Azure Resource Graph
Azure Resource Graph Pack.#
This Integration is part of theSupported versions
Supported Cortex XSOAR versions: 6.10.0 and later.
Azure Resource Graph is an Azure service designed to extend Azure Resource Management by providing efficient and performant resource exploration with the ability to query at scale across a given set of resources.
#
Authorize Cortex XSOAR for Azure Resource Graph (Self-Deployed Configuration)To use a self-configured Azure application, you need to add a new Azure App Registration in the Azure Portal. To add the registration, see the Microsoft article.
#
AuthenticationTo enable and configure authentication using self deployed app, follow the Self-Deployed Application Authentication
For more details about the authentication used in this integration, see Microsoft Integrations - Authentication.
- After authorizing the Self-Deployed Application, you will get an ID, Token, and Key, which should be inserted in the integration instance configuration's corresponding fields. After giving consent, the application has to have a role assigned so it can access the relevant resources per subscription.
- In order to assign a role to the application after consent was given:
- Go to the Azure Portal UI.
- Go to Subscriptions, and then Access Control (IAM).
- Click "Add role assignment".
- Create a new role or select a role that includes permissions for the queries you plan to run.
- Select the Azure Resource Graph application. By default, Azure Applications aren't displayed in the available options. To find your application, search for the name and select it.
#
Client Credentials FlowFollow these steps for client-credentials configuration:.
- In the instance configuration, select the Use a self-deployed Azure application - Client Credentials Authorization Flow checkbox.
- Enter your Client ID in the ID (Client ID) parameter.
- Enter your Client Secret in the Key (Client Secret) parameter.
- Enter your Tenant ID in the Token (Tenant ID) parameter.
- Click Test to validate the URLs, token, and connection.
To use The Azure Resource Graph, you must have appropriate rights in Azure role-based access control (Azure RBAC) with at least read access to the resources you want to query. No results are returned if you don't have at least read permissions to the Azure object or object group.
#
Configure Azure Resource Graph in CortexParameter | Description | Required |
---|---|---|
Token / Tenant ID | Received from the authorization process or from the self-deployed configuration process (find the tenant ID in your app overview page in the Azure portal) | False |
Token / Tenant ID | False | |
ID / Client ID | Received from the authorization process or from the self-deployed configuration process. | False |
Key / Client Secret | False | |
Certificate Thumbprint | Used for certificate authentication. As appears in the "Certificates & secrets" page of the app. | False |
Private Key | Used for certificate authentication. The private key of the registered certificate. | False |
Trust any certificate (not secure) | False | |
Use system proxy settings | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
azure-rg-list-operations#
Base Commandazure-rg-list-operations
#
InputArgument Name | Description | Required |
---|---|---|
limit | The maximum number of operations to return (Default is 50). | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
AzureResourceGraph.Operations | String | A list of available Azure Resource Graph operations permissions and descriptions. |
#
Command Example!azure-rg-list-operations limit=50
#
Context Example#
Human Readable OutputDisplay | Name |
---|---|
provider: Microsoft Resource Graph resource: Operation operation: Get Operations description: Gets the list of supported operations | Microsoft.ResourceGraph/operations/read |
provider: Microsoft Resource Graph resource: Resources operation: Query resources description: Submits a query on resources within specified subscriptions, management groups or tenant scope | Microsoft.ResourceGraph/resources/read |
#
azure-rg-query#
Base Commandazure-rg-query
#
InputArgument Name | Description | Required |
---|---|---|
query | The query to execute. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
AzureResourceGraph.Query | String | Data returned from query. |
#
Command Example!azure-rg-query query="resources | where type == 'microsoft.network/publicipaddresses'| where properties['ipAddress'] == '11.22.33.44' | project name, id, tenantId, subscriptionId, resourceGroup | join kind=inner (resourcecontainers | where type == 'microsoft.resources/subscriptions' | project subscriptionId, properties.managementGroupAncestorsChain) on subscriptionId"
#
Context Example#
Human Readable Outputid | name | properties_managementGroupAncestorsChain | resourceGroup | subscriptionId | tenantId |
---|---|---|---|---|---|
/subscriptions/1abc234d-12a3-12a3-12a3-1234abcde123/resourceGroups/test-vm-resource-group/providers/Microsoft.Network/publicIPAddresses/test-vm-1-ip | test-vm-1-ip | {'displayName': 'grand-child-managment-group', 'name': 'grand-child-managment-group'}, {'displayName': 'child-management-group', 'name': 'child-management-group'}, {'displayName': 'test-new-managment-group', 'name': 'test-new-managment-group'}, {'displayName': 'Tenant Root Group', 'name': 'a11111111-222-3333-12a3-1234abcde123'} | test-vm-resource-group | 1abc234d-12a3-12a3-12a3-1234abcde123 | a11111111-222-3333-12a3-1234abcde123 |
#
azure-rg-auth-resetRun this command if for some reason you need to rerun the authentication process.
#
Base Commandazure-rg-auth-reset
#
InputThere are no input arguments for this command.
#
Context OutputThere is no context output for this command.