# Azure Risky Users

This Integration is part of the Azure Risky Users Pack.

## Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Azure Risky Users provides access to all at-risk users and risk detections in an Azure AD environment. This integration was integrated and tested with v1.0 of the Microsoft Graph API (risky users and risk detections).
## Authorization

To connect to Azure Risky Users, use either the Cortex XSOAR Azure App or a Self-Deployed Azure App. In both options the OAuth 2.0 device authorization grant flow is used: the integration never holds a client secret, a user signs in interactively once, and the resulting tokens are stored by the instance.

1. Fill in the required parameters.
2. Run the !azure-risky-users-auth-start command.
3. Follow the instructions that appear (open the device login page in a browser and enter the one-time code).
4. Run the !azure-risky-users-auth-complete command.

At the end of the process you will see a message that you have logged in successfully.
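The four steps above are the OAuth 2.0 device authorization grant (RFC 8628). The following is an added example, not code from the integration or the pack: it walks both halves of that exchange in Python, the device-code request that auth-start wraps and the token polling that auth-complete wraps, including the `authorization_pending`, `slow_down` and expiry cases a client has to handle. Assumptions: the `organizations` tenant in the authority URL (the page lists only a Client ID parameter), delegated Graph scopes matching the permissions listed under Azure Application, and an injectable POST function so the offline run exercises the full pending / slow_down / token sequence without network access.

```python
"""Device authorization grant (RFC 8628) against the Microsoft identity platform.

Added example, not the integration's own code. It walks the exchange that
auth-start / auth-complete wrap: a public client requests a device code, the
user enters it at the verification URL, and the client polls the token
endpoint until the user finishes. HTTP is injectable so the flow runs offline.
Assumptions: the 'organizations' tenant, and delegated Graph scopes matching
the permissions listed on this page.
"""
import json
import sys
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, List

AUTHORITY = "https://login.microsoftonline.com/organizations"  # assumed tenant
DEVICE_CODE_URL = AUTHORITY + "/oauth2/v2.0/devicecode"
TOKEN_URL = AUTHORITY + "/oauth2/v2.0/token"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"
SCOPES = " ".join([  # delegated scopes; offline_access is what yields a refresh token
    "https://graph.microsoft.com/IdentityRiskyUser.Read.All",
    "https://graph.microsoft.com/IdentityRiskEvent.Read.All",
    "https://graph.microsoft.com/User.Read",
    "offline_access",
])
PostFn = Callable[[str, Dict[str, str]], Dict[str, Any]]


def http_post(url: str, form: Dict[str, str]) -> Dict[str, Any]:
    """Real transport: form-encoded POST. The token endpoint reports
    authorization_pending, slow_down etc. as HTTP 400 with a JSON body, so
    decode error responses instead of raising on them."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        return json.loads(err.read().decode())


def start_device_flow(client_id: str, post: PostFn = http_post) -> Dict[str, Any]:
    """auth-start: only client_id and scope are sent. There is no client secret,
    which is why the app registration must allow public client flows."""
    resp = post(DEVICE_CODE_URL, {"client_id": client_id, "scope": SCOPES})
    missing = [k for k in ("device_code", "user_code", "verification_uri", "expires_in")
               if k not in resp]
    if missing:
        raise ValueError(f"device code response missing {missing}: "
                         f"{resp.get('error_description', resp)}")
    return resp


def complete_device_flow(client_id: str, device: Dict[str, Any],
                         post: PostFn = http_post,
                         sleep: Callable[[float], None] = time.sleep) -> Dict[str, Any]:
    """auth-complete: poll the token endpoint until the user has signed in,
    honouring the server interval, slow_down (+5 s, RFC 8628 section 3.5) and
    the device code's expiry. Anything other than pending/slow_down is final."""
    interval = int(device.get("interval", 5))
    remaining = int(device["expires_in"])
    while True:
        resp = post(TOKEN_URL, {"grant_type": GRANT_TYPE, "client_id": client_id,
                                "device_code": device["device_code"]})
        if "access_token" in resp:
            return resp
        err = resp.get("error")
        if err == "slow_down":
            interval += 5
        elif err != "authorization_pending":  # expired_token, access_denied, ...
            raise PermissionError(f"device flow failed: {err}: "
                                  f"{resp.get('error_description', '')}")
        if remaining <= 0:
            raise TimeoutError("device code expired before the user finished signing in")
        sleep(interval)
        remaining -= interval


def simulate_offline(client_id: str = "00000000-0000-0000-0000-000000000000") -> Dict[str, Any]:
    """Constructed offline run: a fake server answers pending, then slow_down,
    then issues a token. Returns what the client observed so it can be checked."""
    polls: List[str] = []
    sleeps: List[float] = []

    def fake_post(url: str, form: Dict[str, str]) -> Dict[str, Any]:
        if url == DEVICE_CODE_URL:
            return {"device_code": "DEV-CODE", "user_code": "ABCD-EFGH", "interval": 5,
                    "verification_uri": "https://microsoft.com/devicelogin", "expires_in": 900}
        polls.append(form["device_code"])
        return [{"error": "authorization_pending"}, {"error": "slow_down"},
                {"access_token": "eyJ...", "refresh_token": "rt", "expires_in": 3600}][len(polls) - 1]

    device = start_device_flow(client_id, fake_post)
    token = complete_device_flow(client_id, device, fake_post, sleep=sleeps.append)
    return {"user_code": device["user_code"], "polls": len(polls), "sleeps": sleeps,
            "access_token": token["access_token"]}


if __name__ == "__main__":
    cid = sys.argv[1] if len(sys.argv) > 1 else ""
    if not cid:  # no client ID given: run the offline simulation
        print(simulate_offline())
    else:        # live run; prints the same instructions auth-start shows in the War Room
        dev = start_device_flow(cid)
        print(f"Open {dev['verification_uri']} and enter the code {dev['user_code']}")
        print("authorization completed" if complete_device_flow(cid, dev) else "no token")
```

Run with no argument to see the offline simulation (three polls, sleeps of 5 s then 10 s after the `slow_down`); run with an application (client) ID to perform the real flow against the assumed tenant. The polling loop is also why auth-start and auth-complete are two separate commands: the device code is only valid until `expires_in` elapses, so a stale session must be restarted with auth-reset rather than polled forever.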
## Azure Application

To use a self-configured Azure application, you need to add a new Azure App Registration in the Azure Portal.

The application must have the IdentityRiskEvent.Read.All, IdentityRiskEvent.ReadWrite.All, IdentityRiskyUser.Read.All, IdentityRiskyUser.ReadWrite.All and User.Read permissions (these require admin consent), and must allow public client flows (found under the Authentication section of the app registration). The device authorization grant cannot present a client secret, so the registration has to be treated as a public client; without that setting the auth-complete step fails.
## Configure AzureRiskyUsers on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for AzureRiskyUsers.
3. Click Add instance to create and configure a new integration instance.

   Parameter | Required |
   ---|---|
   Use system proxy | False |
   Trust any certificate | False |
   Client ID | True |

   Leave Trust any certificate at False unless a TLS-intercepting proxy makes it unavoidable; enabling it disables certificate validation for the Azure endpoints.

4. Click Test to validate the URLs, token, and connection.
## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
### azure-risky-users-auth-test

Tests the connectivity to Azure.

#### Base Command

`azure-risky-users-auth-test`

#### Input

There are no input arguments for this command.

#### Context Output

There is no context output for this command.

#### Command Example

`!azure-risky-users-auth-test`

#### Human Readable Output

Success!
### azure-risky-users-auth-start

Run this command to start the authorization process and follow the instructions in the command results.

#### Base Command

`azure-risky-users-auth-start`

#### Input

There are no input arguments for this command.

#### Context Output

There is no context output for this command.

#### Command Example

`!azure-risky-users-auth-start`

#### Human Readable Output

Authorization instructions

- To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code XXXXX to authenticate.
- Run the !azure-risky-users-auth-complete command in the War Room.
### azure-risky-users-auth-complete

Run this command to complete the authorization process. It should be used after running the azure-risky-users-auth-start command.

#### Base Command

`azure-risky-users-auth-complete`

#### Input

There are no input arguments for this command.

#### Context Output

There is no context output for this command.

#### Command Example

`!azure-risky-users-auth-complete`

#### Human Readable Output

Authorization completed successfully.
### azure-risky-users-auth-reset

Run this command if you need to rerun the authentication process.

#### Base Command

`azure-risky-users-auth-reset`

#### Input

There are no input arguments for this command.

#### Context Output

There is no context output for this command.

#### Command Example

`!azure-risky-users-auth-reset`

#### Human Readable Output

Authorization was reset successfully. Run !azure-risky-users-auth-start to start the authentication process.
### azure-risky-users-list

List all risky users and their properties.

#### Base Command

`azure-risky-users-list`

#### Input

Argument Name | Description | Required |
---|---|---|
risk_state | Risk State to retrieve. If not specified, all states will be retrieved. Possible values are: atRisk, confirmedCompromised, remediated, dismissed. | Optional |
limit | Limit of results to retrieve. Default is 50. | Optional |
page | Page number. Default is 1. | Optional |
risk_level | Specify to get only results with the same Risk Level. Possible values are: low, medium, high. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
AzureRiskyUsers.RiskyUser.id | String | Unique ID of the user at risk. |
AzureRiskyUsers.RiskyUser.userDisplayName | String | Risky user display name. |
AzureRiskyUsers.RiskyUser.userPrincipalName | String | Risky user principal name. |
AzureRiskyUsers.RiskyUser.riskLevel | String | Level of the detected risky user. Possible values are: low, medium, high, hidden, none, unknownFutureValue. |
AzureRiskyUsers.RiskyUser.riskState | String | State of the user's risk. Possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised. |
AzureRiskyUsers.RiskyUser.riskLastUpdatedDateTime | Date | The date and time that the risky user was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: 2014-01-01T00:00:00Z |
AzureRiskyUsers.RiskyUser.isDeleted | Boolean | Indicates whether the user is deleted. |
AzureRiskyUsers.RiskyUser.isProcessing | Boolean | Indicates whether a user's risky state is being processed by the backend. |
AzureRiskyUsers.RiskyUser.riskDetail | String | Details of the detected risk. Possible values are: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, unknownFutureValue. |

#### Command Example

`!azure-risky-users-list limit=2`

#### Context Example

#### Human Readable Output

Risky Users List

Current page size: 2
Showing page 1 out others that may exist

Id | User Display Name | User Principal Name | Risk Level | Risk State | Risk Detail | Risk Last Updated Date Time |
---|---|---|---|---|---|---|
111 | Or Israeli | ori@test.com | none | dismissed | adminDismissedAllRiskForUser | 2021-08-09T11:47:58.5581222Z |
222 | Elad Israeli | EladI@test.com | none | remediated | userPerformedSecuredPasswordReset | 2020-11-05T18:35:39.2628939Z |

### azure-risky-user-get

Retrieve properties and relationships of a Risky User.

#### Base Command

`azure-risky-user-get`

#### Input

Argument Name | Description | Required |
---|---|---|
id | Risky user ID to retrieve. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
AzureRiskyUsers.RiskyUser.id | String | Unique ID of the user at risk. |
AzureRiskyUsers.RiskyUser.userDisplayName | String | Risky user display name. |
AzureRiskyUsers.RiskyUser.userPrincipalName | String | Risky user principal name. |
AzureRiskyUsers.RiskyUser.riskLevel | String | Level of the detected risky user. Possible values are: low, medium, high, hidden, none, unknownFutureValue. |
AzureRiskyUsers.RiskyUser.riskState | String | State of the user's risk. Possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised. |
AzureRiskyUsers.RiskyUser.riskLastUpdatedDateTime | Date | The date and time that the risky user was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: 2014-01-01T00:00:00Z |
AzureRiskyUsers.RiskyUser.isDeleted | Boolean | Indicates whether the user is deleted. |
AzureRiskyUsers.RiskyUser.isProcessing | Boolean | Indicates whether a user's risky state is being processed by the backend. |
AzureRiskyUsers.RiskyUser.riskDetail | String | Details of the detected risk. Possible values are: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, unknownFutureValue. |

#### Command Example

`!azure-risky-user-get id=333`

#### Context Example

#### Human Readable Output

Found Risky User With ID: 333

Id | User Display Name | User Principal Name | Risk Level | Risk State | Risk Detail | Risk Last Updated Date Time |
---|---|---|---|---|---|---|
333 | Yossi Israeli | yossi@test.com | none | remediated | userPerformedSecuredPasswordReset | 2020-10-05T12:12:17.2115592Z |

### azure-risky-users-risk-detections-list

Get a list of the riskDetection objects and their properties.

#### Base Command

`azure-risky-users-risk-detections-list`

#### Input

Argument Name | Description | Required |
---|---|---|
limit | Limit of results to retrieve. Default is 50. | Optional |
page | Page number. Default is 1. | Optional |
risk_state | Risk State to retrieve. If not specified, all states will be retrieved. Possible values are: atRisk, confirmedCompromised, remediated, dismissed, confirmedSafe. | Optional |
risk_level | Specify to get only results with the same Risk Level. Possible values are: low, medium, high. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
AzureRiskyUsers.RiskDetection.id | String | Unique ID of the risk detection. Inherited from entity. |
AzureRiskyUsers.RiskDetection.userId | String | Unique ID of the user. |
AzureRiskyUsers.RiskDetection.userDisplayName | String | The user display name of the user. |
AzureRiskyUsers.RiskDetection.userPrincipalName | String | The user principal name (UPN) of the user. |
AzureRiskyUsers.RiskDetection.riskDetail | String | Details of the detected risk. Possible values are: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, unknownFutureValue. |
AzureRiskyUsers.RiskDetection.riskEventType | String | The type of risk event detected. The possible values are unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, adminConfirmedUserCompromised, mcasImpossibleTravel, mcasSuspiciousInboxManipulationRules, investigationsThreatIntelligenceSigninLinked, maliciousIPAddressValidCredentialsBlockedIP, and unknownFutureValue. If the risk detection is a premium detection, the value shown is generic. |
AzureRiskyUsers.RiskDetection.riskLevel | String | Level of the detected risk. Possible values are: low, medium, high, hidden, none, unknownFutureValue. |
AzureRiskyUsers.RiskDetection.riskState | String | The state of a detected risky user or sign-in. Possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue. |
AzureRiskyUsers.RiskDetection.ipAddress | String | Provides the IP address of the client from where the risk occurred. |
AzureRiskyUsers.RiskDetection.source | String | Source of the risk detection. For example, activeDirectory. |
AzureRiskyUsers.RiskDetection.detectionTimingType | String | Timing of the detected risk (real-time/offline). Possible values are: notDefined, realtime, nearRealtime, offline, unknownFutureValue. |
AzureRiskyUsers.RiskDetection.lastUpdatedDateTime | Date | Date and time that the risk detection was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like this: 2014-01-01T00:00:00Z |
AzureRiskyUsers.RiskDetection.location | String | Location of the sign-in. |
AzureRiskyUsers.RiskDetection.activity | String | Indicates the activity type the detected risk is linked to. Possible values are: signin, user, unknownFutureValue. |
AzureRiskyUsers.RiskDetection.activityDateTime | Date | Date and time that the risky activity occurred. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like this: 2014-01-01T00:00:00Z |
AzureRiskyUsers.RiskDetection.additionalInfo | String | Additional information associated with the risk detection in JSON format. |
AzureRiskyUsers.RiskDetection.correlationId | String | Correlation ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in. |
AzureRiskyUsers.RiskDetection.detectedDateTime | Date | Date and time that the risk was detected. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like this: 2014-01-01T00:00:00Z |
AzureRiskyUsers.RiskDetection.requestId | String | Request ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in. |
AzureRiskyUsers.RiskDetection.tokenIssuerType | String | Indicates the type of token issuer for the detected sign-in risk. Possible values are: AzureAD, ADFederationServices, UnknownFutureValue. |

#### Command Example

`!azure-risky-users-risk-detections-list limit=2`

#### Context Example

#### Human Readable Output

Risk Detections List

Current page size: 2
Showing page 1 out others that may exist

Id | User Id | User Display Name | User Principal Name | Risk Detail | Risk Event Type | Risk Level | Risk State | Last Updated Date Time | Ip Address |
---|---|---|---|---|---|---|---|---|---|
555 | 777 | Shalev Israeli | ShalevI@test.com | userPassedMFADrivenByRiskBasedPolicy | unfamiliarFeatures | low | remediated | 2021-06-20T03:53:58.853418Z | 1.1.1.1 |
888 | 999 | Svetlana Israeli | SvetlanaI@test.com | userPassedMFADrivenByRiskBasedPolicy | unfamiliarFeatures | low | remediated | 2021-06-27T19:19:44.4975416Z | 1.1.1.1 |
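The AzureRiskyUsers.RiskyUser and AzureRiskyUsers.RiskDetection context paths documented for azure-risky-users-list and azure-risky-users-risk-detections-list are what a playbook actually reasons over, and the enumerations matter: remediated, dismissed and confirmedSafe are closed states, isProcessing means the backend has not settled the user's state yet, and a detection's correlationId is null unless it is tied to a sign-in. The following added example (not the integration's or the pack's code) joins the two structures by userId and buckets users into act / hold / closed, parses additionalInfo defensively, and orders confirmed compromises first. All records are constructed samples; the Key/Value list layout assumed for additionalInfo is an assumption about what Graph returns, and the medium-or-higher threshold is a policy choice, not something the page prescribes.

```python
"""Triage over AzureRiskyUsers context data.

Added example, not the integration's code. It consumes records shaped like the
AzureRiskyUsers.RiskyUser and AzureRiskyUsers.RiskDetection context paths
documented on this page and sorts users into act / hold / closed. All records
are constructed; the additionalInfo shape (JSON list of Key/Value objects) is
an assumption about what Graph returns.
"""
import json
from collections import defaultdict
from typing import Any, Dict, List

CLOSED_STATES = {"remediated", "dismissed", "confirmedSafe", "none"}
LEVEL_RANK = {"high": 3, "medium": 2, "low": 1}  # none/hidden/unknownFutureValue rank 0

RISKY_USERS: List[Dict[str, Any]] = [  # constructed AzureRiskyUsers.RiskyUser entries
    {"id": "u1", "userPrincipalName": "alice@test.com", "riskLevel": "high",
     "riskState": "atRisk", "riskDetail": "none", "isProcessing": False, "isDeleted": False},
    {"id": "u2", "userPrincipalName": "bob@test.com", "riskLevel": "none",
     "riskState": "remediated", "riskDetail": "userPerformedSecuredPasswordReset",
     "isProcessing": False, "isDeleted": False},
    {"id": "u3", "userPrincipalName": "carol@test.com", "riskLevel": "medium",
     "riskState": "confirmedCompromised", "riskDetail": "adminConfirmedUserCompromised",
     "isProcessing": False, "isDeleted": False},
    {"id": "u4", "userPrincipalName": "dave@test.com", "riskLevel": "medium",
     "riskState": "atRisk", "riskDetail": "none", "isProcessing": True, "isDeleted": False},
    {"id": "u5", "userPrincipalName": "erin@test.com", "riskLevel": "low",
     "riskState": "atRisk", "riskDetail": "none", "isProcessing": False, "isDeleted": True},
]

RISK_DETECTIONS: List[Dict[str, Any]] = [  # constructed AzureRiskyUsers.RiskDetection entries
    {"id": "d1", "userId": "u1", "riskEventType": "leakedCredentials", "riskLevel": "high",
     "riskState": "atRisk", "activity": "user", "detectionTimingType": "offline",
     "ipAddress": None, "correlationId": None, "additionalInfo": None},
    {"id": "d2", "userId": "u1", "riskEventType": "unfamiliarFeatures", "riskLevel": "medium",
     "riskState": "atRisk", "activity": "signin", "detectionTimingType": "realtime",
     "ipAddress": "203.0.113.7", "correlationId": "c-1",
     "additionalInfo": '[{"Key":"userAgent","Value":"Mozilla/5.0"}]'},
    {"id": "d3", "userId": "u3", "riskEventType": "adminConfirmedUserCompromised",
     "riskLevel": "high", "riskState": "confirmedCompromised", "activity": "user",
     "detectionTimingType": "offline", "ipAddress": None, "correlationId": None,
     "additionalInfo": "not json"},
]


def parse_additional_info(raw: Any) -> Dict[str, Any]:
    """additionalInfo is documented as JSON text; the Key/Value list layout is
    assumed. Malformed or empty input yields {} rather than failing the playbook."""
    if not raw:
        return {}
    try:
        parsed = json.loads(raw) if isinstance(raw, str) else raw
    except ValueError:
        return {}
    if isinstance(parsed, list):
        return {i["Key"]: i.get("Value") for i in parsed if isinstance(i, dict) and "Key" in i}
    return parsed if isinstance(parsed, dict) else {}


def classify(user: Dict[str, Any]) -> str:
    """Returns 'closed', 'hold' or 'act'. Closed states need no response.
    isProcessing means the backend has not settled the state yet, and a deleted
    account cannot have its password reset, so both are held for a human.
    confirmedCompromised always acts; otherwise medium or high atRisk acts."""
    if user.get("riskState") in CLOSED_STATES:
        return "closed"
    if user.get("isProcessing") or user.get("isDeleted"):
        return "hold"
    if user.get("riskState") == "confirmedCompromised":
        return "act"
    return "act" if LEVEL_RANK.get(user.get("riskLevel"), 0) >= LEVEL_RANK["medium"] else "hold"


def triage(users: List[Dict[str, Any]],
           detections: List[Dict[str, Any]]) -> Dict[str, List[Dict[str, Any]]]:
    """Join detections onto users by userId and bucket them, worst first."""
    by_user: Dict[str, List[Dict[str, Any]]] = defaultdict(list)
    for d in detections:
        by_user[d.get("userId")].append(d)
    result: Dict[str, List[Dict[str, Any]]] = {"act": [], "hold": [], "closed": []}
    for u in users:
        dets = by_user.get(u["id"], [])
        agents = {parse_additional_info(d.get("additionalInfo")).get("userAgent") for d in dets}
        result[classify(u)].append({
            "id": u["id"], "upn": u.get("userPrincipalName"),
            "riskState": u.get("riskState"), "riskLevel": u.get("riskLevel"),
            "riskDetail": u.get("riskDetail"),
            "eventTypes": sorted({d.get("riskEventType") for d in dets}),
            # correlationId is null unless the detection is tied to a sign-in
            "signInLinked": any(d.get("correlationId") for d in dets),
            "sourceIps": sorted({d["ipAddress"] for d in dets if d.get("ipAddress")}),
            "userAgents": sorted(agents - {None}),
        })
    # confirmedCompromised first, then by risk level descending
    result["act"].sort(key=lambda e: (e["riskState"] != "confirmedCompromised",
                                      -LEVEL_RANK.get(e["riskLevel"], 0)))
    return result
```

In an XSOAR automation the two lists would come from `demisto.context()` under the documented paths instead of the constructed samples; the functions take plain lists, so nothing else changes. Note that both list commands page client-side with limit and page, so a playbook that only pulls the first page with risk_state=atRisk will miss users beyond it.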

### azure-risky-users-risk-detection-get

Read the properties and relationships of a riskDetection object.

#### Base Command

`azure-risky-users-risk-detection-get`

#### Input

Argument Name | Description | Required |
---|---|---|
id | ID of risk detection to retrieve. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
AzureRiskyUsers.RiskDetection.id | String | Unique ID of the risk detection. Inherited from entity. |
AzureRiskyUsers.RiskDetection.userId | String | Unique ID of the user. |
AzureRiskyUsers.RiskDetection.userDisplayName | String | The user display name of the user. |
AzureRiskyUsers.RiskDetection.userPrincipalName | String | The user principal name (UPN) of the user. |
AzureRiskyUsers.RiskDetection.riskDetail | String | Details of the detected risk. Possible values are: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, unknownFutureValue. |
AzureRiskyUsers.RiskDetection.riskEventType | String | The type of risk event detected. The possible values are unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, adminConfirmedUserCompromised, mcasImpossibleTravel, mcasSuspiciousInboxManipulationRules, investigationsThreatIntelligenceSigninLinked, maliciousIPAddressValidCredentialsBlockedIP, and unknownFutureValue. If the risk detection is a premium detection, the value shown is generic. |
AzureRiskyUsers.RiskDetection.riskLevel | String | Level of the detected risk. Possible values are: low, medium, high, hidden, none, unknownFutureValue. |
AzureRiskyUsers.RiskDetection.riskState | String | The state of a detected risky user or sign-in. Possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue. |
AzureRiskyUsers.RiskDetection.ipAddress | String | Provides the IP address of the client from where the risk occurred. |
AzureRiskyUsers.RiskDetection.source | String | Source of the risk detection. For example, activeDirectory. |
AzureRiskyUsers.RiskDetection.detectionTimingType | String | Timing of the detected risk (real-time/offline). Possible values are: notDefined, realtime, nearRealtime, offline, unknownFutureValue. |
AzureRiskyUsers.RiskDetection.lastUpdatedDateTime | Date | Date and time that the risk detection was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like this: 2014-01-01T00:00:00Z |
AzureRiskyUsers.RiskDetection.location | String | Location of the sign-in. |
AzureRiskyUsers.RiskDetection.activity | String | Indicates the activity type the detected risk is linked to. Possible values are: signin, user, unknownFutureValue. |
AzureRiskyUsers.RiskDetection.activityDateTime | Date | Date and time that the risky activity occurred. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like this: 2014-01-01T00:00:00Z |
AzureRiskyUsers.RiskDetection.additionalInfo | String | Additional information associated with the risk detection in JSON format. |
AzureRiskyUsers.RiskDetection.correlationId | String | Correlation ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in. |
AzureRiskyUsers.RiskDetection.detectedDateTime | Date | Date and time that the risk was detected. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like this: 2014-01-01T00:00:00Z |
AzureRiskyUsers.RiskDetection.requestId | String | Request ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in. |
AzureRiskyUsers.RiskDetection.tokenIssuerType | String | Indicates the type of token issuer for the detected sign-in risk. Possible values are: AzureAD, ADFederationServices, UnknownFutureValue. |

#### Command Example

`!azure-risky-users-risk-detection-get id=6565`

#### Context Example

#### Human Readable Output

Found Risk Detection with ID: 6565

Id | User Id | User Display Name | User Principal Name | Risk Detail | Risk Event Type | Risk Level | Risk State | Ip Address | Detection Timing Type | Last Updated Date Time | Location |
---|---|---|---|---|---|---|---|---|---|---|---|
6565 | 999 | Svetlana Israeli | SvetlanaI@test.com | userPassedMFADrivenByRiskBasedPolicy | unfamiliarFeatures | low | remediated | 3.3.3.3 | realtime | 2021-07-03T13:38:04.6531838Z | city: Lviv; state: L'vivs'ka Oblast'; countryOrRegion: UA; geoCoordinates: {"latitude": 49, "longitude": 24} |