
"ipRoutingType": "fixed",
"latitude": "43.43135",
"longitude": "-79.76624",
"organization": "cogeco cable canada inc.",
"organizationType": "Internet Service Provider",
"region": "central canada",
"state": "ontario",
"stateCf": 95,
"stateCode": "on"
}
}
],
"IPsAllValid": true,
"IPsInput": 1,
"IPsValid": 1
}
from sentinelautomationmodules.
Ok, one more thing π... building on the idea of enriching the IP, I added (c47522c) additional user enrichments (title, department, onPremisesSyncEnabled, etc) Since we're in AAD anyways, might as well get some extra properties.
We can add more if needed and may be able to pull enough data that we can remove the need for User.Read.All on the modules that presently require it... not that it's a significant right, just may become redundant.
from sentinelautomationmodules.
Shall we share the vault then (like you suspected earlier) to use the Geo API?
I guess we could also store the lookup result into a Storage Account table to avoid looking up the same IP multiple times in a certain amount of time. Or is that adding to much complexity?
And what about getting an IsAADAdmin flag or something of the sort to denote a (permanent or not) privileged user?
π π³ β
from sentinelautomationmodules.
No APi key is needed.
We could cache results, would be fairly easy with table storage or similar but I think we can hold off on that for now
from sentinelautomationmodules.
I'll add the admin one for sure
from sentinelautomationmodules.
@piaudonn am i missing something or in the graph is there no way to pull admin roles by user? you have to do it by role?
Also, haven't committed yet but I've added the users' managed into the enrichment
from sentinelautomationmodules.
Indeed, in my scripts doing these I first export the list of /roleManagement/directory/roleAssignments?`$filter=roleDefinitionId eq '62e90394-69f5-4237-9190-012177145e10' etc... and check if the user ID is in it.
from sentinelautomationmodules.
/roleManagement/directory/roleAssignments?$filter=principalId%20eq%20'0963f2f3-b647-43fd-b6be-8dd00f39419c'&$expand=roleDefinition
Drop all the returned data except displayName?
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleAssignments(roleDefinition())",
"value": [
{
"id": "4-PYiFWPHkqVOpuYmLiHa_PyYwlHtv1Dtr6N0A85QZw-1",
"principalId": "0963f2f3-b647-43fd-b6be-8dd00f39419c",
"directoryScopeId": "/",
"roleDefinitionId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b",
"roleDefinition": {
"id": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b",
"description": "Can read basic directory information. Commonly used to grant directory read access to applications and guests.",
"displayName": "Directory Readers",
"isBuiltIn": true,
"isEnabled": true,
"resourceScopes": [
"/"
],
"templateId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b",
"version": "1",
"rolePermissions": [
{
"allowedResourceActions": [
"microsoft.directory/administrativeUnits/standard/read",
"microsoft.directory/administrativeUnits/members/read",
"microsoft.directory/applications/standard/read",
"microsoft.directory/applications/owners/read",
"microsoft.directory/applications/policies/read",
"microsoft.directory/contacts/standard/read",
"microsoft.directory/contacts/memberOf/read",
"microsoft.directory/contracts/standard/read",
"microsoft.directory/devices/standard/read",
"microsoft.directory/devices/memberOf/read",
"microsoft.directory/devices/registeredOwners/read",
"microsoft.directory/devices/registeredUsers/read",
"microsoft.directory/directoryRoles/standard/read",
"microsoft.directory/directoryRoles/eligibleMembers/read",
"microsoft.directory/directoryRoles/members/read",
"microsoft.directory/domains/standard/read",
"microsoft.directory/groups/standard/read",
"microsoft.directory/groups/appRoleAssignments/read",
"microsoft.directory/groups/memberOf/read",
"microsoft.directory/groups/members/read",
"microsoft.directory/groups/owners/read",
"microsoft.directory/groups/settings/read",
"microsoft.directory/groupSettings/standard/read",
"microsoft.directory/groupSettingTemplates/standard/read",
"microsoft.directory/oAuth2PermissionGrants/standard/read",
"microsoft.directory/organization/standard/read",
"microsoft.directory/organization/trustedCAsForPasswordlessAuth/read",
"microsoft.directory/applicationPolicies/standard/read",
"microsoft.directory/roleAssignments/standard/read",
"microsoft.directory/roleDefinitions/standard/read",
"microsoft.directory/servicePrincipals/appRoleAssignedTo/read",
"microsoft.directory/servicePrincipals/appRoleAssignments/read",
"microsoft.directory/servicePrincipals/standard/read",
"microsoft.directory/servicePrincipals/memberOf/read",
"microsoft.directory/servicePrincipals/oAuth2PermissionGrants/read",
"microsoft.directory/servicePrincipals/owners/read",
"microsoft.directory/servicePrincipals/ownedObjects/read",
"microsoft.directory/servicePrincipals/policies/read",
"microsoft.directory/subscribedSkus/standard/read",
"microsoft.directory/users/standard/read",
"microsoft.directory/users/appRoleAssignments/read",
"microsoft.directory/users/deviceForResourceAccount/read",
"microsoft.directory/users/directReports/read",
"microsoft.directory/users/licenseDetails/read",
"microsoft.directory/users/manager/read",
"microsoft.directory/users/memberOf/read",
"microsoft.directory/users/oAuth2PermissionGrants/read",
"microsoft.directory/users/ownedDevices/read",
"microsoft.directory/users/ownedObjects/read",
"microsoft.directory/users/photo/read",
"microsoft.directory/users/registeredDevices/read",
"microsoft.directory/users/scopedRoleMemberOf/read"
],
"condition": null
}
]
}
}
]
}
from sentinelautomationmodules.
@piaudonn ok, I'm merging the first version into main. additional api permission is required for the roles, it's in the powershell script and readme. I'm sure there's still work to do here but I think it's stable enough to start porting modules over to it. File an issues you see
from sentinelautomationmodules.
Related Issues (20)
- [Feature] MITRE Tactics Scoring Adjustment HOT 4
- [BUG] File Insights - Module fails when file entities are passed but no file hashes HOT 3
- [BUG] File Module - File profile function inconsistencies HOT 2
- [BUG] Issues when deploying Grant Permissions script HOT 6
- STAT Support in DoD HOT 6
- STAT v2 - Migrate MDE Module
- Deployment via Azure Lighthouse HOT 2
- STAT v2 - Update Sample Template
- Allow for use of User Assigned Managed Identity HOT 3
- STAT v2 Preview - Problems with the Sample-STAT-Triage Playbooks HOT 2
- Run playbook module error 400 bad request HOT 7
- [QUESTION] Get-MDEInsights Module Issue HOT 10
- [Feature] GrantPermissions - Fail if Connect-MgGraph or Login-AzAccount fail HOT 1
- STATv2 - Remove App Insights from Deployment
- [QUESTION] STATv2 preview without public storage account HOT 1
- [BUG] Wrong data in "ID" variable from MDE-Module - STAT v2 HOT 4
- [QUESTION] STAT V2 AAD Risk Module 403 Forbidden HOT 2
- [BUG] Deploy - Deploy/GrantPermissions.ps1 does not work HOT 8
- [BUG] MDE - Links to entities are broken HOT 2
- [BUG] Base Module - custom entity array incorrectly processed HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from sentinelautomationmodules.