We’re looking to integrate Microsoft Graph API in our workflows - actions like POSTing to confirm a user as compromised in Azure AD.
From reading what others have mentioned, the safest and most flexible option seems to be using the Python3 plugin, since there’s no native connection for it. However, we don’t want to send over any secrets, keys, or IDs over plaintext within logs. I understand using Global Artifacts and workflow parameters aren’t ideal either.
Anyone have recommendations or experience in implementing this securely and effectively?
You can input your api secret key in the secret key field within the python connection. That leaves you the username and password field still. I don’t know that you will need username or password, so you could use those two fields as well for your app id and tenant id.
I’ve put in an enhancement request asking to have two additional fields for this specific reason. I’ll follow up with the team tomorrow and see if it has made any traction up the priority board.
If you wanted to use some form of encryption when storing your data in your Global Artifact, that keeps it more secure while in the GA, but it is still going to be stored within your job data.
If you look at the responses from some of those Graph calls, what you want to keep sensitive is actually returned in the call, so be aware. For example, I think Tenant ID is part of the payload for some defender alerts.
I’m actually jumping on the compromised user train here, too, and was wondering if this was possibly an enhancement request to be added to the Azure Active Directory plugin to confirm a user as compromised? Seems like a really good function to have - especially as a “take action” within InsightIDR.
Thanks for the feedback Eric.
Can you elaborate? When you say confirm a user as compromised you are saying to update some attribute on the user, or there is an attribute already that says the user is compromised?
I don’t believe it’s an attribute, but that’s not to say it could be one I just haven’t discovered yet. It appears to be a list hosted within Azure.
https://learn.microsoft.com/en-us/graph/api/riskyuser-get?view=graph-rest-1.0&tabs=http
On the user-side, this is a function that an analyst would select when responding to a “risky user” detection (risky sign-in behavior). Technically what this triggers is a few changes to the user’s status, which used to simply be…
- marking user account as high risk
- user risk level is elevated in Identity Protection
- user is prompted to change password
However, new Entra conditional access policies now refer to a user’s risk level, which then triggers User risk policies. I honestly can’t confirm if this is all still based on a user’s risk level being set to high risk.
After I researched this while writing it out, it appears that this may be an action that’s called “confirm risky user” but is actually setting a user’s risk level within Azure.
So your goal would be to have the option to set that user's risk level?
I can look into that. The fastest way is going to be with the Python plugin. If I can get this working I will share with the thread so anyone can leverage it. I assume this is available to any version of Microsoft License, or it would only work with a certain user level license?
It looks like this might require at minimum a Microsoft Entra ID P2 license, but it’s always been a pretty standard feature.
Ya, I am trying to build it out in my demo and I am getting an error saying my tenant isn’t licensed.
List Risky User & Risk Detections Python Steps.snpt (7.2 KB)
I’ve attached a Snippet to list Risk Detections and List Risky Users.
That should be enough to get you started. They are two different python steps. Both need to have specific application permissions:
- Detections needs: IdentityRiskEvent.Read.All
- Users needs: IdentityRiskyUser.Read.All
I was going to build it so I can:
- List the risky users
- Get the specific risky user
- And then confirm the risky users
We already have a trigger for the Azure AD Admin plugin to trigger for new risk events, but for testing purposes I was going to just list the risk detections and use that output.
Let me know how it goes.
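An added example (not the attached snippet, and not InsightConnect's own code) of how such a Python step can be wired the way the thread suggests: app secret in the connection's secret key field, app id and tenant id in the username and password fields, and every secret masked before anything reaches step output or job logs. It assumes the Graph `confirmCompromised` endpoint (which needs IdentityRiskyUser.ReadWrite.All, not on this page) and a hypothetical `sender` parameter for injecting a fake HTTP client.

```python
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
LOGIN = "https://login.microsoftonline.com"


def token_request(tenant_id, client_id, client_secret):
    """Client-credentials token request; the secret travels only in the POST body, never in a URL."""
    form = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret,
                                   "scope": "https://graph.microsoft.com/.default",
                                   "grant_type": "client_credentials"}).encode()
    return urllib.request.Request(f"{LOGIN}/{tenant_id}/oauth2/v2.0/token", data=form, method="POST")


def list_risky_users_request(token):
    """GET /identityProtection/riskyUsers (application permission IdentityRiskyUser.Read.All)."""
    return urllib.request.Request(f"{GRAPH}/identityProtection/riskyUsers",
                                  headers={"Authorization": f"Bearer {token}"})


def confirm_compromised_request(token, user_ids):
    """POST /identityProtection/riskyUsers/confirmCompromised; body is {"userIds": [...]}."""
    return urllib.request.Request(f"{GRAPH}/identityProtection/riskyUsers/confirmCompromised",
                                  data=json.dumps({"userIds": list(user_ids)}).encode(), method="POST",
                                  headers={"Authorization": f"Bearer {token}",
                                           "Content-Type": "application/json"})


def redact(text, secrets):
    """Mask every secret value so it cannot leak into step output or job data."""
    for s in secrets:
        if s:
            text = text.replace(s, "***REDACTED***")
    return text


def send(req):
    """Real HTTP sender; confirmCompromised answers 204 with an empty body, hence the b"{}" fallback."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")


def confirm_users(connection, user_ids, sender=send):
    """Connection fields as the thread proposes: secret_key = app secret, username = app id, password = tenant id."""
    tenant, app_id, secret = connection["password"], connection["username"], connection["secret_key"]
    token = sender(token_request(tenant, app_id, secret))["access_token"]
    sender(confirm_compromised_request(token, user_ids))
    log = f"confirmed {len(list(user_ids))} user(s) via app {app_id} in tenant {tenant}"
    return {"confirmed": list(user_ids), "log": redact(log, [secret, token, app_id, tenant])}
```

Note that Graph responses may themselves echo identifiers such as the tenant id, so run `redact` over anything you pass back to the workflow, not only over your own log lines.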
A new update is available to the python plugin that should help you out.
Absolute legends - thank you!