Azure Risky Users

This Integration is part of the Azure Risky Users Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Azure Risky Users provides access to all at-risk users and risk detections in Azure AD environment. This integration was integrated and tested with version 1.0 of Microsoft Graph Azure Risky Users.

Authorization#

In order to connect to the Azure Risky Users use either the Cortex XSOAR Azure App or the Self-Deployed Azure App. In both options, the device authorization grant flow is used.

Fill in the required parameters.
Run the !azure-risky-users-auth-start command.
Follow the instructions that appear.
Run the !azure-risky-users-auth-complete command.

At end of the process you'll see a message that you've logged in successfully.

Azure Application#

To use a self-configured Azure application, you need to add a new Azure App Registration in the Azure Portal.

The application must have IdentityRiskEvent.Read.All , IdentityRiskEvent.ReadWrite.All, IdentityRiskyUser.Read.All, IdentityRiskyUser.ReadWrite.All and User.Read permissions and must allow public client flows (can be found under the Authentication section of the app).

Configure AzureRiskyUsers on Cortex XSOAR#

Navigate to Settings > Integrations > Servers & Services.
Search for AzureRiskyUsers.
Click Add instance to create and configure a new integration instance.
Parameter Required
Use system proxy False
Trust any certificate False
Client ID True
Click Test to validate the URLs, token, and connection.

Parameter	Required
Use system proxy	False
Trust any certificate	False
Client ID	True

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

azure-risky-users-auth-test#

Tests the connectivity to Azure.

Base Command#

azure-risky-users-auth-test

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command Example#

!azure-risky-users-auth-test

Human Readable Output#

Success!

azure-risky-users-auth-start#

Run this command to start the authorization process and follow the instructions in the command results.

Base Command#

azure-risky-users-auth-start

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command Example#

!azure-risky-users-auth-start

Human Readable Output#

Authorization instructions#
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code XXXXX to authenticate.
Run the !azure-risky-users-auth-complete command in the War Room.

azure-risky-users-auth-complete#

Run this command to complete the authorization process. Should be used after running the azure-risky-users-auth-start command.

Base Command#

azure-risky-users-auth-complete

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command Example#

!azure-risky-users-auth-complete

Human Readable Output#

Authorization completed successfully.

azure-risky-users-auth-reset#

Run this command if for some reason you need to rerun the authentication process.

Base Command#

azure-risky-users-auth-reset

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command Example#

!azure-risky-users-auth-reset

Human Readable Output#

Authorization was reset successfully. Run !azure-risky-users-auth-start to start the authentication process.

azure-risky-users-list#

List all risky users and their properties.

Base Command#

azure-risky-users-list

Input#

Argument Name	Description	Required
risk_state	Risk State to retrieve. If not specified, all states will be retrieved. Possible values are: atRisk, confirmedCompromised, remediated, dismissed.	Optional
limit	Limit of results to retrieve. Default is 50.	Optional
page	Page number. Default is 1.	Optional
risk_level	Specify to get only results with the same Risk Level. Possible values are: low, medium, high.	Optional

Context Output#

Path	Type	Description
AzureRiskyUsers.RiskyUser.id	String	Unique ID of the user at risk.
AzureRiskyUsers.RiskyUser.userDisplayName	String	Risky user display name.
AzureRiskyUsers.RiskyUser.userPrincipalName	String	Risky user principal name.
AzureRiskyUsers.RiskyUser.riskLevel	String	Level of the detected risky user. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
AzureRiskyUsers.RiskyUser.riskState	String	State of the user's risk. Possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised.
AzureRiskyUsers.RiskyUser.riskLastUpdatedDateTime	Date	The date and time that the risky user was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: 2014-01-01T00:00:00Z
AzureRiskyUsers.RiskyUser.isDeleted	Boolean	Indicates whether the user is deleted.
AzureRiskyUsers.RiskyUser.isProcessing	Boolean	Indicates whether a user's risky state is being processed by the backend.
AzureRiskyUsers.RiskyUser.riskDetail	String	Details of the detected risk. Possible values are: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, unknownFutureValue.

Command Example#

!azure-risky-users-list limit=2

Context Example#

{
    "AzureRiskyUsers": {
        "RiskyUser": [
            {
                "id": "111",
                "isDeleted": false,
                "isProcessing": false,
                "riskDetail": "adminDismissedAllRiskForUser",
                "riskLastUpdatedDateTime": "2021-08-09T11:47:58.5581222Z",
                "riskLevel": "none",
                "riskState": "dismissed",
                "userDisplayName": "Or Israeli",
                "userPrincipalName": "ori@test.com"
            },
            {
                "id": "222",
                "isDeleted": false,
                "isProcessing": false,
                "riskDetail": "userPerformedSecuredPasswordReset",
                "riskLastUpdatedDateTime": "2020-11-05T18:35:39.2628939Z",
                "riskLevel": "none",
                "riskState": "remediated",
                "userDisplayName": "Elad Israeli",
                "userPrincipalName": "EladI@test.com"
            }
        ]
    }
}

Human Readable Output#

Risky Users List#
Current page size: 2 Showing page 1 out others that may exist |Id|User Display Name|User Principal Name|Risk Level|Risk State|Risk Detail|Risk Last Updated Date Time| |---|---|---|---|---|---|---| | 111 | Or Israeli | ori@test.com | none | dismissed | adminDismissedAllRiskForUser | 2021-08-09T11:47:58.5581222Z | | 222 | Elad Israeli | EladI@test.com | none | remediated | userPerformedSecuredPasswordReset | 2020-11-05T18:35:39.2628939Z |

azure-risky-user-get#

Retrieve properties and relationships of a Risky User.

Base Command#

azure-risky-user-get

Input#

Argument Name	Description	Required
id	Risky user ID to retrieve.	Required

Context Output#

Path	Type	Description
AzureRiskyUsers.RiskyUser.id	String	Unique ID of the user at risk.
AzureRiskyUsers.RiskyUser.userDisplayName	String	Risky user display name.
AzureRiskyUsers.RiskyUser.userPrincipalName	String	Risky user principal name.
AzureRiskyUsers.RiskyUser.riskLevel	String	Level of the detected risky user. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
AzureRiskyUsers.RiskyUser.riskState	String	State of the user's risk. Possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised.
AzureRiskyUsers.RiskyUser.riskLastUpdatedDateTime	Date	The date and time that the risky user was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: 2014-01-01T00:00:00Z
AzureRiskyUsers.RiskyUser.isDeleted	Boolean	Indicates whether the user is deleted.
AzureRiskyUsers.RiskyUser.isProcessing	Boolean	Indicates whether a user's risky state is being processed by the backend.
AzureRiskyUsers.RiskyUser.riskDetail	String	Details of the detected risk. Possible values are: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, unknownFutureValue.

Command Example#

!azure-risky-user-get id=333

Context Example#

{
    "AzureRiskyUsers": {
        "RiskyUser": {
            "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityProtection/riskyUsers/$entity",
            "id": "333",
            "isDeleted": false,
            "isProcessing": false,
            "riskDetail": "userPerformedSecuredPasswordReset",
            "riskLastUpdatedDateTime": "2020-10-05T12:12:17.2115592Z",
            "riskLevel": "none",
            "riskState": "remediated",
            "userDisplayName": "Yossi Israeli",
            "userPrincipalName": "yossi@test.com"
        }
    }
}

Human Readable Output#

Found Risky User With ID: 333#
Id User Display Name User Principal Name Risk Level Risk State Risk Detail Risk Last Updated Date Time
333 Yossi Israeli yossi@test.com none remediated userPerformedSecuredPasswordReset 2020-10-05T12:12:17.2115592Z

Id	User Display Name	User Principal Name	Risk Level	Risk State	Risk Detail	Risk Last Updated Date Time
333	Yossi Israeli	yossi@test.com	none	remediated	userPerformedSecuredPasswordReset	2020-10-05T12:12:17.2115592Z

azure-risky-users-risk-detections-list#

Get a list of the riskDetection objects and their properties.

Base Command#

azure-risky-users-risk-detections-list

Input#

Argument Name	Description	Required
limit	Limit of results to retrieve. Possible values are: . Default is 50.	Optional
page	Page number. Default is 1.	Optional
risk_state	Risk State to retrieve. If not specified, all states will be retrieved. Possible values are: atRisk, confirmedCompromised, remediated, dismissed, confirmedSafe.	Optional
risk_level	Specify to get only results with the same Risk Level. Possible values are: low, medium, high.	Optional

Context Output#

Path	Type	Description
AzureRiskyUsers.RiskDetection.id	String	Unique ID of the risk detection. Inherited from entity.
AzureRiskyUsers.RiskDetection.userId	String	Unique ID of the user.
AzureRiskyUsers.RiskDetection.userDisplayName	String	The user display name of the user.
AzureRiskyUsers.RiskDetection.userPrincipalName	String	The user principal name (UPN) of the user.
AzureRiskyUsers.RiskDetection.riskDetail	String	Details of the detected risk. Possible values are: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, unknownFutureValue.
AzureRiskyUsers.RiskDetection.riskEventType	String	The type of risk event detected. The possible values are unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic,adminConfirmedUserCompromised, mcasImpossibleTravel, mcasSuspiciousInboxManipulationRules, investigationsThreatIntelligenceSigninLinked, maliciousIPAddressValidCredentialsBlockedIP, and unknownFutureValue. If the risk detection is a premium detection, will show generic
AzureRiskyUsers.RiskDetection.riskLevel	String	Level of the detected risk. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
AzureRiskyUsers.RiskDetection.riskState	String	The state of a detected risky user or sign-in. Possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue.
AzureRiskyUsers.RiskDetection.ipAddress	String	Provides the IP address of the client from where the risk occurred.
AzureRiskyUsers.RiskDetection.source	String	Source of the risk detection. For example, activeDirectory.
AzureRiskyUsers.RiskDetection.detectionTimingType	String	Timing of the detected risk (real-time/offline). Possible values are: notDefined, realtime, nearRealtime, offline, unknownFutureValue.
AzureRiskyUsers.RiskDetection.lastUpdatedDateTime	Date	Date and time that the risk detection was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is look like this: 2014-01-01T00:00:00Z
AzureRiskyUsers.RiskDetection.location	String	Location of the sign-in.
AzureRiskyUsers.RiskDetection.activity	String	Indicates the activity type the detected risk is linked to. . Possible values are: signin, user, unknownFutureValue.
AzureRiskyUsers.RiskDetection.activityDateTime	Date	Date and time that the risky activity occurred. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is look like this: 2014-01-01T00:00:00Z
AzureRiskyUsers.RiskDetection.additionalInfo	String	Additional information associated with the risk detection in JSON format.
AzureRiskyUsers.RiskDetection.correlationId	String	Correlation ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in.
AzureRiskyUsers.RiskDetection.detectedDateTime	Date	Date and time that the risk was detected. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is look like this: 2014-01-01T00:00:00Z
AzureRiskyUsers.RiskDetection.requestId	String	Request ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in.
AzureRiskyUsers.RiskDetection.tokenIssuerType	String	Indicates the type of token issuer for the detected sign-in risk. Possible values are: AzureAD, ADFederationServices, UnknownFutureValue.

Command Example#

!azure-risky-users-risk-detections-list limit=2

Context Example#

{
    "AzureRiskyUsers": {
        "RiskDetection": [
            {
                "activity": "signin",
                "activityDateTime": "2021-06-20T03:51:32.9572792Z",
                "additionalInfo": "[{\"Key\":\"userAgent\",\"Value\":\"Dalvik/2.1.0 (Linux; U; Android 9; VKY-L29 Build/HUAWEIVKY-L29) ;VKY-L29\"}]",
                "correlationId": "aaaa1111",
                "detectedDateTime": "2021-06-20T03:51:32.9572792Z",
                "detectionTimingType": "realtime",
                "id": "555",
                "ipAddress": "1.1.1.1",
                "lastUpdatedDateTime": "2021-06-20T03:53:58.853418Z",
                "location": {
                    "city": "Pisgat Ze'ev",
                    "countryOrRegion": "IL",
                    "geoCoordinates": {
                        "latitude": 31,
                        "longitude": 35
                    },
                    "state": "Yerushalayim"
                },
                "requestId": "bbbb1111",
                "riskDetail": "userPassedMFADrivenByRiskBasedPolicy",
                "riskEventType": "unfamiliarFeatures",
                "riskLevel": "low",
                "riskState": "remediated",
                "source": "IdentityProtection",
                "tokenIssuerType": "AzureAD",
                "userDisplayName": "Shalev Israeli",
                "userId": "777",
                "userPrincipalName": "ShalevI@test.com"
            },
            {
                "activity": "signin",
                "activityDateTime": "2021-06-27T19:16:19.9976898Z",
                "additionalInfo": "[{\"Key\":\"userAgent\",\"Value\":\"Dalvik/2.1.0 (Linux; U; Android 9; SM-G950F Build/PPR1.180610.011) ;SM-G950F\"}]",
                "correlationId": "aaaa2222",
                "detectedDateTime": "2021-06-27T19:16:19.9976898Z",
                "detectionTimingType": "realtime",
                "id": "888",
                "ipAddress": "1.1.1.1",
                "lastUpdatedDateTime": "2021-06-27T19:19:44.4975416Z",
                "location": {
                    "city": "Dniprodzerzhyns'k",
                    "countryOrRegion": "UA",
                    "geoCoordinates": {
                        "latitude": 48,
                        "longitude": 34
                    },
                    "state": "Dnipropetrovs'ka Oblast'"
                },
                "requestId": "bbbb2222",
                "riskDetail": "userPassedMFADrivenByRiskBasedPolicy",
                "riskEventType": "unfamiliarFeatures",
                "riskLevel": "low",
                "riskState": "remediated",
                "source": "IdentityProtection",
                "tokenIssuerType": "AzureAD",
                "userDisplayName": "Svetlana Israeli",
                "userId": "999",
                "userPrincipalName": "SvetlanaI@test.com"
            }
        ]
    }
}

Human Readable Output#

Risk Detections List#
Current page size: 2 Showing page 1 out others that may exist |Id|User Id|User Display Name|User Principal Name|Risk Detail|Risk Event Type|Risk Level|Risk State|Risk Detail|Last Updated Date Time|Ip Address| |---|---|---|---|---|---|---|---|---|---|---| | 555 | 777 | Shalev Israeli | ShalevI@test.com | userPassedMFADrivenByRiskBasedPolicy | unfamiliarFeatures | low | remediated | userPassedMFADrivenByRiskBasedPolicy | 2021-06-20T03:53:58.853418Z | 1.1.1.1 | | 888 | 999 | Svetlana Israeli | SvetlanaI@test.com | userPassedMFADrivenByRiskBasedPolicy | unfamiliarFeatures | low | remediated | userPassedMFADrivenByRiskBasedPolicy | 2021-06-27T19:19:44.4975416Z | 1.1.1.1 |

azure-risky-users-risk-detection-get#

Read the properties and relationships of a riskDetection object.

