
MSEntraID#

README

Microsoft Entra ID Sign In Retriever#

This responder allows you to revoke the session tokens for a Microsoft Entra ID user. It requires the UPN of the account in question, entered as a "mail" observable in TheHive.

Config#

To enable the responder, you need three values:

  1. Microsoft Entra ID Tenant ID
  2. Application ID
  3. Application Secret

The first two values can be found at any time in the application's Overview page in the Microsoft Entra ID portal. The secret must be generated and then stored in a safe place, as it is only fully visible when you first make it.

You can also limit how far back the analyzer requests sign-ins (a number of days) and how many sign-ins are returned (a count).

Finally, you can specify a state and a country/region; these are used as taxonomies. If a query on a particular user returns sign-ins from outside the configured state, a taxonomy label is added to the observable to flag that; likewise for the country/region. The analyzer supports only a single state and a single country/region, so if your users legitimately sign in from more than one, leave these values blank. If a value is not configured, the analyzer simply does not emit that taxonomy.

Setup#

Prereqs#

  - User account with the Cloud Application Administrator role.
  - User account with the Global Administrator role (most of the steps can be done with only the Cloud Application Administrator role, but the final authorization of the app's API permissions requires Global Administrator).

Steps#

Creation#

  1. Navigate to the Microsoft Entra ID Portal and sign in with the relevant administrator account.
  2. Navigate to App Registrations, and create a new registration.
  3. Provide a display name (this can be anything, and can be changed later). Click Register.

Secret#

  1. Navigate to Certificates and Secrets.
  2. Create a new client secret. Enter a relevant description and set a security-conscious expiration date.
  3. Copy the Value. This will only be fully visible for a short time, so you should immediately copy it and store it in a safe place.

API Permissions#

  1. Navigate to API permissions.
  2. Add the Directory.Read.All, AuditLog.Read.All, and Policy.Read.ConditionalAccess permissions (Microsoft Graph API, application permissions).
  3. Using a Global Administrator account, select the "Grant admin consent for TENANTNAME" button.
  4. Place the relevant values into the analyzer's config within Cortex.
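The following is an added worked example and not the analyzer's own code. It shows how the three config values from the steps above feed a client-credentials token request for the registered app, how `lookup_range` and `lookup_limit` become a Microsoft Graph `auditLogs/signIns` query for one UPN (quoting the UPN so an apostrophe cannot break the OData `$filter`), and how the `state` / `country` settings turn into taxonomies. The Graph and token endpoints are real; the function names, the taxonomy namespace and predicates, and every sign-in record below are constructed assumptions.

```python
"""Added example: build the Graph sign-in query from the analyzer config values and
derive the out-of-state / out-of-country taxonomies. Not the project's own code."""
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlencode

GRAPH_SIGNINS = "https://graph.microsoft.com/v1.0/auditLogs/signIns"
LOGIN = "https://login.microsoftonline.com"
NAMESPACE = "MSEntraID"  # assumed taxonomy namespace, not taken from the analyzer


def token_request(tenant_id, client_id, client_secret):
    """Client-credentials request for the app registration; application permissions
    (AuditLog.Read.All etc.) are consented once by a Global Administrator."""
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # never log this value
        "scope": "https://graph.microsoft.com/.default",
    }
    return url, form


def odata_literal(value):
    """Quote a string for an OData $filter. An apostrophe in a UPN (o'brien@...) is
    doubled, so user-supplied input cannot alter the filter expression."""
    return "'" + value.replace("'", "''") + "'"


def signins_url(upn, lookup_range=7, lookup_limit=12, now=None):
    """Graph query for one user's sign-ins in the last `lookup_range` days (1..31),
    returning at most `lookup_limit` records."""
    if not 1 <= lookup_range <= 31:
        raise ValueError("lookup_range must be between 1 and 31 days")
    now = now or datetime.now(timezone.utc)
    since = (now - timedelta(days=lookup_range)).strftime("%Y-%m-%dT%H:%M:%SZ")
    params = {
        "$filter": f"userPrincipalName eq {odata_literal(upn)} and createdDateTime ge {since}",
        "$top": lookup_limit,
    }
    # quote_via=quote encodes spaces as %20 rather than '+'
    return GRAPH_SIGNINS + "?" + urlencode(params, quote_via=quote)


def taxonomies(signins, expected_state=None, expected_country=None):
    """Count sign-ins whose Graph `location` falls outside the configured state or
    country/region; an unset expectation produces no taxonomy, mirroring the README."""
    out = []
    for field, expected, predicate in (
        ("state", expected_state, "OutOfState"),
        ("countryOrRegion", expected_country, "OutOfCountry"),
    ):
        if not expected:
            continue
        seen = [(s.get("location") or {}).get(field) for s in signins]
        count = sum(1 for v in seen if v and v != expected)  # unknown location is not counted
        if count:
            out.append({"level": "suspicious", "namespace": NAMESPACE,
                        "predicate": predicate, "value": f"{count} sign-ins"})
    return out


# Constructed sample response records in the shape Graph returns for signIns
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-01-14T09:00:00Z", "location": {"city": "Austin", "state": "Texas", "countryOrRegion": "US"}},
    {"createdDateTime": "2024-01-13T18:20:00Z", "location": {"city": "Dallas", "state": "Texas", "countryOrRegion": "US"}},
    {"createdDateTime": "2024-01-12T02:10:00Z", "location": {"city": "Oakland", "state": "California", "countryOrRegion": "US"}},
    {"createdDateTime": "2024-01-11T22:45:00Z", "location": {"city": "Berlin", "state": "Berlin", "countryOrRegion": "DE"}},
]


def sample_taxonomies():
    """Run the constructed sample through the README's rule (state=Texas, country=US)."""
    return taxonomies(SAMPLE_SIGNINS, expected_state="Texas", expected_country="US")


if __name__ == "__main__":
    print(signins_url("o'brien@example.com", lookup_range=7, lookup_limit=12))
    for t in sample_taxonomies():
        print(t["predicate"], t["value"])
```

With the constructed sample, two sign-ins fall outside Texas and one outside the US, so the observable would receive `OutOfState` and `OutOfCountry` labels; leaving either expectation unset suppresses that label entirely.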

Customization#

It is possible to add a color coding system to the long report as viewed from TheHive. Specifically, you can color code the Sign Ins table so that certain ones stand out.

Example#

Let's say you are in an organization where almost all of your users sign in from a single state. You could color code the table so that out-of-state sign-ins are highlighted yellow and out-of-country sign-ins are highlighted red. To enable customization like this, modify this analyzer's long.html so that the `ng-style` attribute on the table row (`<tr>`) element inside the table body checks values from the full JSON report. An example exists as a comment in the long.html file at line 34.

MSEntraID_GetSignIns#

Author: @jahamilto
License: AGPL-V3
Version: 1.0
Supported observable types:
- mail
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.microsoft.com/security/business/identity-access/microsoft-entra-id

Description#

Pull all Microsoft Entra ID sign-ins for a user within the specified amount of time.

Configuration#

| Name | Description | Default value if not configured | Type | Can contain multiple values | Is required |
|---|---|---|---|---|---|
| `tenant_id` | Microsoft Entra ID Tenant ID | N/A | string | False | True |
| `client_id` | Client ID/Application ID of the Microsoft Entra ID registered app | N/A | string | False | True |
| `client_secret` | Secret for the Microsoft Entra ID registered application | N/A | string | False | True |
| `lookup_range` | Check for sign-ins in the last X days. Should be between 1 and 31 days. | 7 | number | False | False |
| `lookup_limit` | Display no more than this many sign-ins. | 12 | number | False | False |
| `state` | Expected sign-in state (used as a taxonomy when sign-ins appear outside of this area). | N/A | number | False | False |
| `country` | Expected sign-in country or region (used as a taxonomy when sign-ins appear outside of this area). | N/A | number | False | False |

Templates samples for TheHive#

No template samples to display.