I am trying to create a workflow within InsightConnect to reset password and revoke sessions within Entra ID when a certain rule is generated using the Entra ID plugin. I am using the “InsightIDR Detection Rule” action item and selected the “MS Defender Azure AD Identity Protection - C2C - Malicious IP address” rule under the “Third Party Alert” source. This has multiple output fields such as:
The Entra ID plugin needs a user id to know which user it is modifying. I originally used the attribute below:
{{["Malicious IP Sign Ins - Microsoft Defender"].[alert].[user]}}
However, it failed with the error of:
Step error: Plugin step input contained a null value or empty string in a required input
Invalid input was found in: user_id
I am guessing that the attribute above doesn’t contain anything, and as a result, the plugin cannot find the user to reset password / revoke session. I then created a dummy workflow with just the first step of “InsightIDR Detection Rule” action and selected the rule above. When testing the workflow, it has multiple input options such as:
detection rule → Rrn
detection rule → Name
alert → alert id
My goal was to use an existing alert that was triggered by the “MS Defender Azure AD Identity Protection - C2C - Malicious IP address” rule earlier today to pull the values and see if I can figure out which output field I should use to retrieve the email address, but nothing is being returned when filling out some of these fields, such as adding the alert id.
When looking at the actual alert details, I don’t see any fields that match the output fields of the “InsightIDR Detection Rule” action item. The only key that has the user’s email address is:
Which isn’t part of the output attributes. I also don’t have an option to edit the output and add my own ones.
Does anyone have any input on which attribute contains the email address, or on why nothing is being returned when testing the workflow with some of the values provided?
The best thing for you to do when first starting a workflow and not familiar with the output is to set up the trigger and then enable the workflow. Once the workflow has triggered a job in InsightConnect you will get a better handle on the JSON structure of the payload and can use handlebars to input the correct variable. If you cannot trigger a job from IDR to InsightConnect you may be able to copy the alert details from the Evidence of an Alert in IDR into InsightConnect, but this is prone to error since it has to look exact.
If you don’t want to mess with any of that you could always use the extractit plugin to extract emails from the Alert Object of the trigger and use the output of that action for your Azure action.
Thank you for letting me know about the plugin, I will give it a shot! This one is a little bit tricky to trigger since I would need to sign in from a malicious IP, so I will see if I can wait for the alert to be triggered again. One question that I have: is it possible to use your own “input” (aka schema trigger) values that aren’t defined?
For example, when using the IDR action for MS related alerts, it provides a list of available trigger schema. However, this schema does not contain the actual ID of the alert within the Microsoft Defender portal. What I would like to do, once the session is revoked / password is reset, is to have InsightConnect also add a comment to the alert in the MS Defender portal stating that such action was taken. The only thing that I see that is closest to the alert id is:
alert → alert id: {{[alert].[alert_id]}}
But when looking at the output of the workflow, this appears to be the ID of the InsightIDR alert rather than the ID of the MS Defender alert. The MS Defender alert ID appears to be in the following structure (incidentId):
alert {
  "alert_id": "adab7178.....",
  "description": "Sign-in from an IP address known to be malicious during or around the time of sign-in",
  "product": "AAD_IDENTITY_PROTECTION",
  "severity": "High",
  "source_json": { "incidentId": "51308" }
}
So could I do something like this:
{{[alert].[source_json].[incidentId]}}
Despite it not being defined in the trigger schema? I am not able to modify the existing available trigger schema for the IDR third party alert action, and I wasn’t sure if I could use my own “schema” even if it is not defined.
If you look in a job and you see the value you want, but you don’t see the value you want when you go to select a variable, you just get as close as you can.
In your scenario if you wanted incident id you would get as close to incidentID as you can using the variable picker. Perhaps that is source_json. So when you pick it you would have {{["alert"].[source_json]}}. You would then modify it to {{["alert"].[source_json].[incidentId]}}.
If you type everything by hand and don’t select with the variable picker at all, remember the step name is in "". If your step name is alert, every variable from that step output will be {{["alert"].[something]}}.
I prefer to view the data in the jobs page using list view. If you have to drop down the arrow to see the data you want to get to, then you have to include that value in your variable.
If I want to grab the critical variable in my screenshot the closest I can get is the entire vulnerabilities object: {{["Get Scan"].[vulnerabilities]}}
To retrieve critical I would modify that variable as seen below: {{["Get Scan"].[vulnerabilities].[critical]}}
I think you already understand, just adding more context for anyone else looking at your thread trying to follow along and learn.
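To make the two ideas in this thread concrete (hand-editing a picker variable down into source_json, and pulling the e-mail address out of the alert object the way the extractit suggestion would), here is an added Python illustration. It is not InsightConnect or plugin code; the job payload, the placeholder alert id and the userPrincipalName field are constructed for the example.

```python
import re

# Constructed job payload keyed by step name, shaped like the alert quoted
# in the thread. Values are placeholders, not real alert data.
SAMPLE_JOB = {
    "alert": {
        "alert_id": "PLACEHOLDER-IDR-ALERT-ID",
        "description": "Sign-in from an IP address known to be malicious",
        "product": "AAD_IDENTITY_PROTECTION",
        "severity": "High",
        "source_json": {
            "incidentId": "51308",
            "userPrincipalName": "alice.example@example.com",  # constructed
        },
    },
}

# {{["step"].[key].[subkey]}} : a bracketed segment, then ".[segment]" repeats
VAR_RE = re.compile(r"^\{\{(\[[^\]]+\](?:\.\[[^\]]+\])*)\}\}$")
SEG_RE = re.compile(r"\[([^\]]+)\]")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def resolve(template, job):
    """Walk a handlebars-style variable down the job payload.
    Returns None when any segment is missing, which is the situation behind
    the 'null value or empty string in a required input' step error."""
    m = VAR_RE.match(template.strip())
    if not m:
        raise ValueError(f"not a handlebars variable: {template}")
    node = job
    for seg in SEG_RE.findall(m.group(1)):
        key = seg.strip().strip('"\u201c\u201d')  # accept straight or curly quotes
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def extract_emails(obj):
    """Collect unique e-mail addresses from every string inside the alert object."""
    found = []

    def walk(node):
        if isinstance(node, dict):
            for v in node.values():
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)
        elif isinstance(node, str):
            for e in EMAIL_RE.findall(node):
                if e not in found:
                    found.append(e)

    walk(obj)
    return found
```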
Thank you for the clarification! I went ahead and did that, so I will keep an eye on it next time the alert is triggered. It’s good to know that I can retrieve the values on my “own” without having to use the variable picker since it can sometimes be somewhat limited. Thank you for your help!