Base Command#

azure-risky-users-risk-detection-get

Input#

Argument Name	Description	Required
id	ID of risk detection to retrieve.	Required

Context Output#

Path	Type	Description
AzureRiskyUsers.RiskDetection.id	String	Unique ID of the risk detection. Inherited from entity.
AzureRiskyUsers.RiskDetection.userId	String	Unique ID of the user.
AzureRiskyUsers.RiskDetection.userDisplayName	String	The user display name of the user.
AzureRiskyUsers.RiskDetection.userPrincipalName	String	The user principal name (UPN) of the user.
AzureRiskyUsers.RiskDetection.riskDetail	String	Details of the detected risk. Possible values are: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, unknownFutureValue.
AzureRiskyUsers.RiskDetection.riskEventType	String	The type of risk event detected. The possible values are unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic,adminConfirmedUserCompromised, mcasImpossibleTravel, mcasSuspiciousInboxManipulationRules, investigationsThreatIntelligenceSigninLinked, maliciousIPAddressValidCredentialsBlockedIP, and unknownFutureValue. If the risk detection is a premium detection, will show generic
AzureRiskyUsers.RiskDetection.riskLevel	String	Level of the detected risk. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
AzureRiskyUsers.RiskDetection.riskState	String	The state of a detected risky user or sign-in. Possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue.
AzureRiskyUsers.RiskDetection.ipAddress	String	Provides the IP address of the client from where the risk occurred.
AzureRiskyUsers.RiskDetection.source	String	Source of the risk detection. For example, activeDirectory.
AzureRiskyUsers.RiskDetection.detectionTimingType	String	Timing of the detected risk (real-time/offline). Possible values are: notDefined, realtime, nearRealtime, offline, unknownFutureValue.
AzureRiskyUsers.RiskDetection.lastUpdatedDateTime	Date	Date and time that the risk detection was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is look like this: 2014-01-01T00:00:00Z
AzureRiskyUsers.RiskDetection.location	String	Location of the sign-in.
AzureRiskyUsers.RiskDetection.activity	String	Indicates the activity type the detected risk is linked to. . Possible values are: signin, user, unknownFutureValue.
AzureRiskyUsers.RiskDetection.activityDateTime	Date	Date and time that the risky activity occurred. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is look like this: 2014-01-01T00:00:00Z
AzureRiskyUsers.RiskDetection.additionalInfo	String	Additional information associated with the risk detection in JSON format.
AzureRiskyUsers.RiskDetection.correlationId	String	Correlation ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in.
AzureRiskyUsers.RiskDetection.detectedDateTime	Date	Date and time that the risk was detected. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is look like this: 2014-01-01T00:00:00Z
AzureRiskyUsers.RiskDetection.requestId	String	Request ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in.
AzureRiskyUsers.RiskDetection.tokenIssuerType	String	Indicates the type of token issuer for the detected sign-in risk. Possible values are: AzureAD, ADFederationServices, UnknownFutureValue.

Command Example#

!azure-risky-users-risk-detection-get id=6565

Context Example#

{
    "AzureRiskyUsers": {
        "RiskDetection": {
            "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityProtection/riskDetections/$entity",
            "activity": "signin",
            "activityDateTime": "2021-07-03T13:35:38.8773806Z",
            "additionalInfo": "[{\"Key\":\"userAgent\",\"Value\":\"Dalvik/2.1.0 (Linux; U; Android 9; SM-G950F Build/PPR1.180610.011) ;SM-G950F\"}]",
            "correlationId": "aaaa3333",
            "detectedDateTime": "2021-07-03T13:35:38.8773806Z",
            "detectionTimingType": "realtime",
            "id": "6565",
            "ipAddress": "3.3.3.3",
            "lastUpdatedDateTime": "2021-07-03T13:38:04.6531838Z",
            "location": {
                "city": "Lviv",
                "countryOrRegion": "UA",
                "geoCoordinates": {
                    "latitude": 49,
                    "longitude": 24
                },
                "state": "L'vivs'ka Oblast'"
            },
            "requestId": "bbbb33333",
            "riskDetail": "userPassedMFADrivenByRiskBasedPolicy",
            "riskEventType": "unfamiliarFeatures",
            "riskLevel": "low",
            "riskState": "remediated",
            "source": "IdentityProtection",
            "tokenIssuerType": "AzureAD",
            "userDisplayName": "Svetlana Israeli",
            "userId": "999",
            "userPrincipalName": "SvetlanaI@test.com"
        }
    }
}

Human Readable Output#

Found Risk Detection with ID: 6565#
Id User Id User Display Name User Principal Name Risk Detail Risk Event Type Risk Level Risk State Ip Address Detection Timing Type Last Updated Date Time Location
6565 999 Svetlana Israeli SvetlanaI@test.com userPassedMFADrivenByRiskBasedPolicy unfamiliarFeatures low remediated 3.3.3.3 realtime 2021-07-03T13:38:04.6531838Z city: Lviv
state: L'vivs'ka Oblast'
countryOrRegion: UA
geoCoordinates: {"latitude": 49, "longitude": 24}