MSEntraID#
README
Microsoft Entra ID Sign In Token Revoker Responder#
This responder allows you to revoke the session tokens for an Microsoft Entra ID user. Requires the UPN of the account in question, which should be entered as a "mail" observable in TheHive.
Config#
To enable the responder, you need three values: 1. Microsoft Entra ID Tenant ID 2. Application ID 3. Application Secret
The first two values can be found at any time in the application's Overview page in the Microsoft Entra ID portal. The secret must be generated and then stored in a safe place, as it is only fully visible when you first make it.
Setup#
Prereqs#
User account with the Cloud Application Administrator role. User account with the Global Administrator Role (most of the steps can be done with only the Cloud App Administrator role, but the final authorization for its API permissions requires GA).
Steps#
Creation#
- Navigate to the Microsoft Entra ID Portal and sign in with the relevant administrator account.
- Navigate to App Registrations, and create a new registration.
- Provide a display name (this can be anything, and can be changed later). Click Register.
Secret#
- Navigate to Certificates and Secrets.
- Create a new client secret. Enter a relevant description and set a security-conscious expiration date.
- Copy the Value. This will only be fully visible for a short time, so you should immediately copy it and store it in a safe place.
API Permissions#
- Navigate to API permissions.
- Add the Directory.ReadWrite.All and User.ReadWrite.All permissions (Microsoft Graph API, application permissions).
-
Using a GA account, select the "Grant admin consent for TENANTNAME" button.
-
Place the relevant values into the config within Cortex.
MSEntraID_TokenRevoker#
Author: Daniel Weiner @dmweiner, revised by @jahamilto
License: AGPL-V3
Version: 1.1
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.microsoft.com/security/business/identity-access/microsoft-entra-id
Description#
Revoke all Microsoft Entra ID authentication session tokens for a User Principal Name.
Configuration#
| tenant_id | Microsoft Entra ID Tenant ID |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| client_id | Client ID/Application ID of Microsoft Entra ID Registered App |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| client_secret | Secret for Microsoft Entra ID Registered Application |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |